Why Phishing Still Works
Despite decades of awareness campaigns, phishing remains the leading cause of successful cyberattacks against both individuals and organizations. The reason is simple: attackers don't need to break through technical defenses when they can trick a human into handing over the keys. And those humans are you, your colleagues, and your family members — regardless of technical sophistication.
Modern phishing attacks are far more convincing than the poorly-spelled Nigerian prince emails of the early internet. Today, attackers use AI-generated text, spoofed domains that look nearly identical to the real thing, and highly targeted "spear phishing" built from social media research about specific individuals.
The Anatomy of a Modern Phishing Attack
A typical attack has a few predictable components:
- A spoofed sender address: The display name says "PayPal Support" but the actual email domain is paypa1.com or paypal-support.net.
- A sense of urgency: "Your account will be suspended in 24 hours." Urgency is designed to bypass careful thinking.
- A malicious link: The button says "Verify Now" but the URL goes somewhere else entirely. Hover over it (on desktop) before you click.
- A credential-harvesting page: You're sent to a login page that looks identical to the real service. Enter your password and the attacker has it.
Red Flags to Check For
In Emails
- Sender domain doesn't match the company (check carefully — attackers use look-alike characters)
- Generic greetings like "Dear Customer" instead of your name
- Requests for credentials, payment info, or personally identifying data
- Unexpected attachments, especially .zip, .exe, or macro-enabled Office files
- Links that don't match the displayed text when you hover over them
On Websites
- URL has a slightly different spelling or extra subdomain (e.g., secure.apple.com.verify-account.net)
- Missing HTTPS — though note that HTTPS alone doesn't mean a site is safe
- Requests for unusual information the real service would never ask for
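The domain checks in the two lists above can be automated. The following is an added example (not code from the original article): it pulls the host out of a URL, compares the registrable domain against a constructed allow-list of sites the reader really uses, and flags the look-alike tricks described here (digit swaps such as paypa1.com, a brand name buried in a subdomain such as secure.apple.com.verify-account.net, or in a hyphenated name such as paypal-support.net). The TRUSTED_DOMAINS list, the LOOKALIKES map and the helper names are assumptions for the example; a production tool would use the Public Suffix List rather than the two-label shortcut used here.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of sites the reader actually logs in to. This is the
# same comparison a password manager makes before it agrees to autofill.
TRUSTED_DOMAINS = {"paypal.com", "apple.com"}
# Brand tokens derived from the trusted list: {"paypal", "apple"}.
BRAND_TOKENS = {d.split(".")[0] for d in TRUSTED_DOMAINS}

# Digit-for-letter swaps seen in look-alike domains such as paypa1.com
# (constructed subset; Unicode homoglyphs in punycode 'xn--' hosts are not covered).
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def hostname(url: str) -> str:
    """Extract the lowercase host from a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'verify-account.net'.
    Assumes a one-label public suffix (.com/.net); a real tool should consult
    the Public Suffix List so that names like example.co.uk are handled."""
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'untrusted' for the URL's host."""
    host = hostname(url)
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # Undo digit swaps, then split on '.' and '-' so that both
    # 'secure.apple.com.verify-account.net' and 'paypal-support.net'
    # expose a brand token that sits outside the registrable domain.
    tokens = set(re.split(r"[.-]", host.translate(LOOKALIKES)))
    if tokens & BRAND_TOKENS:
        return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    # Constructed sample URLs drawn from the patterns described in the article.
    for u in ["https://www.paypal.com/signin", "http://paypa1.com/login",
              "https://secure.apple.com.verify-account.net/",
              "paypal-support.net", "https://example.org/about"]:
        print(f"{classify(u):10} {u}")
```

"lookalike" is a verdict to act on, not proof of fraud: the right response is the one the article recommends, which is to leave the link alone and navigate to the real site yourself.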
The Rise of Smishing and Vishing
Smishing (SMS phishing) and vishing (voice phishing) are growing rapidly. Text messages claiming your package is held, your bank account is compromised, or that you owe taxes are common vectors. A real tip: legitimate organizations will never ask you to verify account details via an unsolicited text message.
Your Best Defenses
- Enable multi-factor authentication (MFA) on every account that supports it. Even if an attacker steals your password, they can't get in without the second factor.
- Use a password manager. It won't autofill on a fake site because the domain won't match — a built-in phishing defense.
- Go directly to the source. If an email claims to be from your bank, don't click the link — open a new tab and navigate to the bank's site directly.
- When in doubt, verify out-of-band. Call the person or company using a number you already know, not one provided in the suspicious message.
If You Think You've Been Phished
Act quickly: change the compromised password immediately, enable MFA if you haven't, check for any unauthorized activity, and notify your bank or IT team depending on what was accessed. The faster you act, the less damage an attacker can do.