🟢 Beginner Summary

Phishing is when an attacker pretends to be someone you trust — your bank, Google, a colleague — to trick you into handing over passwords or financial details, or into clicking a malicious link. It's the most common cyberattack in the world, and it works because it targets humans, not computers.

Table of Contents

  1. What is phishing and why does it work?
  2. Types of phishing attacks
  3. A real phishing email, broken down
  4. Red flags to spot every time
  5. What to do if you receive a suspicious message
  6. What to do if you already clicked
  7. FAQ

What is Phishing and Why Does It Work?

The term "phishing" comes from "fishing" — attackers cast out bait (a fake email or message) and wait for victims to bite. It's been around since the 1990s and remains the most effective hacking technique precisely because it targets psychology, not software.

Here's the uncomfortable truth: even technically sophisticated people get phished. Security researchers, IT professionals, and executives have all fallen for well-crafted attacks. Not because they're stupid — but because the best phishing attacks are genuinely convincing, and they exploit moments of distraction or stress.

Phishing exploits three fundamental human tendencies:

  • Trust in authority — we comply with messages that appear to come from banks, Google, or our bosses
  • Fear and urgency — "Your account will be suspended in 24 hours" makes people act without thinking
  • Helpfulness — we want to help colleagues who seem to be in trouble

Types of Phishing Attacks

Email Phishing (Most Common)

Mass emails sent to thousands of people simultaneously. They're often imperfect but effective at scale. Even a 0.1% success rate on a million emails is 1,000 compromised accounts.

Spear Phishing (Most Dangerous)

Targeted attacks customized for a specific person or organization. The attacker researches you first — your name, your colleagues, your projects — and crafts a message that looks entirely legitimate. These are extremely effective and often used against businesses and executives.

Smishing (SMS Phishing)

The same concept via text message. "Your package could not be delivered. Click here to reschedule." Or "Suspicious activity on your account — verify now." SMS feels more personal and urgent than email, which is why it works.

Vishing (Voice Phishing)

Phone calls from fake "tech support," "bank fraud departments," or "government agencies." The caller uses authority and urgency to pressure victims into providing information or installing remote-access software.

Clone Phishing

Attackers take a legitimate email you've previously received, clone it, change one link to a malicious one, and resend it as a "resent" or "updated" version. Because the email looks familiar, people trust it.

A Real Phishing Email, Broken Down

Here's what a typical phishing email looks like. Let's dissect it:

Simulated phishing email — for educational purposes

From: security-alert@g00gle-account.com ← FAKE DOMAIN

Subject: ⚠️ Your Google Account Was Accessed From a New Device

Hi [Your Name],

We detected a sign-in to your Google account from an unrecognized device in Russia. If this wasn't you, your account may be compromised.

To secure your account immediately, click the link below within 24 hours or your account will be suspended:

https://accounts-google-verify.xyz/secure ← MALICIOUS LINK

What makes this convincing:

  • It creates fear (your account was accessed without permission)
  • It creates urgency (24 hours or suspension)
  • It uses authority (pretends to be Google)
  • It sounds official with technical-sounding language

What gives it away:

  • The email domain is g00gle-account.com — not google.com
  • The link goes to accounts-google-verify.xyz — not a Google domain
  • Google doesn't threaten to suspend accounts like this
  • Hover over any link before clicking — the real URL shows at the bottom of your browser

Red Flags to Spot Every Time

🔵 Your Phishing Checklist

  • Check the sender's email address — not the name, the actual address. Does it end in the real company domain?
  • Hover over links before clicking — the real URL appears at the bottom of your screen. Does it match where it claims to go?
  • Question urgency โ€” real companies rarely threaten immediate suspension or demand action within hours
  • Watch for generic greetings โ€” "Dear Customer" instead of your name suggests a mass email
  • Look for spelling and grammar errors โ€” though sophisticated attacks are now error-free
  • Be suspicious of unexpected attachments โ€” especially .zip, .exe, .docm files
  • When in doubt, go directly โ€” don't click the link; instead, open your browser and navigate to the site manually
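The first four checks in the list above (sender domain, link target, urgency wording, generic greeting), run over a constructed copy of the simulated email from the previous section. This is an added example, not code from the original article; BRAND_DOMAINS, the digit-for-letter lookalike map and the urgency phrases are assumptions chosen for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the simulated email above (not a real message).
PHISH = """\
From: Google Security <security-alert@g00gle-account.com>
To: someone@example.com
Subject: Your Google Account Was Accessed From a New Device

Hi there,

We detected a sign-in to your Google account from an unrecognized device.
To secure your account immediately, click the link below within 24 hours
or your account will be suspended:

https://accounts-google-verify.xyz/secure
"""

# Assumption: the domains the impersonated brand genuinely sends from and links to.
BRAND_DOMAINS = {"google": {"google.com"}}
LOOKALIKES = str.maketrans("0135", "oles")   # undo digit-for-letter swaps: g00gle -> google
URGENCY = re.compile(r"within \d+ hours|will be suspended|verify now|immediately", re.I)
GENERIC_GREETING = re.compile(r"^(hi|hello|dear)\s+(there|customer|user|member)\b", re.I)

def registrable_domain(host):
    """Reduce a hostname to its last two labels: accounts.google.com -> google.com."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def analyze(raw):
    """Return the red flags found in a raw RFC 822 message, in checklist order."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    sender = registrable_domain(parseaddr(str(msg["From"]))[1].rpartition("@")[2])
    links = [registrable_domain(urlparse(u).hostname or "")
             for u in re.findall(r"https?://\S+", body)]
    flags = []
    for brand, genuine in BRAND_DOMAINS.items():
        for dom in [sender] + links:
            # A domain that mentions the brand (after undoing lookalike digits) but is not genuine.
            if brand in dom.translate(LOOKALIKES) and dom not in genuine:
                flags.append(f"lookalike {brand} domain: {dom}")
    if URGENCY.search(body):
        flags.append("urgency language in body")
    if GENERIC_GREETING.match(body.strip()):
        flags.append("generic greeting")
    return flags

if __name__ == "__main__":
    for flag in analyze(PHISH):
        print("RED FLAG:", flag)
```

A genuine message from accounts.google.com linking to myaccount.google.com reduces to google.com at both places and produces no flags, which is the whole point of comparing registrable domains rather than display names.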

What to Do If You Receive a Suspicious Message

  1. Do not click any links or download attachments.
  2. Check the sender address carefully.
  3. If it claims to be from a company you use, go directly to that company's website (type it manually) and log in to check for any alerts.
  4. If it claims to be from a colleague, contact them through a separate channel (call or text) to verify.
  5. Report the email to your email provider (Gmail and Outlook both have "Report phishing" buttons).
  6. Delete it.

What to Do If You Already Clicked

Don't panic — but act fast.

  1. Change your password immediately for that account and any account sharing the same password
  2. Enable two-factor authentication if you haven't already
  3. Check your account activity for anything suspicious
  4. Disconnect from Wi-Fi temporarily if you think malware was installed
  5. Run antivirus software
  6. Notify your bank if financial information may have been exposed
  7. Check if your email has been compromised — read: How to Check if Your Email is Hacked

FAQ

Can I get hacked just by opening an email?

Opening a plain text email is generally safe. The danger comes from clicking links, downloading attachments, or loading images (which can track you and sometimes execute scripts). Using an email client that blocks remote images adds an extra layer of protection.

Are phishing attacks illegal?

Yes — phishing is illegal under computer fraud laws in virtually every country. However, many attackers operate from jurisdictions where enforcement is difficult.

My email says it was from someone I know — is it definitely safe?

Not necessarily. Attackers can spoof email addresses to make messages look like they come from people you trust. If a message from a known contact asks you to do something unusual, verify it by calling them directly.
