What Is Phishing, Really?
Phishing is a social engineering attack where criminals impersonate a trusted entity — your bank, your employer, a shipping company, a government agency — to trick you into revealing sensitive information or installing malware.
Unlike brute-force attacks that target technology, phishing targets human psychology. It exploits urgency ("Your account will be locked in 24 hours"), fear ("Suspicious login detected"), authority ("This is from the IRS"), and curiosity ("You have a pending package").
And it works. According to Proofpoint's 2025 State of the Phish report, 71% of organizations experienced at least one successful phishing attack in 2024. For individuals, the numbers are even worse — most people encounter phishing attempts daily without recognizing them.
Types of Phishing Attacks
Email Phishing
The most common type. Mass-distributed emails that impersonate brands like Amazon, Microsoft, PayPal, or your bank. They typically contain a link to a fake login page that captures your credentials. Modern email phishing is increasingly sophisticated, using real company logos, matching email templates, and valid TLS certificates. The padlock icon proves only that your connection to the site is encrypted, not that the site belongs to the brand it imitates.
Smishing (SMS Phishing)
Phishing via text message. Common lures include fake delivery notifications ("Your USPS package is held — click to reschedule"), bank alerts ("Unusual activity detected on your account"), and toll/fine notices. Smishing exploits the trust people place in text messages and the small screen size that makes URL inspection difficult.
Vishing (Voice Phishing)
Phone-based phishing where callers impersonate banks, the IRS, tech support, or law enforcement. AI voice cloning has made vishing dramatically more convincing — attackers can now clone a person's voice from just a few seconds of audio, enabling scams where "your boss" or "your family member" calls asking for urgent help.
Spear Phishing
Targeted phishing aimed at a specific individual using personal information gathered from social media, data breaches, or company websites. A spear phishing email might reference your actual job title, recent purchases, or colleagues' names, making it extremely convincing.
Whaling
Spear phishing targeting high-value individuals — executives, finance directors, or business owners. These attacks often impersonate legal counsel, auditors, or board members and request wire transfers or sensitive data.
Clone Phishing
Attackers take a legitimate email you've already received, clone it exactly, replace the link or attachment with a malicious version, and resend it from a spoofed address. Since you've "already seen" the email, you're less likely to scrutinize it.
Anatomy of a Phishing Attack: Step by Step
Understanding how phishing works behind the scenes helps you spot it. Here's what a typical email phishing attack looks like from the attacker's perspective:
- Target selection: Attackers either cast a wide net (mass phishing) or research specific targets using LinkedIn, social media, and breach databases.
- Infrastructure setup: They register a lookalike domain (e.g., "amaz0n-security.com" or "paypal-verify.net"), set up a convincing fake login page, and obtain a TLS certificate so the site shows the padlock icon. Certificate authorities issue certificates to whoever controls a domain, so a padlock on a lookalike domain is routine, not a sign of legitimacy.
- Email crafting: The email is designed to create urgency or fear. Common templates: account suspension warnings, security alerts, invoice/payment requests, delivery notifications, or prize winnings.
- Delivery: The email is sent from a spoofed or compromised address. Advanced attacks use legitimate email services or compromised business accounts to bypass spam filters.
- Credential harvesting: When the victim clicks the link and enters their credentials, the fake page captures them and either stores them or forwards them to the attacker in real time.
- Account compromise: The attacker logs in to the victim's real account within minutes, often changing the password and recovery settings to lock the victim out.
- Exploitation: Depending on the account type: financial theft, data exfiltration, further phishing from the compromised account, or ransomware deployment.
Red Flags: How to Spot Phishing Every Time
No single red flag is definitive, but multiple flags together are a near-certain indicator of phishing. Train yourself to check for these:
Email Red Flags
- Sender address doesn't match the brand: The display name says "Amazon" but the email comes from "notification@amz-secure-alert.com." Tap or hover on the sender name to reveal the actual address; mobile mail apps often show only the display name. A matching address is not proof on its own, since the From header can be forged when the brand's domain doesn't enforce DMARC, but a mismatched one is a strong signal.
- Generic greeting: "Dear Customer" or "Dear User" instead of your actual name. Services that hold your account usually address you by name, so a generic greeting is a signal, though a weak one on its own: spear phishing borrows your real name from breach data.
- Urgency and threats: "Your account will be permanently deleted in 24 hours" or "Immediate action required." Legitimate companies rarely use this level of urgency.
- Suspicious links: Hover over (don't click) any link to see the actual URL; on a phone, long-press it. Read the host name from the right: the registered domain is the last part before the first single slash, so "paypal.com.secure-login.net/login" belongs to secure-login.net, not PayPal. Watch for subtle misspellings: "paypa1.com" (with a numeral 1) or "microsoft-support.net" (not microsoft.com).
- Spelling and grammar errors: While AI has made phishing emails more polished, many still contain awkward phrasing, unusual capitalization, or grammatical errors.
- Unexpected attachments: Especially .zip, .exe, .doc with macros, or .html files. Legitimate companies rarely send attachments in unsolicited emails.
- Request for sensitive information: No legitimate company will ask you to send passwords, SSNs, credit card numbers, or PINs via email.
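The header and link checks above can be automated. The following is an added example, not code from the original article or from any product it names; the brand-to-domain table, the two sample messages and the two-label "registrable domain" shortcut are assumptions made for the illustration.

```python
"""Heuristic scan of a raw email for the red flags listed above.

Added example, not code from the original article or any product it names.
Brand table, sample messages and the two-label "registrable domain"
shortcut are assumptions made for the illustration.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical brand -> genuine domain table (assumption; a real scanner
# would use a maintained list).
BRAND_DOMAINS = {"amazon": "amazon.com", "paypal": "paypal.com",
                 "microsoft": "microsoft.com"}

# Substitutions attackers use to build lookalikes: paypa1, micr0soft, arnazon.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


def registrable(host: str) -> str:
    """Last two labels of a host name (wrong for co.uk-style suffixes,
    where a public-suffix list is needed)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def normalize(domain: str) -> str:
    """Undo common digit-for-letter and rn/vv substitutions."""
    return domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def lookalike_of(host: str) -> str | None:
    """Return the genuine domain this host imitates, or None."""
    reg = registrable(host)
    if reg in BRAND_DOMAINS.values():
        return None  # the real site, or a subdomain of it
    for brand, genuine in BRAND_DOMAINS.items():
        if brand in normalize(reg):
            return genuine
    return None


def scan(raw: str) -> list[str]:
    """Return the red-flag findings for one raw message."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # Display name claims a brand the sender domain does not belong to.
    for brand, genuine in BRAND_DOMAINS.items():
        if brand in display.lower() and registrable(sender_domain) != genuine:
            findings.append(f"display name '{display}' but sender is {sender_domain}")
    if sender_domain and (target := lookalike_of(sender_domain)):
        findings.append(f"sender domain {sender_domain} imitates {target}")

    # Collect text bodies; walk() also descends into multipart messages.
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            charset = part.get_content_charset() or "utf-8"
            body += part.get_payload(decode=True).decode(charset, "replace")

    # Visible link text vs. the href it really points to, plus lookalike hrefs.
    for href, text in HREF_RE.findall(body):
        host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(shown.group(0)) != registrable(host):
            findings.append(f"link text shows {shown.group(0)} but goes to {host}")
        if target := lookalike_of(host):
            findings.append(f"link host {host} imitates {target}")
    return findings


# Constructed sample messages, not real captures.
PHISH = """From: "PayPal Security" <alerts@paypa1-verify.net>
To: victim@example.com
Subject: Unusual activity detected
Content-Type: text/html; charset=utf-8

<p>Your account will be locked in 24 hours.</p>
<a href="https://paypa1-verify.net/login">https://www.paypal.com/signin</a>
"""

GENUINE = """From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Your receipt
Content-Type: text/html; charset=utf-8

<a href="https://www.paypal.com/activity">View your activity</a>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("GENUINE", GENUINE)):
        print(name, scan(sample) or ["no red flags"])
```

Run against the constructed PHISH message the scanner reports four findings (brand display name on a foreign domain, a lookalike sender domain, link text naming paypal.com while the href goes elsewhere, and a lookalike link host); the GENUINE message produces none. The normalization step is deliberately narrow: a production filter would also fold Unicode homoglyphs and consult the public-suffix list rather than the two-label shortcut used here.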
SMS/Text Red Flags
- Message from an unknown number claiming to be a known company.
- Shortened URLs (bit.ly, tinyurl) that hide the real destination.
- Requests to call a phone number you can't verify.
- Delivery notifications for packages you didn't order.
Phone Call Red Flags
- Caller creates extreme urgency ("Your bank account is being drained right now").
- Requests remote access to your computer.
- Asks you to buy gift cards as "payment" — this is always a scam.
- Caller ID shows a legitimate company name (caller ID can be spoofed easily).
How to Verify Suspicious Messages
When you receive a message that might be phishing, follow this verification process:
- Don't click any links or call any numbers in the message.
- Open a new browser tab and navigate directly to the company's official website by typing the URL yourself.
- Log in to your account normally and check for any alerts or messages. If there's truly an issue, you'll see it in your account dashboard.
- Call the company using the number on their official website (not the number in the suspicious message) if you want verbal confirmation.
- Search for the exact message text online. If it's a known phishing campaign, you'll find reports from other users or security researchers.
This takes about 60 seconds and defeats credential phishing outright, because you never follow the attacker's link or dial the attacker's number. The key rule: never treat the message itself as the verification method. Always go to the source independently.
Tools That Block Phishing Attacks
While human vigilance is important, automated tools catch what your eyes miss — especially with increasingly sophisticated AI-generated phishing.
Malwarebytes Browser Guard (Free)
A free browser extension available for Chrome, Firefox, Edge, and Safari that blocks phishing sites, malicious ads, and scam pages in real-time. It uses a combination of blocklists and heuristic analysis to detect phishing pages that are minutes old. Browser Guard also blocks tech support scams, PUPs (potentially unwanted programs), and browser hijackers.
Why we recommend it: It's completely free, lightweight, and provides a critical layer of phishing protection that complements any antivirus.
Norton Safe Web and Norton 360
Norton Safe Web rates websites for safety before you visit them, displaying trust ratings directly in search results. Norton 360 extends this with real-time URL scanning, email phishing detection, and its SafeCam feature that blocks unauthorized webcam access — which phishing-delivered RATs (Remote Access Trojans) often exploit.
Why we recommend it: Norton's URL database is one of the largest in the industry, and its real-time analysis catches zero-day phishing sites that blocklist-based tools miss.
Password Managers as Phishing Defense
Password managers like 1Password and NordPass provide an often-overlooked anti-phishing benefit: they offer to fill a login only on the site it was saved for, matching the domain the browser actually connected to rather than what the page looks like. If you're on a phishing site like "paypa1.com" instead of "paypal.com," your password manager won't offer your PayPal credentials, which is an immediate signal that something is wrong. The protection only holds if you respect that signal: copying the password out of the vault and pasting it in by hand gives it to the attacker anyway.
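The domain-matching rule that gives a password manager this property, as an added example that is not 1Password's, NordPass's or the article's own code. It assumes the common default of matching on the registrable domain over HTTPS (managers differ in their exact rules) and uses a two-label shortcut for that domain in place of the public-suffix list a real manager consults; the candidate URLs are constructed.

```python
"""Why a password manager refuses to fill on a lookalike site.

Added example, not code from 1Password, NordPass or the original article.
Rule modelled: fill only when the page is served over HTTPS from the same
registrable domain (or a subdomain of it) as the saved login. The two-label
registrable-domain shortcut is an assumption; real managers consult the
public-suffix list.
"""
from __future__ import annotations

from urllib.parse import urlparse


def registrable(host: str) -> str:
    """Last two labels of a host name (shortcut; wrong for co.uk-style suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def should_autofill(saved_url: str, page_url: str) -> bool:
    """True only when page_url belongs to the site the login was saved for."""
    saved, page = urlparse(saved_url), urlparse(page_url)
    if page.scheme != "https" or not page.hostname or not saved.hostname:
        return False  # never fill over plaintext HTTP or for a malformed URL
    # The decision uses the host the browser parsed, so "paypal.com" appearing
    # in the path, the query, the userinfo part or a left-hand label of the
    # attacker's domain does not count.
    return registrable(page.hostname) == registrable(saved.hostname)


SAVED = "https://www.paypal.com/signin"

# Constructed candidate pages and the decision the rule gives for each.
CANDIDATES = {
    "https://www.paypal.com/myaccount/summary": True,      # same site
    "https://accounts.paypal.com/login": True,             # subdomain of the site
    "https://paypa1.com/signin": False,                    # digit 1 for letter l
    "https://paypal.com.secure-login.net/signin": False,   # brand as a left-hand label
    "https://secure-login.net/paypal.com/signin": False,   # brand in the path
    "http://www.paypal.com/signin": False,                 # downgraded to HTTP
    "https://www.paypal.com@evil.example/signin": False,   # brand in the userinfo part
}


def check_all() -> dict[str, bool]:
    """Evaluate every candidate against the saved login."""
    return {url: should_autofill(SAVED, url) for url in CANDIDATES}


if __name__ == "__main__":
    for url, decision in check_all().items():
        print("FILL    " if decision else "NO FILL ", url)
```

The last two candidates show why the check runs on the parsed host and not on the URL string: "paypal.com" is visibly present in both, yet the browser connects to secure-login.net and evil.example respectively, and the manager stays silent.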
What to Do If You Clicked a Phishing Link
If you clicked a link in a phishing message, don't panic — but act quickly. Your response depends on what happened after the click.
If You Clicked But Didn't Enter Information
- Close the page immediately. Don't interact with any pop-ups or download prompts.
- Disconnect from the internet temporarily (turn off Wi-Fi) to prevent any background malware communication.
- Run a full malware scan with Norton or Malwarebytes. Some phishing pages attempt drive-by downloads that exploit an unpatched browser to install malware without further user interaction; keeping your browser and operating system updated closes most of those holes.
- Clear your browser cache and cookies to remove any tracking cookies the phishing site may have planted.
- Monitor your accounts for the next 48 hours for any suspicious activity.
If You Entered Credentials
- Change the password immediately on the real site. Go directly to the service's official website — do not use the phishing link.
- Change the password everywhere you reused it. Use a password manager to identify all accounts with the same password.
- Enable 2FA on the compromised account and all related accounts. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or phished in the same way as the password.
- Check for unauthorized changes to your account settings — especially recovery email, phone number, and connected apps.
- Revoke all active sessions using the security settings of the affected service.
- Report the phishing attempt to the impersonated company and to the Anti-Phishing Working Group at reportphishing@apwg.org.
If You Entered Financial Information
- Contact your bank or credit card company immediately to freeze or replace the card.
- Monitor transactions closely for the next 30-60 days.
- Place a fraud alert with the credit bureaus (one bureau will notify the others).
- Consider a credit freeze if you entered your SSN or extensive personal details.
- File a report with the FTC at IdentityTheft.gov.
The Rise of AI-Powered Phishing
Generative AI has changed the phishing landscape dramatically. In 2025, AI-generated phishing emails have become nearly indistinguishable from legitimate communications:
- Perfect grammar and tone: AI eliminates the spelling and grammar errors that were once reliable red flags. Phishing emails now read as naturally as real corporate communications.
- Personalization at scale: AI can generate thousands of unique, personalized phishing emails using data scraped from LinkedIn, social media, and breach databases.
- Voice cloning: AI voice synthesis can replicate a person's voice from a few seconds of audio, enabling highly convincing vishing calls that impersonate colleagues, family members, or executives.
- Deepfake video: Real-time deepfake technology has been used in video calls to impersonate executives and authorize fraudulent wire transfers.
This evolution makes automated protection tools more important than ever. Human pattern recognition alone is no longer sufficient against AI-enhanced attacks. Layered defense — combining email filtering, browser protection, password managers, and security awareness — is essential.
Frequently Asked Questions
What should I do if I clicked a phishing link?
If you clicked a phishing link but didn't enter any information: disconnect from the internet, run a full malware scan, and clear your browser cache. If you entered credentials: immediately change the password on that account and any account sharing that password, enable 2FA, and check for unauthorized activity. If you entered financial information: contact your bank immediately to freeze the card, monitor for unauthorized charges, and consider a credit freeze.
Can phishing emails bypass spam filters?
Yes, sophisticated phishing emails regularly bypass spam filters. Attackers use techniques like sending from legitimate compromised accounts, using clean domains with no malicious history, embedding phishing links in images or QR codes, and personalizing emails to avoid pattern-based detection. This is why browser-level phishing protection (like Malwarebytes Browser Guard or Norton Safe Web) provides a critical second line of defense.
How can I tell if an email is really from my bank?
Never trust an email claiming to be from your bank at face value. Instead: check the sender's actual email address (not the display name), hover over any links to see the real URL, and look for generic greetings instead of your actual name. Most importantly, never click links in banking emails — instead, open a new browser tab and navigate directly to your bank's website or use their official app. Legitimate banks will never ask you to verify your account via email link.
Protect Yourself from Phishing Attacks
Phishing is the #1 way people get hacked. Combine awareness with automated tools for complete protection.