Phishing is not new.
We have been talking about fake emails, fake login pages, scam links, fake bank messages, fake delivery SMS messages, and social engineering for many years. But the problem is still here. Actually, it is getting bigger, faster, and more personal.
Today, a scam can reach anyone in seconds.
A phishing link can come from an email, a WhatsApp message, a Telegram group, a fake job offer, a QR code, a PDF file, a social media ad, or even a simple comment under a post. APWG reported more than 1 million phishing attacks in Q1 2025, the highest number since late 2023, and also noted that criminals are sending millions of QR-code phishing emails that lead people to phishing sites and malware. (APWG)
This is the simple truth:
The internet is open. And because it is open, scams are always one click away.
That openness is beautiful. It is the reason we can build, share, learn, and connect with people all around the world. But it also means that anyone can buy a domain, create a fake page, get a certificate, and start attacking people very quickly.
And this is why phishing is still one of the biggest problems on the internet.
The old solutions are not enough anymore
Most companies still work with threat intelligence feeds, blocklists, and reputation systems.
The idea is simple: if a website is known as phishing, add it to a list and block it later.
This works sometimes. But phishing is no longer that slow.
A phishing website can live for only a few hours. In one 2025 academic study, researchers found that phishing websites had a median lifespan of only 5.46 hours, while Google Safe Browsing detected only 18.4% of the phishing websites in their dataset and took 4.5 days on average to detect them. The same study also found that many phishing sites were already taken down before they were detected by the blocklist. (7 Days Later: Analyzing Phishing-Site Lifespan After Detected)
This is a very important point.
If the attack is alive for hours, but the defense reacts in days, then many users are already exposed.
This is why blacklist-only protection is not enough.
It is not useless. It still has value. But it is not enough for modern phishing.
Attackers know how to hide
Another problem is evasion.
Attackers do not always show the same page to everyone. They can show the real phishing page only to the victim and show a clean page to security tools.
This is called cloaking.
A phishing website can behave differently depending on:
- the country of the visitor,
- the device type,
- the browser,
- the IP address,
- the time of day,
- whether the visitor looks like a real human or a security crawler.
Recent academic work also supports this need for more adaptive detection systems. For example, the PhishParrot paper on arXiv shows that phishing sites can use cloaking to display the real malicious page only to selected users, while showing clean content to security crawlers. In their 21-day evaluation, the researchers showed that an adaptive crawling approach improved detection accuracy by up to 33.8% compared to standard analysis systems (PhishParrot: LLM-Driven Adaptive Crawling to Unveil Cloaked Phishing Sites). For me, this is a strong signal: static and one-size-fits-all detection is not enough anymore. We need systems that can adapt to how attackers hide, change, and selectively expose their phishing pages.
So when someone asks, "Why is phishing still not solved?", this is one of the answers.
Because attackers do not just create fake pages.
They create fake pages that hide.
Machine learning helped, but it did not fully solve the problem
After blacklist systems started to become too slow, many researchers and companies moved to machine learning.
This made sense.
Instead of asking only "Is this URL already known?", machine learning asks a better question:
"Does this URL look suspicious?"
This is useful. But it also brings another problem: false positives.
If a security product blocks a safe website, people lose trust in it. In a company, this also creates operational pain. Security teams become slower. Employees get annoyed. Analysts waste time checking alerts that should not exist.
I also saw this problem directly while building the first version of PhiShark.
The first version of PhiShark was based on machine learning. And honestly, it helped us understand the problem much better.
The biggest lesson was simple:
Data, data, data.
With machine learning, you are always dependent on data. But in phishing, the data changes every second. A new scam type can appear tomorrow. A new domain pattern can become popular. A new fake brand campaign can start. A new cloaking trick can make your old dataset less useful.
And then you face a very hard question:
Which data should you trust?
Which data should you use for training?
Which old samples are still useful?
Which old samples are now misleading?
How do you keep the model updated without making it noisy?
How do you avoid being crushed under your own historical data?
This is much harder than it looks.
Because phishing is not a static problem. It moves. It changes. It adapts.
That is why, from the beginning, I felt that a phishing product needs more than only a trained model. It needs intelligence.
It needs a system that can look at new signals, understand context, connect different pieces of evidence, and make a decision closer to how a human analyst thinks.
And for us, this became much more possible with an agentic architecture.
I will write about this in more detail in future posts, but this was one of the biggest turning points for PhiShark.
This is why phishing detection is difficult.
If you are too soft, you miss attacks. If you are too aggressive, you block normal life.
A good phishing product needs balance. It needs to be fast, but not noisy. It needs to protect people, but not break their daily internet usage.
Phishing is not only a technical problem
When we look at cybersecurity products, we see many tools for endpoint security, cloud security, identity security, SIEM, SOAR, network security, and threat intelligence.
But when we look at phishing protection for normal people, the options are still limited.
Why?
Because phishing is not only a technical problem.
It is a human problem.
