How phishing works
A phishing attack has three moving parts: a pretext (a believable reason to act), a lure (urgency, fear, or reward), and a payload (a fake login page, a malicious attachment, or a request to send money or codes). The attacker impersonates a trusted sender, creates pressure — “your account will be suspended,” “confirm this payment now” — and directs you to a page or action that hands them what they want. The more they know about you (often from breaches and data brokers), the more convincing the pretext.
The main types of phishing
- Email phishing. Mass, generic messages impersonating well-known brands.
- Spear phishing. Targeted messages tailored to a specific person using real details — your name, employer, or a recent purchase — making them far more convincing.
- Whaling. Spear phishing aimed at executives and other high-value targets.
- Smishing. Phishing via SMS text message (fake delivery notices, bank alerts).
- Vishing. Voice phishing over the phone, often impersonating support desks, banks, or government agencies.
- Clone phishing. A copy of a legitimate message you’ve seen before, with the links swapped for malicious ones.
How to spot a phishing attempt
Common tells include a sense of manufactured urgency, a mismatched or look-alike sender address, generic greetings, links whose real destination differs from the visible text, unexpected attachments, and any request for a password, one-time code, or payment. When a message pressures you to act right now, that pressure is itself the warning sign — legitimate organizations give you time and never ask for your full password or your two-factor code.
Rule of thumb: never enter credentials or codes by following a link in a message. Navigate to the site yourself, or call the organization back on a number you look up independently.