The most reliable way into someone’s account is often the simplest: just ask for the keys, convincingly. That is phishing. Rather than defeating encryption or cracking a password, the attacker persuades you to hand over your credentials or your money willingly, usually by pretending to be someone you trust. Phishing works because it targets people rather than machines, and people can be hurried, worried, or simply busy. This guide explains how these attacks operate, the tactics behind them, the tells that give them away, and exactly what to do if you realize you have fallen for one.
What Phishing Is
Phishing is a form of social engineering, the art of manipulating people into doing something against their own interest. A phishing attack impersonates a trusted source (a bank, a delivery company, an employer, a well-known service) to trick you into revealing sensitive information, clicking a malicious link, or transferring money. The message looks legitimate, the request feels plausible, and the goal is to get you to act before you think.
The defining feature is deception aimed at a human. Other attacks exploit flaws in software; phishing exploits trust and habit. That is why even people with strong passwords and up-to-date devices can be caught. The defense is not a tool you install but a habit of recognition, a learned instinct to pause when a message pushes you to act quickly.
How Phishing Works
A typical attack follows a recognizable arc, even though the surface details change constantly.
First, the attacker poses as a trusted entity, often copying real logos, branding, and wording so the message looks authentic. Then they create a reason to act, frequently urgent or alarming: your account is suspended, a payment failed, a package could not be delivered, suspicious activity was detected. Next, they direct you toward an action: clicking a link, opening an attachment, or replying with information. The link usually leads to a fake site that mimics a real login page. When you enter your credentials there, they go straight to the attacker, who can then use them on the genuine service. The whole sequence is engineered to keep you moving and to discourage the moment of doubt that would expose it.
Common Phishing Tactics
Phishing comes in several forms, distinguished by how they reach you and how targeted they are. Recognizing the variety helps you spot attempts you might otherwise wave through.
Email Phishing
The classic form arrives as an email that appears to come from a known organization. It might warn of a problem with your account, offer a refund that sounds too good to be true, or attach an “invoice” you need to review. The link or attachment is the trap. This remains the most common channel simply because email reaches everyone.
Spear Phishing
Spear phishing is targeted. Instead of a generic blast, the attacker researches a specific person and tailors the message using real details (your name, your employer, a project you are working on) to make it far more convincing. Because it is personalized, it is harder to dismiss and more dangerous. A related variant, sometimes called whaling, targets senior executives whose access or authority is especially valuable.
Smishing and Vishing
Phishing is not limited to email. Smishing uses text messages, often a short alarming note with a link, exploiting the fact that people read texts quickly and trust them more than email. Vishing uses voice calls, where an attacker phones you posing as your bank, a tech-support agent, or a government official, applying pressure in real time. Hearing a human voice can make a scam feel more legitimate, which is exactly why it works.
Clone and Business-Email Compromise
In a clone attack, the scammer copies a real message you have seen before, then resends it with the links swapped for malicious ones, so it looks like a familiar follow-up. Business-email compromise targets organizations: an attacker impersonates an executive or a supplier and instructs an employee to make an urgent payment or change bank details. These can be costly because they bypass technical defenses and lean entirely on workplace trust and routine.
How to Recognize Phishing
Most phishing attempts carry warning signs once you know to look. No single sign is proof on its own, but several together are a strong signal to stop.
| Warning sign | What to look for |
|---|---|
| Urgency or threats | Pressure to act immediately, warnings of suspension, closure, or penalty |
| Sender mismatch | A display name that does not match the actual email address or domain |
| Suspicious links | A link whose true destination differs from the text, or an odd-looking domain |
| Requests for secrets | Any message asking for your password, full card number, or one-time code |
| Generic greetings | “Dear customer” instead of your name, especially from a service that knows you |
| Unexpected attachments | Files you did not request, particularly ones urging you to enable content |
| Small errors | Off wording, slightly wrong logos, or a domain that is almost but not quite right |
Two checks are worth building into your routine. Before clicking, hover over a link (or press and hold on mobile) to preview where it actually leads, and look closely at the domain rather than the display text. And remember the golden rule: a legitimate organization will not ask you for your password or a one-time authentication code. Any message that does is fraudulent, full stop.
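The warning signs in the table and the two manual checks above can be turned into a small screening routine. The following Python script is an added example written for this guide, not code from the original article or from any mail client: it parses a constructed sample message (all domains ending in `.test` are placeholders), compares the sender's real address against the organization it claims to be, compares each link's visible text with its true destination, flags lookalike domains, and counts how many independent signs stack up, since several together are the signal to stop. The trusted domain, the keyword lists and the simplified "last two labels" domain rule are assumptions for illustration; real code would use a public-suffix list.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages; every domain here is a placeholder, not a real site.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <alerts@examp1e-bank-login.test>
Subject: Urgent: your account will be suspended in 24 hours
Content-Type: text/html

<p>Dear customer, click <a href="https://examplebank.com.secure-verify.test/login">https://examplebank.com/login</a> to confirm your password.</p>
"""

BENIGN_EMAIL = """\
From: "Example Bank" <notices@examplebank.com>
Subject: Your monthly statement is available
Content-Type: text/html

<p>Hello Alex, your statement is ready in the app.</p>
"""

TRUSTED_DOMAIN = "examplebank.com"  # assumed: the organization the message claims to come from
URGENCY_WORDS = ("urgent", "immediately", "suspended", "24 hours", "verify now")
SECRET_WORDS = ("password", "one-time code", "verification code")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Simplified rule: the last two labels. Real code should consult a public-suffix list.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url_or_text):
    """Hostname of a URL; bare domains in link text are accepted too."""
    parsed = urlparse(url_or_text if "://" in url_or_text else "http://" + url_or_text)
    return parsed.hostname or ""


def looks_like(host, trusted_domain):
    """True when a host imitates the trusted brand (digit swaps, hyphens, prefixes)
    but its registrable domain is not actually the trusted one."""
    brand = trusted_domain.split(".")[0]
    normalized = host.lower().translate(str.maketrans("10", "lo")).replace("-", "")
    return brand in normalized and registrable_domain(host) != trusted_domain


def analyze(raw_message, trusted_domain):
    """Return a list of (warning-sign, detail) findings for one raw email."""
    msg = message_from_string(raw_message)
    findings = []

    # Sender mismatch: the display name says one thing, the address says another.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rpartition("@")[2]
    if registrable_domain(sender_host) != trusted_domain:
        findings.append(("sender-mismatch", f"'{display_name}' actually sends from {sender_host}"))
    if looks_like(sender_host, trusted_domain):
        findings.append(("lookalike-domain", sender_host))

    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    urgent = [w for w in URGENCY_WORDS if w in text]
    if urgent:
        findings.append(("urgency", ", ".join(urgent)))
    secrets = [w for w in SECRET_WORDS if w in text]
    if secrets:
        findings.append(("secret-request", ", ".join(secrets)))
    if "dear customer" in text:
        findings.append(("generic-greeting", "dear customer"))

    # Suspicious links: the "hover" check, done by comparing text and href hosts.
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, visible in extractor.links:
        real = registrable_domain(host_of(href))
        if "." in visible and " " not in visible and registrable_domain(host_of(visible)) != real:
            findings.append(("link-mismatch", f"text shows {host_of(visible)} but goes to {host_of(href)}"))
        if looks_like(host_of(href), trusted_domain):
            findings.append(("lookalike-domain", host_of(href)))
    return findings


def verdict(findings):
    """No single sign is proof; two or more together mean stop and verify out of band."""
    return "stop and verify" if len(findings) >= 2 else "no strong signal"


if __name__ == "__main__":
    for sign, detail in analyze(SAMPLE_EMAIL, TRUSTED_DOMAIN):
        print(f"{sign:18} {detail}")
    print(verdict(analyze(SAMPLE_EMAIL, TRUSTED_DOMAIN)))
```

Run it and the constructed sample trips six of the seven rows in the table, while the benign statement notice produces nothing. The point of the registrable-domain comparison is the one the padlock discussion makes: `examplebank.com.secure-verify.test` contains the brand name, but its actual domain is `secure-verify.test`.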
The padlock is not a safety guarantee here. A phishing site can run over valid HTTPS and show a padlock, because the certificate only proves the connection is encrypted and matches that domain, not that the domain is trustworthy. The domain itself is what you must verify. Our guide to HTTPS and TLS explains exactly what the padlock does and does not promise.
How to Avoid Phishing
Recognition is the core defense, but a few habits make you a much harder target overall.
Slow down. Urgency is the attacker’s main lever, so treat any message that pressures you to act immediately as suspect by default. When in doubt, do not use the link in the message at all; instead, go to the organization directly by typing its address yourself or using a bookmark, and check your account there. If a message claims your bank has a problem, your real banking app or the number on your card will tell you the truth.
Verify through a separate channel. If a colleague or executive emails an unusual payment request, confirm it by phone or in person using contact details you already have, not the ones in the message. Keep your devices and browsers updated, since modern browsers warn about many known phishing sites. Above all, turn on two-factor authentication. It is your safety net: even if you are tricked into revealing a password, an attacker without your second factor is still locked out. Our password security guide covers how to set that up.
What to Do If You Get Caught
Falling for a phishing attack is more common than people admit, and quick action limits the harm. Work through these steps without delay.
Change your password immediately on the affected account, and change it anywhere you reused the same one, since attackers will try it elsewhere. If you have not already, enable two-factor authentication now to block continued access. If you entered financial details, contact your bank or card provider straight away to flag the fraud and, if needed, freeze the account or card. Watch your accounts closely in the following days for unauthorized activity, and be alert to follow-up scams, since being caught once can mark you as a target for more.
Then report it. Notify the real organization that was impersonated, so they can warn others, and report the attempt to the appropriate authority or, at work, to your security team. If malware may have been installed through an attachment, run a security scan on your device. Acting calmly and promptly almost always contains the damage, and the embarrassment fades far faster than the consequences of doing nothing.
Frequently Asked Questions
How can I tell a phishing email from a real one?
Look for urgency, a sender address that does not match the supposed organization, links whose true destination differs from the text, generic greetings, and any request for your password or a one-time code. When unsure, do not click; go to the service directly through a bookmark or by typing the address and check your account there.
Is a website safe if it has a padlock?
Not necessarily. The padlock means the connection is encrypted and matches that domain, not that the site is honest. Phishing pages can show a valid padlock too. Always confirm the domain itself is the real one before entering anything. Our HTTPS and TLS guide explains the distinction.
What is the difference between phishing and spear phishing?
Phishing is usually a broad, generic attempt sent to many people. Spear phishing is targeted at a specific person and uses real personal or work details to seem convincing, which makes it harder to spot and more dangerous.
I clicked a phishing link but did not enter anything. Am I in trouble?
Often you are fine, but be cautious. Some links can attempt to load malware, so run a security scan, keep your browser updated, and watch for anything unusual. If you entered any information at all, treat it as compromised and change that password right away.