Phishing remains the most prolific form of cybercrime in the world. According to the FBI's Internet Crime Complaint Center, phishing attacks accounted for more reported incidents than any other category of cybercrime in 2024—and the numbers keep climbing. The reason is simple: phishing works. Even technically savvy people fall for well-crafted phishing attempts, because the attacks exploit human psychology, not software vulnerabilities.

This guide is built to make you harder to fool. We'll walk through the mechanics of phishing, show you exactly what to look for, and explain what to do if you've already taken the bait.

Email Phishing: The Most Common Attack Vector

The classic phishing email has evolved dramatically from the poorly spelled "Nigerian prince" messages of the early internet. Modern phishing emails are often indistinguishable from legitimate correspondence at first glance. They use corporate logos, proper formatting, and language that mirrors the tone of the company they're impersonating.

Here's what to examine in every email that asks you to take action:

The sender address. This is the first thing to check and the most commonly overlooked. Phishing emails often come from addresses that are close to, but not quite, the real thing: "support@paypa1.com" (with the number 1 instead of the letter l), "security@arnazon.com" (with an 'r' and 'n' that together look like an 'm'), or "noreply@bankofamerica-secure.com" (a separate, similar-sounding domain that merely contains the bank's name). Always read the full sender address character by character.

The urgency. Phishing emails almost always create artificial urgency: "Your account will be suspended in 24 hours," "Unauthorized login detected—act now," or "Your payment method has been declined." Legitimate companies do send urgent communications, but they also provide multiple ways to verify the situation (phone numbers, official app notifications). A real security alert from your bank won't demand that you click a single link or lose access forever.

The links. Before clicking any link in an email, hover over it (don't click) to see the actual URL. On mobile, long-press the link to preview the destination. The displayed text might say "Log in to your account" but the actual URL leads to a completely different domain. If the URL doesn't match the company's official domain exactly, don't click it.

Attachments. Unexpected attachments are a major red flag, especially .exe, .zip, .scr, or macro-enabled Office files (.docm, .xlsm). Even PDF attachments can contain malicious links. If you weren't expecting an attachment, verify with the sender through a separate communication channel before opening it.

Website Spoofing: Fake Sites That Look Real

Phishing emails are typically the delivery mechanism; the payload is usually a spoofed website. These are fraudulent copies of legitimate websites designed to capture your login credentials, credit card numbers, or personal information.

Modern spoofed websites can be remarkably convincing. Attackers clone the entire front-end of a legitimate site—logos, layout, fonts, colors—and host it on a similar-looking domain. Here's how to spot them:

  • Check the URL meticulously: The domain name is your most reliable indicator. "login.facebook.com" is legitimate; "facebook.login-secure.com" is not. The key part of any URL is the domain immediately before the top-level domain (.com, .org, etc.).
  • Look for HTTPS: While HTTPS alone doesn't guarantee legitimacy (scammers can obtain SSL certificates too), the absence of HTTPS on a login page is an immediate disqualifier. No legitimate bank, email provider, or major platform runs login pages over unencrypted HTTP.
  • Examine page quality: While many spoofed sites are pixel-perfect copies, some reveal themselves through subtle defects: broken images, non-functional links (every link redirects to the same fake login page), missing pages, or slight layout inconsistencies.
  • Test non-critical links: On a legitimate website, the "About Us," "Contact," and "Help" links work. On a spoofed site, they often either don't work or all redirect to the same page.

"The most dangerous phishing sites aren't the ones that look suspicious—those are easy to spot. The dangerous ones are the pixel-perfect replicas that differ from the real site by a single character in the URL."

URL Tricks Phishers Use

Phishers have developed an arsenal of URL manipulation techniques. Knowing these tricks makes them far less effective:

Homograph attacks: Using characters from different alphabets that look identical to Latin letters. The Cyrillic "а" (U+0430) looks identical to the Latin "a" (U+0061), meaning "аpple.com" and "apple.com" appear the same but are completely different domains. Modern browsers have partial protections against this, but they're not foolproof.

Subdomain spoofing: Placing the legitimate brand name as a subdomain of a malicious domain: "paypal.com.secure-verification.xyz". The actual domain here is "secure-verification.xyz"—paypal.com is just a subdomain that appears legitimate at first glance.

URL shorteners: Services like bit.ly or tinyurl.com mask the true destination. While URL shorteners have legitimate uses, they're also frequently used to hide phishing links. Use a URL expander tool to see where shortened links actually lead before clicking.

Typosquatting: Registering domains that are common misspellings of popular sites: "gooogle.com," "amazom.com," "faceboook.com." These domains catch people who mistype URLs or don't read carefully.

Path-based deception: Using a legitimate-looking path to distract from a fraudulent domain: "evil-domain.com/https/www.paypal.com/login". The path (/https/www.paypal.com/login) looks like a legitimate PayPal URL, but the actual domain is evil-domain.com.
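As an added illustration (not code from the original article), the following Python helper applies the URL checks from this section, together with the "Check the URL meticulously" and sender-address points above, to the article's own example URLs: it extracts the registrable domain, flags non-ASCII (homograph) hosts, brand names that appear only in a subdomain or path, and close typosquat spellings of a small constructed brand table. KNOWN_BRANDS and the two-label domain rule are simplifying assumptions; real code should use the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed table of brands and the registrable domain each legitimately uses
# (assumption: a real deployment would load this from a maintained allow-list).
KNOWN_BRANDS = {"paypal": "paypal.com", "facebook": "facebook.com",
                "apple": "apple.com", "amazon": "amazon.com"}

def registrable_domain(host):
    """Last two labels of the host, e.g. 'secure-verification.xyz'.
    Simplification: real code should consult the Public Suffix List so that
    multi-label suffixes such as 'co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats like 'amazom.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_url(url):
    """Return (registrable domain, list of findings) for a full URL with scheme."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path.lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")  # a login page on plain HTTP is disqualifying
    # Homograph check: any non-ASCII letter in the host, and which scripts mix.
    if any(ord(c) > 127 for c in host):
        scripts = {unicodedata.name(c, "?").split()[0] for c in host if c.isalpha()}
        findings.append("non-ascii-host:" + ",".join(sorted(scripts)))
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")  # an IDN the browser already encoded
    reg = registrable_domain(host)
    for brand, real in KNOWN_BRANDS.items():
        if reg == real:
            continue  # the brand really owns this domain
        if brand in host:
            findings.append(f"brand-in-subdomain:{brand}")  # paypal.com.evil.xyz
        if brand in path:
            findings.append(f"brand-in-path:{brand}")  # evil.com/www.paypal.com/login
        if edit_distance(reg, real) <= 2:
            findings.append(f"lookalike-of:{real}")  # paypa1.com, amazom.com
    return reg, findings
```

Run it over the URLs from this section and the only one that comes back with an empty findings list is the genuine login.facebook.com.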

Two-Factor Authentication: Your Safety Net

Two-factor authentication (2FA) is the single most effective defense against phishing that targets login credentials. Even if a phisher captures your password through a spoofed login page, they can't access your account without the second factor.

Not all 2FA methods are created equal:

  • Hardware security keys (best): Physical devices like YubiKey that plug into your computer or tap against your phone. These are virtually phishing-proof because they verify the domain of the website before authenticating.
  • Authenticator apps (good): Google Authenticator, Authy, or Microsoft Authenticator generate time-based codes on your device. These are strong because the codes change every 30 seconds and are derived from a secret that never leaves your device; only the short-lived code itself is ever typed in.
  • SMS codes (better than nothing): Codes sent via text message. While vulnerable to SIM-swapping attacks, SMS 2FA still blocks the vast majority of phishing attempts. It's far better than no second factor at all.

Enable 2FA on every account that supports it, starting with your email, banking, and social media accounts. Your email is particularly critical because it's the recovery mechanism for most other accounts—if an attacker controls your email, they can reset passwords elsewhere.

What to Do If You've Been Phished

Speed matters. If you've clicked a phishing link and entered information, take these steps immediately:

  1. Change the compromised password right now. Go directly to the legitimate website (type the URL yourself, don't follow any links) and change your password. If you use the same password on other sites (you shouldn't, but if you do), change it everywhere.
  2. Enable 2FA immediately on the compromised account if it isn't already enabled.
  3. Check for unauthorized activity. Review recent login sessions, sent emails, account changes, and financial transactions. Many services let you see active sessions and revoke access from unrecognized devices.
  4. Contact the real company. If you entered banking or financial credentials, call your bank's fraud department immediately. They can freeze your account and issue new credentials.
  5. Report the phishing attempt. Forward phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org. Report phishing sites to Google's Safe Browsing team. File a report with the FTC at ReportFraud.ftc.gov.
  6. Run a security scan. If you downloaded or opened a suspicious attachment, run a full antivirus scan on your device. Consider using a secondary scanner like Malwarebytes for a second opinion.
  7. Monitor your credit. If you shared sensitive personal information (SSN, date of birth), place a fraud alert or credit freeze with the three major credit bureaus: Equifax, Experian, and TransUnion.

Phishing exploits something fundamentally human: the tendency to trust what looks familiar and act quickly under perceived threat. The best defense isn't any particular tool or technology—it's the habit of pausing before acting. When an email demands immediate action, that's precisely when you should slow down, verify independently, and proceed with caution. That three-second pause is worth more than any antivirus software on the market.