
Phishing is the single most common way ordinary people get hacked, and it is getting harder to spot every year. What is phishing, how do modern attacks actually work, and what are the reliable signals that give them away — now that “bad spelling” is no longer one of them? This guide covers the main types, the red flags that still work, the ones that no longer do, and exactly what to do in the first ten minutes after you realise you clicked. It is the anti-phishing playbook of Mahi Info Tech.
What Phishing Actually Is
Phishing is an attack that tricks you into doing something harmful — handing over a password, approving a login, installing malware, or transferring money — by impersonating someone you trust. The defining characteristic is that it attacks you, not your software. No firewall, antivirus or operating system update can stop you from voluntarily typing your password into a convincing fake login page.
That is precisely why it remains so popular with attackers. Breaking encryption is hard. Convincing a tired person that their account will be suspended in 24 hours unless they click a link is easy, cheap, and scales to millions of targets at once.
The Main Types of Phishing
Bulk phishing
The classic spray-and-pray: millions of identical emails claiming to be from a bank, delivery company or streaming service. Individually unconvincing, but at that volume even a 0.1% success rate is a large number of victims.
Spear phishing
Targeted at you specifically, using real details — your name, your employer, a project you are actually working on, a colleague’s real name. Vastly more convincing and vastly more dangerous. The information usually comes from your public social media, your company website, and previous data breaches.
Whaling
Spear phishing aimed at executives and finance staff, typically to authorise a fraudulent payment. The classic form is an urgent email that appears to come from the CEO to someone in accounts.
Smishing and vishing
Phishing by SMS (smishing) and by voice call (vishing). Text messages about failed deliveries and phone calls from “your bank’s fraud team” are now among the highest-volume attacks going. Voice cloning has made vishing far more effective — a familiar voice on the phone is no longer evidence of anything at all.
Clone phishing
A genuine email you previously received is copied, the link or attachment is swapped for a malicious one, and it is resent as an “updated version.” Because you recognise the thread, your guard drops.
QR code phishing
A malicious QR code on a poster, a parking meter, a restaurant table or in an email. It bypasses email link-scanning entirely because the destination is hidden inside an image, and phone screens make the resulting URL much harder to inspect.
The Red Flags That Still Work
Attackers have fixed their spelling. These signals, however, are structural — they are hard for an attacker to remove without undermining the attack itself.
| Red flag | Why it works |
|---|---|
| Manufactured urgency | Pressure stops you thinking. Real organisations rarely give you 24 hours. |
| Unexpected contact | You did not order that parcel, enter that lottery, or request that reset. |
| Request for credentials | Legitimate services never ask you to confirm a password by email. |
| Mismatched sender domain | The display name says “PayPal”; the actual address does not. |
| Link destination differs from link text | Hovering reveals a domain that has nothing to do with the brand. |
| Unusual payment method | Gift cards, crypto and wire transfers are irreversible — which is the point. |
| Pressure to keep it secret | “Don’t tell anyone until it’s confirmed” exists solely to prevent you verifying. |
Of all of these, unexpected plus urgent is the combination that should stop you cold. Almost every successful phishing attack contains both, because together they short-circuit careful thought.
The Signals That No Longer Work
A great deal of phishing advice is now actively dangerous because it teaches you to trust things you should not.
“Look for bad grammar and spelling.” This is obsolete. AI writing tools produce flawless, natural-sounding text in any language. A perfectly written email is no longer any evidence of legitimacy.
“Check for the padlock.” The padlock means the connection is encrypted, not that the site is honest. The overwhelming majority of phishing sites now have valid HTTPS certificates, because they are free and take minutes to obtain. A padlock on a fake login page is still a padlock.
“It came from a real person I know.” Their account may be compromised, or the sender address may be spoofed. Familiarity is not verification.
“It was in a reply to an existing thread.” Attackers hijack real threads precisely because it defeats your suspicion.
How to Check a Link Safely
The most valuable skill in this entire subject is reading a URL correctly, because attackers rely on you skimming it.
The part that matters is the registered domain — the last two segments before the first single slash. In https://accounts.google.com.verify-login.xyz/reset, the real domain is verify-login.xyz, not Google. Everything before it is a subdomain the attacker controls and can set to anything they like. Read a URL from the right, not the left.
Watch for lookalike characters too — a lowercase “l” substituted for a capital “I”, a zero for an “O”, or an accented character from another alphabet. On a phone, where the address bar truncates, this is especially hard to catch.
The safest habit removes the problem entirely: never navigate from the message. If your bank emails about a problem, close the email, open your browser, and type the bank’s address yourself or use your own bookmark. If the message was genuine, the alert will be waiting for you inside your account. If it was not, you have lost nothing. This single habit defeats nearly every phishing attack regardless of how convincing it looked.
Why 2FA Is Not a Complete Shield
Two-factor authentication dramatically reduces your risk and you should absolutely use it — our guide on securing your online accounts covers the setup. But modern phishing kits can defeat basic 2FA in two ways you should understand.
