What Is Phishing and How to Avoid It: A Practical Guide
Phishing is the most common way accounts get compromised -- and it doesn't require any technical skill from the attacker. This guide explains exactly how phishing attacks work, how to recognize them across email, SMS, and phone calls, and the specific habits and tools that will keep you from becoming a victim.
What Phishing Actually Is (and Why It Works)
Phishing is a social engineering attack in which an attacker impersonates a trusted entity — your bank, Amazon, Apple, your employer, a government agency — to trick you into giving up credentials, payment information, or access to your accounts.
It works because it exploits psychology, not technology. The attacker doesn't need to break encryption or guess your password. They just need you to type it into the wrong website. And they're very good at creating the right sense of urgency, fear, or authority to make that happen.
According to the FBI's Internet Crime Complaint Center, phishing is consistently the most reported cybercrime category year over year, with hundreds of thousands of victims annually and financial losses running into the billions. Understanding how these attacks work is the single most practical security skill you can develop.
The Most Common Phishing Attack Patterns
Email phishing: You receive an email appearing to be from PayPal, your bank, Netflix, or Apple. It claims your account has been suspended, there's suspicious activity, or your payment failed. It asks you to click a link and verify your information. The link goes to a convincing fake website that captures your credentials.
Spear phishing: A targeted version where the attacker has researched you specifically. The email might reference your employer, a recent transaction, or your full name. These are harder to spot and more dangerous. Executives and high-net-worth individuals are frequent targets of spear phishing campaigns — which can spend weeks gathering open-source intelligence before launching an attack.
Smishing (SMS phishing): The same concept delivered via text message. Common examples include fake package delivery notifications, bank fraud alerts, and toll payment notices. These are increasingly effective because people are less suspicious of text messages than emails.
Vishing (voice phishing): An attacker calls you impersonating tech support, the IRS, Social Security Administration, or your bank's fraud department. They create urgency and guide you toward giving up information, installing software, or transferring money.
Clone phishing: The attacker copies a legitimate email you've previously received, replaces links or attachments with malicious versions, and resends it from a spoofed address. This is particularly insidious because the email content is genuine.
QR code phishing (quishing): Attackers replace legitimate QR codes — on menus, parking meters, or in emails — with codes that redirect to phishing sites. Most people don't check URLs when scanning QR codes.
How AI Is Making Phishing More Dangerous in 2026
The phishing landscape has shifted significantly with the widespread availability of large language models. Attackers now have access to AI tools that can generate grammatically perfect, contextually convincing phishing emails at scale — eliminating the spelling errors and awkward phrasing that were once reliable red flags.
AI-generated spear phishing: Attackers scrape your LinkedIn profile, public social media posts, and company website to build a targeting brief, then use AI to generate a hyper-personalized email that references your colleagues by name, mentions recent company news, and matches the tone of legitimate internal communications. These emails are indistinguishable from real ones without careful analysis of the sender domain.
Deepfake vishing: Voice cloning technology can replicate someone's voice from as little as a few seconds of audio — easily sourced from a YouTube video, podcast appearance, or public Zoom recording. Attackers use cloned voices of CEOs, IT managers, or family members to authorize wire transfers or request credential resets. Several multi-million-dollar fraud cases have involved AI-cloned executive voices.
Real-time AI phishing proxies: Sophisticated attacks use adversary-in-the-middle (AiTM) frameworks like Evilginx that sit between you and the real website, proxying the actual login page in real time. You interact with what looks like a perfect copy of your bank's login portal because it literally is — just with the attacker intercepting the session token. This defeats standard TOTP-based 2FA because the attacker captures the session after successful authentication.
The practical response: phishing-resistant authentication (hardware keys, passkeys) defeats AiTM attacks because authentication is cryptographically bound to the legitimate domain. No fake site — no matter how convincing — can capture a valid passkey assertion for the real domain.
