michael@hookedscams:~$ man phishing

Phishing

An email, text, or DM that looks legit and links to a fake login page. The page steals your password, and if you reuse passwords, your other accounts too.

also known as: credential theft, smishing, spear phishing, fake login, MFA bypass

what it is

Phishing is the most common cyber-attack on consumers. Someone sends you a message, usually email, sometimes SMS ("smishing"), DMs, or even a phone call ("vishing"), that looks like a real notification from a real company. The message contains a link or attachment.

The link goes to a near-perfect replica of the real login page. You log in. The page records your username and password. Sometimes it also intercepts your one-time MFA code in real time.

By the time you realize the page wasn't real, the attacker is already logged in as you somewhere else.

how they reach you

Phishing arrives through whichever channel a given target is most likely to read with their guard down.

  • Email. Still the most common, and the channel attackers have the most practice getting past filters on. Often spoofs your employer, a vendor you actually use (Microsoft, Google, DocuSign, Slack), or a real billing relationship (PayPal, Apple, Amazon).
  • SMS / smishing. Bank fraud alerts, USPS / FedEx redelivery, "iCloud locked", "your Venmo account is on hold". Short messages, usually with a link.
  • Social DMs. Instagram, X, Facebook, LinkedIn, Discord. "Hey is this you in this video?" with a link is the LinkedIn / Discord classic. "Verify your account or lose access" is the Instagram / X variant.
  • Voice / vishing. A phone call asking you to confirm a code or click a link they'll text. Often paired with the SMS or email lure.
  • Search ads. A Google or Bing ad spoofing a real brand at the top of search results. You search "Coinbase login" or "Chase login", click the first result, and land on a fake site.
  • QR codes / quishing. Physical or digital QR codes, on parking meters, restaurant tables, shipping notifications, even posters in elevators, that link to phishing pages. Phones don't show URL previews as clearly as desktop browsers, so this works better than it should.
  • Calendar invites. A fake meeting invite from "Microsoft Security Team" with a "join now" link.
  • Browser notifications. Sites that tricked you into accepting notifications can spam you with "Windows Defender detected a virus, click here".
  • Fake LinkedIn or Indeed job postings. The "application" link goes to a credential harvester wearing the company's branding.
  • Fake "shared document" emails ("DocuSign document waiting for your signature") with branded links that go to fake login pages.
  • Compromised real accounts. Sometimes the lure comes from a real coworker's hijacked Gmail or Slack. Those get past every filter, because the sender really is who they say they are; only the message is fake.

What they share: an unsolicited message about something time-sensitive, a link, and a login page on the other side.

how it works after you click

  1. The lure picks a believable urgency. "Your Microsoft 365 password expires today." "Your iCloud is locked." "USPS could not deliver your package." "Action required to reactivate your bank account."
  2. The link. Sometimes hidden behind a shortener (bit.ly, tinyurl), sometimes a typo-domain (micros0ft.com, app1e.com), sometimes a legit-looking subdomain on a hijacked site, sometimes routed through a Google / SendGrid tracking redirect so the visible domain looks clean.
  3. The fake login page. Pixel-perfect replica. Often hosted on a compromised WordPress site or a throwaway domain on a cheap TLD (.app, .dev, .live). The page logs your password, and the more sophisticated kits sit as a live proxy in front of the real site, relaying your MFA code to the attacker as you type it.
  4. The login at the real site. Behind the scenes, the attacker uses your captured credentials (and live MFA code) to log into the real account. A one-time code is only good for about 30 seconds, which is why the kit forwards it instantly instead of saving it for later.
  5. The damage. Email forwarding rules get added to siphon future messages. Recovery emails get changed. Linked banks get drained. If your password was reused, every other account that shares it falls within hours.
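
Here is that relay step (points 3 and 4) as a small simulation, added to this page as an example. It is not code from any real phishing kit; the site names, secrets, and the HMAC stand-in for a security key's signature are all made up. It shows why a live-relayed six-digit code logs the attacker in while a security key's response does not: the code is just digits the real site cannot trace back to a page, but the key signs the origin the browser is actually on.

```python
"""Simulation of a phishing kit relaying a live MFA code (added example).

Constructed for illustration: the origins, the secrets, and the HMAC used as a
stand-in for a FIDO2 security key's per-site signature are all hypothetical.
"""
import hashlib
import hmac
import struct

REAL_ORIGIN = "https://accounts.example.com"    # hypothetical real login page
FAKE_ORIGIN = "https://accounts-example.live"   # hypothetical replica


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class SecurityKey:
    """The victim's authenticator. The browser tells it which origin it is on; a
    real key signs client data containing that origin with a per-site private key.
    Here an HMAC over (origin, challenge) stands in for that signature."""

    def __init__(self, key: bytes):
        self.key = key

    def sign(self, origin: str, challenge: str) -> dict:
        sig = hmac.new(self.key, f"{origin}|{challenge}".encode(), hashlib.sha256).hexdigest()
        return {"origin": origin, "challenge": challenge, "sig": sig}


class RealSite:
    def __init__(self, password: str, totp_secret: bytes, fido_key: bytes):
        self.password = password
        self.totp_secret = totp_secret
        self.fido_key = fido_key

    def login_totp(self, password: str, code: str, now: float) -> bool:
        # The site only sees a password and six digits. It cannot tell whether the
        # victim or the relaying kit typed them.
        return password == self.password and hmac.compare_digest(code, totp(self.totp_secret, now))

    def login_fido(self, password: str, assertion: dict) -> bool:
        expected = hmac.new(self.fido_key, f"{assertion['origin']}|{assertion['challenge']}".encode(),
                            hashlib.sha256).hexdigest()
        signature_ok = hmac.compare_digest(assertion["sig"], expected)
        # The origin is inside the signed data, so the kit cannot rewrite it.
        return password == self.password and signature_ok and assertion["origin"] == REAL_ORIGIN


def relay_totp(site: RealSite, password: str, victim_totp_secret: bytes, now: float) -> bool:
    """Victim types password + current code into the fake page; the kit submits
    both to the real site five seconds later, still inside the 30-second window."""
    code_typed_by_victim = totp(victim_totp_secret, now)
    return site.login_totp(password, code_typed_by_victim, now + 5)


def relay_fido(site: RealSite, password: str, key: SecurityKey, challenge: str = "c3c0ffee") -> bool:
    """Kit forwards the real site's challenge to the victim's browser, which is on
    FAKE_ORIGIN. The key signs that origin, so the real site rejects the result.
    (A real browser would not even offer a credential registered for another domain.)"""
    assertion = key.sign(FAKE_ORIGIN, challenge)
    return site.login_fido(password, assertion)


def legit_fido(site: RealSite, password: str, key: SecurityKey, challenge: str = "c3c0ffee") -> bool:
    """Same key, same challenge, but the browser really is on the real site."""
    assertion = key.sign(REAL_ORIGIN, challenge)
    return site.login_fido(password, assertion)


if __name__ == "__main__":
    site = RealSite("hunter2", b"totp-seed-example", b"fido-key-example")
    key = SecurityKey(b"fido-key-example")
    print("TOTP relayed by kit:", relay_totp(site, "hunter2", b"totp-seed-example", 1_700_000_000))
    print("FIDO relayed by kit:", relay_fido(site, "hunter2", key))
    print("FIDO from real page:", legit_fido(site, "hunter2", key))
```

The TOTP function is the real RFC 6238 algorithm, so the first result is not an artifact of the simulation: any code you can read off a screen can be forwarded, and the real site accepts it as long as it arrives within the window.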

the moved-the-conversation tactic

Phishing is mostly one-shot: you click a link, you lose. But there's an interactive variant worth flagging that mirrors the off-platform pivot in social scams.

When phishing operators get a partial hit (you replied to their email but didn't click the link, or they have your number from a previous leak), they often pivot to a different channel to finish the job:

  • Email reply → SMS callback. "I'm having trouble with this email, please text me at [number]", moving you to SMS where you have less context to evaluate the request.
  • Slack / Teams message → "personal" Signal call about an urgent task from "your CEO" or "your boss". This is the executive-impersonation variant and is heavily used against finance and HR staff.
  • A LinkedIn lure → an invite to "discuss the role" on Telegram or Signal.

The reason is the same as everywhere else. Email and corporate chat both have anti-phishing tooling. Personal SMS and Signal don't. Once they have you texting them on your personal number, the operator owns the channel and can run a longer con, sometimes pivoting into employment fraud, gift-card runaround, or wire fraud against your employer.

If a "coworker", "executive", or "vendor" tries to push a sensitive conversation off your work email or work chat onto your personal phone or a personal app, treat that as the same red flag a romance scammer asking to move to WhatsApp would be. Real coworkers don't need to.

red flags

  • Sender domain doesn't match the real company. Look at the actual email address, not just the display name. support@paypa1.com is not PayPal.
  • Links don't go where they appear to. Hover before clicking; the URL in your browser's status bar is where you'll actually land. On a phone, long-press the link to preview it instead.
  • Urgency. Real companies rarely give you 24 hours to "verify or lose access".
  • Attachments you weren't expecting (.zip, .iso, .htm / .html, .lnk, .docm, .xlsm).
  • Grammar that's slightly off. Less reliable now that LLMs write the lures.
  • Login page looks right but the URL bar isn't on the real domain.
  • An OTP / MFA code arrives that you didn't request and someone "from support" wants you to read it to them. Never.
  • A "coworker", "executive", or "vendor" pushes the conversation from email / Slack / Teams onto your personal SMS or a personal app like Signal or Telegram. (See moved-the-conversation tactic above, same operational reason as off-platform pivots in social scams.)

the URL bar test

Before you type a password into any login page, look at the address bar.

  • Does the domain exactly match? mail.google.com is real. mail-google.com is not. accounts.google.com is real. google-accounts.support is not.
  • Subdomains can look misleading. Read the domain from the right: the part that was actually registered is the last two labels (or three for country suffixes like .co.uk), and everything to the left of it is whatever the owner wants it to be. So secure-banking.com.totally-fake.app is on totally-fake.app, not on secure-banking.com.
  • If you arrived from a link, close the tab and navigate to the site manually by typing the URL or using your bookmark. That single habit eliminates most phishing.
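
The URL bar test and the sender-domain red flag above, written out as a checker. This is an added example, not part of the original page. The registrable-domain rule reads the host from the right; the short suffix set is a constructed stand-in for the Public Suffix List, and the trusted domains, sample links, and sample From headers are made up.

```python
"""Domain check for links and From headers (added example, not from the page)."""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed stub: country-code suffixes under which the registrable domain is
# three labels long. The real list (publicsuffix.org) has thousands of entries.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br", "co.nz"}


def registrable_domain(host: str) -> str:
    """Last two labels, or three when the last two are a public suffix like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_verdict(url: str, trusted: set) -> str:
    """Where a link really goes, judged only by its registrable domain."""
    host = urlsplit(url).hostname  # drops scheme, path, port, and any user@ prefix
    if not host:
        return "no host"
    if not host.isascii():
        # Look-alike letters from other scripts render like the real brand name.
        return f"non-ASCII hostname {host!r} (possible look-alike characters)"
    domain = registrable_domain(host)
    return "ok" if domain in trusted else f"untrusted domain {domain}"


def sender_verdict(from_header: str, trusted: set) -> str:
    """The address matters, not the display name in front of it."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "no address"
    domain = registrable_domain(addr.rpartition("@")[2])
    return "ok" if domain in trusted else f"untrusted domain {domain}"


if __name__ == "__main__":
    trusted = {"google.com", "paypal.com"}          # hypothetical allowlist
    for url in [
        "https://accounts.google.com/signin",
        "https://mail-google.com/signin",                     # hyphen: a different domain
        "https://secure-banking.com.totally-fake.app/login",  # real domain is totally-fake.app
        "https://accounts.google.com@evil.example/login",     # user@ trick: host is evil.example
        "https://www.paypal.com.login-verify.co.uk/",         # real domain is login-verify.co.uk
    ]:
        print(f"{url:55} -> {link_verdict(url, trusted)}")
    for hdr in ['"PayPal" <service@paypal.com>', '"PayPal Support" <support@paypa1.com>']:
        print(f"{hdr:55} -> {sender_verdict(hdr, trusted)}")
```

The two verdict functions deliberately ignore everything except the registrable domain: the path, the padlock, the subdomain, and the display name are all under the attacker's control, which is exactly why the page tells you to look only at the domain.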

what to do if you clicked

  • Change your password right now, on the real site. Use a unique, long passphrase.
  • Change the same password on every other site you used it on. This is why password reuse is the real attack vector. A password manager solves this permanently.
  • Turn on phishing-resistant MFA if the service supports it: a hardware key (YubiKey, Google Titan) or a passkey. Those are bound to the real site's domain, so a replica page can't relay them the way it relays a six-digit code. Authenticator-app codes are next best; SMS MFA is weaker but better than nothing.
  • Check the account for damage.
    • Email, look for new forwarding rules, new filters, new recovery emails or phone numbers.
    • Bank, review pending transfers, freeze the card if anything looks off.
    • Social, review connected apps and active sessions, log them all out.
  • Report.
    • Forward the phishing email to the impersonated company. Most have an abuse@ or phishing@ address (e.g. phishing@paypal.com, reportphishing@apple.com).
    • APWG (Anti-Phishing Working Group) at reportphishing@apwg.org. Reports there feed the blocklists that browsers and mail providers use.
    • IC3 (FBI) if money moved.
  • If you re-used the password anywhere, assume those accounts are also compromised. Rotate everything.

password reuse is the actual problem

A single phished password becomes a dozen breached accounts only if you reuse passwords. The fix is unsexy but absolute:

  • Use a password manager (Bitwarden, 1Password, Apple Keychain, KeePass).
  • Let it generate a unique password for every site.
  • Use haveibeenpwned to check which of your old accounts are already in dumps. Rotate those first.
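
How a breach lookup can be done without handing over the secret, as an added example (not the page's own code): Have I Been Pwned's Pwned Passwords API takes only the first five hex characters of SHA-1(password) and returns every suffix in that range with a count, so the match happens on your machine. The endpoint and the Add-Padding header are the real ones; the response body below is constructed, with invented counts, so the demo runs offline.

```python
"""k-anonymity password check (added example). Only 5 hex chars of the hash
are ever sent; the response body here is constructed so this runs offline."""
import hashlib


def range_query(password: str) -> tuple:
    """Split SHA-1(password) into the 5-char prefix sent to the API and the
    35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, response_body: str) -> int:
    """Scan the API's SUFFIX:COUNT lines for our suffix; 0 means not found."""
    for line in response_body.splitlines():
        line = line.strip()
        if not line:
            continue
        sfx, _, count = line.partition(":")
        if sfx.upper() == suffix:
            return int(count)
    return 0


# Constructed response for prefix 5BAA6 (real responses run to several hundred
# lines; these counts are invented). The 0-count line mimics the padding the API
# adds when asked, so response size does not leak how busy a range is.
CONSTRUCTED_RANGES = {
    "5BAA6": """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365
1E5C16C4A47BD4C7E8A7B5D1F1A38B9D2E1:0
""",
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call, backed by the constructed data above."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """The real request (needs network; not used in the offline demo)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "phishing-page-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_pwned(password: str, fetch=offline_fetch) -> int:
    """How many breach corpora contain this exact password, per the range data."""
    prefix, suffix = range_query(password)
    return breach_count(suffix, fetch(prefix))


if __name__ == "__main__":
    prefix, _ = range_query("password")
    print("sent to the API: /range/" + prefix)
    print("'password' seen in breaches:", times_pwned("password"))
    print("long unique passphrase seen:", times_pwned("correct horse battery staple"))
```

Swap offline_fetch for live_fetch to run it for real. Because the server only ever sees the five-character prefix, a reused password can be checked against the dumps without the password itself leaving your machine.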

the bottom line

The link is the weapon. If you treat every link in every unsolicited message as untrusted, and only ever log in by typing the URL yourself or using a bookmark, the entire phishing economy stops working on you.