Real-time relay. The fake site forwards your credentials to the real one instantly, the real site sends you a genuine 2FA code, you type it into the fake site, and the attacker uses it within seconds. The code was real. The site was not.
MFA fatigue. The attacker, already holding your password, triggers push approval prompts repeatedly — often at 3am — until you approve one just to make it stop. Never approve a login prompt you did not personally initiate, no matter how persistent.
The defence against both is phishing-resistant authentication: passkeys or a hardware security key. These are cryptographically bound to the real domain, so they simply will not authenticate to a fake one. It is not that you might notice the fake — the key physically cannot be used there. Where passkeys are offered, take them.
What to Do If You Clicked
Panic is understandable; speed is what actually helps. Work through this in order.
- If you entered a password, change it immediately — on the real site, from a device you trust. Change it anywhere else you reused it, and stop reusing passwords.
- Check for persistence. This is the step people skip and it is the one that matters most. Inspect your account for new mail-forwarding rules, unfamiliar recovery emails or phone numbers, app passwords, and connected third-party apps. An attacker sets these up so that changing your password does not lock them out.
- Sign out of all sessions using the “log out everywhere” option.
- Enable 2FA, ideally a passkey or authenticator app rather than SMS.
- If you downloaded a file, disconnect from the network and run a full malware scan before reconnecting.
- If money or card details are involved, call your bank now. Speed determines whether a transfer can be stopped.
- Report it — to your IT team if it is work, and to the impersonated brand, which helps get the fake site taken down.
Do not waste time on embarrassment. Phishing works on smart, careful people; that is the entire reason it is still the most successful attack in existence. The only genuinely bad outcome is staying silent while an attacker consolidates access.
Phishing at Work
Workplace phishing has a different character, because the attacker knows exactly what they are after and can research you specifically. The most costly variant is business email compromise: an attacker impersonates a senior colleague or a supplier and requests an urgent payment or a change of bank details. It has cost organisations enormous sums, and it succeeds because it exploits hierarchy and urgency together — a junior member of staff who receives an urgent instruction apparently from a director is under real pressure not to question it.
The only reliable defence is procedural rather than technical. Any change to payment details, and any unusual payment request, must be verified by contacting the person through a channel you already had — a phone number you already hold, not one supplied in the email. This must be a rule that applies to everyone regardless of seniority, precisely so that nobody has to make a judgement call under pressure. If a genuine director is annoyed at being verified, that is a small price. If they are not verified, the money is gone and it does not come back.
Quick Reference: Phishing Do’s and Don’ts
- Do treat “unexpected + urgent” as an automatic red flag — that pairing is the signature of almost every attack.
- Don’t trust good grammar or a padlock — AI writes flawlessly and HTTPS certificates are free.
- Do navigate yourself — close the message, open the site from your own bookmark instead of clicking.
- Don’t approve a login prompt you did not trigger — repeated prompts are an attack, not a glitch.
- Do use passkeys where offered — they cannot be phished, because they will not authenticate to a fake domain.
Frequently Asked Questions
What is phishing in simple terms?
Phishing is a scam message that impersonates someone you trust in order to trick you into giving up a password, approving a login, installing malware, or sending money. It targets your judgement rather than your software, which is why technical defences alone cannot stop it.
How can I tell if an email is phishing?
The strongest signals are that it was unexpected, it creates urgency, it asks for credentials or payment, and the sender’s real domain does not match the brand. Read the URL from the right to find the true domain. Do not rely on spelling or the padlock icon — both are meaningless now.
Can phishing get past two-factor authentication?
Yes. Modern phishing kits relay your 2FA code to the real site in real time, and attackers also spam push notifications until someone approves one. Passkeys and hardware security keys are phishing-resistant because they are bound to the genuine domain and will not work on a fake one.
What should I do if I clicked a phishing link?
Change the password on the real site from a trusted device, then check the account for forwarding rules, unfamiliar recovery options, app passwords and connected apps, since attackers use these to keep access. Sign out everywhere, enable 2FA, scan for malware if you downloaded anything, and call your bank immediately if money is involved.
Is smishing worse than email phishing?
It is often more effective. Phones truncate URLs, making fake domains harder to inspect, people read texts quickly and with less suspicion, and text messages lack the filtering that email providers apply. The same rules apply: do not tap the link, go to the real site yourself.
One More Thing
Technology moves quickly, and the specifics in any guide will shift over time — but the underlying principles rarely do. Understanding why something works is what lets you adapt when the tools, the products and the interfaces inevitably change around you. That is the approach we take with every guide on Mahi Info Tech: explain the reasoning, not just the steps, so the knowledge outlasts the version number.
Final Thoughts
Phishing survives because it targets human psychology rather than technology, and psychology does not get patched. The good news is that you do not need to detect every fake — you need one reliable habit. When a message is unexpected and pushes you to act quickly, stop, do not click, and reach the organisation through a route you chose yourself. That single reflex defeats the overwhelming majority of attacks, no matter how polished they have become.
Explore more security guides, practical tutorials and technology explainers across Mahi Info Tech, and see our full cybersecurity guide for the wider picture.