Business Email Compromise: The Costliest Phishing Variant
Business Email Compromise (BEC) is a targeted phishing variant specifically designed to defraud organizations. Unlike mass phishing campaigns seeking credentials, BEC attacks aim to initiate wire transfers, redirect payroll, or manipulate vendor payment instructions. The FBI estimates BEC costs U.S. businesses over $2.7 billion annually — more than any other cybercrime category by financial loss.
Common BEC scenarios: an attacker compromises or spoofs your CFO's email and requests an urgent wire transfer to a new vendor account. Or they intercept a legitimate invoice from a supplier and change the bank routing number to one they control. Or they email HR impersonating an executive requesting employee W-2 data for "tax filing."
Why BEC works: The requests look legitimate because they come from (or appear to come from) trusted internal parties, reference real business relationships, and use correct business terminology. The "urgency" is plausible — executives request things quickly, vendors have payment deadlines.
Defenses against BEC: Establish out-of-band verification for any wire transfer request above a threshold — a phone call to a known number, not one provided in the email. Implement DMARC, DKIM, and SPF on your domain to prevent spoofing. Train finance teams to verify any change to vendor banking details directly with a known contact at the vendor. Use a business password manager like 1Password Teams to reduce credential theft risk across your organization.
How to Recognize a Phishing Attempt
Red flags that should immediately raise suspicion:
- Urgency and threats: "Your account will be suspended in 24 hours" or "Immediate action required" are manipulation tactics. Legitimate companies don't communicate this way.
- Suspicious sender address: The display name says "PayPal" but the actual email address is something like support@paypal-billing-update.com. Always check the real address, not the display name.
- Mismatched URLs: Hover over any link before clicking (on mobile, press and hold). The real URL should match the company's actual domain. Watch for subtle typos: paypa1.com, amazon-support.net, apple-id-verify.com.
- Generic greetings: "Dear Customer" instead of your name suggests a mass phishing campaign rather than a real communication from a service you use.
- Requests for credentials via link: Your bank will never email you a link and ask you to enter your password. Navigate directly by typing the URL yourself.
- Unexpected attachments: Don't open attachments you weren't expecting, even from known contacts — their account may be compromised.
- Perfect writing alone is not a green flag: AI-generated phishing is now grammatically flawless. Don't rely on typos or awkward phrasing as a detection method.
Habits and Tools That Actually Protect You
Use a password manager: This is your strongest passive defense against phishing. A password manager like NordPass autofills credentials only on the exact domain the password was saved for. If you land on paypa1.com instead of paypal.com, your password manager won't fill in your credentials — giving you a critical warning that something is wrong. Use our free password generator to create unique, unguessable passwords for every account.
Enable phishing-resistant 2FA: Hardware security keys (YubiKey) and passkeys are phishing-resistant — they cryptographically verify the domain before authenticating, so they won't work on fake sites. TOTP apps (Google Authenticator, Microsoft Authenticator) are better than nothing, but can still be phished in real-time relay attacks. SMS codes are the weakest form of 2FA and should be replaced where possible. See our full two-factor authentication guide for setup instructions.
Navigate directly, don't click links: When you receive an email about your bank account, don't click the link. Open a new browser tab and type your bank's URL manually. This single habit defeats most phishing attacks without requiring any technical knowledge.
Verify unexpected requests by phone: If your IT department emails asking you to install software, or someone calls claiming to be from your bank's fraud team, hang up and call back using the number on the official website or the back of your card. With AI voice cloning, even a caller who sounds exactly like your manager should be verified if they're requesting unusual actions.
Use browser protection: Google Safe Browsing (built into Chrome and Firefox) warns you before visiting known phishing sites. Keep it enabled. Our browser security settings guide covers the full range of protections available.
Enable dark web monitoring: Services like NordProtect continuously scan breach databases and dark web markets for your email address and credentials. If a phishing attack did succeed and your credentials were sold or posted, you'll receive an alert — often within hours of the data appearing — giving you time to change passwords before the attacker acts on them.
Phishing in Social Media and Messaging Apps
Phishing has spread far beyond email. Modern attackers actively use social media and messaging platforms, which often receive less skepticism than email.
