Phishing for Information is classified under the reconnaissance tactic in the MITRE Fight Fraud Framework (F3). It covers any electronically delivered social engineering attack designed to extract credentials, one-time passcodes, or other sensitive data from a target.
Unlike phishing attacks aimed at getting a user to execute malicious code, Phishing for Information focuses entirely on data extraction. The technique spans four main delivery channels:
| Channel | Common Name | Primary Goal |
|---|---|---|
| Phishing / Spear-phishing | Credential harvesting at scale or targeted | |
| SMS | Smishing | Click on shortened malicious link |
| QR code | Quishing | Redirect to fraudulent site |
| Voice / voicemail | Vishing | Real-time credential or OTP extraction |
How do attackers execute Phishing for Information?
Fraud actors combine technical and psychological tools to make attacks convincing:
- Pretext: Impersonating a bank, payment provider, help desk, or vendor creates a believable scenario.
- Urgency: Account lockout or security alert messages pressure victims into acting without thinking.
- Spoofing: Email spoofing, look-alike domains, shortened SMS links, and caller-ID spoofing make the source appear legitimate.
- Header manipulation: Altering message headers, sender IDs, or phone numbers helps bypass security filters.
What is the difference between Phishing and Phishing for Information in F3?
In the F3 taxonomy, these are distinct techniques. Phishing targets the execution of malicious code or payloads on the victim's device. Phishing for Information targets the extraction of data (credentials, OTPs, account details) through deception, without requiring the victim to run anything.
This distinction matters for defenders: detection logic and training scenarios need to be calibrated to the goal of the attack, not just the channel.
Key takeaways
- Phishing for Information maps to the Reconnaissance tactic in MITRE F3.
- It covers four channels: email, SMS (smishing), QR code (quishing), and voice (vishing).
- The goal is data extraction, not code execution; this distinguishes it from standard phishing in F3.
- Attackers use urgency, impersonation, and technical spoofing to increase success rates.
- Employees who handle sensitive data, credentials, or customer accounts are primary targets.
What is MITRE Fight Fraud Framework™ (F3)?
The MITRE Fight Fraud Framework (F3) is a curated knowledge base of tactics, techniques, and sub-techniques used by fraud actors in cyber-based financial fraud incidents. Developed by MITRE's Center for Threat-Informed Defense in collaboration with FS-ISAC, JPMorganChase, and Lloyds Banking Group, it provides a common language for fraud-fusion teams to describe, detect, and prevent financial fraud. F3 is modeled after MITRE ATT&CK® and focuses on banking institutions as its initial scope.
