Phishing is one of the most effective attack methods in use because it bypasses technical security entirely. No software vulnerability is exploited. The target is persuaded to hand over credentials or click a malicious link voluntarily, under the impression that they are doing something normal.
This guide explains how phishing works, the signs that reliably indicate a phishing attempt, and the habits that make you a significantly harder target.
What this covers:
What phishing is and how it gets its name
The anatomy of a typical phishing attempt
Common signs to look for
Real-world examples of phishing scenarios
Practical steps to protect yourself
What to do if you have already fallen for one
What Phishing Is
Phishing is a social engineering attack in which someone poses as a trusted entity to trick the target into revealing sensitive information or performing an action they would not otherwise take. The information sought is typically login credentials, payment details, or personal identifying information.
The name is a play on "fishing", spelled with "ph" in the tradition of the older "phone phreaking" hacker slang: cast enough believable bait and some percentage of targets will bite. The bait is a message that appears to come from a legitimate source. The hook is usually a link to a fake site or an attachment that installs malware.
Phishing happens across several channels: email is the most common, but SMS (called smishing), voice calls (vishing), and social media messages are all used. The principles are the same regardless of channel.
How a Phishing Attack Unfolds
A typical phishing attack follows a recognizable structure.
The message creates urgency or fear. Common framings include: your account has been suspended, a payment failed, you have been selected for a prize, an unusual login was detected. The goal is to provoke an emotional response that short-circuits careful reading.
The message includes a link or attachment that appears legitimate. The link might go to a domain that closely resembles the real one (paypa1.com, with a digit one in place of the letter l, or support-paypal.com, which is a separate registered domain that merely contains the brand name) or bury the real destination in a subdomain (paypal.login.attacker.com, where the domain that actually counts is attacker.com, read from the right). The page the link leads to is often a convincing replica of the legitimate site.
The target enters credentials or personal information, which is captured directly by the attacker. In some cases, clicking the link or opening the attachment is enough to install malware without any further input from the target.
Once the attacker has credentials, the range of outcomes includes: draining financial accounts, selling the credentials, using them to access other accounts (particularly if the same password is reused), or deploying ransomware.
Signs of a Phishing Attempt
The sender address does not match. The display name can be set to anything; only the actual email address reveals the sender's real domain. An address at the genuine domain and one at a lookalike domain that differs by a single extra letter look nearly identical in a quick read, and the difference is only visible if you look at the raw address rather than the display name. Many mobile mail clients show only the display name by default, so tap on the sender to expose the address.
Urgency and threats. Legitimate services rarely demand immediate action under threat of account closure or legal consequences. When a message creates pressure to act before thinking, that is the mechanism being used.
Generic greetings. A bank or service you use knows your name. "Dear customer" or "Dear user" suggests the message was sent to a large list, not personalized to you.
Links that do not go where they claim. On a desktop browser, hovering over a link shows the destination URL before clicking. If the displayed link text says paypal.com but the hover URL shows something different, that is a clear indicator. On mobile, pressing and holding a link typically shows the destination.
Attachments in unexpected contexts. A shipping company does not typically send invoices as executable files. An unexpected attachment, particularly in formats such as .exe, .zip, .docm (a macro-enabled Word document), .iso, or .lnk, warrants extreme caution.
Spelling and formatting inconsistencies. Phishing messages have improved in quality but often still contain odd phrasing, formatting inconsistencies, or domain mismatches that a genuinely legitimate communication would not have.
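The mechanical signs above (sender address vs. display name, link text vs. actual destination, generic greeting, risky attachment) can be checked by a script. The following Python is an added example, not code from the original guide; it runs the checks over a constructed sample message, and the expected domain "paypal.com", the sample addresses and the extension list are assumptions for illustration. Urgency and odd phrasing are left to the reader's judgement, since keyword matching for those is unreliable.

```python
"""Flag mechanical phishing signs in a raw email (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions named in the guide (.exe, .zip, .docm) plus other common lures.
RISKY_EXTENSIONS = {".exe", ".zip", ".docm", ".js", ".vbs", ".iso", ".lnk", ".scr"}

# Constructed sample, not a real phish: sender at the lookalike domain paypa1.com,
# link text that claims www.paypal.com but points under attacker.com, and a
# macro-enabled document attached.
SAMPLE_EMAIL = """\
From: "PayPal Support" <support@paypa1.com>
To: victim@example.com
Subject: Your account has been suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, unusual activity was detected. Log in within 24 hours:</p>
<a href="https://paypal.login.attacker.com/signin">https://www.paypal.com/signin</a>
<p><a href="https://www.paypal.com/help">Help centre</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case hostname of a URL, or None if it has none."""
    try:
        return (urlparse(url).hostname or "").lower() or None
    except ValueError:
        return None


def is_same_or_subdomain(host, domain):
    """True if host is domain itself or lies under it (www.paypal.com / paypal.com)."""
    return host == domain or host.endswith("." + domain)


def analyze_email(raw, expected_domain):
    """Return findings for a raw RFC 5322 message. expected_domain is the domain
    the message claims to come from as the reader understands it ('paypal.com');
    each finding is a place where the message's real addresses disagree."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # The display name is free text; only the address carries the real domain.
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    if not is_same_or_subdomain(sender_domain, expected_domain):
        findings.append(f"sender mismatch: display name {display_name!r} "
                        f"but address domain is {sender_domain!r}")

    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        html = html_part.get_content()
        collector = _LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            target = host_of(href)
            claimed = host_of(text) if "://" in text else None  # text looks like a URL
            if claimed and target and not is_same_or_subdomain(target, claimed):
                findings.append(f"link mismatch: text shows {claimed!r} "
                                f"but href goes to {target!r}")
            elif target and not is_same_or_subdomain(target, expected_domain):
                findings.append(f"link to unexpected domain {target!r}")
        # A generic greeting suggests a bulk mailing, not your own provider.
        if re.search(r"\bDear (customer|user|member|client)\b", html, re.I):
            findings.append("generic greeting")

    # Executable or macro-enabled attachment.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if "." in name and "." + name.rpartition(".")[2] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {name!r}")
    return findings


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL, "paypal.com"):
        print("-", finding)
```

Run against the sample it reports four findings: the sender at paypa1.com, the link whose text says www.paypal.com but whose href goes to paypal.login.attacker.com, the "Dear customer" greeting, and the .docm attachment. The second link, whose text is plain words and whose href is under paypal.com, produces nothing, which is the point of comparing hosts rather than flagging every link.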
Common Phishing Scenarios
Delivery scams. A text message claims a package is waiting for delivery and requests a small payment to release it. The link leads to a payment page that captures card details. These spike around periods of high online shopping activity.
Account security alerts. An email purporting to be from a bank, email provider, or social media platform warns of unusual activity and prompts a login through a provided link. The login page is a replica that captures credentials.
Invoice fraud. An email that appears to be from a supplier or service includes an invoice attached as a PDF or link. The invoice contains a payment link to an attacker-controlled account.
IT or support impersonation. A message from someone claiming to be IT support or a software vendor asks for credentials to resolve a problem. Legitimate support teams do not ask for passwords.
How to Protect Yourself
Slow down when something feels urgent. Phishing relies on pressure. A message that demands immediate action before you have time to think is using the mechanism against you. Taking thirty seconds to evaluate the message is often enough to spot the signs.
Verify through official channels. If a message claims to be from your bank, do not use the link or phone number in the message. Look up the official contact information independently and reach out through that. If the alert is real, you will find out. If it is fake, you have avoided the trap.
Enable two-factor authentication. Even if a phishing attack captures your password, 2FA requires a second factor that the attacker typically does not have, which makes a stolen password significantly less useful. One caveat: a one-time code typed into a fake page can be relayed to the real site within seconds, so codes from SMS or an authenticator app reduce the risk but do not remove it. Hardware security keys and passkeys (FIDO2/WebAuthn) are bound to the genuine site's domain and will not authenticate to a lookalike, which is why they are called phishing-resistant.
Use a password manager. Password managers fill credentials only on the exact domain they were saved for. If you saved credentials for paypal.com and you are on a lookalike domain, the password manager will not offer them. This is a practical catch for spoofed sites, but only if you treat a refusal to fill as a warning: typing or pasting the password by hand on a site the manager does not recognise throws the protection away.
Keep software updated. Some phishing attacks deliver malware through vulnerabilities in browsers, operating systems, or document readers. Keeping software current patches the vulnerabilities that these delivery methods exploit.
Bookmark important sites. Typing amazon.com and landing on arnazon.com due to a typo is a real vector (typosquatting). Bookmarks for frequently used financial and account management sites eliminate this risk.
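The password manager and bookmark advice above both rest on one rule: what matters is the registrable domain of the site you are actually on, not how the address looks. The following Python is an added example, not code from the original guide or from any password manager, showing that rule applied to the lookalike names used in this guide. It also goes beyond the page's own cases to two further tricks: the brand name placed in a subdomain of the attacker's site, and the brand name placed in the userinfo part of a URL before an "@". The tiny suffix set is an assumption standing in for the Public Suffix List that real password managers consult, and the https-only rule is a design choice of this example.

```python
"""Password-manager style autofill decision on the registrable domain (added example)."""
from urllib.parse import urlparse

# Simplification: real password managers use the Public Suffix List to know
# that "co.uk" is a suffix. A tiny fixed set stands in for it here.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the part of a hostname one could actually register: 'paypal.com'
    for 'www.paypal.com', 'attacker.com' for 'paypal.login.attacker.com'."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    if len(labels) < n:
        return None
    return ".".join(labels[-n:])


def should_autofill(saved_for, url):
    """True only when the URL's registrable domain equals the one the credentials
    were saved for. Everything left of that domain, and how similar the name
    looks to the eye, is ignored; that is what defeats lookalikes."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False  # this example refuses plain-http and malformed links
    return registrable_domain(parsed.hostname) == registrable_domain(saved_for)


# Constructed candidates: the guide's own examples plus two further tricks.
CANDIDATES = [
    ("paypal.com", "https://www.paypal.com/signin"),        # genuine
    ("paypal.com", "https://paypa1.com/signin"),            # digit 1 for letter l
    ("paypal.com", "https://support-paypal.com/"),          # brand inside another domain
    ("paypal.com", "https://paypal.login.attacker.com/"),   # brand in a subdomain
    ("paypal.com", "https://paypal.com.attacker.com/"),     # whole brand domain as subdomain
    ("paypal.com", "https://www.paypal.com@attacker.com/"), # brand in userinfo before '@'
    ("amazon.com", "https://arnazon.com/"),                 # typosquat: rn for m
]


def fill_decisions():
    """Map each candidate URL to the autofill decision, for display and testing."""
    return {url: should_autofill(saved, url) for saved, url in CANDIDATES}


if __name__ == "__main__":
    for url, ok in fill_decisions().items():
        print(f"{'FILL   ' if ok else 'REFUSE '} {url}")
```

Only the first candidate is filled. The "@" case is worth noting: browsers read everything before the "@" as a username, so the real host is attacker.com even though paypal.com is the first thing the eye lands on, and urlparse().hostname reports it correctly.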
What to Do If You Have Fallen for a Phishing Attack
Acting quickly reduces the damage.
Change the compromised password immediately, and change it on any other account where the same password is used. Password reuse is common and attackers know this, so credential stuffing (trying stolen credentials on other services) begins quickly.
Enable two-factor authentication on the affected account and any others where you have not yet done so.
Contact your bank or card provider if payment details were involved. Most providers have fraud teams that can freeze accounts, reverse unauthorized transactions, and issue new cards.
Scan the device for malware, particularly if an attachment was opened, or if a link was clicked and the page it led to appeared to do nothing. A reputable antivirus tool run immediately after the incident can identify and remove malware before it does further damage.
Report the phishing attempt to your email provider (most have a "report phishing" option) and to the impersonated organization. Many companies have dedicated email addresses for reporting phishing that uses their branding.
The Psychology Phishing Exploits
Understanding why phishing works makes it easier to resist. The techniques are not random: they exploit well-documented cognitive shortcuts.
Authority: messages from banks, government agencies, or well-known companies trigger compliance because people defer to perceived authority figures.
Urgency and fear: time pressure reduces careful evaluation. The immediate concern of account closure or financial loss overrides the slower, more analytical thinking that would catch the warning signs.
Familiarity: a message that looks exactly like other legitimate communications from the same source is harder to distinguish, particularly when most legitimate emails from that sender look the same.
Recognizing that these pressure mechanisms are being applied is often enough to break the spell. The question to ask is: why is this message trying to make me act before I have time to think?
Key Takeaways
Phishing bypasses technical security by manipulating people into taking actions voluntarily.
The reliable signs are: mismatched sender addresses, urgency and threats, generic greetings, links that do not match their display text, and unexpected attachments.
Verify suspicious messages through official channels independently, not through the link or number in the message.
Two-factor authentication limits the usefulness of stolen credentials, and hardware security keys or passkeys resist phishing outright because they are bound to the genuine domain. A password manager refuses to fill credentials on lookalike sites.
If you fall for a phishing attack, change affected passwords immediately, enable 2FA, contact your bank if payment details were involved, and scan for malware.
Conclusion
Phishing succeeds because it is designed around how people actually behave under pressure, not around technical vulnerabilities. Understanding the structure of a phishing attempt and the psychological mechanisms it uses turns the attacker's main advantage into something you can recognize and counter.
The protective habits are not complicated: slow down when something feels urgent, verify through official channels, and use 2FA. These three practices address the most common attack scenarios.
Received a suspicious message you are not sure about? Describe it in the comments and the community can help you evaluate it.