How Phishing Works
The attacker sends a message that impersonates a trusted entity — a bank, employer, cloud service, or government agency. The message creates urgency ("Your account will be suspended in 24 hours") and directs the victim to take an action: click a link to a fake login page, open a malicious attachment, or call a fraudulent phone number. The fake login page captures credentials in real time; the attacker uses them to access the real account immediately, often before the victim realizes something is wrong.
Phishing Variants
Spear phishing: Targeted at a specific individual or organization. The attacker researches the victim (LinkedIn, social media, company website) to craft a convincing, personalized message. Spear phishing emails have much higher success rates than generic campaigns because they reference real colleagues, projects, or events.
Whaling: Spear phishing targeting executives (CEOs, CFOs). Often aims for wire transfer authorization or access to sensitive systems. The attacker impersonates a board member, legal firm, or regulatory body.
Smishing: Phishing via SMS. Commonly impersonates parcel delivery services ("Your package requires a customs fee"), banks ("Suspicious activity detected"), or government agencies. SMS lacks the email authentication infrastructure (SPF/DKIM/DMARC), making sender spoofing straightforward.
Vishing: Voice phishing via phone call. The attacker claims to be technical support, a bank fraud department, or a government agency and manipulates the victim into revealing credentials or granting remote access.
Adversary-in-the-Middle (AiTM) phishing: A sophisticated variant using a reverse proxy. The phishing site relays credentials and MFA codes to the real site in real time, stealing session cookies rather than just static credentials — bypassing TOTP-based MFA entirely.
How to Recognize a Phishing Attempt
- Check the sender domain: Hover over (don't click) links and verify the full URL. paypa1.com, amazon-support.net, and login.microsoft.com.attacker.io are not the real domains.
- Urgency and threats: Legitimate services rarely demand immediate action under threat of account closure. Urgency is a manipulation lever.
- Unexpected requests: Banks don't ask for full passwords, PINs, or MFA codes by email or phone. IT departments don't need your password to fix your account.
- Mismatched branding: Low-quality logos, inconsistent fonts, or generic greetings ("Dear Customer") are signals — though sophisticated attacks now use pixel-perfect clones.
- Attachments from unknown senders: Office documents, PDFs, and ISO files can execute malicious code. Verify before opening.
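The domain check in the list above can be mechanised. The following is an added example (not code from the original article): it extracts the host behind a link, reduces it to its registrable domain, and flags the three patterns named above (a digit-for-letter lookalike, a brand word inside an unrelated domain, and a trusted name used only as a subdomain label). The TRUSTED set and the sample links are constructed for the demo, and the "last two labels" rule for the registrable domain is a simplification; real code should use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed demo list of domains the reader actually holds accounts with.
TRUSTED = {"paypal.com", "amazon.com", "microsoft.com"}

# Single characters attackers swap for look-alike letters (1 for l, 0 for o, ...).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def host_of(url: str) -> str:
    """Lowercase hostname of a URL, '' if the URL has none (e.g. mailto:)."""
    host = urlsplit(url).hostname
    return (host or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Demo rule: the last two labels. Real code must use the Public Suffix List,
    otherwise 'bank.co.uk' and 'evil.co.uk' would both collapse to 'co.uk'."""
    return ".".join(host.split(".")[-2:])


def normalise_lookalikes(name: str) -> str:
    """Undo common visual substitutions so paypa1 / rnicrosoft compare as paypal / microsoft."""
    return name.replace("rn", "m").translate(HOMOGLYPHS)


def classify_link(url: str) -> str:
    """Classify a link target relative to the TRUSTED set.

    Returns one of: 'no-host', 'trusted', 'lookalike', 'decoy-subdomain',
    'brand-in-name', 'unknown'.
    """
    host = host_of(url)
    if not host:
        return "no-host"
    reg = registrable_domain(host)
    # Only the registrable domain decides who controls the site; everything to
    # its left (login., www., accounts.) is chosen by that owner.
    if reg in TRUSTED:
        return "trusted"
    # paypa1.com -> paypal.com once the substitution is undone.
    if normalise_lookalikes(reg) in TRUSTED:
        return "lookalike"
    # login.microsoft.com.attacker.io: the trusted name is only a subdomain
    # label of attacker.io (the brand must be followed by further labels).
    if any(f".{brand}." in f".{host}" for brand in TRUSTED):
        return "decoy-subdomain"
    # amazon-support.net: the brand word sits inside an unrelated registrable domain.
    brand_words = {brand.split(".")[0] for brand in TRUSTED}
    if any(word in reg.split(".")[0] for word in brand_words):
        return "brand-in-name"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, including the three named in the list above.
    for link in (
        "https://www.paypal.com/signin",
        "https://paypa1.com/login",
        "https://amazon-support.net/verify",
        "https://login.microsoft.com.attacker.io/",
        "https://rnicrosoft.com/",
        "https://example.org/",
    ):
        print(f"{classify_link(link):16} {link}")
```

The order of the checks matters: the registrable-domain test runs first so that a genuine login.microsoft.com is accepted before any substring heuristic sees the word "microsoft", and the lookalike normalisation is applied only to the registrable domain, never to the whole host.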
Technical Defenses
- Hardware security keys (FIDO2): Origin-bound authentication — a key will not authenticate to a phishing site because the cryptographic response is tied to the legitimate domain. Defeats credential phishing and AiTM attacks. The strongest available protection.
- Password managers: Auto-fill credentials only for the exact matching domain. A password manager that doesn't offer to fill on paypa1.com is itself a phishing detection tool.
- Email authentication (SPF, DKIM, DMARC): Domain-level controls that prevent spoofed "From" addresses from passing filters. Recipients of a DMARC-enforced domain's email can trust that the visible From domain has not been spoofed.
- Browser phishing protection: Chrome, Firefox, and Edge check URLs against known phishing databases (Google Safe Browsing). Not comprehensive, but catches known campaigns quickly.
- MFA (TOTP/SMS as second layer): Better than password-only, but defeatable by AiTM attacks. Use hardware keys where possible.
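To show what "DMARC-enforced" means at the receiving end, here is an added example (not code from the original article) of the decision a mail server makes under RFC 7489: parse the domain owner's DMARC record, check whether the SPF or DKIM result is aligned with the From domain, and on failure apply the published policy. The record strings, domains and SPF/DKIM results are constructed for the demo; a real receiver reads the record from the _dmarc.<domain> TXT entry and takes the SPF/DKIM results from its own verification of the message.

```python
def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, demo rule: last two labels (real code: Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match with the From domain;
    relaxed ('r', the default) accepts any domain with the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record: str, from_domain: str, *, spf_pass: bool = False,
                      spf_domain: str = "", dkim_pass: bool = False,
                      dkim_domain: str = "") -> str:
    """Return 'pass' when the message is authenticated and aligned, otherwise
    the policy the domain owner asked for: 'none', 'quarantine' or 'reject'.

    spf_domain is the domain SPF verified (the envelope MAIL FROM domain);
    dkim_domain is the d= tag of a DKIM signature that validated.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "none"                     # no usable record: nothing to enforce
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:                 # one aligned pass is enough
        return "pass"
    # Failure: p= applies to the organisational domain itself, sp= (when
    # present) to its subdomains.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    if is_subdomain and "sp" in tags:
        return tags["sp"]
    return tags.get("p", "none")


if __name__ == "__main__":
    # Constructed scenario: a spoofed message claims From: example.com but was
    # sent through a server whose SPF only authenticates attacker.io.
    record = "v=DMARC1; p=reject; adkim=s; aspf=r"
    print("spoof   ->", dmarc_disposition(record, "example.com",
                                          spf_pass=True, spf_domain="attacker.io"))
    print("genuine ->", dmarc_disposition(record, "example.com",
                                          spf_pass=True, spf_domain="mail.example.com"))
```

Two things the example leaves out on purpose: the pct= tag, which lets an owner apply the policy to only a sample of failing mail, and the rua=/ruf= reporting addresses, which do not affect the disposition. Note also why spoofing fails in the scenario: the attacker's server can pass SPF for a domain it controls, but that domain is not aligned with the From domain the victim sees.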
Frequently Asked Questions
Does HTTPS on a phishing site mean it's safe?
No. HTTPS only encrypts the connection — it confirms you are talking to a server that holds a certificate for the domain in the address bar, not that the domain is legitimate. Phishing sites routinely use HTTPS and display a padlock. Always verify the full domain in the address bar, not just the presence of the padlock.
What is the single most effective defense against phishing?
Hardware security keys (FIDO2/WebAuthn). They are origin-bound — the cryptographic response is tied to the legitimate domain and will not work on a phishing site, even if the user is completely deceived. For accounts that support it, a hardware key makes credential phishing impossible regardless of how convincing the fake site is.