CISA describes social engineering as an attack where the attacker uses human interaction to obtain or compromise information. In simple words, attackers do not always hack the system. Sometimes they hack trust. (CISA)
And this is much harder.
Because humans are emotional. We get tired. We hurry. We panic. We trust familiar brands. We trust messages that look urgent. We click when something looks normal.
A software vulnerability can be patched.
But how do you patch fear? How do you patch stress? How do you patch a parent who receives a fake school payment link? How do you patch an elderly person who receives a fake bank SMS?
This is why phishing is still powerful.
Training is useful, but training alone is not enough
For a while, many companies focused on phishing awareness training.
And yes, training is important.
Employees should learn what a phishing email looks like. They should understand fake domains, urgent language, suspicious attachments, and fake login pages.
But training alone cannot be the full solution.
Because attackers do not only target employees.
They can target their families, friends, partners, parents, or children.
Today, because of social media, almost everyone is reachable. Our lives are public. Our jobs, schools, friends, family members, locations, and daily habits are easier to find than ever before.
This means attackers can move around us.
Maybe they cannot reach the employee directly. So they reach someone close to that person. And then the attack comes from a trusted direction.
This is why I believe phishing protection should not only live inside companies.
It should also protect people in normal life.
The people most at risk are often the least protected
This part is very important to me.
Most cybersecurity tools are built for experts.
They have dashboards, alerts, risk scores, logs, policies, integrations, and complex settings.
That is fine for a SOC team.
But what about a child?
What about an elderly person?
What about someone who just wants to open a delivery message?
What about someone who scans a QR code at a restaurant?
The FBI's 2024 internet crime data showed that people in the U.S. lost more than $16 billion to scams and cybercrime in 2024. People aged 60 and older filed more than 147,000 complaints and reported $4.8 billion in losses. Phishing or spoofing was one of the top complaints for seniors. (Axios)
This tells us something very clearly:
The people who need protection are not only companies.
Normal people need protection too.
Families need protection. Parents need protection. Children need protection. Elderly people need protection.
And the solution must be simple enough for them.
This is why we built PhiShark
At PhiShark, we started with a simple idea:
What if phishing protection could be closer to the user?
Not only inside the company network.
Not only inside an enterprise dashboard.
Not only after a URL is already reported.
But directly where people click.
This is why we built the PhiShark browser extension.
The goal is simple:
Before someone clicks a dangerous link, PhiShark should help them understand the risk.
We wanted to make it useful not only for security teams, but also for normal internet users. Because phishing does not only happen in corporate email anymore.
It happens in PDFs. It happens in QR codes. It happens in messages. It happens in fake invoices. It happens in fake delivery pages. It happens in fake government forms. It happens in fake social media login pages.
APWG also warned that QR-code phishing became a serious channel, with criminals sending millions of emails containing QR codes that lead people to phishing sites and malware. (APWG)
So we designed PhiShark to check more than just a simple URL.
We want it to look at links inside emails. We want it to analyze PDFs. We want it to check QR codes. We want it to protect people before the mistake happens.
We need tools that think more like human analysts
A human analyst does not only ask one question.
They do not only ask:
"Is this URL in a blacklist?"
They ask many small questions:
Why does this domain look strange? When was it created? What certificate does it use? Where is it hosted? Does the page look like a login page? Is it copying a known brand? Is there suspicious redirection? Is the website hiding from crawlers? Is it active only in one country? Does it behave differently on mobile?
This is the direction we want for PhiShark.
We want to build a system that looks at many signals together.
Not just one signal.
Not just a blacklist.
Not just a score.
But a real analysis.
A system that can say:
"This looks suspicious, and here is why."
That "why" is important.
Because trust is important.
People should not only see a red warning. They should understand the reason behind it.
Why this area needs more attention
I still believe phishing is one of the most underestimated problems in cybersecurity.
Many people still think phishing means bad emails with spelling mistakes.
But modern phishing is much better than that.
The pages look real. The messages are personal. The timing is smart. The domains look believable. The attacks move fast. The attackers hide from security tools.
Even Verizon's 2026 DBIR notes that mobile devices are becoming a stronger target, with mobile threats getting higher click rates than traditional email threats. (Verizon)
So phishing is not staying in the old email inbox.
It is moving into our daily life.
And our protection needs to move with it.
This is the story behind PhiShark
So this is why I started building PhiShark.
Not because phishing is a new problem.
But because it is still not solved.
And I believe the current solutions are not simple enough, fast enough, and close enough to real people.
We need tools that can protect companies.
But we also need tools that can protect parents, children, elderly people, students, small business owners, and anyone who uses the internet.
We need faster validation.
We need better detection.
We need less noise.
We need phishing protection that works in real life.
This blog will be my place to write about that.
I will share what I see from research, from the industry, from real phishing examples, and from building PhiShark.
Phishing is a big problem.
But I believe we can build better tools against it.
Stay safe.
Download PhiShark.
And if you message me directly on LinkedIn, I will give you 3 months of professional access. :D
Best, Furkan.