LinkedIn phishing: Fake recruiters reach out with compelling job offers, directing you to a fake hiring portal that captures your credentials — or sends a malicious attachment disguised as a job description. LinkedIn's high professional context makes people more trusting of unsolicited outreach.
WhatsApp and iMessage smishing: Impersonation of family members in distress ("I lost my phone, this is my new number — can you help?"), fake crypto investment opportunities, and fraudulent package delivery notifications are common. The personal channel lowers psychological defenses.
Discord and Slack: In communities and workspaces you trust, compromised accounts spread malicious links or files. A message from a colleague's hacked Slack account asking you to review a Google Doc carries significant credibility. Always verify unusual requests through a separate channel.
Instagram DM phishing: Fake brand partnership offers, verification scams ("Your account is under review — log in here to prevent suspension"), and lottery/gift card scams are rampant. Legitimate brands contact you through your public business email, not DMs, for significant commercial arrangements.
The best defense across all channels: treat any link in a message — even from a known contact — with the same scrutiny as an email link. Verify through a separate communication channel before acting, especially if credentials or payments are involved.
What to Do If You've Been Phished
If you suspect you've entered credentials on a phishing site, speed matters. Act in this order:
- Change your password on the real site immediately — use a strong, unique password from our password generator
- If you reused that password anywhere else, change it everywhere it was used
- Enable two-factor authentication if you haven't already
- Check for unauthorized activity: logins from new devices or locations, changed recovery email or phone number
- Report the phishing site to Google Safe Browsing (safebrowsing.google.com/safebrowsing/report_phish) and the company being impersonated
- If financial accounts were involved, contact your bank or card issuer immediately and request a fraud review
- Place a fraud alert or credit freeze with the three major bureaus (Equifax, Experian, TransUnion) if personal or financial data was exposed
Phishing attacks that succeed often lead to identity theft — the attacker may sell your credentials or use them to open fraudulent accounts in your name. For a full response plan, see our guide on what to do after a data breach.
Protecting Your Organization From Phishing
If you manage a team, phishing is your top human-layer risk. A single click from one employee can compromise your entire network.
Key organizational controls: Deploy DMARC, DKIM, and SPF email authentication records to prevent email spoofing of your domain. Use a business password manager like 1Password Teams so employees have unique strong passwords and a built-in phishing check on every login. Run periodic phishing simulations — free tools like GoPhish let you test your team without real risk. Train employees to recognize the specific types of attacks your industry faces.
The goal isn't to make everyone a security expert. It's to build the habits — check the URL, don't click links in emails, verify unusual requests — that stop 90% of attacks before they start. Pair that with a robust credential security program and dark web monitoring to catch the 10% that slip through.
Phishing Resistance: The Final Layer
The best protection against phishing combines three layers: unique passwords (so one phished credential doesn't cascade into other accounts), phishing-resistant 2FA (so credentials alone aren't enough), and identity monitoring (so you know when your data appears in breach databases).
Services like NordProtect monitor the dark web for your email and credentials, alerting you when they appear in breach databases — often before attackers have a chance to use them. Combined with strong passwords and phishing-resistant 2FA, this three-layer approach makes you a substantially harder target than the average user.
Recommended Tools
- NordPass — Password manager that autofills only on the correct domain, blocking credential theft on fake sites. Generate unique passwords for every account and store them securely.
- NordProtect — Dark web monitoring and identity theft protection. Alerts you when your email or credentials appear in breach databases.
- 1Password Teams — Business password management with phishing-resistant autofill for organizations protecting multiple employees.
For a full list of tools that protect against phishing and identity theft, visit our recommended tools page.
Recommended next step
See recommended security tools
Use the generator for new credentials, then store them in a manager built for long-term password hygiene.
See recommended security tools →Keep Improving Your Account Security
- Browse the phishing hub for the complete set of related guides.
- Email Security Best Practices 2026: Protect Your Inbox from Hackers and Phishing
- How to Secure Your Email Account: The Complete Guide
- Google Authenticator vs. Authy: Which 2FA App Should You Use in 2026?
- How to Secure Your Microsoft Account: Passwords, 2FA, and Recovery Options