What Is Phishing — and Why Is It So Effective?

Phishing is a social engineering attack where criminals impersonate a trusted entity — your bank, a delivery service, your employer, or a popular platform — to trick you into handing over credentials, clicking a malicious link, or downloading malware.

It's effective because it targets human psychology, not software vulnerabilities. Urgency, fear, and authority are the tools attackers use. No operating system patch can fully protect against a convincing fake email.

The Main Types of Phishing

  • Email phishing: Mass-sent fake emails impersonating well-known brands or institutions.
  • Spear phishing: Targeted attacks using your personal information to appear more credible (e.g., referencing your company name or recent activity).
  • Smishing: Phishing via SMS text message ("Your package could not be delivered — click here").
  • Vishing: Voice phishing — phone calls from fake "support agents" or government agencies.
  • Clone phishing: A legitimate email you previously received is duplicated, but links or attachments are replaced with malicious ones.

Red Flags to Watch For

In Emails

  • Mismatched sender domains: The display name says "PayPal" but the actual email is from paypa1-support@randomdomain.net.
  • Generic greetings: "Dear Customer" instead of your actual name (though spear phishing can include your name).
  • Artificial urgency: "Your account will be suspended in 24 hours" — designed to make you act before thinking.
  • Suspicious links: Hover over any link before clicking. The URL shown at the bottom of your browser should match the expected domain.
  • Unexpected attachments: Unsolicited invoices, shipping notifications, or documents you didn't request.
  • Grammar and formatting errors: Though modern phishing campaigns are increasingly polished, odd phrasing remains a common tell.
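The sender, urgency, greeting and link checks above can be turned into simple detection heuristics. The following Python script is an added example, not code from the original article: it parses a constructed sample message, compares the display name against the sender's real domain, looks for pressure phrases and generic greetings, and flags links whose visible text names one site while the `href` goes to another. `KNOWN_BRANDS`, the phrase lists and both sample messages are assumptions made up for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not from the article). The first shows every red flag
# discussed above; the second is an ordinary shipping notice that should pass clean.
PHISHING_EMAIL = """\
From: "PayPal Support" <paypa1-support@randomdomain.net>
To: customer@example.com
Subject: Urgent: your account will be suspended in 24 hours
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>Please <a href="http://paypal.com.verify-login.example.net/auth">log in here</a>
to confirm your details, or visit
<a href="http://paypal.com-secure.example.net/">https://www.paypal.com</a>.</p>
</body></html>
"""

BENIGN_EMAIL = """\
From: "Example Shop" <orders@example.com>
To: alice@example.org
Subject: Your order has shipped
Content-Type: text/html

<html><body><p>Hi Alice,</p>
<p>Track it at <a href="https://www.example.com/track/123">https://www.example.com/track/123</a>.</p>
</body></html>
"""

# Hypothetical allow-list: brands often impersonated, mapped to the domain they mail from.
KNOWN_BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com"}
URGENCY_PHRASES = ("suspended", "within 24 hours", "immediately", "verify now", "act now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels. A production
    filter would consult the Public Suffix List (example.co.uk has three labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url_or_text):
    """Host named by a URL, or by bare text such as 'www.paypal.com'."""
    target = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(target).hostname or "").lower()


def analyze_email(raw_message):
    """Return a list of (flag_code, detail) for the red flags found in one message."""
    msg = message_from_string(raw_message)
    flags = []

    # 1. Display name claims a brand that the sender's domain does not belong to.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    for brand, brand_domain in KNOWN_BRANDS.items():
        if brand in display_name.lower() and registrable_domain(sender_domain) != brand_domain:
            flags.append(("mismatched_sender", f"'{display_name}' but mail is from {sender_domain}"))

    # 2. Urgency and generic greetings anywhere in subject or body text (tags stripped).
    body_html = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body_html)).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            flags.append(("urgency", f"pressure phrase: '{phrase}'"))
            break
    for greeting in GENERIC_GREETINGS:
        if greeting in text:
            flags.append(("generic_greeting", f"'{greeting}'"))
            break

    # 3. Links whose visible text names one site while the href goes to another, and
    #    hosts that merely contain a brand name (paypal.com.something.example.net).
    parser = _LinkParser()
    parser.feed(body_html)
    for href, visible in parser.links:
        href_host = host_of(href)
        if URL_LIKE.fullmatch(visible) and registrable_domain(host_of(visible)) != registrable_domain(href_host):
            flags.append(("link_text_mismatch", f"shows {visible} but goes to {href_host}"))
        for brand, brand_domain in KNOWN_BRANDS.items():
            if brand in href_host and registrable_domain(href_host) != brand_domain:
                flags.append(("lookalike_link", f"{href_host} is not {brand_domain}"))
    return flags


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyze_email(raw) or "no red flags")
```

Each check on its own produces false positives (a genuine shop may say "ships immediately"), which is why mail filters score several weak signals together rather than blocking on any single one; the phishing sample trips five distinct flags while the benign notice trips none.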

In Text Messages

  • Unexpected delivery notifications with tracking links
  • Alerts about "suspicious activity" on accounts you hold
  • Short links that don't reveal the destination

How to Verify Before You Click

  1. Go directly to the source. If an email claims your bank account is compromised, don't click the link — open a new browser tab and navigate to your bank's website directly.
  2. Call back on a known number. If a "support agent" calls you, hang up and call the company's official number from their website.
  3. Check the full email header. In Gmail or Outlook, you can view the full headers of an email to see its true origin.
  4. Use Google's Safe Browsing Transparency Report. You can check whether a URL has been flagged as malicious at safebrowsing.google.com/safebrowsing/report_phish.
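Step 3 says to read the full header to find a message's true origin. The script below is an added example, not from the article, showing what that reading looks like when automated: it parses a constructed header block, lists the `Received` hops in the order the message actually travelled (headers are stamped newest-first), and compares the `From` domain with `Return-Path`, `Reply-To` and the host that first handed the message in. The headers, hosts, addresses and the `TRUSTED_RECEIVERS` value are all made up for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed header block (not a real message and not from the article). The From line
# claims a bank, but Return-Path and Reply-To point elsewhere and the message entered
# the mail system from an unrelated bulk mailer.
RAW_HEADERS = """\
Return-Path: <bounce-123@bulkmailer.example.net>
Received: from relay.example.net (relay.example.net [198.51.100.7])
        by inbound.mail.example.com with ESMTPS; Tue, 1 Jan 2030 10:00:03 +0000
Received: from unknown (HELO bulkmailer.example.net) (203.0.113.44)
        by relay.example.net with SMTP; Tue, 1 Jan 2030 09:59:58 +0000
From: "Example Bank Security" <alerts@example-bank.test>
Reply-To: security-desk@example-mail.net
To: customer@example.com
Subject: Action required on your account

"""

# Hypothetical: domains of the receiving organisation's own mail servers. Only the
# Received lines these hosts stamped are trustworthy; a sender can forge earlier ones.
TRUSTED_RECEIVERS = ("example.com",)


def domain_of(address):
    """Domain part of an e-mail address header value, lower-cased ('' if absent)."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def received_hops(raw):
    """Received headers appear newest-first; return them oldest-first as (from, by) pairs."""
    msg = message_from_string(raw)
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        line = " ".join(line.split())  # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\S+)", line)
        by = re.search(r"\bby\s+(\S+)", line)
        hops.append((frm.group(1) if frm else "?", by.group(1) if by else "?"))
    return hops


def verifiable_hops(hops):
    """Keep the first hop stamped by our own servers and everything after it; every
    Received line before that point was written by parties we cannot vouch for."""
    for i, (_, by) in enumerate(hops):
        if by.endswith(TRUSTED_RECEIVERS):
            return hops[i:]
    return []


def header_findings(raw):
    """Compare the claimed sender (From) with the envelope sender, Reply-To and the
    first Received hop; return a list of (code, detail)."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    findings = []

    return_path = domain_of(msg.get("Return-Path", ""))
    if return_path and return_path != from_domain:
        findings.append(("return_path_mismatch", f"bounces go to {return_path}, not {from_domain}"))

    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != from_domain:
        findings.append(("reply_to_mismatch", f"replies go to {reply_to}, not {from_domain}"))

    hops = received_hops(raw)
    if hops and not hops[0][0].endswith(from_domain):
        findings.append(("first_hop_foreign", f"entered the mail system from {hops[0][0]}"))
    return findings


if __name__ == "__main__":
    for hop in received_hops(RAW_HEADERS):
        print("hop: from %s by %s" % hop)
    print("verifiable:", verifiable_hops(received_hops(RAW_HEADERS)))
    for code, detail in header_findings(RAW_HEADERS):
        print(f"{code}: {detail}")
```

A `Reply-To` that differs from `From` is the single most useful header check for an end user, because it is where a reply (and any credentials typed into it) will actually go. The `Received` chain needs more care: your own provider's line is the only one you can trust, which is what `verifiable_hops` isolates; everything below it is the sender's claim.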

What to Do If You Clicked a Phishing Link

Stay calm — clicking doesn't always mean you're compromised. Take these steps immediately:

  1. Disconnect from the internet if you suspect malware may have downloaded.
  2. Change passwords for any accounts you may have entered credentials for.
  3. Enable two-factor authentication (2FA) on those accounts if not already active.
  4. Run a malware scan using a reputable tool (e.g., Malwarebytes free version).
  5. Report the phishing attempt to the impersonated company and to your email provider.

Your Best Long-Term Defense

No single tool eliminates phishing risk, but this combination covers you well:

  • 2FA everywhere: Even if credentials are stolen, attackers can't log in without your second factor.
  • Hardware security keys: Phishing-resistant 2FA. The key's response is bound to the domain of the site you are actually on, so a fake website cannot obtain a response that works on the real one.
  • Password manager: These tools auto-fill only on the real domain, providing an automatic phishing check.
  • Skepticism as a habit: The most important defense is simply pausing before clicking on anything unexpected.
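Both the password-manager point and the hardware-key point rest on the same idea: the software checks the exact origin (scheme, host and port) rather than whether the page merely looks right. The script below is an added example, not the article's or any product's code, contrasting a naive "the real host name appears in the URL" check with an exact-origin match over a set of constructed page addresses. `SAVED_ORIGIN` and `CANDIDATE_PAGES` are made-up values; the lookalike patterns they illustrate (brand as a subdomain, a digit for a letter, a different scheme, the real name hidden in a query string) are the ones the article describes.

```python
from urllib.parse import urlparse

# Constructed vault entry (hypothetical): the origin the credential was saved on.
SAVED_ORIGIN = "https://www.paypal.com"

# Constructed page addresses a user might land on; only the first two are the genuine site.
CANDIDATE_PAGES = [
    "https://www.paypal.com/signin",
    "https://www.paypal.com:443/signin",                           # explicit default port
    "http://www.paypal.com/signin",                                # plaintext downgrade
    "https://www.paypal.com.account-verify.example.net/login",     # brand as a subdomain
    "https://www.paypa1.com/signin",                               # digit one for letter l
    "https://www.p\u0430ypal.com/signin",                          # Cyrillic 'a': same on screen
    "https://evil.example.net/login?next=https://www.paypal.com",  # real name only in the query
]


def origin_of(url):
    """(scheme, host, port) as a browser defines an origin; None if the URL is unusable."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def substring_match(saved_origin, page_url):
    """Naive check: does the real host name appear anywhere in the address?"""
    return urlparse(saved_origin).hostname in page_url


def autofill_allowed(saved_origin, page_url):
    """Password-manager check: fill only when the page origin equals the saved origin."""
    saved = origin_of(saved_origin)
    return saved is not None and saved == origin_of(page_url)


def compare(pages=CANDIDATE_PAGES, saved_origin=SAVED_ORIGIN):
    """Map each page to (naive_substring_result, exact_origin_result)."""
    return {
        url: (substring_match(saved_origin, url), autofill_allowed(saved_origin, url))
        for url in pages
    }


if __name__ == "__main__":
    for url, (naive, fill) in compare().items():
        print(f"{'FILL' if fill else 'withhold':8} naive={naive!s:5} {url}")
```

Only the two genuine addresses pass the exact-origin check, while the naive substring test accepts four of the seven. The homograph address fails both checks in code even though it is indistinguishable by eye, which is exactly why delegating the comparison to software beats squinting at the address bar. Hardware keys apply the same principle one layer deeper: the browser includes the site's origin in what the key signs, so a response produced on a lookalike domain is useless on the real one.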