What Is Phishing?
Phishing is a type of cyberattack where an attacker impersonates a trusted entity to trick you into revealing sensitive information such as passwords, credit card numbers, or personal data. The name comes from the idea of "fishing" for victims -- casting out bait and waiting for someone to bite.
Phishing remains one of the most successful attack vectors because it targets human psychology rather than technical vulnerabilities. According to industry reports, over 90% of successful data breaches begin with a phishing attack. No amount of firewalls or antivirus software can protect you if you willingly hand over your credentials to an attacker.
Phishing exploits trust, urgency, and fear. Attackers craft messages that look legitimate and create scenarios where you feel pressured to act quickly -- before you have time to think critically about what you are doing.
Types of Phishing Attacks
Phishing comes in many forms, each tailored to different targets and communication channels. Understanding the varieties helps you recognize them regardless of how they arrive.
Email Phishing
The most common form. Attackers send mass emails that appear to come from legitimate organizations such as banks, online services, or government agencies. These emails typically contain a link to a fake website designed to harvest your credentials.
From: security@paypa1.com <-- Note: "paypa1" with number 1, not "paypal"
Subject: Your account has been limited
Dear Customer,
We have detected unusual activity on your account. Please verify
your identity immediately by clicking the link below or your
account will be permanently suspended within 24 hours.
[Verify Now] <-- Links to a fake website
Spear Phishing
Unlike mass email phishing, spear phishing targets a specific individual. The attacker researches the victim using social media, company websites, and public records to craft a highly personalized message. Because the email references real details about the victim's life or work, it is much more convincing.
Whaling
A form of spear phishing that targets high-value individuals such as CEOs, CFOs, and other senior executives. Whaling emails often impersonate business partners, board members, or legal authorities and involve large financial transactions or sensitive corporate data.
Smishing (SMS Phishing)
Phishing delivered via text message. Attackers send SMS messages claiming to be from your bank, a delivery service, or a government agency. The message usually contains a shortened URL that leads to a credential harvesting page.
Vishing (Voice Phishing)
Phishing conducted over the phone. An attacker calls pretending to be tech support, a bank representative, or a government official. They use urgency and authority to pressure you into providing personal information or granting remote access to your computer.
Attackers can make their phone number appear as any number they choose, including your bank's real number. Never trust a call solely because the caller ID looks legitimate. Hang up and call the organization back using the number on their official website.
Red Flags to Watch For
While phishing attacks are becoming more sophisticated, most still contain telltale signs that something is wrong. Train yourself to look for these indicators before taking any action.
- Urgency or threats -- "Your account will be closed in 24 hours" or "Immediate action required"
- Generic greetings -- "Dear Customer" or "Dear User" instead of your actual name
- Suspicious sender address -- The display name says "PayPal" but the email is from support@paypa1-secure.com
- Spelling and grammar errors -- Legitimate organizations proofread their communications
- Mismatched URLs -- The link text says one thing but the actual URL goes somewhere else
- Unexpected attachments -- Especially executable files (.exe, .scr) or Office documents with macros
- Requests for sensitive information -- Legitimate companies never ask for passwords via email
- Too good to be true -- Prize winnings, unexpected refunds, or free gifts from unknown sources
Examining Email Headers
Email headers contain technical metadata that reveals the true origin of a message. While the "From" field can be easily spoofed, the headers tell a more complete story. Learning to read them is a powerful skill for identifying phishing.
How to View Headers
Most email clients let you view the full message headers. In Gmail, click the three dots next to the reply button and select "Show original." In Outlook, open the message properties. In Thunderbird, go to View, then Message Source.
What to Look For
Return-Path: <bounce@suspicious-domain.xyz> <-- Does not match the "From" address
Received: from mail.suspicious-domain.xyz
(unknown [185.234.xx.xx]) <-- Unfamiliar sending server
Authentication-Results:
spf=fail <-- SPF check failed
dkim=none <-- No DKIM signature
dmarc=fail <-- DMARC check failed
These are email authentication protocols. SPF checks that the sending server is authorized by the sender's domain, DKIM attaches a cryptographic signature that the receiving server verifies, and DMARC ties them together with a policy published by the owner of the "From" domain. If any of these show "fail" or "none," the email may not be from whom it claims to be.
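Added example, not from the original article: a small Python checker that reads a raw message and flags the header signs described above (Return-Path not matching From, and SPF, DKIM or DMARC results other than "pass"). The sample message, its .example domains and its IP address are constructed placeholders.

```python
from email import message_from_string, utils
import re

# Constructed sample headers (not a real message); domains use the reserved
# .example TLD and the IP is from the TEST-NET range.
SAMPLE = """\
Return-Path: <bounce@suspicious-domain.example>
Received: from mail.suspicious-domain.example (unknown [192.0.2.10])
Authentication-Results: mx.recipient.example;
 spf=fail smtp.mailfrom=suspicious-domain.example;
 dkim=none;
 dmarc=fail header.from=paypal.example
From: "PayPal" <security@paypal.example>
Subject: Your account has been limited

Dear Customer, we have detected unusual activity on your account.
"""

def domain_of(addr):
    """Lowercase domain part of an address header value, or '' if none."""
    _, mailbox = utils.parseaddr(addr or "")
    return mailbox.rpartition("@")[2].lower()

def analyze_headers(raw):
    """Return the red flags found in a raw RFC 5322 message's headers."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    # The visible From is easy to forge; the bounce address often is not.
    if rp_dom and from_dom and rp_dom != from_dom:
        flags.append(f"Return-Path domain {rp_dom} does not match From domain {from_dom}")
    # Folded header lines are joined so a result split over lines still matches.
    results = " ".join(msg.get_all("Authentication-Results", []))
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", results)
        verdict = m.group(1).lower() if m else "missing"
        if verdict != "pass":
            flags.append(f"{method} result is '{verdict}'")
    return flags

if __name__ == "__main__":
    for flag in analyze_headers(SAMPLE):
        print("RED FLAG:", flag)
```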
Checking URLs Before Clicking
The most dangerous part of a phishing email is usually the link. Before clicking any link in an email or message, take a moment to verify where it actually goes.
Hover Before You Click
On a desktop, hover your mouse over the link without clicking. Your email client or browser will show the actual URL in the bottom-left corner of the window or in a tooltip. Compare the displayed URL with what the link text claims.
Common URL Tricks
- Lookalike domains -- paypa1.com (number 1 instead of letter l), g00gle.com (zeros instead of o's)
- Subdomain tricks -- paypal.com.attacker-site.com -- the real domain is attacker-site.com
- URL shorteners -- bit.ly/xyz123 hides the true destination
- Encoded characters -- %70%61%79 in the URL to obscure the domain name
- Homograph attacks -- Using characters from other alphabets that look identical to Latin letters (e.g., Cyrillic "a" instead of Latin "a")
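Added example, not from the original article: a Python function that inspects a URL's host for each of the tricks listed above. The brand allow-list, shortener list and attacker-site.example placeholder are constructed assumptions, and the two-label registrable-domain rule is a deliberate simplification.

```python
from urllib.parse import urlsplit, unquote
import unicodedata

TRUSTED_DOMAINS = {"paypal.com", "google.com"}   # constructed allow-list of brands to protect
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}    # well-known URL shortener hosts
# Digits attackers substitute for the letters they resemble.
CONFUSABLE_DIGITS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def registrable_domain(host):
    """Last two labels of the host (toy rule; real code would use the Public Suffix List)."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def check_url(url):
    """Return a list of warnings for a URL; an empty list means no trick was detected."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the host
    raw_host = urlsplit(url).hostname or ""
    host = unquote(raw_host).lower()
    warnings = []
    if host != raw_host.lower():
        warnings.append("percent-encoded characters hide part of the host name")
    if not host.isascii():
        names = sorted({unicodedata.name(c, "?") for c in host if not c.isascii()})
        warnings.append(f"non-ASCII characters in host ({', '.join(names)}); possible homograph")
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        warnings.append(f"{reg} is a URL shortener that hides the true destination")
    for brand in TRUSTED_DOMAINS:
        if reg == brand:
            continue                   # host really belongs to the brand
        if brand in host:
            warnings.append(f"'{brand}' appears inside the host but the real domain is {reg}")
        elif reg.translate(CONFUSABLE_DIGITS) == brand:
            warnings.append(f"{reg} is a digit-for-letter look-alike of {brand}")
    return warnings

if __name__ == "__main__":
    # Constructed test URLs; attacker-site.example is a placeholder.
    for u in ("https://www.paypal.com/signin", "http://paypa1.com/verify",
              "https://paypal.com.attacker-site.example/login", "https://bit.ly/xyz123",
              "http://%70%61%79pal.com/", "https://p\u0430ypal.com/"):
        print(u, "->", check_url(u) or ["looks consistent"])
```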
If an email asks you to log in to your bank or any other service, do not click the link. Open your browser, type the website address manually, and log in from there. This eliminates the risk of being redirected to a phishing page entirely.
What to Do If You Clicked a Phishing Link
If you realize you have clicked a phishing link or entered your credentials on a suspicious site, act quickly. The faster you respond, the more damage you can prevent.
- Change your password immediately -- Go directly to the real website and change the password for the affected account
- Enable two-factor authentication -- If not already enabled, set it up now to prevent unauthorized access even with stolen credentials
- Check for unauthorized activity -- Review recent login history, transactions, and account changes
- Scan your device -- Run a full antivirus scan in case the phishing site delivered malware
- Monitor your accounts -- Watch for unusual activity over the following weeks
- Change passwords on other accounts -- If you reused the same password elsewhere, change those too
Attackers often do not use stolen credentials immediately. If you change your password within minutes of entering it on a phishing site, you may prevent the attacker from ever accessing your account.
Reporting Phishing
Reporting phishing helps protect others and helps organizations take down fraudulent sites. Every report contributes to the collective defense against these attacks.
- Report to your email provider -- Most providers have a "Report phishing" button that helps train their spam filters
- Report to the impersonated organization -- Forward the phishing email to the real company (many have a dedicated address like phishing@company.com)
- Report to national authorities -- In the US, forward to the Anti-Phishing Working Group at reportphishing@apwg.org or file with the FTC
- Report to your IT department -- If it happened at work, notify your security team immediately so they can warn others
- Report the phishing URL -- Use Google Safe Browsing or PhishTank to report the malicious URL
Summary
Phishing is the most common and often the most effective cyberattack because it targets people rather than technology. Defending yourself requires awareness and healthy skepticism.
- Phishing uses impersonation to trick you into revealing sensitive information
- It comes in many forms -- email, SMS, phone calls, and targeted attacks against specific individuals
- Red flags include urgency, generic greetings, mismatched URLs, and requests for sensitive data
- Email headers reveal the true origin of messages and whether authentication checks passed
- Always verify URLs by hovering before clicking, and navigate manually when in doubt
- If you fall for phishing, change passwords immediately, enable 2FA, and monitor your accounts
- Report phishing to your email provider, the impersonated organization, and relevant authorities
The best defense against phishing is a habit of pausing before acting on any unexpected message. Take five seconds to verify the sender, check the URL, and ask yourself whether the request makes sense. That brief pause can save you from a major security incident.