
Phishing Methods Overview: From Spear Phishing to AI Phishing

Email, phone, text message, QR code, chat, and AI—all types of phishing explained with examples and protective measures for each method.

Chris Wojzechowski, Managing Partner
10 min read
IT-Grundschutz-Praktiker (TÜV), IT Risk Manager (DGI), § 8a BSIG Prüfverfahrenskompetenz, Ausbilderprüfung (IHK)

TL;DR

Phishing is no longer a single, uniform attack: criminals now choose from a broad arsenal - from classic mass emails to CEO fraud and quishing via QR codes to chishing in business chats. The most dangerous development is AI-powered phishing: language models like GPT-3 produce deceptively realistic, personalized messages at industrial scale. Phishing-as-a-Service toolkits like Caffeine further lower the barrier to entry. Effective protection therefore requires more than technical filters - regular awareness training and targeted phishing simulations are essential.


Phishing has been a growing problem since the dawn of the internet. However, the term no longer describes a single, uniform method. Anyone who wants to fend off attacks must first understand the different variants that exist, how they work technically, and why people continue to fall for them despite increasing awareness.

This guide summarizes the most important phishing methods—with concrete real-world examples and one protective measure for each method.


1. The Evolution of Phishing

Attempts at fraud existed even before the internet. Back then, of course, not via email, but via letter. However, with increasingly rapid networking and digitization, the business of criminal messages has become increasingly scalable. Spam filters and other security solutions do try to keep malicious emails out of inboxes—but their success has been rather limited. This is partly because criminals are constantly finding new methods and attack vectors to bypass these filters.

Phishing attacks are difficult to detect because they can mimic legitimate emails or websites. Now they are becoming even more sophisticated: Artificial intelligence enables realistic, personalized messages that are nearly impossible to detect, even for vigilant users. At the same time, Phishing-as-a-Service platforms lower the technical barrier to entry to a minimum.

The following overview shows which methods criminals are using today—and what companies can do to counter them.


2. Email Phishing (Classic)

Classic email phishing is the origin of all variants. Phishing is a type of digital attack in which users are tricked into revealing personal data, such as passwords or credit card numbers, through fraudulent emails or websites.

Mass phishing campaigns target as many recipients as possible at the same time. The messages mimic well-known brands, banks, or government agencies and create a sense of urgency, typically through an artificial deadline or the threat of consequences.

Real-world example: An email pretends to come from a well-known streaming platform and asks the recipient to update their payment information. The link provided leads to a deceptively realistic fake version of the real website.

Precaution: Carefully check the sender’s domain and the linked URL—both must match the organization in question. If in doubt, log in directly on the real website instead of clicking the link in the email.
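As an added illustration of this check (example code written for this article's point, not tooling from AWARE7), the following Python script parses a constructed phishing email, compares the sender's domain and every link target against the expected brand domain, and also flags links whose visible URL text names a different domain than the real href target:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the display name and the visible link text imitate
# the brand, but the real sender domain and the real link target do not.
SAMPLE_EMAIL = """\
From: "StreamFlix Billing" <billing@streamflix-account-update.example>
To: customer@example.org
Subject: Update your payment information
Content-Type: text/html; charset=utf-8

<p>Your payment failed. Please <a href="https://streamflix.example.login-verify.example/pay">
update your payment details at https://streamflix.example/account</a> within 24 hours.</p>
"""
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable_domain(host: str) -> str:
    """Crude registrable domain (last two labels); a real check should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_email(raw: str, expected_domain: str) -> list:
    """Return findings; an empty list means sender and all links match expected_domain."""
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg["From"])
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1])
    if sender_domain != expected_domain:
        findings.append(f"sender domain {sender_domain!r} is not {expected_domain!r}")
    parser = LinkExtractor()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        if target != expected_domain:
            findings.append(f"link target domain {target!r} is not {expected_domain!r}")
        # A URL shown in the link text that differs from the real target is a classic trick.
        for shown in URL_RE.findall(text):
            shown_domain = registrable_domain(urlparse(shown).hostname or "")
            if shown_domain != target:
                findings.append(f"link text shows {shown_domain!r} but points to {target!r}")
    return findings
```

Calling check_email(SAMPLE_EMAIL, "streamflix.example") returns three findings: the mismatched sender domain, the mismatched link target, and the link whose visible text names a different domain than its href.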


3. Spear Phishing and Whaling/CEO Fraud

While mass phishing relies on quantity, spear phishing targets individual, carefully selected people. A spear phishing attack is a targeted attack on a person or group of people—using pre-researched, personal details that make the message convincing.

CEO fraud is the most common form of spear phishing used against companies. The word “fraud” means exactly what it says: deception. CEO fraud is a scam in which the identity of a decision-maker is impersonated—whether through a manipulated email, caller ID spoofing, or even a deepfake video call. Perpetrators first lay the groundwork with extensive social-engineering research via LinkedIn and company websites; only then do they call the accounting department posing as the CEO or request a wire transfer by email.

The North Rhine-Westphalia Police warned early on that the number of cases had doubled. Various scammers have stolen several million euros using this scheme. What’s interesting is that the police also warn that small and medium-sized enterprises can become targets as well. While initially it was only the very large, internationally active companies, small business owners are now also being specifically targeted. No wonder: there’s a lot to be gained here too, although the risk and security barriers are usually lower than at top corporations.

Real-world example: Security researchers used machine learning software to automatically send tweets to Pokémon Go players on Twitter. The software responded fully automatically to tweets with the hashtag #PokemonGo, achieving click-through rates of 30% to 60%—compared to 5–10% for standard phishing. A manually created spear-phishing attack typically takes up to 10 minutes to prepare, with a click-through rate of up to 40%.

Preventive measure: Instructions regarding financial transactions must always be confirmed via a second, verified channel—a quick call back to the alleged sender’s known number is enough to stop the scam. Employees must also know that it is acceptable to question even their boss.


4. Vishing (Phone Phishing)

Vishing is short for “voice phishing”—phishing over the phone. Attackers call their victims directly and pose as bank employees, IT support staff, or government officials. When combined with caller ID spoofing, the victim sees a trustworthy-looking phone number.

The speed of communication during phone calls and the resulting level of trust are significantly higher than with emails. Attackers exploit this effect deliberately: When pressured by an authority figure over the phone, people act faster and question less.

Vishing is regularly used in CEO fraud: by the time they call, the fraudsters have usually spent a long time probing the company, know how employees think, and play the role of the boss very credibly and authoritatively.

Real-world example: An attacker calls the accounting department posing as the CEO and demands an urgent transfer to a foreign account. The displayed phone number matches the executive’s real phone number because caller ID spoofing is being used.

Precaution: Always verify instructions given over the phone regarding transfers or the disclosure of sensitive data via a different channel (e.g., in person or via email to the known address).


5. Smishing (SMS Phishing)

Smishing refers to phishing attacks via SMS or messaging services. The principle is the same as with email phishing—only the channel is different. Fraudsters send text messages that announce a package delivery, simulate an account warning, or contain alleged prize notifications, and link to fraudulent websites.

Smishing is effective because many people intuitively trust text messages more than emails. Additionally, URLs are often displayed in shortened form on mobile devices, making it harder to spot fakes.

Real-world example: A text message pretends to be from a package delivery service and requests payment of a small fee so the package can be delivered. The link leads to a fake payment page where payment details are stolen.

Precaution: Do not click on links in unexpected text messages. Verify suspicious messages by visiting the official website directly or contacting official customer service.


6. Quishing (QR Code Phishing)

Quishing combines QR codes with classic phishing tactics. In quishing, a QR code is generated that contains a malicious link. This link can also be disguised using a URL shortener. Unlike email phishing, the QR code is usually printed on physical media, as sending it via email isn’t particularly plausible.

The COVID-19 pandemic has deeply integrated QR codes into everyday life: digital vaccine passports, contact tracing, check-ins—QR codes have been ubiquitous ever since. If the QR code is placed in a plausible location and within a logical context, it appears more legitimate and trustworthy than an email.

Real-world example: In Austin, Texas, authorities discovered tampered QR codes at parking stations. The codes redirected to a page that did not originate from an official source—this allowed attackers to steal payment data from parkers.

Precaution: Use a QR code scanner that displays a URL preview before opening the link. Apple has built this feature into its system-integrated scanner; corresponding apps are available for Android. Do not scan codes in unusual or suspicious-looking locations.


7. Chishing (Chat Phishing)

Communication within companies increasingly takes place via business chat platforms. External partners are also being added to internal business chats more frequently, thereby expanding the attack surface. AWARE7 has discovered that with a variety of chat tools, it is possible to edit a profile in such a way that a spoofing attack becomes feasible. This attack method has been termed chishing—a portmanteau of chat and phishing.

Spoofing occurs when an attacker pretends to be someone else in order to gain access to confidential information. Attackers change the profile picture and display name so that conversation partners do not notice the identity change during an ongoing chat. The speed of communication in chats and the level of trust are significantly higher than with emails—an ideal environment for social engineering attacks.

AWARE7 analyzed six chat tools in a study: Microsoft Teams, Google Chat, Slack, Element.io, Mattermost, and WebEx Teams. Result: In four of the six tools—Google Chat, Slack, Mattermost, and WebEx Teams—it was possible to change the profile picture and name in such a way that it was not noticeable within a chat whether the person was genuine or not. Only Microsoft Teams (profiles are managed by IT admins) and Element.io (unique user tag) offered sufficient protection.

Real-world example: In Mattermost, three different users can create identical profiles. An external guest impersonates an internal employee and requests login credentials or a bank transfer via chat.

Protective measure: Always verify sensitive instructions in business chats via a second channel. Choose chat platforms that offer unique user identifiers. Raise employee awareness about this specific attack method.
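As an added illustration of why unique user identifiers matter (example code written for this article, not the tooling from AWARE7's study), this Python audit scans a constructed chat roster for display names that a guest account shares with an internal member, after normalizing whitespace, case and a few look-alike characters so that visually identical profiles are grouped together:

```python
import re
import unicodedata
from collections import defaultdict

# Constructed roster modelled on the finding above (not real accounts).
# Each entry: (unique username, editable display name, account type).
ROSTER = [
    ("anna.schmidt", "Anna Schmidt", "member"),
    ("guest-7731", "Anna Schmidt", "guest"),            # identical display name
    ("guest-8102", "Anna  Schmidt", "guest"),           # extra space, same on screen
    ("ext-partner-3", "\u0391nna Schmidt", "guest"),    # Greek capital alpha instead of Latin A
    ("tom.meier", "Tom Meier", "member"),
    ("jana.k", "Jana K.", "member"),
]

# Minimal look-alike table (Greek/Cyrillic letters that render like Latin ones).
# A real audit would use the full Unicode confusables data.
CONFUSABLES = str.maketrans({
    "\u0391": "A", "\u0410": "A", "\u0430": "a", "\u0435": "e",
    "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0455": "s", "\u0456": "i",
})

def normalize(display_name: str) -> str:
    """Collapse the tricks that make two display names look identical in a chat window."""
    name = unicodedata.normalize("NFKC", display_name).translate(CONFUSABLES)
    return re.sub(r"\s+", " ", name).strip().casefold()

def find_collisions(roster) -> dict:
    """Map each normalized display name shared by several accounts, at least one of
    them a guest, to the list of (username, account type) entries using it."""
    groups = defaultdict(list)
    for username, display_name, kind in roster:
        groups[normalize(display_name)].append((username, kind))
    return {name: accounts for name, accounts in groups.items()
            if len(accounts) > 1 and any(kind == "guest" for _, kind in accounts)}

def report(roster) -> list:
    """One human-readable line per collision, for the chat admins or awareness team."""
    lines = []
    for name, accounts in find_collisions(roster).items():
        members = [u for u, k in accounts if k == "member"]
        guests = [u for u, k in accounts if k == "guest"]
        lines.append(f"'{name}': members {members} share a display name with guests {guests}")
    return lines
```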


8. AI-Powered Phishing: The New Dimension

The most dangerous development in the field of phishing is the use of artificial intelligence. AI-powered phishing attacks have reached a new level of sophistication with the use of language models: These systems generate deceptively authentic, individually personalized emails that even careful users can hardly detect and that systematically bypass conventional spam filters.

GPT-3 (Generative Pre-trained Transformer 3) is a large language model that produces human-like text and can even mimic the style of a specific author. In OpenAI’s Playground, all you need to do is enter the intended recipient of a phishing email—the model then generates a plausible phishing message. This process can be fully automated via the API.

OpenAI has released an API that allows developers to utilize these features. Criminals can use it to compose and send phishing emails that are even more personalized and fully automated. Especially in combination with large-scale data breaches—which also enable the automated processing of email addresses, names, and other personal details—we can expect even more sophisticated and scalable phishing waves.

Classic telltale signs such as grammatical errors or generic salutations thus become worthless. Criminals are scaling their campaigns to an industrial level.

Real-world example: Software trained by security researchers using approximately 2 million tweets automatically generated responses to tweets with the hashtag #PokemonGo. The malicious tweets achieved click-through rates of 30% to 60%. The fact that the software did not speak perfect German or English did not detract from its success—Twitter slang works to the algorithms’ advantage.

Protective measure: Pay particular attention to the domain and the sender’s name: these are the elements an attacker still has to forge convincingly for a message to appear truly authentic. It is crucial to be aware that even a supposedly personalized email can serve a malicious purpose.


9. Phishing Toolkits: Caffeine and the Phishing-as-a-Service Model

Another driver of the rising phishing threat is the professionalization of the attackers’ infrastructure. Phishing-as-a-Service (PhaaS) makes it possible to launch ready-to-use phishing campaigns immediately without any technical expertise.

Caffeine is a Phishing-as-a-Service toolkit with one key feature: The registration process has been significantly simplified and is accessible via the regular internet—no Darknet access or Telegram channel is required. Anyone who knows the site’s address can register.

As a PhaaS, Caffeine handles much of the work for potential attackers. It includes up-to-date templates for phishing emails and the landing pages behind them—in particular, extensive templates for the Microsoft 365 environment. Interestingly, templates are available not only for major Western companies but also for Chinese and Russian companies. Mandiant has analyzed the toolkit in detail and confirmed its existence.

The price is $450 for three months; the Enterprise subscription for six months costs $850. The toolkit explicitly advertises customer support as well as various anti-detection and anti-analysis features. URLs can be dynamically generated using variables, making detection even more difficult. IP addresses or entire countries can be excluded from phishing campaigns. Payment is made with cryptocurrency—further lowering the barrier to entry.

The fact that yet another toolkit for illegal phishing activities has entered the market demonstrates just how lucrative the phishing business is. Particularly concerning is the trend that more and more potential attackers are being tempted to carry out illegal attacks due to the low barriers to entry.

Protective measure: Since phishing toolkits provide technically flawless attack email templates, technical detection features can no longer serve as the sole filter. Employees must be trained to recognize phishing patterns in the content of emails—regardless of how professional a message may appear.


10. How Companies Can Protect Themselves

No single technical measure provides complete protection against the full range of phishing methods. Effective protection is multi-layered:

Technical Measures:

  • Consistently configure email authentication (SPF, DKIM, DMARC)
  • Keep spam and phishing filters up to date
  • Implement multi-factor authentication (MFA) for all logins—MFA renders stolen login credentials largely useless to attackers
  • Use QR code scanners with URL previews
  • Prioritize chat platforms with reliable user identification
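To make the first technical measure concrete, here is an added Python audit (example code for this article, not an AWARE7 tool) that parses constructed SPF and DMARC records and flags the settings that leave a domain spoofable, next to a strict configuration that passes:

```python
# Constructed example records (not real DNS data): a monitor-only setup next to a
# strict one. In production these are read from the domain's TXT record and from
# the TXT record at _dmarc.<domain>.
WEAK_SPF = "v=spf1 include:_spf.mailer.example ?all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRICT_SPF = "v=spf1 include:_spf.mailer.example -all"
STRICT_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc-reports@example.com")

def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(record: str) -> list:
    """Findings for an SPF record; an empty list means unlisted hosts hard-fail."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    mechanisms = record.split()[1:]
    terminal = mechanisms[-1].lower() if mechanisms else ""
    if terminal in ("all", "+all"):
        return ["'+all' authorizes every host on the internet to send as this domain"]
    if terminal == "?all":
        return ["'?all' is neutral: mail from unlisted hosts is not marked as failing"]
    if terminal == "~all":
        return ["'~all' only softfails; use '-all' once every legitimate sender is listed"]
    if terminal != "-all":
        return ["no terminal 'all' mechanism, so unlisted hosts are not rejected"]
    return []

def audit_dmarc(record: str) -> list:
    """Findings for a DMARC record; an empty list means spoofed mail is rejected."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy}: failing mail is only monitored, never blocked")
    sub_policy = tags.get("sp", policy)  # subdomains inherit p unless sp is set
    if policy in ("quarantine", "reject") and sub_policy not in ("quarantine", "reject"):
        findings.append(f"sp={sub_policy}: subdomains are exempt from the {policy} policy")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports on spoofing attempts")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag}=r: any subdomain of the organizational domain passes "
                            "alignment; 's' requires an exact match")
    return findings

def audit_domain(spf: str, dmarc: str) -> list:
    """Combine both audits so one call answers: can this domain be spoofed?"""
    return [f"SPF: {f}" for f in audit_spf(spf)] + [f"DMARC: {f}" for f in audit_dmarc(dmarc)]
```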

Organizational measures:

  • Clear processes for financial transactions and requests for sensitive data: Always follow the dual-control principle and perform verification via a second channel
  • Allow and encourage employees to question instructions from supervisors
  • Implement a compliance management system that mandates these processes

Training and Awareness:

  • Regular awareness campaigns covering all methods—not just email phishing
  • Conduct phishing simulations that also cover quishing scenarios (distributed flyers, QR codes placed within the company) and chat-based attacks
  • Make it clear to employees that AI-generated phishing messages no longer contain classic spelling errors

The main reason fraudsters get away with scams like CEO fraud is that no one expects them. That is precisely the problem: employees need to know that such attacks are real and do happen—not just at large corporations, but also at small and medium-sized businesses.


11. Frequently Asked Questions (FAQ)

What is the difference between phishing and spear phishing? Phishing refers to fraudulent messages sent in bulk to many recipients at once. Spear phishing, on the other hand, is a targeted attack on a specific person or group of people—using pre-researched, personal details to make the message convincing. Click-through rates for spear-phishing are significantly higher: up to 40% for manually created attacks and up to 60% for AI-assisted attacks, compared to 5–10% for traditional mass phishing.

What is CEO fraud and who is affected by it? CEO fraud is a scam in which attackers impersonate a decision-maker—via email, phone, or even a deepfake video call. They demand money transfers or the disclosure of sensitive data. CEO fraud no longer targets only large corporations: small and medium-sized businesses are also specifically targeted because they often have fewer security barriers.

What is quishing? Quishing is phishing via QR codes. A QR code is linked to a malicious link and placed in physical form—on stickers, flyers, or on physical devices. Since QR codes have become deeply integrated into everyday life due to the COVID-19 pandemic, they appear trustworthy in a plausible context. A QR scanner with a URL preview offers protection.

What is chishing? Chishing is phishing in business chat tools such as Slack, Google Chat, or Mattermost. Attackers change their display name and profile picture to appear as other employees or known contacts. AWARE7 has demonstrated in its own study that this is easily possible on four out of six platforms examined.

How can I protect myself against AI-powered phishing? AI-generated phishing messages no longer have classic telltale signs like spelling errors. Protection comes primarily from a critical eye toward the sender’s domain and address, as well as the awareness that even messages that appear personalized can be malicious. Regular phishing simulations systematically train this vigilance.

What is Phishing-as-a-Service (PhaaS)? PhaaS is a business model in which criminals can rent ready-made phishing toolkits—including templates, hosting, anti-detection features, and support. Toolkits like Caffeine can now be booked directly on the clear web without dark web access, significantly lowering the barrier to entry. The result: more potential perpetrators, more attacks, and higher-quality templates.

What are the benefits of a phishing simulation? A phishing simulation tests how employees react in a real-world scenario—before real attackers do. Realistic scenarios uncover vulnerabilities and enable targeted retraining. Modern simulations can also replicate quishing scenarios (QR code flyers in the office) and chat-based attacks. You can find details on our Phishing Simulation page (/services/phishing-simulation/).

About the Author

Chris Wojzechowski, Managing Partner

Managing Partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the Master’s program in Internet Security at Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments of cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.
