There are many techniques attackers use to gather personal information for phishing attacks. Here are ten of the most common:

Spear phishing: Attackers target specific individuals or groups with personalized emails that appear to be from a trusted source, such as a bank or company.

Spoofed websites: Attackers create fake websites that mimic legitimate ones to trick users into entering their personal information.

Malware: Attackers use malware, such as keyloggers or spyware, to record keystrokes and steal personal information.

Phishing kits: Attackers use pre-packaged phishing kits that include fake login pages and scripts to steal personal information.

Social engineering: Attackers use psychological manipulation to trick individuals into divulging personal information. Smishing: Attackers use text messages to trick individuals into clicking on links or entering personal information.

Vishing: Attackers use voice over IP (VoIP) technology to impersonate legitimate organizations and trick individuals into providing personal information.

Watering hole attacks: Attackers compromise legitimate websites that are frequented by their target victims and use them to deliver malware or collect personal information.

Credential stuffing: Attackers use stolen login credentials obtained from previous data breaches to gain access to personal information.

Business email compromise (BEC): Attackers impersonate a company executive or vendor to trick employees into transferring funds or providing sensitive information.

Once attackers have gathered personal information, they may create a fake website that appears to be legitimate, such as a bank or e-commerce site, and use that site to trick individuals into providing additional sensitive information. These websites may use tactics such as domain spoofing, which makes the site's URL appear to be legitimate, or SSL certificates to create the appearance of a secure connection.