Security writing is full of jargon that assumes you already know the jargon. This glossary defines the terms you’ll actually meet — in news coverage, in vendor claims, and in our own guides — in plain language, each in under 80 words. Every entry is linkable: use the anchor links to cite a definition directly.
Last reviewed: July 2026. New techniques get names fast; we add them as they earn one.
A
Adversary-in-the-middle (AiTM)
A phishing technique where the fake site sits between the victim and the real one, relaying the genuine login — including the MFA prompt — in real time. The kit captures the authenticated session token at the end, so the attacker logs in as the victim, MFA and all.
B
Blocklist
A list of web addresses or senders already identified as malicious, used by browsers, filters and DNS tools to block known threats. Structurally reactive: a page created an hour ago is on nobody's blocklist yet.
Brand impersonation
Any attack that borrows a trusted brand's identity — its logo, layout, domain lookalikes or email style — to trick that brand's customers or staff. The brand's systems aren't breached; its reputation is used as the weapon.
Browser-in-the-browser (BitB)
An attack that draws a fake browser window — address bar included — inside a normal web page. The 'trusted' URL the victim checks is just a picture, defeating the standard advice to verify the address bar.
Business email compromise (BEC)
A targeted scam in which an attacker poses as an executive, employee or supplier — often from a compromised or lookalike account — to trick staff into transferring money or changing payment details. Usually contains no malware or malicious link at all, which is why filters miss it.
C
CEO fraud
A form of BEC where the attacker impersonates a senior executive, typically emailing finance staff with an urgent, confidential payment request. Relies on authority and time pressure rather than technology.
ClickFix
A social-engineering technique using a fake verification page ('prove you're human') that instructs the victim to paste a command into their own computer. The pasted command runs malware — the victim performs the infection themselves, so no attachment is ever scanned.
Clone phishing
Re-sending a legitimate email the victim has already received, with the original link or attachment swapped for a malicious one — often framed as a 'resend' or 'updated version'.
Credential harvesting
Collecting usernames and passwords at scale, most commonly through fake login pages. Harvested credentials are used directly, sold on, or tested against other services the victim uses (credential stuffing).
D
Deepfake
AI-generated audio, image or video that convincingly imitates a real person. Increasingly used to add a 'voice confirmation' or video call on top of a phishing email, defeating verify-by-phone habits.
DKIM (DomainKeys Identified Mail)
An email authentication standard that cryptographically signs outgoing mail so receivers can verify it wasn't altered and genuinely comes from the signing domain. One of the three checks (with SPF and DMARC) behind sender verification.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
A policy layer on top of SPF and DKIM that tells receiving mail servers what to do with messages that fail authentication — and reports abuse back to the domain owner. A DMARC failure is a strong phishing signal.
Domain spoofing
Forging or imitating a domain to make a message or site appear to come from a trusted source — via lookalike registrations, subdomain tricks, or forged headers where authentication is weak.
Drive-by download
A download that starts without the victim knowingly requesting it, triggered by visiting a compromised or malicious page. Modern browsers block most, which is why attackers now prefer tricking users into acting.
H
Homoglyph / lookalike domain
A domain built from characters that resemble another's — 'rn' for 'm', Cyrillic 'а' for Latin 'a' — or that embeds a brand name in a subdomain. Often visually indistinguishable from the real address.
M
Malvertising
Malicious advertising: attackers buy legitimate ad space to deliver scam pages or malware, including fake brand ads placed above the real result in search engines.
MFA fatigue (push bombing)
Flooding a victim with authentication push notifications until they approve one out of annoyance or confusion — a way of beating MFA that requires no technology at all.
Multi-factor authentication (MFA)
Requiring a second proof of identity — a code, a push approval, a hardware key — beyond the password. Blocks most password attacks, but modern AiTM phishing kits capture the session after MFA succeeds.
P
Pharming
Redirecting victims from a legitimate address to a fake site by tampering with DNS or the victim's device, so even a correctly typed address lands on the attacker's page.
Phishing
The umbrella term: tricking someone into revealing credentials, data or money by impersonating a trusted party — via email, text, phone, QR code or fake website. Named for 'fishing' with bait; the 'ph' comes from early hacker jargon.
Phishing kit / Phishing-as-a-Service (PhaaS)
A ready-made package — fake pages, hosting scripts, evasion tools, often AiTM MFA bypass — sold or rented (typically around US$120) so non-technical criminals can run professional campaigns.
Pretexting
Building a believable scenario ('I'm from IT', 'your CEO needs this before the board call') to justify an unusual request. The narrative backbone of BEC and vishing.
Pig butchering
A long-con investment scam: the attacker builds trust over weeks (the 'fattening'), then steers the victim into a fake investment platform and takes everything. Frequently begins with a 'wrong number' text.
Q
Quishing
Phishing delivered by QR code, usually in an email attachment, invoice or poster. Email filters can't read the code's destination, and scanning moves the attack to a phone, where URLs are harder to inspect.
S
Session token / cookie theft
Stealing the small piece of data a site stores in the browser after a successful login — the session cookie — so the attacker can resume the victim's authenticated session without ever knowing the password or passing MFA themselves.
Smishing
Phishing by SMS text message: fake delivery notices, bank alerts, toll fees, 'wrong number' openers. Effective because texts feel personal, arrive on a trusted device, and hide the usual warning signs.
Social engineering
Manipulating people, rather than software, into breaking security — through urgency, authority, fear or helpfulness. Phishing is social engineering's highest-volume form.
SPF (Sender Policy Framework)
An email standard listing which servers are allowed to send mail for a domain. An SPF failure means the message came from somewhere the domain owner never authorised.
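The DKIM, DMARC and SPF entries above describe three checks that work together; the following is an added example (not code from this glossary or any mail product) showing how a receiver combines them into a DMARC verdict in the manner of RFC 7489. It assumes SPF and DKIM have already been evaluated upstream, and it simplifies the "organizational domain" to the last two labels instead of consulting the Public Suffix List; the function names are our own.

```python
# Added example: a simplified DMARC check in the style of RFC 7489, written
# for this glossary (not a mail library; no DNS lookups, and the SPF/DKIM
# results are assumed to come from an earlier stage of the receiver).

def org_domain(domain):
    # Assumption: the "organizational domain" is the last two labels.
    # Real receivers consult the Public Suffix List (co.uk and similar).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(txt):
    # Parse a TXT record such as "v=DMARC1; p=reject; adkim=s; aspf=r".
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None  # no usable policy: the receiver behaves as if there were no DMARC
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags

def aligned(auth_domain, from_domain, mode):
    # Strict ("s") needs an exact match; relaxed ("r") accepts a subdomain.
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record_txt, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """Return (dmarc_result, disposition) for one message.

    from_domain is the domain in the visible From: header. spf_domain is the
    envelope sender's domain that SPF was checked against; dkim_domain is the
    d= domain of a DKIM signature that verified. Either may be None."""
    policy = parse_dmarc(record_txt)
    if policy is None:
        return ("none", "none")
    spf_ok = bool(spf_pass and spf_domain and aligned(spf_domain, from_domain, policy["aspf"]))
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(dkim_domain, from_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy["p"])  # disposition: none, quarantine or reject

if __name__ == "__main__":
    # Constructed sample: the sender's own domain passes SPF, but it does
    # not align with the brand in the From: header, so DMARC still fails.
    record = "v=DMARC1; p=reject; aspf=r; adkim=s"
    print(evaluate(record, "example.com", "attacker.example", True, None, False))
```

The point the glossary makes is visible in the sample: a message can pass SPF for whatever domain actually sent it and still fail DMARC, because neither check lines up with the domain the recipient sees.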
Spear phishing
Phishing aimed at a specific person or small group, using researched details — names, projects, suppliers — to make the lure credible. Lower volume, far higher success rate than mass phishing.
T
Typosquatting
Registering misspellings and near-misses of popular domains to catch mistyped visits or to serve as convincing phishing addresses.
V
Vishing
Voice phishing: fraud by phone call, increasingly using AI voice cloning. Often paired with an email or text ('our fraud team will call you shortly') to manufacture legitimacy.
W
Watering hole attack
Compromising a website the target group already visits and trusts, then using it to serve malware or harvest credentials — bringing the trap to the victims instead of luring them out.
Whaling
Spear phishing aimed at the biggest targets — executives, board members, finance leaders — where a single success can authorise very large transfers. Executive-grade protection exists for exactly this tier.
Z
Zero-day phishing
A phishing page or email so new that no blocklist, filter or browser warning has ever seen it. Most phishing pages live only hours — long enough to catch victims, short enough to stay off every list.
Keep going
See these techniques in the wild: the latest phishing techniques in 2026, the numbers behind them in phishing statistics 2026, or test your eye with the spot-the-fake quiz.