Phacking

Phacking is a term used in cybersecurity to describe the practice of using phishing techniques as part of a broader hacking operation to gain unauthorized access to accounts, data, or systems. The term is a portmanteau of phishing and hacking and is used in some communities to emphasize the criminal and technical aspects of credential theft. Not all sources distinguish phacking from phishing; some use phacking to denote phishing campaigns conducted as part of a larger intrusion.

Methods: Phacking typically involves social engineering combined with technical tricks. Common vectors include email phishing with credential harvesting pages, SMS or voice phishing (smishing and vishing), social media outreach, and fake apps or software updates. Attackers may use cloning or typosquatted domains, OAuth consent phishing, or embedded malware in attachments or links. Phishing kits and phishing-as-a-service platforms lower barriers for novice criminals and enable rapid deployment of campaigns.

Tactics and objectives: The goal is to harvest usernames and passwords, tokens, or other sensitive data, or to install malware to establish persistent access. Techniques include credential harvesting forms, MFA fatigue, credential stuffing, and indirect data exfiltration.

Defenses: Organizations promote awareness training, simulated phishing campaigns, and robust authentication practices such as multi-factor authentication and hardware keys. Email security with DMARC, DKIM, and SPF helps reduce spoofing. User education on red flags, such as unsolicited requests, urgent language, mismatched domains, and unfamiliar sender addresses, complements technical controls.

Legal and ethical considerations: Phacking is illegal in many jurisdictions and can violate computer misuse laws and data protection regulations; perpetrators face criminal charges, civil liability, and sanctions.
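
An added example for the Defenses paragraph (not part of the original page): an offline audit of SPF and DMARC TXT records that flags settings too weak to reduce spoofing. The function names and the sample records under reserved `.example` names are constructed for illustration.

```python
def parse_tags(record):
    """Split a DMARC record such as 'v=DMARC1; p=none' into a tag dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}


def audit_dmarc(record):
    """Return findings for a DMARC TXT record; an empty list means none."""
    tags = parse_tags(record or "")
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record: receivers have no policy for failing mail"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: no quarantine or reject is requested")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports to reveal spoofing attempts")
    return findings


def audit_spf(record):
    """Return findings for an SPF TXT record; an empty list means none."""
    terms = (record or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["no SPF record: receivers cannot check the sending host"]
    qualifier = next((t for t in terms[1:] if t.lstrip("+-~?") == "all"), None)
    if qualifier is None and any(t.startswith("redirect=") for t in terms[1:]):
        return []  # policy lives in the redirect target, which is not audited here
    if qualifier in (None, "?all"):
        return ["no 'all' or ?all: unlisted senders get a neutral result"]
    if qualifier in ("all", "+all"):
        return [f"{qualifier}: every host passes SPF for this domain"]
    return []  # ~all (softfail) and -all (fail) both reject unlisted senders


# Constructed sample records: (SPF TXT, DMARC TXT) per domain, not real data.
SAMPLES = {
    "weak.example": ("v=spf1 include:_spf.weak.example +all", "v=DMARC1; p=none"),
    "strict.example": ("v=spf1 ip4:192.0.2.0/24 -all",
                       "v=DMARC1; p=reject; rua=mailto:r@strict.example"),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        for finding in audit_spf(spf) + audit_dmarc(dmarc):
            print(f"{domain}: {finding}")
```

In practice the two strings per domain come from TXT lookups on the domain itself (SPF) and on `_dmarc.<domain>` (DMARC); DKIM is not covered because its records live under per-sender selector names.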