Chapter 22 Β· Glossary

Phishing β€” Term Reference

Every term you need for phishing and social engineering attacks on the Security+ exam.

Phishing
Deceptive emails impersonating trusted organizations to trick recipients into revealing credentials, installing malware, or taking harmful actions. The most common initial access vector in cyberattacks. Relies on urgency, authority, and brand impersonation to bypass critical thinking and exploit conditioned user behaviors.
Spear Phishing
Targeted phishing using personal details about the specific victim β€” name, employer, role, manager, recent activities β€” to increase credibility and success rates. Research-intensive but far more effective than generic phishing. Preferred initial access method for APT groups and ransomware operators targeting specific organizations.
Whaling
Spear phishing targeting high-value individuals β€” CEOs, CFOs, board members, and other executives. Higher research investment justified by higher-value targets. Commonly used in Business Email Compromise (BEC) attacks targeting C-suite executives or their assistants for financial fraud, wire transfer authorization, or strategic information theft.
Vishing
Voice phishing. Phone calls impersonating legitimate organizations β€” IT support, banks, IRS, government agencies β€” to extract credentials, personal information, or payment details. Caller ID spoofing makes the call appear to originate from a legitimate number. The real-time human interaction creates pressure and prevents the reflection that written communication allows.
Smishing
SMS phishing. Text messages containing malicious links or fraudulent requests impersonating package carriers, banks, or government agencies. Short URLs (bit.ly, etc.) obscure the true destination. Small screen real estate makes URL inspection difficult. Defense: never click links in unsolicited SMS β€” go directly to the official app or website.
Clone Phishing
An attacker copies a real, previously delivered legitimate email, replaces a link or attachment with a malicious version, and resends it from a spoofed address. High credibility because the email content is authentic β€” recipients recognize the email from the original delivery and process the clone with the trust established then. The only change is the malicious payload.
Pharming
Redirecting users from legitimate URLs to malicious sites without their knowledge. Achieved by DNS cache poisoning (corrupting a DNS resolver's cache so lookups return attacker-controlled IP addresses) or hosts file modification (editing the local hosts file on a compromised system). The victim types the correct URL and is silently redirected to a fake site.
Credential Harvesting
Collecting usernames, passwords, and authentication tokens by presenting fake login pages that mimic legitimate services. The core goal of most phishing attacks. After credential submission, the user is typically redirected to the real service β€” they experience no disruption and remain unaware. Harvested credentials are replayed against real services for account takeover or sold on dark web markets.
SPF (Sender Policy Framework)
A DNS TXT record listing the mail servers authorized to send email on behalf of a domain. Receiving mail servers check whether the sending server's IP address appears in the domain's SPF record. Reduces domain spoofing β€” emails claiming to be from a domain but sent from unlisted servers fail SPF. Does not validate message content or prevent display-name spoofing.
DKIM (DomainKeys Identified Mail)
Adds a cryptographic signature to outgoing emails, allowing receiving servers to verify the email was sent by an authorized server and was not modified in transit. The sending server signs the email with a private key; the public key is published in DNS. DKIM validates both server authorization and message integrity β€” unlike SPF, which only validates the sending server.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
A DNS policy record specifying what to do when SPF or DKIM checks fail: none (monitor only, still deliver), quarantine (route to spam), or reject (block entirely). Enables reporting β€” domain owners receive aggregated reports of all SPF/DKIM failures, revealing spoofing attempts against their domain. Without DMARC at quarantine or reject, SPF and DKIM failures are logged but emails are still delivered.
Typosquatting
Registering domain names that are common misspellings or visual variations of legitimate domains: micros0ft.com (zero for O), arnazon.com (rn resembles m), paypa1.com (one for L). Used for phishing, credential harvesting, and malware delivery. Users who mistype a URL, or who fail to inspect the domain carefully, land on attacker-controlled infrastructure.
Homograph Attack
Using Unicode characters that look visually identical to ASCII characters to create lookalike domain names. The Cyrillic letter 'Π°' (U+0430) is visually indistinguishable from the Latin 'a' (U+0061) in most fonts. A domain substituting Cyrillic characters looks identical to the real domain but is technically a different domain. Browsers may display punycode (xn--...) as a warning in some cases.
Phishing Kit
A pre-built package for deploying a credential-harvesting phishing site β€” copied HTML and CSS of a legitimate site, PHP scripts to capture and forward harvested credentials, obfuscated code to evade security scanners. Available on dark web forums for $20–200. Enables attackers with no web development skills to deploy convincing, professional-looking phishing campaigns against any major service within hours.
URL Inspection (Hover)
The practice of hovering over a hyperlink before clicking to reveal the actual destination URL in the browser's status bar. A fundamental phishing defense technique. The display text of a link and its actual href destination are completely independent in HTML β€” a link can display "Click to verify your Microsoft account" while pointing to any attacker-controlled URL. Hovering exposes this discrepancy before any click occurs.
Phishing-Resistant MFA
Authentication methods that cannot be captured and replayed on phishing sites β€” FIDO2 hardware security keys (YubiKey, hardware tokens), passkeys using WebAuthn. The credential is cryptographically bound to the legitimate domain's origin: the authentication challenge comes from the real site, and the response only validates for that exact domain. A phishing site cannot generate a valid challenge and therefore cannot harvest these credentials under any circumstances.