The Phishing Bestiary
One con, many costumes — learn to name every creature in the swamp.
01 One Con, Many Costumes
Phishing is impersonation at scale: an attacker pretends to be someone you trust — your bank, your boss, a service you use — to make you hand over credentials, money, or access. The core con never changes. What changes is the costume and the channel. Field guide:
| Species | Channel | Distinguishing marks |
|---|---|---|
| Phishing | Mass email | Generic bait sent to thousands; wins on volume |
| Spear phishing | Targeted email | Personalized using research on you — your projects, vendors, colleagues |
| Whaling | Targeted email | Spear phishing aimed at executives and other big fish |
| BEC | Email, often a real hijacked thread | No malware, no link — just a fraudulent payment or payroll-change request |
| Smishing | SMS | Fake delivery notices, toll fees, bank alerts with a link |
| Vishing | Voice call | Live human (or AI voice) applying real-time pressure |
| Quishing | QR code | Malicious QR in email, on a poster, or stickered over a real one |
| Consent phishing | OAuth prompt | A malicious app asks you to grant it account permissions — no password stolen, none needed |
Taxonomy matters because each species dodges different defenses. Email filters never see a vishing call. Password rules don't stop consent phishing. Knowing the bestiary tells you where your blind spots are.
02 BEC: The Quiet Billion-Dollar Crime
Business email compromise is phishing's most profitable species, and the least cinematic. No malware. Often no link. Just an email that convincingly asks the finance team to pay an invoice or update a vendor's bank details. The FBI's Internet Crime Complaint Center has ranked BEC among the costliest cybercrimes for years, with reported losses running to billions of dollars annually.
The masterclass: between 2013 and 2015, a Lithuanian man named Evaldas Rimasauskas stole over 120 million dollars from Google and Facebook — two of the most technically sophisticated companies on Earth. His method was almost insultingly simple. Both companies genuinely did business with Quanta Computer, a Taiwanese hardware maker. Rimasauskas registered a company in Latvia with the same name, then sent forged invoices, contracts, and letters that looked like the real vendor's. The tech giants' accounts-payable teams wired the money. He was arrested in 2017, extradited, pleaded guilty in 2019, and got five years.
Also 2015: networking company Ubiquiti disclosed in an SEC filing that impersonation fraud against its finance department had moved 46.7 million dollars to overseas accounts. Attackers posed as executives and a lawyer handling a confidential deal. Only part of the money came back.
03 Case File: The Twitter Teen
On July 15, 2020, the Twitter accounts of Barack Obama, Joe Biden, Elon Musk, Bill Gates, Apple, and dozens of other blue-check giants all tweeted the same thing: send bitcoin to this address and get double back. It was, obviously, a scam — and it netted over 100,000 dollars in a few hours before Twitter locked down verified accounts sitewide.
The breach behind it wasn't an exploit. It was phone spear phishing. Attackers called Twitter employees posing as internal IT staff, directed them to a fake login portal, and captured credentials — eventually reaching employees with access to internal administration tools. From there they could reset the email on some of the platform's most powerful accounts and take them over outright.
The mastermind, Graham Ivan Clark, was seventeen years old. A Florida teenager, working with a small crew, socially engineered his way into one of the world's most scrutinized platforms. He pleaded guilty in 2021 and received a three-year sentence.
Two lessons. First, vishing works against tech companies, not just grandparents — a convincing "IT help desk" call is devastating anywhere. Second, internal tools are crown jewels: once an attacker is holding an admin panel, every downstream security feature belongs to them. The human perimeter and the technical perimeter are the same perimeter.
04 The New Costumes: Smishing, Quishing, Consent Phishing
As email filtering improved, phishing migrated to channels with weaker immune systems.
Smishing exploits the trust gap on your phone: SMS has no sender authentication worth mentioning, links are shortened and hard to inspect, and you're usually reading them while distracted. Fake package-delivery fees, unpaid-toll notices, and "is this your bank charge?" texts dominate because they're cheap and they convert.
Quishing hides the destination entirely. A QR code is an unreadable-to-humans link, which makes it perfect camouflage — in a fake "scan to verify your account" email, on a parking meter, or as a sticker slapped over a restaurant's legitimate menu code. Your phone happily decodes it and offers you the hook.
Consent phishing is the connoisseur's move: instead of stealing your password, a malicious app asks you to grant it access through a legitimate OAuth permission screen — "This app would like to read your email and files." Click accept and the attacker holds a valid token that survives password changes and often sails past MFA. The 2017 "Google Docs" worm spread exactly this way, tricking users into authorizing a fake app named Google Docs that then mailed itself to their contacts.
05 Red Flags That Survive Good Fakes
Old-school advice — hover the link, hunt for typos — fails against modern attacks. Lookalike domains can be near-perfect, grammar is now flawless (thank the LLMs), and a hijacked real account has no spoofed anything. So anchor on the flags that survive even a technically perfect fake, because they live in the request itself:
- The ask involves money, credentials, or access. Every phish ultimately converges here. Treat this category of request as radioactive regardless of who's asking.
- Urgency plus consequences. Act now or lose the account, the deal, the refund. Manufactured deadlines are the con's fingerprint.
- Secrecy. "Keep this confidential" or "don't loop in anyone else" exists to disable your verification instincts. Legitimate business rarely fears a second pair of eyes.
- A channel or process switch. An email asking you to continue on WhatsApp, a text asking you to call a new number, an invoice with suddenly different bank details. Breaking the established channel breaks your audit trail.
- Unsolicited resolution. You didn't report a problem, but someone's calling to fix one. Real support doesn't cold-call.
None of these flags requires you to out-tech the attacker. They only require you to notice what's being asked — and to verify through a channel you choose before acting. That habit, out-of-band verification, gets a full treatment in module four.
⌘ Field Glossary
- Phishing
- Mass impersonation attacks, classically by email, that trick recipients into surrendering credentials, money, or access. The parent species of the whole bestiary.
- Spear phishing
- Phishing personalized with research about the specific target — their role, projects, colleagues, and vendors — trading volume for dramatically higher success rates.
- Business email compromise (BEC)
- Malware-free email fraud that manipulates employees into sending payments or changing bank details, often by impersonating executives or real vendors.
- Vishing
- Voice phishing: live phone calls, increasingly AI-assisted, in which attackers impersonate IT support, banks, or authorities to apply real-time pressure.
- Quishing
- Phishing via QR codes, which hide the destination URL from human inspection — in emails, on posters, or stickered over legitimate codes.
- Consent phishing
- Tricking a user into granting a malicious app OAuth permissions to their account, yielding a valid access token without stealing a password.
Knowledge Check
Field Assessment
01 What made the Rimasauskas scam against Google and Facebook work?
02 Why is consent phishing especially dangerous compared to classic credential phishing?
03 Which red flag remains reliable even when an attack has perfect grammar, a flawless design, and comes from a genuinely compromised real account?