What Is Phishing? The Attack That Targets People, Not Computers

Most breaches start with a message, not a hack. A beginner-friendly guide to phishing and social engineering: the common types, the warning signs, and how to not take the bait.

HolyGhost · 10 min read

A company can spend a fortune on firewalls, security software, and expert staff, and still get breached because one tired employee clicked a link in an email on a Friday afternoon. This is not a rare embarrassment. It is how a huge proportion of real-world break-ins actually begin. The attackers did not defeat the technology. They went around it, straight for the one part of any system that no security patch can fix: the people using it.

That is phishing. It is the art of getting a human to open the door voluntarily, and it works so well that it remains one of the most common ways accounts and companies are compromised. The good news is that once you understand how it works, you become dramatically harder to fool. This is a plain guide to what phishing is, the many forms it takes, the warning signs that give it away, and the simple habits that keep you off the hook.

The core idea

Phishing is a form of social engineering, which is a term worth unpacking because it sounds more technical than it is. Social engineering means manipulating a person into doing something, rather than hacking a machine. Instead of picking a lock, the attacker convinces you to hand over the key, and the tools of the trade are ordinary human feelings: trust, fear, curiosity, helpfulness, and a sense of urgency.

A phishing message pretends to be someone or something you already trust. Your bank, your employer, a delivery company, a streaming service, a colleague. It borrows that trust to get you to do one of three things:

  • Hand over your credentials on a fake login page that looks just like the real one.
  • Click a link that leads somewhere malicious.
  • Open an attachment that installs harmful software, known as malware.

It works because it combines borrowed trust with applied pressure. The attacker does not break in. They convince you to open the door and hold it politely while they walk through.

Why is it called phishing, spelled with a ph? The name plays on fishing, and the picture is apt. The attacker casts out bait, a tempting or alarming message, across a huge pool of people, and waits for a few to bite. They do not need everyone to fall for it. They only need a small fraction of a very large number.

The family of phishing

The word phishing covers a whole range of techniques, and the names are genuinely useful to know, because recognising the shape of an attack is the first step to resisting it.

  • Phishing: the broad, classic version. Mass emails blasted out to huge numbers of people, hoping a small percentage bite. Think of the clumsy "your parcel could not be delivered" messages.
  • Spear phishing: a targeted attack aimed at one specific person, built using real details about them to be far more convincing. Named after spearfishing, where you aim at a single fish rather than casting a wide net.
  • Whaling: spear phishing aimed at the big fish, meaning executives, finance staff, or other high value targets whose access or authority makes them especially worth catching.
  • Smishing: phishing carried out over SMS text messages. The word is a blend of SMS and phishing.
  • Vishing: phishing over a voice call, blending voice and phishing. Often the caller impersonates IT support, your bank, or a government office, using a live conversation to apply pressure in real time.
  • Business email compromise: an attacker impersonates a colleague, a boss, or a supplier, usually to redirect a payment into their own account. It is quiet, targeted, and among the most costly forms of all, because it can move large sums with a single believable email.

Why targeted phishing works so well

When a message uses your real name, your manager's name, a project you are actually working on, and a genuine-sounding reason, your guard naturally drops. Attackers gather these details from social media, company websites, and previous leaks. Here is the counterintuitive rule to remember: the more specific and personally accurate a message is, the more suspicious you should be, not less, because that specificity is exactly what a targeted attacker invests in.

A phishing attempt, step by step

It helps to see one play out, because the individual moves are subtle. Imagine an email lands in your inbox looking like it is from your bank.

1. Bait:      "Unusual sign in detected. Verify your account now
              or it will be locked within 24 hours."
2. Trust:     the logo, colours, and layout match your real bank.
3. Pressure:  the 24 hour deadline stops you from pausing to think.
4. The hook:  a "Verify now" button linking to a look-alike site.
5. The catch: you type your username and password into the fake page,
              and it lands straight in the attacker's hands.

Notice that nothing here required any clever hacking. Every step relied on you behaving reasonably: trusting a familiar-looking brand, wanting to protect your account, and reacting to a deadline. That is the whole game. The attack is engineered around normal human instincts, which is why simply knowing the pattern is such a strong defence.

The warning signs

Most phishing shares a handful of tells. Learn to notice them, and over time you will start to feel when something is off before you can even say why.

  • Urgency and fear. "Your account will be closed in 24 hours." "Suspicious activity detected, act immediately." Pressure is deliberately designed to stop you thinking calmly, because a thinking target is a safe target.
  • A sender address that is almost right. Something like support@paypa1.com with a number one standing in for the letter l, instead of the real paypal.com. Look closely at the actual address, not just the friendly display name, which can be set to anything at all.
  • Links that do not match their text. On a computer you can hover your mouse over a link, without clicking, and your browser or email app will show you where it truly leads at the bottom of the screen. The visible text can say www.yourbank.com while the real destination is something else entirely.
  • Unexpected attachments. Be especially wary of documents that ask you to "enable macros" or "enable content" to view them. Macros are small programs inside a document, and enabling them is often exactly how malware gets permission to run.
  • Requests for secrets or money. Legitimate organisations do not email asking for your password, and genuine payment details do not change on the strength of a single unexpected message. A request to move money or reveal a secret should always raise your guard.
  • Odd wording or small mistakes. Awkward phrasing, a greeting that does not use your name, or subtle grammar errors can be a sign, though be aware that attackers are getting better at avoiding these, so a polished message is not automatically safe.
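To make these tells concrete, here is a short Python script, added to this guide rather than taken from the article or any mail product, that checks a constructed sample email for four of them: a display name that borrows a brand the real sending domain does not match, link text that disagrees with the link's true destination, a macro-enabled attachment, and pressure wording. The sample message, its sender address, its link and its attachment name are all invented for the illustration, and the word and extension lists are simple assumptions; a real mail filter uses far richer rules.

```python
"""Check a raw email for the phishing tells described above.

Added example, not code from the original article or any mail product. The
sample message below is constructed: the sender, link and attachment name
are invented to show each tell.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the display name says "PayPal Support" but the address is
# on paypa1.com (digit one for the letter l), the visible link text and the real
# href disagree, the attachment is macro-enabled, and the wording applies pressure.
SAMPLE_EMAIL = """\
From: "PayPal Support" <support@paypa1.com>
To: someone@example.com
Subject: Unusual sign in detected - verify your account now
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Suspicious activity detected, act immediately or your account will be locked.</p>
<a href="https://paypal.com.secure-login.ru/verify">https://www.paypal.com/signin</a>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

AAAA
--b1--
"""

# Assumptions for the example: a few pressure phrases and the Office extensions
# that mean "this document can carry macros".
URGENCY_WORDS = ("immediately", "within 24 hours", "will be locked", "act now", "suspended")
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Visible link text that itself looks like a web address, so it can be compared to the href.
HOST_LIKE_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$")


def display_name_mismatch(from_header):
    """Tell: the friendly name claims a brand the real sending domain does not contain.
    Returns (display name, sending domain) when they disagree, else None. Crude on
    purpose: a personal name will trip it, which is fine for a brand-impersonation check."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    words = [w.lower() for w in re.findall(r"[A-Za-z]{4,}", name)]
    if words and not any(w in domain for w in words):
        return name, domain
    return None


def link_mismatches(html):
    """Tell: the link says one site and goes to another. Returns (shown host, real host) pairs."""
    pairs = []
    for href, inner in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        m = HOST_LIKE_RE.match(shown)
        if not m:
            continue  # text like "Verify now" names no site, so there is nothing to compare
        shown_host = m.group(1).lower()
        real_host = (urlparse(href).hostname or "").lower()
        if real_host and shown_host != real_host:
            pairs.append((shown_host, real_host))
    return pairs


def text_parts(msg):
    """Decoded text/plain and text/html bodies of the message."""
    return [part.get_payload(decode=True).decode("utf-8", "replace")
            for part in msg.walk()
            if part.get_content_type() in ("text/plain", "text/html")]


def macro_attachments(msg):
    """Tell: an attachment whose file type exists to carry macros."""
    return [fn for fn in (part.get_filename() for part in msg.walk())
            if fn and fn.lower().endswith(MACRO_EXTENSIONS)]


def urgency_hits(subject, bodies):
    """Tell: pressure phrases in the subject or body."""
    low = (subject + " " + " ".join(bodies)).lower()
    return [w for w in URGENCY_WORDS if w in low]


def scan(raw_email):
    """Run every check and return the findings by category."""
    msg = message_from_string(raw_email)
    bodies = text_parts(msg)
    return {
        "sender": display_name_mismatch(msg.get("From", "")),
        "links": [pair for body in bodies for pair in link_mismatches(body)],
        "macros": macro_attachments(msg),
        "urgency": urgency_hits(msg.get("Subject", ""), bodies),
    }


if __name__ == "__main__":
    for category, finding in scan(SAMPLE_EMAIL).items():
        print(f"{category:8} {finding}")
```

Run it and every category lights up for the sample: the sender's friendly name does not match paypa1.com, the link shows www.paypal.com but goes to paypal.com.secure-login.ru, invoice.docm is a macro-enabled document, and two pressure phrases appear. The same four checks are exactly what your eyes should do when a message arrives, which is why the script is organised around the tells rather than around the message.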

The link is the trap, and the padlock will not save you

A phishing site can display a perfectly valid HTTPS padlock in your browser. That padlock only proves the connection between you and the site is encrypted, meaning nobody can eavesdrop on it. It says absolutely nothing about whether the site itself is honest. A criminal can encrypt their fake page just as easily as a bank can encrypt its real one. Always read the actual domain name, not the padlock. See how HTTPS really works for why the padlock is a privacy feature, not a trust badge.

Reading a web address the right way

Since so many phishing attacks hinge on a fake web address, it is worth learning to read one correctly, because attackers rely on the fact that most people do not. The important part of a web address is the main domain, which sits just before the first slash that follows the https:// at the start. Everything after that slash, and cleverly placed extra words before it, can be arranged to mislead you.

https://accounts.google.com/signin        real: the main domain is google.com
https://google.com.secure-login.ru/...    fake: the real domain is secure-login.ru;
                                          "google.com" is just decoration
https://www.paypa1.com/login              fake: paypa1 with a number one, not paypal

The trick in the middle example is common and worth staring at until it clicks. Reading left to right, "google.com" looks reassuring, but the actual domain, the bit right before that first slash, is secure-login.ru. Everything to the left of it is just window dressing the attacker chose. Train yourself to find the real domain, the final name and ending (such as secure-login.ru) sitting immediately before the slash, and much phishing falls apart on sight.
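The same reading, done by a short Python function added here as an illustration (it is not from the article or from any browser): it pulls the host out of a web address, keeps the real domain at its right-hand end, then checks that domain against a list of sites you trust to catch both tricks above, a genuine name used as decoration further left and a near-identical spelling with swapped characters. The trusted-site list, the tiny public-suffix table and the character-swap map are assumptions for the example; real tools use the full Public Suffix List and a much larger confusables table. The last function shows, in simplified form, why a password manager's autofill stays quiet on a look-alike page.

```python
"""Read the real domain out of a web address and spot look-alikes.

Added example, not from the article or any browser. TRUSTED, the suffix table
and the character-swap map are assumptions for the illustration.
"""
from urllib.parse import urlsplit

# Assumption: the sites you actually hold accounts with.
TRUSTED = {"google.com", "paypal.com"}

# Assumption: a tiny stand-in for the Public Suffix List, which is what real
# software uses to know that "co.uk" is a suffix rather than a site.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Assumption: characters attackers swap in for look-alike letters.
SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def real_domain(url):
    """The part that decides who you are talking to: the rightmost name.suffix pair
    of the host, just before the first slash (three labels when the suffix is two,
    e.g. example.co.uk). Everything further left is whatever the site owner chose."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(label):
    """Undo common character swaps so paypa1 compares equal to paypal."""
    return label.translate(SWAPS).replace("rn", "m").replace("vv", "w")


def classify(url, trusted=TRUSTED):
    """Return (real domain, verdict). The verdict is 'trusted', 'decoy for X' when a
    trusted name is used as decoration further left in the host, 'look-alike of X'
    when the domain is a trusted brand with swapped characters, else 'unknown'."""
    host = (urlsplit(url).hostname or "").lower()
    domain = real_domain(url)
    if domain in trusted:
        return domain, "trusted"
    for t in sorted(trusted):
        if t in host:
            return domain, "decoy for " + t
    brand = normalise(domain.split(".")[0])
    for t in sorted(trusted):
        if brand == t.split(".")[0]:
            return domain, "look-alike of " + t
    return domain, "unknown"


def autofill_would_offer(saved_url, current_url):
    """Simplified password-manager rule: fill only when the real domain of the page
    you are on is the one the login was saved for. Silence on a look-alike is the hint."""
    return real_domain(saved_url) == real_domain(current_url)


if __name__ == "__main__":
    # The three addresses from the guide; the path on the second one is constructed.
    for url in ("https://accounts.google.com/signin",
                "https://google.com.secure-login.ru/verify",
                "https://www.paypa1.com/login"):
        domain, verdict = classify(url)
        print(f"{url:45} real domain {domain:18} {verdict}")
    print("autofill on paypa1.com:",
          autofill_would_offer("https://www.paypal.com/signin", "https://www.paypa1.com/login"))
```

The order of the checks matters: the real domain is compared to the trusted list first, so accounts.google.com is accepted before the decoy rule ever looks at it, and only an address that fails that test is examined for a trusted name hiding further left or a swapped-character spelling.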

Let your tools do some of the watching

A password manager will only offer to fill your saved login on the exact site it belongs to, so if you land on a look-alike page and the autofill stays silent, that is a strong hint you are somewhere fake. Combined with multifactor authentication as a backstop, these tools quietly catch mistakes before they become disasters. See what is a password manager.

How to not take the bait

Defending yourself against phishing is a habit, not a purchase. A few simple reflexes cover the vast majority of attacks.

  • Slow down. Urgency is the attacker's single most important weapon, so refusing to be rushed disarms most of them. A genuine problem will survive you taking two minutes to check. A fake one usually will not.
  • Verify through another channel. If your bank, your boss, or a supplier supposedly messaged you with an urgent request, contact them using a phone number or address you already have and trust, never the contact details supplied in the suspicious message itself. This one habit defeats business email compromise almost entirely.
  • Check the sender and the link before you act, every time. Read the real address. Find the real domain. Make it a reflex, not a special occasion.
  • Never enable macros or content in a document you were not expecting, and be cautious opening attachments from anyone if the message feels even slightly off.
  • Turn on multifactor authentication. This is your safety net for the day you slip. Even if you do hand over a password to a convincing fake, a second factor can stop the attacker actually getting in. See what is multifactor authentication.
  • Report it. If you spot a phishing attempt at work, tell your IT or security team. You were probably not the only recipient, and reporting it protects everyone else who got the same message. There is no shame in it, and if you did click something, reporting quickly gives the team a chance to limit the damage.

If you think you already bit

Do not panic, and do not stay quiet out of embarrassment. Change the password on the affected account immediately, and on any other account that shared it. If it is a work account, tell your security team straight away. Check whether multifactor authentication is on, and watch the account for anything unexpected. Fast action turns most successful phishing attempts into near misses.

The takeaway

Phishing skips the technology and targets the human, using borrowed trust and manufactured urgency to make you click a link, log in to a fake page, or send a payment. It comes in many flavours, from mass emails to laser-targeted messages aimed at a single executive, but they all lean on the same handful of pressure tactics, which is exactly why learning to recognise them works so well. The defence is a habit rather than a product: slow down, read the real sender and the real domain, verify anything unexpected through a channel you already trust, never enable content in surprise attachments, and keep multifactor authentication switched on as a safety net for the day you slip. The single best security tool against phishing is a calm, sceptical read of the message sitting in front of you.