Direct answer
Where can defenders detect phishing earliest? Often in CT logs, URLScan submissions, suspicious registrations, shortlink redirects, public ad/search surfaces, and active OSINT chatter before victim reports arrive.
Preparation
Attackers register or compromise domains, obtain certificates, configure redirects, reuse kits, prepare ads or messages, and test pages before broad delivery. Certificate Transparency, URLScan, DNS, app stores and public chatter often reveal this phase.
Delivery and trust borrowing
Email, SMS, sponsored ads, search results, fake apps, social profiles and support pages carry the lure. The message is shaped by local language, current events, target brand and expected payment or login journey.
Capture and cash-out
The landing page collects credentials, sessions, OTPs, payment details, IBAN transfers, card data, crypto wallets or callback contact. This is where mule routes, phone numbers and handles become as important as domains.
Reuse
Kits, favicons, JS, panel paths, redirectors, certificates, ASNs, senders and mule routes repeat. Reuse is what turns indicators into campaign and operator-style intelligence.
How PhishNet uses this
Inside PhishNet this topic is treated as operational graph context: observations are linked to sources, evidence, Belgian relevance, confirmation state, liveness, campaigns and exports. Public pages explain the method; authenticated users can pivot into the full platform workflow when a signal needs investigation or handoff.
Selected sources and research
These pages combine PhishNet platform knowledge with public research, official Belgian sources and open OSINT documentation.
Common questions
Where can defenders detect phishing earliest?
Often in CT logs, URLScan submissions, suspicious registrations, shortlink redirects, public ad/search surfaces, and active OSINT chatter before victim reports arrive.
Why model the full chain?
Because takedown, blocking, evidence preservation and investigation require different artifacts at different points in the chain.