Phishing Content Detection

What is phishing content?

Phishing content is any user-submitted message, post, or listing that tries to trick someone into handing over credentials, payment details, or personal data. On platforms it usually arrives as a fake support reply, a too-good giveaway, or a link to a lookalike login page.

Also known as: phishing posts, credential harvesting, fake support scams.

How it works

Phishing on a platform rides on trust the platform already built. An attacker impersonates support, a payment provider, or a popular brand, then posts a comment, sends a direct message, or creates a listing that points to a fake login page. The page looks like the real one and captures whatever the victim types. Some campaigns skip the link and ask for a one-time passcode directly, claiming they need it to 'verify' an account. The text is written to create urgency: a locked account, a pending refund, a prize that expires today.

Warning signals

• Links to lookalike domains — URLs that mimic a known brand with small changes, extra words, or odd top-level domains.
• Requests for credentials or one-time codes — Any message asking for a password, PIN, or verification code is a strong flag.
• Manufactured urgency — Account locked, refund pending, prize expiring, all designed to rush a decision.
• Impersonated support or brands — Accounts posing as official help desks, often replying under real support threads.
• Shortened or obfuscated URLs — Link shorteners and redirect chains used to hide the real destination.
• Mismatched sender and claim — A 'bank' message from a free email account, or a brand reply from an account made yesterday.

Real-world examples

• A reply under a real support post saying 'DM our team to unlock your account' that links to a fake login page.
• A comment promising a refund if the user 'confirms' their card details through a form.
• A direct message claiming a prize win that asks for the one-time code just sent to the victim's phone.

Why it matters

Phishing turns a platform's own credibility into a weapon against its users. A successful campaign leads to account takeovers, drained balances, and a wave of support tickets, and the platform often gets blamed even when the attacker was an outside user. Letting phishing content sit visible also invites brand-impersonation complaints from the companies being faked.

How ModPilot detects phishing content

1. URL and pattern rules — Flag lookalike domains, known phishing hosts, link shorteners, and credential-request phrases at submission.
2. AI reads intent, not just keywords — A model scores whether a message is trying to harvest credentials even when the wording is new or the link is hidden.
3. Brand-impersonation checks — Content posing as official support or a known brand gets weighted toward review.
4. Escalation for novel campaigns — Phishing evolves fast, so uncertain or new-pattern cases route to a stronger model or a person.
5. Logged outcomes — Decisions are recorded so repeat campaigns can be matched and appeals can be answered.

Keyword blocklists lose to phishing because the attackers rewrite the wording every week. The link changes, the brand changes, the phrasing changes. What stays constant is the intent: get someone to hand over something they shouldn’t.

A model that scores intent holds up where a blocklist crumbles. It still flags a “confirm your account” message even when every specific word is one the filter has never seen.

Frequently asked questions