What Is Phishing?

Phishing is a social engineering attack in which an attacker masquerades as a trusted entity to trick victims into revealing sensitive information, such as passwords, credit card numbers, or personal data, or into installing malware. It is consistently one of the most common and successful cyberattack vectors because it exploits human psychology rather than technical vulnerabilities, and it is a leading cause of data breaches.

Types of Phishing Attacks

Type | Vector | How It Works | Target
--- | --- | --- | ---
Phishing (standard) | Email | Mass emails impersonating banks, delivery companies, or tech platforms with malicious links or attachments | Broad (anyone)
Spear Phishing | Email | Targeted emails using personal details (name, employer, recent activity) to increase credibility | Specific individuals or organisations
Whaling | Email | Highly targeted spear phishing aimed at executives (CEO, CFO), often for large wire transfers | C-suite executives
Smishing | SMS / text message | Text messages with malicious links, often impersonating postal services, banks, or government agencies | Mobile users broadly
Vishing | Phone call | Live voice calls impersonating tech support, banks, or government agencies | Older adults, employees
Clone Phishing | Email | Duplicates a legitimate email you received previously, replacing a link or attachment with a malicious one | Previous communication recipients
QR Code Phishing (Quishing) | Physical / email | Malicious QR codes embedded in emails or physical materials that redirect to phishing pages | Broad

Red Flags to Spot a Phishing Attempt

  • The sender's email domain does not match the company it claims to be from (e.g. [email protected] instead of @amazon.com).
  • The email creates urgency or fear: "Your account will be suspended in 24 hours unless you act now."
  • Links in the email point to a domain that looks similar to, but is not, the real domain. Hover over links before clicking to see the actual URL.
  • The email contains grammar errors, unusual formatting, or an unexpected language mix.
  • You were not expecting the email: package delivery notifications, prize wins, or password resets you did not initiate.
  • Attachments have double extensions (e.g. invoice.pdf.exe) or are unexpected Office files asking you to "enable macros".

What to Do If You Fall for a Phishing Attack

Act immediately: change the password for the compromised account and any accounts sharing that password. Enable two-factor authentication everywhere possible. Use the breach check tool to see if your credentials are circulating. If financial information was compromised, contact your bank to freeze or monitor your account. Report the phishing email to your email provider and to the Anti-Phishing Working Group at [email protected].

Anatomy of a Phishing Email

The hook

Every phish opens with a reason to act: a blocked account, an undelivered package, a refund, an invoice, a security alert. The emotion targeted is urgency or curiosity, because both short-circuit the careful reading that would expose the fraud.

The disguise

Display names are freely chosen by the sender (SMTP, the protocol that delivers email, performs no identity check of its own), so "PayPal Support" can sit on top of any mailbox. The reliable evidence lives in the underlying headers: the actual sending domain, the Return-Path, and the SPF/DKIM/DMARC authentication results. Paste the full header into the email header analyzer to see where a message really originated and whether it passed authentication for the domain it claims.

The payload

The destination is either a credential-harvesting page mimicking a real login, or an attachment that installs malware. Hover (or long-press on mobile) every link to preview the real URL before touching it, and judge it with the right-to-left domain reading from how to check if a website is safe.

The 5-Point Pre-Click Checklist

# | Check | Phishing Tell
--- | --- | ---
1 | Sender domain (not display name) | Domain is misspelled, generic, or unrelated to the brand
2 | Pressure level | Deadlines, threats, or rewards demanding immediate action
3 | Link destination on hover | URL's registered domain is not the brand's real domain
4 | Expectation | You never initiated the reset, order, or delivery referenced
5 | Requested action | Asks for credentials, codes, payment, or "enable macros"

One unbreakable rule beats all five checks: never authenticate through a link you were sent. Open a new tab, type the site's address yourself or use your bookmark, and log in there. If the alert was real, it will be waiting in your account; if nothing is there, the email was the attack.
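The right-to-left domain reading used in the payload section and in checks 1 and 3 above, together with the double-extension red flag from the earlier list, can be turned into a small classifier. The following is an added example, not code from the original page: it extracts the registered domain of a hovered URL, flags hostnames that merely contain the brand name (including digit-for-letter swaps), and labels risky attachment names. The public-suffix set, the confusable-character table, and the extension lists are short constructed stand-ins for what a real tool would load.

```python
from urllib.parse import urlsplit

# Suffixes under which a registration takes three labels. Assumption: this short
# set stands in for the Public Suffix List a real tool would consult.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

# Characters commonly swapped for letters in lookalike hostnames (constructed table).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"}

# Extensions that run code when opened, and Office formats that can carry macros
# (constructed lists; extend as needed).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "bat", "cmd", "js", "vbs", "hta", "lnk", "msi"}
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm"}


def registered_domain(url):
    """Read the host right to left: the registered domain is the last two labels,
    or three when the last two form a public suffix such as co.uk. Everything to
    the left of it is chosen freely by whoever owns that registered domain."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_verdict(url, brand_domain):
    """'ok' only when the registered domain is the brand's own; 'lookalike' when the
    brand name was merely smuggled into the hostname; 'unrelated' otherwise."""
    brand_domain = brand_domain.lower()
    if registered_domain(url) == brand_domain:
        return "ok"
    # urlsplit().hostname already discards any user@ prefix, so a URL such as
    # https://brand.com@other.example/ is judged on other.example.
    host = (urlsplit(url).hostname or "").lower()
    normalized = "".join(CONFUSABLES.get(ch, ch) for ch in host)
    brand_label = brand_domain.split(".")[0]
    if brand_label in normalized:
        return "lookalike"
    return "unrelated"


def attachment_verdict(filename):
    """Label an attachment name by its final extension, the one the OS acts on."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "no-extension"
    last = parts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        # invoice.pdf.exe: the visible 'pdf' is decoration, the 'exe' is what runs
        return "double-extension" if len(parts) >= 3 else "executable"
    if last in MACRO_EXTENSIONS:
        return "macro-enabled"
    return "ok"


if __name__ == "__main__":
    for url in ("https://www.paypal.com/signin",
                "https://paypal.com.secure-login.example/verify",
                "https://paypa1.com/login",
                "https://paypal.com@evil.example/"):
        print(f"{link_verdict(url, 'paypal.com'):10} {url}")
    for name in ("invoice.pdf", "invoice.pdf.exe", "Q3-report.xlsm"):
        print(f"{attachment_verdict(name):17} {name}")
```

The verdicts are deliberately coarse: "unrelated" is not "safe", it only means the hostname makes no claim to be the brand, which is still a reason not to log in through it.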

What This Means for You

Phishing succeeds at scale because it needs only one rushed click among thousands of deliveries, so your goal is not to spot every fake; it is to make your accounts survive the click. Phishing-resistant two-factor authentication (security keys and passkeys verify the real domain cryptographically) means a stolen password alone opens nothing. A password manager helps the same way: it refuses to autofill your credentials on a lookalike domain, which is itself a warning. Combine those two with the type-it-yourself login habit, and periodically check whether your address is circulating in dumps with the breach check tool; leaked data is what makes spear phishing personal.

Frequently Asked Questions

What should I do if I just clicked a phishing link?

If you only viewed the page, close the tab; clicking alone rarely compromises an updated browser. If you entered a password, change it immediately on the real site and anywhere it is reused, then enable two-factor authentication. If you downloaded or ran a file, disconnect and run a full malware scan.

How can attackers send email that looks like it comes from a real company?

The display name in an email is free text the sender chooses, and lookalike domains cost a few dollars. Authentication standards (SPF, DKIM, and DMARC) let receiving servers verify the true sending domain, which is why checking the actual sender address and header results beats trusting the name shown.

Does two-factor authentication stop phishing?

Codes by SMS or app raise the bar but can be phished in real time by proxy sites that relay them instantly. Security keys and passkeys are phishing-resistant: they cryptographically verify the site's real domain, so they simply will not authenticate to a fake, making them the strongest practical defence.
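Why a relayed passkey assertion fails where a relayed SMS code succeeds comes down to what gets signed. The following added example (not code from the original page, and a simplified model of the WebAuthn assertion flow rather than a real implementation) walks through it: the browser records the origin the user is actually on, the authenticator signs over that record plus the hash of the site it was asked for, and the real site rejects anything signed for another origin. The domains are constructed, and an HMAC with a shared secret stands in for the authenticator's asymmetric signature so the example needs only the standard library.

```python
import hashlib
import hmac
import json
import secrets

# Constructed domains for the walkthrough.
RP_ID = "bank.example"                      # relying party ID the passkey was registered for
REAL_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example-login.test"

# Stand-in for the credential's private key. A real authenticator holds an
# asymmetric key and the site holds only the public key; HMAC with a shared
# secret is used here purely to keep the example to the standard library.
CREDENTIAL_SECRET = b"constructed-credential-secret"


def browser_client_data(origin, challenge):
    """The browser, not the web page, fills in the origin it is actually showing."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                      sort_keys=True).encode()


def authenticator_get_assertion(rp_id, client_data):
    """The authenticator signs over the hash of the RP ID it was asked for and the
    hash of the client data, so neither can be altered after the fact."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_SECRET, signed, "sha256").digest()
    return {"rp_id_hash": rp_id_hash, "client_data": client_data, "signature": signature}


def relying_party_verify(assertion, expected_challenge):
    """Server-side checks: correct ceremony, fresh challenge, the site's own origin,
    the site's own RP ID, and a signature that covers all of it."""
    try:
        client = json.loads(assertion["client_data"])
    except ValueError:
        return False
    if client.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(str(client.get("challenge", "")), expected_challenge):
        return False
    if client.get("origin") != REAL_ORIGIN:
        return False
    if assertion["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_SECRET, signed, "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])


def login_scenarios():
    """Verdicts for a genuine login and for a proxy that relays the real site's
    challenge through a lookalike page."""
    challenge = secrets.token_urlsafe(32)   # issued by the real site per login

    # Genuine: the user is on the real site, the browser records the real origin.
    genuine = authenticator_get_assertion(RP_ID, browser_client_data(REAL_ORIGIN, challenge))

    # Relayed: the proxy forwards the real challenge to the lookalike page. The browser
    # still records the origin the user is actually on, so the assertion names the fake.
    relayed = authenticator_get_assertion(RP_ID, browser_client_data(PHISH_ORIGIN, challenge))

    # Tampered: the proxy rewrites the origin before forwarding; the signature
    # covered the original client data, so it no longer matches.
    tampered = dict(relayed, client_data=browser_client_data(REAL_ORIGIN, challenge))

    return {
        "genuine": relying_party_verify(genuine, challenge),
        "relayed": relying_party_verify(relayed, challenge),
        "tampered": relying_party_verify(tampered, challenge),
    }


if __name__ == "__main__":
    for scenario, accepted in login_scenarios().items():
        print(f"{scenario:9} -> {'accepted' if accepted else 'rejected'}")
```

In a real browser the relayed case fails even earlier: the page on the lookalike origin is not permitted to request an assertion for an RP ID it does not own, so the authenticator is never asked. The model above lets the request through on purpose to show that the server-side origin check would catch it regardless.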