How Phishing Actually Works and How to Spot It
Cybersecurity • Updated • 9 min read

Phishing isn't just bad grammar in a Nigerian prince email anymore. AI-generated phishing is personalized, grammatically perfect, and harder to spot than ever.

Most people picture phishing as a badly written email from a Nigerian prince. That mental model is about fifteen years out of date, and it's getting people breached. Phishing isn't a technology attack. It's a social engineering attack — someone manipulating you into doing something you wouldn't do if you had all the information. The technology is just the delivery vehicle.

According to the 2024 Verizon Data Breach Investigations Report, 74% of all data breaches involve the human element — social engineering, errors, or misuse. Not zero-day exploits. Not sophisticated nation-state hackers. People clicking things they shouldn't click, because someone made the wrong action look like the right one.

Understanding how phishing actually works is the single most effective thing you can do to protect your business. Not buying another security product. Understanding the mechanics of deception.

Phishing is social engineering, not hacking

There's a persistent misconception that phishing is a technical exploit — something that happens because your firewall has a gap or your antivirus is outdated. It isn't. Phishing bypasses all of that by targeting the one system you can't patch: human decision-making.

A phishing attack works by creating a scenario where the victim believes they're taking a normal, expected action. Clicking a link from their bank. Opening an attachment from their boss. Entering credentials on what looks like a login page. The technology behind the attack can be trivially simple. The psychology behind it is not.

This is why foundational security practices matter more than expensive tools. The best firewall in the world doesn't help when someone on your team hands over credentials voluntarily because they thought they were logging into Microsoft 365.

[Image: Close-up of a fishing hook partially submerged in clear water, refracting light — representing the hidden mechanics behind phishing attacks]
Phishing works because the hook is invisible. The email looks normal. The link looks legitimate. The urgency feels real.

The types of phishing you'll actually encounter

Phishing isn't one thing. It's a category of attacks that share the same principle — impersonation and manipulation — but use different delivery methods and levels of targeting.

Email phishing

The most common form. Bulk emails impersonating trusted brands — your bank, a shipping company, a SaaS product you use. These cast a wide net. The attacker doesn't know who you are specifically. They know that if they send 100,000 emails pretending to be FedEx during the holidays, a predictable percentage of people will click.

Spear phishing

Targeted email phishing aimed at a specific person, using information gathered about them — their name, role, company, recent activity. "Hi Sarah, here's the Q3 report Jim mentioned in this morning's standup." It works because it references real context. The FBI's Internet Crime Complaint Center reports that business email compromise (BEC), which relies heavily on spear phishing, accounted for $2.77 billion in losses in 2023 — more than any other category of cybercrime.

Vishing (voice phishing)

Phishing over the phone. A caller impersonates your bank, the IRS, your IT department, or a vendor. They create urgency — "your account has been compromised, we need to verify your identity immediately" — and walk you through handing over credentials or authorizing a transfer. Vishing has seen a 442% increase in volume, partly because AI-generated voice cloning has made impersonation dramatically more convincing.

Smishing (SMS phishing)

Phishing via text message. "Your package couldn't be delivered. Click here to reschedule." "Unusual login detected on your account. Verify now." Text messages have higher open rates than email — most people read every text they receive — and the small screen makes it harder to inspect URLs before tapping.

[Image: Macro shot of a smartphone screen showing a text message notification, with the URL partially visible and truncated by the display]
Smishing exploits the fact that mobile screens truncate URLs and people rarely pause to inspect a text message.

How to spot phishing — the practical checklist

These are the specific things to check every time something feels even slightly off. Build these into habit and you'll catch the vast majority of phishing attempts.

Check the sender address, not the display name

Display names are trivially easy to fake. An email can say "Chase Bank" or "Your IT Department" in the from field while actually coming from an address at an unrelated domain. Always expand the sender details and read the actual email address. If the domain doesn't match the organization it claims to be from, that's your answer.

Hover over links before clicking

On desktop, hovering over a link shows you the actual destination URL in the bottom-left corner of your browser or email client. Does it go where the text says it goes? A link labeled "Sign in to your account" that points to https://login-microsft-verify.com/auth is not going to Microsoft. On mobile, long-press to preview the URL instead of tapping.
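The two checks above (sender domain versus display name, and visible link text versus real destination) are mechanical enough to automate. The following is an added example, not code from the original article: it parses a constructed sample message with Python's standard library, flags a display name that invokes a brand the sending domain doesn't belong to, flags credential links that don't land on that brand's domains, and catches one-letter lookalike labels such as the "microsft" in the URL above. The brand allow-list, the sender address and the sample message are all assumptions made up for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration; the sender address is a placeholder
# and the first link target is the lookalike domain quoted in the checklist.
SAMPLE_EMAIL = """\
From: "Microsoft Account Team" <alerts@mail-notify.example>
To: sarah@example.com
Subject: Unusual sign-in activity
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected an unusual sign-in. Please
<a href="https://login-microsft-verify.com/auth">Sign in to your account</a>
within 24 hours.</p>
<p>Or visit <a href="https://account.microsoft.com/">account.microsoft.com</a>.</p>
</body></html>
"""

# Brands and the domains that legitimately send mail or host logins for them
# (assumed allow-list for this example; a real deployment maintains its own).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com"},
    "chase": {"chase.com"},
}
CREDENTIAL_WORDS = ("sign in", "log in", "login", "verify", "password")


def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for the .com-style hosts used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter lookalikes like 'microsft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def claimed_brands(display_name):
    """Brands the display name invokes ('Microsoft Account Team' -> ['microsoft'])."""
    return [b for b in BRAND_DOMAINS if b in display_name.lower()]


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_sender(from_header):
    """'Check the sender address, not the display name': flag a brand in the
    display name whose allow-list does not include the real sending domain."""
    display, addr = parseaddr(from_header)
    domain = registered_domain(addr.partition("@")[2])
    return [f"display name claims '{b}' but address domain is {domain}"
            for b in claimed_brands(display) if domain not in BRAND_DOMAINS[b]]


def check_links(html, brands):
    """'Hover over links before clicking': compare each link's visible text and
    purpose with where its href actually goes."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        host = (urlparse(href).hostname or "").lower()
        target = registered_domain(host)
        lowered = text.lower()
        # Visible text that is itself a hostname must match the real target.
        if "." in lowered and " " not in lowered and registered_domain(lowered) != target:
            findings.append(f"link text '{text}' but href goes to {host}")
        # A sign-in/verify link for the claimed brand must land on that brand's domain.
        if any(w in lowered for w in CREDENTIAL_WORDS) and brands \
                and not any(target in BRAND_DOMAINS[b] for b in brands):
            findings.append(f"credential link '{text}' goes to {host}, not a {'/'.join(brands)} domain")
        # Hostname labels one edit away from a brand name are lookalikes.
        for label in re.split(r"[.\-]", host):
            for b in BRAND_DOMAINS:
                if label != b and edit_distance(label, b) == 1:
                    findings.append(f"lookalike label '{label}' resembles '{b}' in {host}")
    return findings


def analyze(raw):
    """Run both checks over a raw RFC 5322 message and return all findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    from_header = str(msg["From"])
    findings = check_sender(from_header)
    findings += check_links(html, claimed_brands(parseaddr(from_header)[0]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run against the sample it produces three flags: the sender domain, the sign-in link, and the lookalike label. The second link, whose visible text and destination agree, produces none, which is the point: the check is "does the text match the target", not "does the link look scary".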

Watch for urgency and pressure

Phishing relies on getting you to act before you think. "Your account will be suspended in 24 hours." "Immediate action required." "You have an outstanding balance that must be resolved today." Legitimate organizations almost never require immediate action via email. If something feels urgent, that urgency itself is the red flag.

Verify through a separate channel

If you get an email from your CEO asking you to wire money, call your CEO. Not using the phone number in the email — using the number you already have. If your bank sends you a suspicious-looking security alert, open a new browser tab and go to your bank's website directly. Never follow the link in the message. This single habit defeats almost every phishing attack.

Look for mismatches

Phishing emails often get close but not perfect. The logo is slightly wrong. The email references a product you don't use. The tone doesn't match how that person normally writes. Your legal name is missing or wrong. These small inconsistencies are signals. Trust your instinct when something feels off, then verify.

Before AI vs. now with AI

Before AI

Phishing emails were largely template-based. Attackers would create one email, translate it poorly into multiple languages, and blast it to millions of addresses. The tells were obvious: broken grammar, generic greetings ("Dear Valued Customer"), mismatched branding, implausible scenarios. Most people could spot them by feel. Security awareness training focused on "look for typos and bad grammar," and that advice actually worked reasonably well.

Now with AI

That advice is dangerously outdated. Researchers at Abnormal Security found that 82.6% of phishing emails are now AI-generated — grammatically perfect, contextually appropriate, and personalized at scale. An attacker can scrape your LinkedIn profile, your company's About page, and your recent press releases, then feed that context to a language model that generates a spear phishing email indistinguishable from something your actual colleague would write.

Voice cloning has lowered the barrier for vishing to near-zero. A three-second audio clip from a conference talk, podcast appearance, or even a voicemail greeting is enough to generate a convincing voice clone. The 442% increase in vishing attacks correlates directly with the accessibility of this technology.

Deepfake video calls have already been used in high-profile BEC attacks. In early 2024, a finance worker at a multinational was tricked into transferring $25 million after a video call with what appeared to be their CFO and several colleagues — all AI-generated in real time.

The old heuristics — bad grammar, generic content, obviously spoofed branding — no longer reliably identify phishing. The new defense is procedural: verify through separate channels, check actual sender addresses and URLs, and never let urgency override verification. The mechanics of detection have shifted from "does this look wrong" to "am I following the process regardless of how right this looks."

[Image: Split-screen comparison showing a crude pixelated email template on the left and a polished, personalized message on the right — illustrating the evolution of phishing sophistication]
The shift from template phishing to AI-generated phishing means grammar and spelling are no longer reliable detection signals.

What to do when you receive a suspected phishing message

  1. Don't click anything. Don't open attachments. Don't reply. Don't forward it to your team to ask "is this real?" (forwarding can spread the threat).
  2. Verify through a separate channel. If it claims to be from a colleague, call them. If it claims to be from a vendor, go to their website directly. Never use contact information provided in the suspicious message itself.
  3. Report it. Most email clients have a "Report Phishing" option. If your company uses a security tool, use its reporting mechanism. This feeds threat intelligence and protects others on the same mail system.
  4. Delete it. Once reported, delete the message. Don't keep it in your inbox where you might accidentally interact with it later.

What to do if you already clicked

Don't panic, but move quickly. The window between clicking and the attacker exploiting your credentials is often short.

  1. Change the password immediately — for the account you entered credentials into, and for any other account where you use the same password. This is why unique passwords per service matter.
  2. Enable multi-factor authentication if it isn't already on. If it is, check your account's active sessions and revoke any you don't recognize.
  3. Notify your IT team or security contact. They can check for unauthorized access, lock compromised accounts, and monitor for lateral movement. Telling them early limits damage. Telling them late multiplies it.
  4. Monitor your accounts for unusual activity over the following weeks — unexpected password reset emails, login notifications from unfamiliar locations, transactions you didn't initiate.
  5. Run a malware scan if you opened an attachment. Some phishing payloads install keyloggers or remote access tools that persist after the initial interaction.

The instinct to feel embarrassed about falling for phishing is strong and counterproductive. The 74% statistic from Verizon's report means this happens to experienced, intelligent people across every industry. Reporting quickly is more valuable than catching it in the first place.

Building organizational habits that actually work

Individual awareness is necessary but not sufficient. If you run a team, these structural changes reduce phishing risk more than any annual training module:

  • Establish verification procedures for financial actions. Any wire transfer, vendor payment change, or credential handoff requires voice confirmation through a pre-established phone number. No exceptions, no matter who's asking or how urgent it feels.
  • Implement proper email authentication. SPF, DKIM, and DMARC make it significantly harder for attackers to spoof your domain. SPF and DMARC are DNS TXT records you publish; DKIM is a cryptographic signature added to each outgoing message. Every business should have all three configured.
  • Use a password manager and enforce unique passwords. If a phishing attack compromises one credential, the blast radius should be exactly one account — not every service where someone reused the same password.
  • Make reporting psychologically safe. If people are afraid of getting in trouble for clicking a link, they won't report it. The delay between compromise and reporting is where the damage compounds.
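Publishing SPF and DMARC records is only half the job; a record with a permissive policy still lets spoofed mail through. This added example (not part of the original article) grades a pair of constructed SPF and DMARC records for the placeholder domain example.com, showing a weak configuration beside a hardened one. The records are made up for the example, and the lookup is simulated with a dict rather than a real DNS query.

```python
# Constructed TXT records for the placeholder domain example.com; a real audit
# would fetch them with a DNS resolver instead of reading this dict.
WEAK_RECORDS = {
    "example.com": "v=spf1 include:_spf.google.com ?all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED_RECORDS = {
    "example.com": "v=spf1 include:_spf.google.com -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
}

# Mechanisms and modifiers that each cost one DNS lookup against SPF's limit of 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "redirect"}


def spf_findings(record):
    """Grade an SPF record: who may send, and how firmly everyone else is refused."""
    if record is None:
        return ["no SPF record: any host can claim to send as this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record does not start with v=spf1 and will be ignored by receivers"]
    findings, qualifier, lookups = [], None, 0
    for term in terms[1:]:
        t = term.lower()
        qual = t[0] if t[0] in "+-~?" else "+"        # default qualifier is pass
        base = t.lstrip("+-~?")
        mech = base.split(":")[0].split("/")[0].split("=")[0]
        if base == "all":
            qualifier = qual
        elif mech in LOOKUP_MECHANISMS:
            lookups += 1
    if qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif qualifier == "+":
        findings.append("+all: authorises every host on the internet to send as this domain")
    elif qualifier == "?":
        findings.append("?all: neutral result, unlisted senders are not rejected")
    elif qualifier == "~":
        findings.append("~all: softfail, spoofed mail is marked rather than refused")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10: receivers return permerror")
    return findings


def dmarc_findings(record):
    """Grade a DMARC record: is alignment failure enforced, and are you told about it?"""
    if record is None:
        return ["no DMARC record: SPF/DKIM failures are not enforced and no reports are sent"]
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ["DMARC record is malformed (needs v=DMARC1 and a p= policy)"]
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    return findings


def audit(records, domain):
    """Combine SPF and DMARC findings for a domain; an empty list means hardened."""
    spf = [f"SPF: {f}" for f in spf_findings(records.get(domain))]
    dmarc = [f"DMARC: {f}" for f in dmarc_findings(records.get("_dmarc." + domain))]
    return spf + dmarc


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, "->", audit(records, "example.com") or "no findings")
```

The weak set is what many domains actually publish: a monitoring-only DMARC policy and a neutral SPF qualifier, which together block nothing. Moving to "-all" and "p=reject" is what turns the records from documentation into enforcement.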

Phishing works because it exploits trust, authority, and urgency — things that functional organizations rely on. The defense isn't to stop trusting. It's to build verification into the process so that trust gets confirmed before action gets taken.


Related reading

  • Amelia S. Gagne on how phishing attacks work: Phishing succeeds because it exploits urgency and authority — two psychological triggers that bypass rational evaluation. The defense isn't awareness training alone; it's systems that make clicking the wrong link survivable.
  • Interconnected security vulnerabilities, by Amelia Gagne: Every phishing attack is a test of your security architecture. If one click can compromise your entire organization, the problem isn't the person who clicked — it's the architecture that allowed lateral movement.

Frequently Asked Questions

Can spam filters catch AI-generated phishing?

Modern spam filters catch a significant portion of phishing emails, but they're in an arms race with AI-generated content. AI-crafted emails are specifically designed to pass automated filters by avoiding the patterns those filters look for — suspicious keywords, known malicious URLs, formatting anomalies. Spam filters are a necessary layer, not a sufficient one. They reduce volume, but the most dangerous phishing emails are the ones that get through.

Is multi-factor authentication enough to protect against phishing?

MFA dramatically reduces the impact of credential theft, but it's not phishing-proof. Adversary-in-the-middle (AiTM) attacks can intercept MFA tokens in real time by proxying the victim's session through a relay server. Hardware security keys (FIDO2/WebAuthn) are currently the strongest MFA method against phishing because they cryptographically bind to the legitimate domain — they won't authenticate on a spoofed site. If you're in a high-risk role, hardware keys are worth the investment.
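To see why a FIDO2/WebAuthn key refuses to work on a spoofed site while a relayed one-time code does not, it helps to look at what the server actually checks. The following is an added example (not code from the article) that simulates the origin-binding parts of a WebAuthn assertion in Python's standard library: the browser writes the page's real origin into clientDataJSON, the authenticator data carries a hash of the relying-party ID, and the server rejects anything that doesn't match. The relying party ID, the expected origin and the lookalike domain are assumptions; the authenticator's signature over authenticatorData || SHA-256(clientDataJSON) is deliberately left out, since it is the binding checks that matter here.

```python
import hashlib
import json
import os
from urllib.parse import urlparse

# Simulated relying party (assumed values for the example).
RP_ID = "microsoft.com"                              # relying party identifier
EXPECTED_ORIGIN = "https://login.microsoft.com"      # origin the RP serves logins from
PHISHING_ORIGIN = "https://login-microsft-verify.com"  # lookalike from the checklist above


def browser_allows_rp_id(page_origin, rp_id):
    """The browser only runs the ceremony if rp_id equals the page's host or is a
    registrable suffix of it, so a lookalike domain cannot even ask for the key."""
    host = urlparse(page_origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def browser_client_data(page_origin, challenge):
    """clientDataJSON as the browser builds it: the origin is the page the user is
    really on, and page script cannot override it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": page_origin}, separators=(",", ":")).encode()


def authenticator_data(rp_id, counter=1):
    """authenticatorData prefix: SHA-256(rpId) || flags || signCount (big-endian)."""
    flags = 0x01  # user present
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion(client_data, auth_data, expected_challenge):
    """Server-side checks from the WebAuthn assertion verification steps that tie
    the response to the legitimate site. Returns failures; empty means accepted."""
    failures = []
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        failures.append("type is not webauthn.get")
    if data.get("challenge") != expected_challenge:
        failures.append("challenge mismatch (replayed or stale assertion)")
    if data.get("origin") != EXPECTED_ORIGIN:
        failures.append(f"origin {data.get('origin')} is not {EXPECTED_ORIGIN}")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash does not match the relying party")
    if not auth_data[32] & 0x01:
        failures.append("user presence flag not set")
    return failures


def login_attempt(page_origin):
    """Run the whole ceremony from a page at page_origin and return the verdict."""
    challenge = os.urandom(16).hex()   # issued by the server for this login (simulated)
    if not browser_allows_rp_id(page_origin, RP_ID):
        return ["browser refused: rpId is not a registrable suffix of the page origin"]
    client_data = browser_client_data(page_origin, challenge)
    return verify_assertion(client_data, authenticator_data(RP_ID), challenge)


if __name__ == "__main__":
    print("legitimate site:", login_attempt(EXPECTED_ORIGIN) or "accepted")
    print("lookalike site:", login_attempt(PHISHING_ORIGIN))
    # Even if a proxy somehow got a response out of the key, the origin it carries
    # names the lookalike page, and the real server rejects it.
    forced = verify_assertion(browser_client_data(PHISHING_ORIGIN, "c"), authenticator_data(RP_ID), "c")
    print("relayed response:", forced)
```

Contrast this with a six-digit code typed into a proxy page: the code contains no origin, so the relay forwards it unchanged and the real site accepts it. That absence of binding is exactly what AiTM kits exploit, and what the origin field in clientDataJSON removes.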

What's the difference between phishing and social engineering?

Phishing is a subset of social engineering. Social engineering is any attack that manipulates human behavior — tailgating through a secure door, impersonating a repair technician, leaving infected USB drives in a parking lot. Phishing specifically refers to social engineering delivered through electronic communication — email, text, phone, or messaging apps. All phishing is social engineering. Not all social engineering is phishing.

How do I train my team without making it feel punitive?

The most effective phishing training is continuous and low-stakes, not annual and high-pressure. Send simulated phishing emails regularly and treat clicks as learning opportunities, not failures. Share real examples of phishing emails (redacted) in team channels so people see what current attacks look like. Focus on building the verification habit — "I called to confirm" should be praised, not treated as paranoia. The goal is a culture where checking is normal, not a culture where clicking is shameful.

Are small businesses really targeted by phishing?

Disproportionately. Attackers know that small businesses are less likely to have dedicated security teams, formal verification procedures, or advanced email filtering. Automated phishing campaigns don't discriminate by company size — they target email addresses at scale. And spear phishing increasingly targets small business owners and finance staff specifically, because the path from "phishing email" to "wire transfer" has fewer checkpoints. The $2.77 billion BEC figure includes a significant share of small and mid-market businesses.
