
Phishing in 2026: How Attacks Have Evolved and How to Spot Them

LeakedSource Team

Phishing Has Changed

The stereotype of phishing — a poorly written email from a "Nigerian prince" — is years out of date. Modern phishing attacks are sophisticated, targeted, and increasingly difficult to distinguish from legitimate communications.

Phishing remains the number one initial access vector for data breaches. Understanding how these attacks work is your strongest defense.

Types of Phishing Attacks

Email Phishing

The most common form. Attackers send emails that impersonate legitimate organizations (banks, tech companies, government agencies) to trick recipients into clicking malicious links or providing credentials.

Modern email phishing uses:

  • Exact visual replicas of legitimate emails
  • Legitimate-looking sender addresses (using lookalike domains like "rnicrosoft.com")
  • Real company logos, formatting, and legal disclaimers
  • AI-generated text that's grammatically perfect

Spear Phishing

Targeted attacks aimed at specific individuals using information gathered from social media, company websites, or previous breaches. These emails reference real projects, colleagues, or events to appear authentic.

Smishing (SMS Phishing)

Phishing via text message. Common examples include fake package delivery notifications, bank alerts, and toll payment notices. The shorter format of text messages makes it harder to spot suspicious elements.

Vishing (Voice Phishing)

Phone calls from attackers impersonating tech support, government agencies, or banks. AI voice cloning has made these attacks more convincing, with some attackers able to replicate the voice of a colleague or family member.

QR Code Phishing (Quishing)

Malicious QR codes placed in emails, physical locations, or documents that direct to credential-harvesting websites. These are particularly effective because the destination URL isn't visible before scanning.

Red Flags to Watch For

In emails and messages:

  • Urgency or threats ("Your account will be suspended in 24 hours")
  • Unexpected requests for credentials or personal information
  • Links that don't match the claimed sender (hover over links before clicking)
  • Generic greetings ("Dear Customer") instead of your name
  • Requests to bypass normal procedures ("Don't tell IT about this")

On websites:

  • URLs that are close but not exact matches (g00gle.com, arnazon.com)
  • Missing or invalid SSL/TLS certificates (a valid certificate only proves the connection is encrypted, not that the site is who it claims to be)
  • Login pages that look slightly different from the real ones
  • Unusual URL paths or parameters

On phone calls:

  • Unsolicited calls claiming to be from your bank or tech support
  • Requests for remote access to your computer
  • Pressure to act immediately or face consequences
  • Requests for payment via gift cards or cryptocurrency

What to Do If You've Been Phished

  1. Change your password immediately on the affected account
  2. Enable 2FA if it isn't already active
  3. Check for unauthorized activity — review recent logins, email forwarding rules, and account settings
  4. Report the phishing to the impersonated organization and to your email provider
  5. Monitor your accounts for signs of identity theft

Building Phishing Resistance

  • Use a password manager — it won't auto-fill credentials on a fake site because it checks the domain
  • Enable hardware security keys for critical accounts — they're cryptographically bound to the site's domain, so a lookalike domain can't obtain a valid login response, making them phishing-resistant
  • Verify requests through a separate channel — if you get an email from your boss asking for something unusual, call them directly
  • Keep software updated — browsers and email clients increasingly flag known phishing sites
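The lookalike domains cited under "On websites" (g00gle.com, arnazon.com, rnicrosoft.com) and the domain check a password manager performs before auto-filling are two sides of the same test. The following is an added example, not LeakedSource's own code: it reduces a URL to its registrable domain, compares it against a hypothetical allow-list exactly as a password manager would, and then collapses a small hand-picked set of visually confusable character sequences to flag homoglyph lookalikes.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list of domains the organisation actually uses (constructed for this example).
KNOWN_DOMAINS = {"microsoft.com", "google.com", "amazon.com"}

# Visually confusable sequences -> canonical ASCII form. Deliberately a small subset;
# production code would use a full confusables table (e.g. Unicode TR39).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def registrable_domain(url: str) -> str:
    """Return the last two host labels, lowercased ('login.g00gle.com' -> 'g00gle.com').
    Two labels is enough here; real code would consult the Public Suffix List.
    This also defeats 'google.com.evil.example', whose registrable domain is 'evil.example'."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def skeleton(domain: str) -> str:
    """Collapse confusable sequences so 'rnicrosoft.com' and 'microsoft.com' share one skeleton."""
    name, _, tld = domain.rpartition(".")
    for lookalike, canonical in CONFUSABLES:
        name = name.replace(lookalike, canonical)
    return f"{name}.{tld}"


def classify(url: str) -> str:
    """'trusted'   - registrable domain is on the allow-list (safe to auto-fill)
       'lookalike' - matches a known domain only after collapsing confusables
       'unknown'   - neither; treat as untrusted"""
    domain = registrable_domain(url)
    if domain in KNOWN_DOMAINS:
        return "trusted"
    if skeleton(domain) in KNOWN_DOMAINS:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://accounts.google.com/signin", "https://login.rnicrosoft.com/",
                   "g00gle.com", "arnazon.com/orders", "https://google.com.evil.example/"):
        print(f"{sample:45} {classify(sample)}")
```

Note that a password manager stops at the first check: it simply refuses to fill on anything that is not an exact domain match, which is why it protects you even against lookalikes this small table would miss.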

Check LeakedSource to see if credentials linked to your email have been exposed in breaches — exposed credentials are often the starting point for targeted phishing campaigns.
