What Is Phishing and How Does It Work?

Published: 05 January 2026 10 min read By ScanTotal Security Team
Last reviewed: 4 May 2026 by Kumari Rajapaksha, Founder, ScanTotal

I almost fell for one last year. An email from what looked like my bank - right logo, professional tone, even a reference number. It said there was suspicious activity on my account. I was halfway through typing my password before I noticed the URL was slightly off. That moment of realisation was genuinely unsettling. And I work in this space - imagine how effective it is against someone who doesn't.

That's phishing. It's not some sophisticated hack, just deception, and it works disturbingly well. It's been the most common cyberattack for years running, and honestly, it's only getting harder to spot. Here's what you need to know.

What Is Phishing?

Phishing is a type of cyberattack where someone pretends to be a trusted entity, like a bank, tech company, employer, or government agency, to trick you into revealing sensitive information. This could be your passwords, credit card numbers, Social Security number, or other personal data.

The name "phishing" is a play on the word "fishing." Attackers cast out bait (a fake message) and wait for someone to bite (click a link or share information). The "ph" spelling comes from early hacker culture, where replacing "f" with "ph" was common.

Phishing can happen through email (the most common), text messages (called "smishing"), phone calls (called "vishing"), social media messages, and even fake websites that appear in search results.

How a Phishing Attack Works, Step by Step

Understanding the anatomy of a phishing attack helps you recognize and avoid them. Here's how a typical attack unfolds:

[Figure: Anatomy of a phishing email. A mock-up email with five red-flag callouts: sender spoof (support@paypa1.com, a "1" instead of an "l"), manufactured urgency ("URGENT: Account will be closed in 24 hours"), generic greeting ("Dear Customer"), spelling and tone errors ("immediatly"), and a mismatched link (paypa1-secure-verify.tk, a .tk domain the real PayPal never uses).]
Five red flags in a single phishing email. Real attacks rarely show all five at once; even one or two of these should be enough to delete and report.

Step 1: The attacker creates the bait. They design a fake email or message that closely mimics a legitimate company. They copy the company's logo, color scheme, and writing style. They create a fake website that looks almost identical to the real one. Modern phishing pages are incredibly convincing; some are pixel-perfect replicas.

Step 2: The message is sent to potential victims. The attacker sends the fake message to thousands or even millions of email addresses. The message usually claims something urgent: your account has been compromised, a payment has failed, a package can't be delivered, or you need to verify your information.

Step 3: The victim takes the bait. When someone clicks the link, they're taken to a fake website that looks exactly like the real company's login page. The victim enters their username and password, thinking they're logging into their real account.

Step 4: The attacker captures the information. The fake website records everything the victim enters and sends it to the attacker. The victim is usually then redirected to the real website, so they don't realize anything happened. Meanwhile, the attacker now has their login credentials.

Step 5: The attacker uses the stolen information. With the victim's credentials, the attacker can access their accounts, steal money, make fraudulent purchases, steal personal data, or use the compromised account to launch more attacks.


Types of Phishing Attacks

Not all phishing is the same. Attackers have developed several variations, each with different tactics:

Email phishing is the classic form. Mass emails are sent to large numbers of people, hoping a percentage will fall for it. These typically impersonate well-known companies like banks, Amazon, PayPal, Netflix, or Microsoft. The emails contain links to fake login pages designed to steal credentials.

Spear phishing is targeted phishing aimed at a specific person or organization. Unlike mass phishing, the attacker researches their target and crafts a personalized message. For example, they might reference your actual job title, a project you're working on, or your manager's name. This makes the message far more convincing and harder to detect.

Whaling targets high-value individuals like CEOs, CFOs, and other executives. These attacks are carefully crafted and often involve large financial transfers or access to sensitive company data. A "whale" is a big catch for the attacker.

Smishing (SMS phishing) uses text messages instead of email. You might receive a text claiming to be from your bank, a delivery service, or a government agency, with a link to a fake website. Smishing has exploded in recent years because people tend to trust text messages more than emails. We cover how to identify scam text messages in a separate guide.

Vishing (voice phishing) uses phone calls. A scammer calls pretending to be from your bank, the IRS, tech support, or another trusted organization. They try to get you to share information or grant them remote access to your computer over the phone.

Clone phishing takes a legitimate email you've actually received and creates a near-identical copy, but replaces the links or attachments with malicious ones. Because the email looks like something you've already seen and trusted, it's particularly effective.

Real-World Examples of Phishing

These are actual patterns I've seen come through our scanner - and some of them are worryingly convincing:

⚠️ Fake bank alert

"ALERT: Your Chase account has been suspended due to unusual activity. Click here to verify your identity and restore access: http://chase-security.tk/verify"

⚠️ Fake subscription renewal

"Your Netflix subscription has been suspended because we could not validate your billing information. Update your payment method within 24 hours to avoid service interruption."

⚠️ Fake IT department email

"Hi [Name], your company email password expires today. Click the link below to keep your current password: http://company-portal.xyz/reset"

Notice the common patterns: urgency, a threat of losing access, and a link to a suspicious domain.

How to Spot a Phishing Attempt

Here are the most reliable ways to identify phishing:

Check the sender's email address carefully. The display name might say "PayPal" but the actual email address could be something like support@paypa1-secure.com. Always look at the full email address, not just the name shown.

Hover over links before clicking. On a computer, hover your mouse over any link to see the actual URL it points to. If it doesn't match the company's official website (like paypal.com), don't click it. On a phone, long-press the link to preview the URL.

Look for urgency and threats. Legitimate companies don't threaten to close your account or take legal action if you don't click a link within hours. Urgency is the number one psychological tool phishers use.

Check for generic greetings. Phishing emails often use "Dear Customer" or "Dear User" instead of your actual name, because they're sent to thousands of people at once.

Look for spelling and grammar errors. While phishing is getting more professional, many attempts still contain awkward phrasing, spelling mistakes, or grammatical errors that a legitimate company wouldn't have in official communications.

Be suspicious of attachments. Unexpected attachments, especially .exe, .zip, .js, or macro-enabled Office files, can contain malware. If you weren't expecting a file, don't open it.
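As an added example (not code from ScanTotal's scanner), here are the sender, link, urgency and greeting checks above written as a small Python checker that runs over a constructed copy of the mock-up email shown earlier on this page. The brand-to-domain table and the confusable-character map are assumptions made for the illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed brand-to-domain table for this illustration; a real checker would carry many more.
KNOWN_BRANDS = {"paypal": "paypal.com", "chase": "chase.com", "netflix": "netflix.com"}
# Digits attackers swap in for look-alike letters (paypa1.com vs paypal.com).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
URGENCY = re.compile(r"\b(urgent|immediately|immediatly|suspended|closed|within \d+ hours)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (customer|user|member)\b", re.I)

def registrable_domain(host):
    """Last two labels of a hostname (crude: ignores public suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def brand_in(text):
    """Which known brand a display name or address claims to be, if any."""
    return next((b for b in KNOWN_BRANDS if b in text.lower()), None)

def analyze(from_header, subject, body, links):
    """Return the red flags found in one message as a list of short strings."""
    flags = []
    display, addr = parseaddr(from_header)  # display name vs the real address
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    expected = KNOWN_BRANDS.get(brand_in(display) or brand_in(addr) or "")
    if expected and sender_domain != expected:
        if sender_domain.translate(CONFUSABLES) == expected:
            flags.append(f"lookalike sender domain {sender_domain} (confusable for {expected})")
        else:
            flags.append(f"sender domain {sender_domain} does not match {expected}")
    for link in links:  # the URL the link really points to, as seen on hover
        link_domain = registrable_domain(urlsplit(link).hostname or "")
        if expected and link_domain != expected:
            flags.append(f"link goes to {link_domain}, not {expected}")
    if URGENCY.search(subject + " " + body):
        flags.append("manufactured urgency")
    if GENERIC_GREETING.search(body):
        flags.append("generic greeting")
    return flags

# Constructed copy of the mock-up email in the figure on this page.
SAMPLE = dict(
    from_header="PayPal Support <support@paypa1.com>",
    subject="URGENT: Account will be closed in 24 hours",
    body="Dear Customer, Your account has been temporarily limited. Verify your information immediatly.",
    links=["http://paypa1-secure-verify.tk/login"],
)
```

Calling `analyze(**SAMPLE)` reports all four flags for the sample; a genuine message from paypal.com with a personal greeting and a link to www.paypal.com produces none.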


How to Protect Yourself from Phishing

This is the single most important habit you can build: never click links in unexpected messages. If your "bank" emails you about a problem, ignore the link entirely. Open a new browser tab, type the bank's URL yourself, and log in that way. It takes ten extra seconds and it defeats almost every phishing attempt.

Turn on two-factor authentication (2FA). Everywhere. I cannot stress this enough - even if someone gets your password through a phishing page, they still can't get into your account without that second code from your phone. It's the closest thing to a silver bullet in cybersecurity.

Use a password manager. Password managers only auto-fill credentials on the correct website. If you're on a fake PayPal site, your password manager won't suggest your PayPal password, which is a strong signal that something is wrong.

Keep your browser updated. Modern browsers include anti-phishing features that warn you when you're about to visit a known phishing site. These protections only work if your browser is up to date.

Report phishing attempts. Forward phishing emails to the company being impersonated and to reportphishing@apwg.org. Report phishing texts by forwarding to 7726 (SPAM). Reporting helps protect others from the same attack.

What to Do If You Fell for a Phishing Attack

If you entered information on a phishing site, act immediately. Change the password for the affected account right away, and any other accounts where you used the same password. Enable two-factor authentication if you haven't already. Check for unauthorized transactions if financial accounts are involved. Contact your bank if you shared financial information. Monitor your accounts closely for the next few weeks. Consider placing a fraud alert on your credit report.

Don't feel embarrassed: phishing attacks are designed by professionals to be convincing. Even cybersecurity experts have fallen for well-crafted phishing attempts. What matters is acting quickly to minimize the damage.

Frequently Asked Questions

What happens if I click a phishing link?

Clicking a phishing link usually takes you to a fake website designed to steal your credentials. If you entered information, change those passwords immediately. If you only clicked but didn't enter anything, the risk is lower, but run a security scan on your device.

How can I tell if an email is a phishing attempt?

Check the sender's actual email address (not the display name), look for urgency and threats, check for generic greetings, hover over links to see real URLs, and look for spelling/grammar errors.

Can phishing happen through text messages?

Yes, phishing through text messages is called "smishing." Scammers send fake texts with links to fake websites. You can check suspicious texts with ScanTotal's SMS Scam Analyzer.

Why is it called phishing?

The term is a play on "fishing": attackers cast bait hoping someone will bite. The "ph" spelling comes from early hacker culture, where replacing "f" with "ph" was common.

The Bottom Line

Here's the uncomfortable truth: phishing works because it exploits trust, not technology. No firewall or antivirus can fully protect you from voluntarily typing your password into a fake site. But the good news? Once you've seen the playbook (urgency, suspicious links, requests for information), you start spotting these attempts almost instinctively. The habit of pausing for five seconds before clicking any link will protect you more than any software ever could.
