What Is Phishing and How to Spot It Before You Click
Phishing is a social engineering attack that tricks you into doing something the attacker wants. Usually that something is entering your password on a fake site, sending money to a fraudulent account, or installing malware that pretends to be a legitimate file. The attack relies on impersonation: the message looks like it comes from your bank, your boss, your delivery service, your coworker. It looks legitimate enough that you act on it without checking.
That's the short version. The longer version requires understanding how phishing has evolved from obvious "Nigerian prince" emails into messages that can fool security professionals on a bad day. The attack has become more sophisticated. The defenses have to be more deliberate.
I've spent two decades reviewing phishing campaigns aimed at companies I worked for. The volume is staggering. The quality has improved every year. The most effective attacks aren't the ones that look obviously fake. They're the ones that look exactly right.
How phishing works
The attacker sends you a message that appears to come from a trusted source. The message has a hook: an urgent reason for you to act quickly. Your account has been compromised. A package can't be delivered. An invoice needs to be paid. A document is waiting for you to review.
The message contains a link or an attachment. The link goes to a site that looks like the real one but is controlled by the attacker. The attachment is a file that runs malicious code when opened.
If you click the link, you land on a page that mimics the real service. You enter your username and password. The attacker captures both. They might pass them through to the real service so the login appears to succeed and you don't notice anything wrong. Behind the scenes, they now have your credentials and use them to access your real account.
If you open the attachment, it might be a Word document with macros, a PDF with embedded code, or an executable disguised as something innocuous. The malicious code runs, often quietly, and gives the attacker some form of access to your computer.
The whole attack depends on you trusting the message. Modern phishing is a craft of building that trust through visual fidelity, contextual relevance, and social pressure. The technical part is mostly trivial. The deception is the work.
Why phishing works
Phishing succeeds because it targets human psychology, not technical vulnerabilities. The attacker isn't breaking your computer. They're convincing you to give them what they want.
The psychological levers are predictable. Authority: messages that appear to come from someone you respect or fear (your bank, the IRS, your CEO) get treated more seriously. Urgency: messages that demand immediate action prevent careful evaluation. Fear: messages that warn of consequences if you don't act push you to act first and think later. Helpfulness: messages from coworkers asking for a small favor exploit the social norm of helping colleagues.
These levers work on humans because we're wired to trust signals that have been reliable in the past. Most messages from your bank really are from your bank. Most urgent requests really are urgent. Most coworker emails really are from coworkers. Phishing attacks parasitize that trust.
The FBI's Internet Crime Complaint Center reported $52 million in losses from phishing and related social engineering attacks in 2024, and that number reflects only what gets reported. The actual total is much higher. Phishing is the most common attack vector against consumers and businesses, by a wide margin.
The reason it stays the most common is that it works. Defenses against technical attacks have improved enormously over the past two decades. Defenses against social engineering have not, because the target is human cognition, which doesn't get patched.
The main types of phishing
The attack has subcategories that target different victims with different methods.
Email phishing is the original and still the most common. Mass emails sent to large lists, hoping a small percentage of recipients click. The messages tend to be generic ("your account has been suspended") because they have to work on millions of inboxes simultaneously.
Spear phishing is targeted. The attacker researches a specific person and crafts a message just for them. Spear phishing emails reference real coworkers, real projects, real contexts. They're harder to detect because the details check out. Spear phishing is the method used in most high value attacks: corporate breaches, executive compromises, and campaigns against journalists and activists.
Whaling is spear phishing aimed specifically at executives. The targets have access to the most valuable resources, so attackers invest more effort in convincing them.
Smishing is phishing via SMS. Texts claiming to be from your bank, your delivery service, your tax agency. The link in the text leads to a fake site optimized for mobile screens, where it's harder to verify URLs.
Vishing is phishing via voice calls. Someone calls claiming to be from Microsoft support, your bank's fraud department, the Social Security Administration. They walk you through a process that ends with you giving them remote access to your computer or transferring money.
Quishing is phishing via QR codes. The attacker prints QR codes that look like they belong on a parking meter, a restaurant table, an event poster. Scanning the code opens a phishing page on your phone, where URL inspection is even harder than on desktop.
Business email compromise is the variant where the attacker compromises (or convincingly impersonates) a real business email account, then uses it to send fraudulent payment requests to employees, vendors, or customers. The FBI reports BEC as one of the highest dollar value scams, with single incidents in the millions.
Each variant uses the same fundamental technique (impersonation plus a hook plus a payload) but adapts to the medium and the target.
How modern phishing pages work
The fake page that captures your credentials is more sophisticated than it used to be. Attackers run frameworks like Evilginx that operate as transparent proxies. Your browser is connected to the phishing page, and the phishing page is connected to the real site. Everything you do passes through.
You enter your password. The proxy forwards it to the real site. The real site sends back a 2FA prompt. The proxy forwards that to you. You enter your 2FA code. The proxy forwards it to the real site. The real site logs you in and sends back the session cookie. The proxy captures the cookie and now has an authenticated session.
This attack defeats most forms of 2FA. Authenticator app codes are valid at the moment of theft. SMS codes are valid at the moment of theft. Even biometric prompts can be relayed in real time. The only defense that works against this attack is hardware keys (FIDO2/WebAuthn), because the cryptographic signature is bound to the actual domain. The fake domain doesn't get a valid signature, no matter how convincing the page looks.
This is why hardware keys matter for high value accounts. Authenticator apps are good against the typical credential phishing attack, but they fail against real time proxy phishing. Hardware keys don't.
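The two logins described above, played out in code, as an added example that is not part of the original article and not code from Evilginx or any FIDO library. It uses stand-ins: HMAC-SHA256 with a per-credential secret replaces the authenticator's asymmetric signature, and the origins, challenge and cookie values are constructed. The mechanism it models is the real one: the browser writes the origin it is actually connected to into the signed client data, and the real site rejects any origin that is not its own, so an assertion produced on the lookalike domain fails even when the proxy relays it unmodified, while a one-time code carries no origin and relays fine.

```python
"""Why a transparent proxy can relay a one-time code but not a WebAuthn assertion.

Added example; not code from the article, from Evilginx, or from any FIDO
library. Stand-ins (assumptions): HMAC-SHA256 with a per-credential secret
replaces the authenticator's asymmetric signature; origins, challenges and
cookies are constructed values.
"""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.bank.example"           # constructed
PROXY_ORIGIN = "https://login.bank-secure.example"   # constructed lookalike run by the proxy


class Authenticator:
    """Stand-in for a hardware key: one secret per credential."""

    def __init__(self):
        self.keys = {}

    def make_credential(self, cred_id: str) -> bytes:
        self.keys[cred_id] = secrets.token_bytes(32)
        return self.keys[cred_id]

    def sign(self, cred_id: str, challenge: str, browser_origin: str):
        # The browser, not the user, fills in the origin: it is the origin of the
        # page that called WebAuthn, i.e. the site the browser is really talking to.
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin},
                                 sort_keys=True)
        sig = hmac.new(self.keys[cred_id], client_data.encode(), hashlib.sha256).digest()
        return client_data, sig


class RelyingParty:
    """The real site: issues challenges and verifies assertions."""

    def __init__(self, origin: str):
        self.origin = origin
        self.credentials = {}
        self.pending = set()

    def register(self, cred_id: str, key: bytes):
        self.credentials[cred_id] = key

    def new_challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def verify_assertion(self, cred_id: str, client_data: str, sig: bytes):
        """Return a session cookie on success, None on failure."""
        data = json.loads(client_data)
        if data["challenge"] not in self.pending:
            return None
        self.pending.discard(data["challenge"])          # challenges are single use
        if data["origin"] != self.origin:                # the check the proxy cannot pass
            return None
        expected = hmac.new(self.credentials[cred_id], client_data.encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None
        return "session=" + secrets.token_hex(8)


def login_direct(rp, auth, cred_id):
    """The user's browser is on the real site."""
    challenge = rp.new_challenge()
    client_data, sig = auth.sign(cred_id, challenge, rp.origin)
    return rp.verify_assertion(cred_id, client_data, sig)


def login_through_proxy(rp, auth, cred_id):
    """The proxy fetches the real challenge and relays the assertion byte for byte."""
    challenge = rp.new_challenge()                                  # obtained from the real site
    client_data, sig = auth.sign(cred_id, challenge, PROXY_ORIGIN)  # browser is on the fake domain
    return rp.verify_assertion(cred_id, client_data, sig)           # unmodified relay still fails


def otp_check(server_code: str, code_typed_on_any_page: str) -> bool:
    """A one-time code carries no origin, so a relayed code verifies like a direct one."""
    return hmac.compare_digest(server_code, code_typed_on_any_page)


def demo() -> dict:
    rp, auth = RelyingParty(REAL_ORIGIN), Authenticator()
    rp.register("cred-1", auth.make_credential("cred-1"))
    return {
        "webauthn_direct": login_direct(rp, auth, "cred-1") is not None,
        "webauthn_proxied": login_through_proxy(rp, auth, "cred-1") is not None,
        "otp_relayed": otp_check("482913", "482913"),    # constructed code
    }


if __name__ == "__main__":
    print(demo())   # {'webauthn_direct': True, 'webauthn_proxied': False, 'otp_relayed': True}
```

The proxy cannot repair the relayed assertion by rewriting the origin field, because the signature covers the whole client data and the key never leaves the authenticator. Real WebAuthn adds a second layer the model omits: credentials are scoped to the relying party ID, so a page on another domain is not even allowed to ask the authenticator for that credential.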
The visual quality of phishing pages has also improved. Attackers can clone any login page in minutes by saving the HTML and tweaking the form action. The cloned page looks pixel identical because it is the same page, just hosted somewhere else. The only visible difference is the URL, which most people don't check carefully.
The signs that something is phishing
Despite the sophistication, most phishing attacks have detectable signs. The signs are easier to see when you know what to look for.
The sender address doesn't match the claimed sender. An email claiming to be from PayPal might come from "service@paypa1.com" with a digit one substituted for the lowercase L. Or from a Gmail address that has the word "paypal" in the local part. Hover over the sender name in your email client to see the actual address.
The URL doesn't match the legitimate site. Phishing URLs use lookalike domains (paypa1.com instead of paypal.com), subdomains (paypal.attacker.com), or path tricks (attacker.com/paypal). The address bar shows the full hostname; the part that matters is the registered domain, the name right before .com, .org or similar (paypal.com in accounts.paypal.com). Find that part and check it before entering credentials.
The message has urgency that doesn't fit. Real organizations rarely demand action within hours. If your bank really detected fraud, they'd lock the card and call you, not email you a link to "verify within 24 hours."
The message asks for information the real organization wouldn't request via that channel. Banks don't ask for your password by email. The IRS doesn't ask for Social Security numbers via text. Customer support doesn't ask for your 2FA codes.
The grammar or phrasing feels off. Modern phishing is often well written, but some attacks still have awkward translations or ESL constructions.
The link target doesn't match the link text. The text says "https://chase.com" but the actual link goes somewhere else. Hover over the link without clicking to see the target URL.
The attachment is unexpected. Real organizations don't usually send attached invoices or documents out of nowhere. If you weren't expecting a file, treat it as suspicious.
The request is unusual for the relationship. Your CEO doesn't normally email you about gift cards. Your bank doesn't normally need you to re-enter your information through a link. Anomalies in patterns of communication are signals.
None of these signs is definitive on its own. Sophisticated attacks work hard to avoid each one. But most phishing fails on at least one of these dimensions, which gives you something to check.
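Three of the signs above (sender address vs. display name, link text vs. real target, and the registered domain of every target vs. the one you expect) can be checked mechanically. The following is an added example, not code from the original article, that runs those checks over a constructed message built from the lookalike patterns in the text. It assumes a tiny hard-coded suffix list in place of the real Public Suffix List and a small sample of confusable-character substitutions; a production checker would use the full list and a full confusables table.

```python
"""Phishing-sign checker over a constructed message (added example, not from the article).

Assumptions: PUBLIC_SUFFIXES stands in for the real Public Suffix List and
CONFUSABLES is a small sample of character swaps, not a complete table.
"""
import re
from urllib.parse import urlparse

PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}          # assumption: stand-in list
CONFUSABLES = {"1": "l", "0": "o", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registered_domain(host: str) -> str:
    """'mail.paypal.com' -> 'paypal.com'; 'login.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):                        # two-label suffixes (co.uk) before one-label (com)
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def normalize(domain: str) -> str:
    """Undo common character swaps so 'paypa1.com' compares equal to 'paypal.com'."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def parse_sender(header: str):
    """Split 'PayPal <service@paypa1.com>' into ('PayPal', 'service@paypa1.com')."""
    m = re.match(r'\s*(?:"?([^"<]*?)"?\s*)?<([^>]+)>\s*$', header)
    if m:
        return (m.group(1) or "").strip(), m.group(2).strip()
    return "", header.strip()


def check_domain(host: str, expected: str, brand: str):
    """Return None if host belongs to the expected registered domain, else a finding."""
    reg = registered_domain(host)
    if reg == expected:
        return None
    if normalize(reg) == normalize(expected):
        return f"lookalike domain {reg!r} (character substitution for {expected!r})"
    if brand in host.lower():
        return f"brand name in a subdomain of {reg!r}, which is not {expected!r}"
    return f"unexpected registered domain {reg!r}"


def check_message(msg: dict, expected: str, brand: str) -> list:
    """Run the sender and link checks; an empty list means no sign fired."""
    findings = []
    display, address = parse_sender(msg["from"])
    problem = check_domain(address.rsplit("@", 1)[-1], expected, brand)
    if problem:
        findings.append(f"sender shows {display!r} but address is {address!r}: {problem}")
    for text, href in msg["links"]:
        target = urlparse(href)
        host = target.hostname or ""
        # Sign: the visible text is itself a URL whose host differs from the real target.
        if text.lower().startswith("http") and urlparse(text).hostname != host:
            findings.append(f"link text {text!r} but target is {href!r}")
        problem = check_domain(host, expected, brand)
        if problem:
            if brand in target.path.lower():
                problem += f" (brand name only appears in the path {target.path!r})"
            findings.append(f"link {href!r}: {problem}")
    return findings


# Constructed messages reusing the lookalike patterns from the text.
PHISH = {
    "from": "PayPal <service@paypa1.com>",
    "links": [
        ("https://www.paypal.com/signin", "https://paypal.attacker.com/signin"),
        ("Review your account", "https://attacker.com/paypal/login"),
    ],
}
CLEAN = {"from": "PayPal <service@paypal.com>",
         "links": [("Log in", "https://www.paypal.com/signin")]}

if __name__ == "__main__":
    for f in check_message(PHISH, "paypal.com", "paypal"):
        print("-", f)
    print("clean message findings:", check_message(CLEAN, "paypal.com", "paypal"))
```

The registered-domain comparison in check_domain is the same decision a password manager makes before autofilling: it matches on the domain the browser is actually on, never on how the page looks.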
What to do when you receive a phishing message
If you receive a phishing email at work, report it to your IT security team using whatever process they have for reporting suspicious messages.
If you receive a phishing email personally, you can report it to the Federal Trade Commission at reportfraud.ftc.gov or to the Anti-Phishing Working Group at reportphishing@apwg.org. For texts, forward to 7726 (SPAM).
Don't click the link to verify. The act of clicking can sometimes confirm to the attacker that your address is active and worth targeting more aggressively. Some phishing pages also serve drive-by malware that exploits browser vulnerabilities just from the page load.
Don't reply to the message. Engaging with the sender confirms your address is real.
Delete the message. If you're worried it might be legitimate, contact the supposed sender through a channel you know is real. Look up your bank's phone number on the back of your card. Go to your account by typing the URL directly into the browser. Call your coworker on a number you already had.
If you've already clicked the link, change your password for that account immediately, from a different device if possible. Enable 2FA if you haven't already. Check for unfamiliar logins or settings changes.
If you've already entered your credentials on a fake site, assume the credentials are compromised. Change them everywhere they were reused. Check for new accounts created in your name. Monitor for fraudulent transactions.
If you've already opened a malicious attachment, run a malware scan with Malwarebytes or your existing antivirus. For severe incidents, the cleanest recovery is wiping the device and restoring from backups predating the incident.
Defending against phishing
Use a password manager. Password managers fill credentials based on the actual domain, not the visual appearance of a page. If you land on a phishing page, the manager won't autofill because the domain doesn't match. This is a strong signal that something is wrong.
Enable 2FA on every account that supports it, with hardware keys for accounts that matter most. Authenticator apps are the right default for typical accounts. Hardware keys defeat real time proxy phishing for the accounts that justify the cost.
Be skeptical of unexpected messages, especially urgent ones. The default response to "you need to act immediately" should be slowing down, not speeding up.
Verify through known channels. If your bank emails you about fraud, find the bank's number from your card or their official site. The same logic applies for any organization or person.
Inspect URLs before clicking. The registered domain (the part right before .com or .org) is what matters. Anything to the left of it is a subdomain, and anything after the first slash is a path. An attacker can register a lookalike domain, create any subdomain under a domain they own, and put any name in the path, so only the registered domain tells you who you are actually talking to.
Keep software updated. Malicious attachments often exploit known vulnerabilities in older versions of software.
The pretext keeps changing
Phishing pretexts evolve to match what's plausible at the moment. The IRS scam works around tax season. The package delivery scam works year round. In 2026, the active pretexts I see most often:
AI tool fake updates. Messages claiming to be from major AI providers asking you to re-authenticate or update settings.
Cloud storage warnings. Fake messages from Google Drive, Dropbox, OneDrive saying a shared document needs your attention.
Subscription renewals. Fake invoices for services you might use. The recipient calls the included number to dispute the charge and gets walked through giving the attacker remote access.
Cryptocurrency wallet recovery. Fake messages claiming your wallet has unusual activity and asking for your recovery phrase. The phrase, if given, gives the attacker complete control of the wallet.
Multi factor authentication fatigue. The attacker has your password and triggers repeated 2FA prompts on your phone, hoping you eventually approve one out of frustration.
The specific pretexts will be different in five years. The structure will be the same.
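The MFA fatigue pretext above is one of the few on the list that leaves a clear trace in authentication logs, since every push the attacker triggers is recorded whether or not the user approves it. The following is an added example, not code from the original article, of the detection a defender would run over those logs. The log format is an assumption (constructed lines of the form `<timestamp>Z user=<name> event=mfa_push result=<approved|denied|timeout>`), and the thresholds are illustrative: three or more unsuccessful pushes for one user within ten minutes is flagged as a burst, and an approval while a burst is still in the window is flagged separately, because that approval is the outcome the attack is aiming for.

```python
"""MFA push-fatigue detector over constructed authentication log lines.

Added example; not code from the article. The log format is an assumption:
    <timestamp>Z user=<name> event=mfa_push result=<approved|denied|timeout>
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample: alice is being pushed repeatedly and finally approves;
# bob and carol show normal activity.
SAMPLE_LOG = """\
2026-03-02T08:01:10Z user=alice event=mfa_push result=denied
2026-03-02T08:01:40Z user=bob event=mfa_push result=approved
2026-03-02T08:02:05Z user=alice event=mfa_push result=timeout
2026-03-02T08:02:50Z user=alice event=mfa_push result=denied
2026-03-02T08:03:30Z user=alice event=mfa_push result=denied
2026-03-02T08:04:12Z user=alice event=mfa_push result=approved
2026-03-02T08:10:00Z user=carol event=mfa_push result=denied
2026-03-02T08:45:00Z user=carol event=mfa_push result=denied
2026-03-02T08:46:00Z user=carol event=mfa_push result=approved
"""


def parse_line(line: str):
    """Return (timestamp, user, result) for one line of the assumed format."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["result"]


def detect_push_fatigue(lines, threshold=3, window=timedelta(minutes=10)):
    """Sliding-window count of unsuccessful pushes per user; returns a list of alerts."""
    recent = {}      # user -> timestamps of denied/timed-out pushes inside the window
    alerts = []
    for line in lines:
        if "event=mfa_push" not in line:
            continue
        ts, user, result = parse_line(line)
        q = recent.setdefault(user, deque())
        while q and ts - q[0] > window:     # drop pushes that fell out of the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:         # fire once, when the burst threshold is crossed
                alerts.append({"user": user, "kind": "push_burst", "at": ts, "count": len(q)})
        elif result == "approved" and len(q) >= threshold:
            # The approval the attacker was waiting for: treat as a likely compromise.
            alerts.append({"user": user, "kind": "approval_after_burst", "at": ts, "count": len(q)})
            q.clear()
    return alerts


def run_sample():
    return detect_push_fatigue(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

An approval_after_burst alert is the one to act on immediately (revoke the session, reset the password, and talk to the user), since the attacker already holds the password by the time the pushes start. The push_burst alert on its own is the earlier, cheaper signal that a password has leaked even when the user keeps denying.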
Why training programs alone don't work
Companies have spent billions on phishing awareness training. Click rates have come down. They haven't gone to zero, and they probably won't.
The reason is structural. Phishing succeeds because human cognition makes mistakes under pressure. Training reduces mistakes but can't eliminate them. The defensive strategy can't depend on perfect human behavior. It has to assume that some phishing will succeed and limit the damage when it does.
Hardware keys mean a captured password is useless without the key. Unique passwords mean a captured credential doesn't compromise other accounts. Quick detection limits the window for damage.
Training is part of the layered defense. It's not the foundation.
A quick analogy
Phishing is the security version of a well dressed stranger at your door claiming to be from the gas company. They have a clipboard. They have an ID badge that looks real from a distance. They have a plausible reason for needing to come inside.
Most of the time, gas company workers really do come to check meters. The stranger is exploiting that legitimate pattern. The defense isn't to refuse all gas company workers. The defense is to slow down, ask for ID, call the gas company through a number you got from somewhere other than the stranger's clipboard, and verify before you let them in.
The pattern most people get wrong is treating speed as a virtue. The phishing message wants you to act fast. The right response is the opposite. Treat urgency as a signal to verify, not a reason to skip verification.
Frequently asked questions
Are emails from my own email address always real?
No. Email sender addresses can be forged trivially. An email that appears to come from your own address might be a spoof, especially if the content is suspicious.
What about emails that include accurate personal information about me?
Personal information appearing in a phishing email isn't proof the email is real. Data brokers sell that information. Past breaches contain it. The personalization is part of the attack.
Can I tell if a link is safe before clicking?
You can usually tell if a link is suspicious before clicking by hovering over it (on desktop) or long-pressing it (on mobile) to see the target URL. Inspect the registered domain. If it doesn't match what you expect, don't click.
Is HTTPS a sign that a site is legitimate?
No. HTTPS only means the connection is encrypted, not that the site is who it claims to be. Phishing sites get HTTPS certificates routinely.
Should I open suspicious emails to investigate?
In most modern email clients, opening an email is safe. The risks come from clicking links, opening attachments, or responding.
How do I report phishing?
For email, most providers have a "report phishing" button. For texts, forward to 7726 in the United States. For broader fraud reporting, reportfraud.ftc.gov accepts complaints.
Do antivirus tools protect against phishing?
Some do, partially. Modern security suites often include browser extensions that warn about known phishing sites. The protection depends on the site being on a blocklist. The protection is useful but not sufficient.
What to do next
If you haven't enabled 2FA on your important accounts, do that first. Authenticator apps for most accounts. Hardware keys for accounts where compromise would be catastrophic.
If you don't have a password manager, install one. The autofill behavior is one of the strongest phishing defenses available. The manager won't fill credentials on a domain it doesn't recognize.
If you have parents or family members who are particularly vulnerable to phishing, have a conversation about it. They don't need to become security experts. They need enough awareness to slow down when something feels urgent.
Phishing isn't going away. The defensive layers stack to make most attacks fail and limit damage from the ones that succeed.