How does a Phishing attack work?

It typically unfolds over 4 phases. It begins with: [Obtain domain name and certificate to spoof legitimate site] This optional step can be used to help the attacker impersonate the legitimate site more convincingly. The attacker can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.

How do you prevent CAPEC-98?

Do not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. A safe practice would also be to type the URL of your bank in the browser directly and only then log in. Also, never reply to any e-mails that ask you to provide sensitive information of any kind.

What weaknesses does CAPEC-98 target?

CAPEC-98 exploits 1 CWE weakness, including CWE-451 (User Interface (UI) Misrepresentation of Critical Information).

How severe is CAPEC-98?

MITRE rates CAPEC-98 as Very High severity with high likelihood of attack.

Standard attack pattern

Draft

CAPEC-98: Phishing

Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information.

Last updated June 1, 2026

Very High

Typical severity

Per MITRE

High

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

Standard

Abstraction

MITRE classification

Overview

CAPEC-98 (Phishing) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

CAPEC-98: Phishing

CAPEC-98: Phishing

Overview

CAPEC-98: Phishing

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

How to detect it

Examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-98?

How does a Phishing attack work?

How do you prevent CAPEC-98?

What weaknesses does CAPEC-98 target?

How severe is CAPEC-98?

References

Defend against CAPEC-98

Related

Overview

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

How to detect it

Examples

Related weaknesses

Related attack patterns

Parent

Child

Can precede

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-98?

How does a Phishing attack work?

How do you prevent CAPEC-98?

What weaknesses does CAPEC-98 target?

How severe is CAPEC-98?

References

Defend against CAPEC-98

Related