What a Phishing Attack Actually Looks Like From the Inside
What Phishing Actually Is
Phishing is social engineering delivered digitally. The attacker impersonates something (a company, a person, a system notification) to trick you into doing one of three things: clicking a link to a fake login page, downloading malware, or transferring money or data directly.
The name comes from "fishing": casting a wide net hoping someone bites. But modern phishing has evolved well beyond that. Spear phishing targets a specific person with a highly personalized message. Whaling targets executives. Business Email Compromise (BEC) impersonates a trusted colleague or vendor to authorize wire transfers.
According to the FBI's 2023 Internet Crime Report, phishing and related attacks caused over $2.7 billion in losses in a single year. It's consistently the most common initial access method in data breaches, not because people are stupid, but because the attacks have become very, very good.
The Anatomy of a Modern Phishing Attack
Here's a real-world scenario, step by step.
Step 1: Reconnaissance
Before sending a single email, attackers research the target. LinkedIn tells them where you work, your job title, and who your manager is. Your company's website shows their email format (firstname.lastname@company.com). Your Twitter mentions what tools and services you use. Public breach databases may already contain your old passwords.
For a spear phishing attack, the attacker now knows to impersonate your company's IT department, your CFO's name, or a service you use daily (Microsoft 365, DocuSign, PayPal).
Step 2: Infrastructure setup
The attacker registers a domain that looks similar to a legitimate one:
- microsoft-security.com instead of microsoft.com
- paypa1.com (number 1 instead of letter l)
- account-google.com (words swapped)
- support.company-name.net (your actual company name, different TLD)
They then clone the exact login page of the service they're impersonating; pixel-perfect copies of Google, Microsoft, or your bank's login page are freely available in phishing kits. They add a valid TLS certificate (the padlock in your browser), which most people interpret as a sign the site is safe. It isn't. TLS only means the connection is encrypted; it says nothing about who owns the server.
Step 3: Delivery
The email arrives. It looks legitimate: correct logo, matching colors, plausible language. Here's what a real phishing email looks like (annotated):
> We detected a sign-in attempt from an unusual location.
> Location: Lagos, Nigeria | Device: Unknown Windows PC | Time: Today, 3:47 AM
> If this wasn't you, your account may be compromised. Please verify your identity immediately to secure your account.
> If you did sign in from Nigeria, you can safely ignore this message. This link expires in 24 hours.
Notice the tactics: urgency ("immediately"), fear (compromised account), a fake location to make you think someone else is logging in, and a 24-hour deadline. Even the fake domain looks plausible: microsoft-account.net sounds like it could be real.
Step 4: Credential harvesting
You click the link and land on a perfect copy of the Microsoft login page. You type your email and password. The page passes your credentials silently to the attacker's server, then redirects you to the real Microsoft website with a message like "Your account has been secured." You never realize anything happened.
Within minutes, sometimes seconds, the attacker is logging into your real account, exporting your emails, changing the recovery phone number, and setting up forwarding rules.
Two-factor authentication helps, but sophisticated phishing kits use real-time proxy attacks: when you type your password on the fake page, the kit simultaneously logs into the real site and forwards the 2FA prompt to you. You type the code, thinking you're authenticating the real site, but you've just handed the attacker an active session. This is called an Adversary-in-the-Middle (AiTM) attack. Hardware security keys (FIDO2) are the only 2FA method that blocks this: they're domain-bound and won't authenticate on a fake site.
The Different Flavors of Phishing
| Type | Channel | Target | What makes it convincing |
|---|---|---|---|
| Email phishing | Email | Broad / anyone | Spoofed sender, logo, layout from trusted brands |
| Spear phishing | Email | Specific person | Uses your name, role, coworkers, recent events |
| Whaling | Email | C-suite executives | Impersonates board members, legal demands |
| Smishing | SMS | Mobile users | Looks like a delivery update, bank alert, tax refund |
| Vishing | Phone call | Anyone | Caller ID spoofed to show your bank's real number |
| Clone phishing | Email | Previous contact | Resends a real email you received but with a malicious link |
| BEC | Email | Finance/HR staff | Impersonates CEO or vendor for wire transfer |
| QR phishing | Email / Physical | Anyone | QR code bypasses email link scanners, leads to phishing page |
How to Spot It Before You Click
The tactics have gotten better, but there are still reliable tells. Train yourself to check these before acting on any unexpected email or message:
Check the sender domain โ not just the display name
The "From" display name can say anything: "Microsoft Security", "Your Bank", even your boss's full name. What matters is the actual email address. Expand it and look at the domain after the @. Ask yourself: is this the actual domain this company uses? paypal.com or paypa1.com? amazon.com or amazon-support.org?
Hover over links before clicking
On desktop, hover your mouse over any link in an email and look at the URL that appears in your browser's status bar. Does it match where it claims to go? Long URLs, URL-shorteners, and domains that include a legitimate brand name as a subdomain (google.com.attacker-domain.xyz) are red flags.
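As an added example (not from the article), here is a small Python checker that applies the "look at the domain after the @" and "hover over the link" advice to the look-alike patterns listed under Step 2. The allow-list and the company-name.com placeholder are constructed, and the two-label domain rule is a simplification of what password managers and browsers do with the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed allow-list: the real registrable domains of the brands the
# article mentions, plus a placeholder standing in for "your actual company".
LEGIT_DOMAINS = {"microsoft.com", "paypal.com", "google.com", "amazon.com",
                 "company-name.com"}
BRANDS = {d.split(".")[0] for d in LEGIT_DOMAINS}
# Digit-for-letter swaps seen in the article (paypa1.com); extend as needed.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com/.net/.xyz; real
    tools use the Public Suffix List so that e.g. bank.co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Label a link the way a cautious reader (or a password manager) should:
    decide on the registrable domain, never on the scheme or the padlock."""
    if "//" not in url:                      # allow a bare "paypa1.com/login"
        url = "//" + url
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:                 # https://accounts.google.com/...
        return "legit"
    sld, _, tld = reg.partition(".")
    # google.com.attacker-domain.xyz: the brand appears as a subdomain
    if any(f".{d}." in f".{host}" for d in LEGIT_DOMAINS):
        return "brand-as-subdomain"
    # paypa1.com: look-alike characters in the registrable domain
    if f"{sld.translate(HOMOGLYPHS)}.{tld}" in LEGIT_DOMAINS:
        return "homoglyph"
    # support.company-name.net: right name, wrong TLD
    if sld in BRANDS:
        return "wrong-tld"
    # microsoft-security.com, account-google.com, amazon-support.org
    if any(part in BRANDS for part in sld.split("-")):
        return "brand-in-hyphenated-name"
    return "unknown"
```

Note that `https://` is ignored on purpose: a valid certificate on any of the flagged hosts changes nothing about who controls them.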
Question urgency and fear
"Your account will be suspended in 24 hours." "Unusual activity detected." "Invoice overdue: immediate action required." Urgency and fear are the emotional levers phishing relies on. Legitimate companies rarely demand immediate action via email. When you feel pressure to act fast, that's a signal to slow down and verify independently.
Verify out-of-band
If you receive an unexpected email from your bank, Microsoft, or even a colleague asking you to do something sensitive, don't use the links in the email. Open a new tab and go directly to the website you know is real. Call the person directly using a phone number you already have, not one provided in the suspicious message.
A green padlock (or closed padlock icon) in your browser's address bar means the connection to the server is encrypted with TLS. It does NOT mean the website is legitimate or that the server is owned by who you think. Phishing sites routinely have valid TLS certificates; getting one is free (Let's Encrypt) and takes minutes. Always check the actual domain name, not just the padlock.
Why Smart People Still Fall For It
Most people assume phishing only works on people who aren't paying attention. That's not true, and understanding why helps you stay protected.
Cognitive load and context switching
Phishing emails arrive when you're busy. You're processing dozens of emails, switching between tasks, managing interruptions. Your brain is in "scan and act" mode, not "critically evaluate" mode. Attackers know this and time their attacks accordingly: fake DocuSign requests at the end of a quarter, fake IT password resets on Monday mornings.
The authority bias
We're wired to comply with authority. An email that appears to come from your IT department, your bank's security team, or your CEO bypasses our natural skepticism. Spear phishing exploits this by using real names, correct job titles, and references to real projects or events.
Context-appropriate requests
Receiving an invoice for a service you actually use, a shipping notification for something you ordered, or a calendar invite for a meeting you have scheduled: these feel completely normal, even when they're fake. The best phishing attacks are indistinguishable from legitimate communication when you're not actively looking for red flags.
Does a VPN Protect You From Phishing?
This is one of the most common misconceptions in consumer security. A VPN does not protect you from phishing.
A VPN encrypts the traffic between your device and the VPN server and hides your real IP address and location. It does nothing to stop you from visiting a phishing page, and nothing to stop your credentials from being sent to an attacker's server if you type them on a fake site.
What VPNs actually protect against:
- Your ISP seeing your browsing history
- Attackers on the same public Wi-Fi network intercepting unencrypted traffic
- Websites tracking your real IP address and location
- Government surveillance in certain jurisdictions
What VPNs don't protect against:
- Phishing (you still visit the fake site)
- Malware already on your device
- Credential stuffing from breach databases
- Social engineering attacks
- The VPN provider itself seeing your traffic
Hardware security keys (FIDO2/WebAuthn) are the single most effective technical defense: they bind authentication to the real domain, so they simply won't work on a phishing page. After that: password managers (they won't autofill on fake domains), browser-based phishing protection (Google Safe Browsing, Microsoft SmartScreen), and email security (SPF, DKIM, DMARC records on your domain).
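An added example, not from the article, modelling the origin binding that the AiTM paragraph and the hardware-key recommendation above both rely on. RP_ID, REAL_ORIGIN, the challenge and the phishing host are constructed, and an HMAC under a shared KEY stands in for the authenticator's public-key signature so the model runs with the standard library alone.

```python
import hashlib, hmac, json

RP_ID, REAL_ORIGIN = "microsoft.com", "https://login.microsoft.com"  # constructed
KEY = b"stand-in for the FIDO2 credential's private key"              # constructed


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def browser_assertion(page_origin: str, requested_rp_id: str, challenge: str) -> dict:
    """Browser + authenticator side. The browser writes `origin` itself and only
    permits an rpId that is the page's host or a parent domain of that host."""
    page_host = page_origin.split("://", 1)[1]
    if page_host != requested_rp_id and not page_host.endswith("." + requested_rp_id):
        raise PermissionError(f"rpId {requested_rp_id!r} not allowed on {page_host}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data = rp_id_hash(requested_rp_id) + b"\x01" + b"\0\0\0\0"  # rpIdHash|flags|counter
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(KEY, to_sign, hashlib.sha256).digest()}


def verify_assertion(a: dict, challenge: str) -> tuple[bool, str]:
    """Relying-party side: the checks WebAuthn requires before accepting a login."""
    cd = json.loads(a["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != REAL_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if a["auth_data"][:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    to_sign = a["auth_data"] + hashlib.sha256(a["client_data"]).digest()
    if not hmac.compare_digest(a["sig"], hmac.new(KEY, to_sign, hashlib.sha256).digest()):
        return False, "bad signature"
    return True, "ok"


def aitm_scenarios() -> dict:
    """A genuine login beside the two things a relaying (AiTM) kit can try."""
    challenge = "c0ffee"  # constructed; the real site issues a fresh random one
    out = {"genuine": verify_assertion(browser_assertion(REAL_ORIGIN, RP_ID, challenge), challenge)[1]}
    try:  # the kit's page asks the victim's browser to sign for microsoft.com
        browser_assertion("https://microsoft-account.net", RP_ID, challenge)
    except PermissionError as e:
        out["kit_requests_real_rpid"] = str(e)
    # kit uses its own rpId (a real key holds no credential for it) and relays the result
    relayed = browser_assertion("https://microsoft-account.net", "microsoft-account.net", challenge)
    out["kit_relays_assertion"] = verify_assertion(relayed, challenge)[1]
    return out
```

The relayed assertion fails before the signature is even checked, because the browser, not the phishing page, recorded where the user actually was.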
Phishing at Work: Why It's Different
Workplace phishing is more targeted and more damaging. A successful attack on a corporate account can mean ransomware affecting hundreds of machines, a wire transfer fraud for hundreds of thousands of dollars, or theft of customer data triggering regulatory fines.
Common workplace scenarios:
- Invoice fraud: Attacker compromises a supplier's email and updates the bank account on legitimate invoices. Your finance team pays an invoice they've received from a known vendor, directly to the attacker.
- CEO fraud: Attacker spoofs the CEO's email to the CFO: "I need a wire transfer of $85,000 processed urgently. Confidential, don't discuss on Slack." The urgency and authority combination works more often than you'd expect.
- IT helpdesk impersonation: "Your Microsoft 365 password expires tonight. Click here to reset." Employees reset their password on a fake login page, handing over credentials to the company's entire email archive.
- Callback phishing: Email says "Your subscription renews for $349.99; call this number to cancel." The phone agent then social-engineers the victim into installing remote access software.
What to Do If You Think You've Been Phished
Act quickly: the window before the attacker exploits access is often very short.
- Change the compromised password immediately. Do this from a different device if possible.
- Revoke active sessions. Most services have a "sign out of all devices" option in account security settings.
- Check for unauthorized changes. Email forwarding rules, recovery email/phone changes, connected apps, authorized third-party access.
- Enable 2FA if it wasn't on. Especially a hardware key if the account supports it.
- Check your other accounts. If you reused the compromised password anywhere, change those too, immediately.
- Tell your organization's IT/security team if this happened at work. Time matters.
- Report the phishing email to the service being impersonated (forward to phishing@paypal.com, abuse@amazon.com, etc.) and to your email provider.
Use a password manager with autofill. Password managers match the domain before filling credentials โ they won't autofill on microsoft-account.net because their entry is for microsoft.com. This one feature turns phishing from a major threat into a near-miss every single time. It's not foolproof (you could still manually type your password), but it eliminates the passive risk completely.