What Is a Phishing Attack?

A phishing attack is a message or webpage that impersonates someone you trust — your bank, your employer, a delivery service — specifically to trick you into handing over credentials, payment details, or system access. It's a con, not a technical exploit: the vulnerability being targeted is human trust, not a flaw in your software.

Hands typing on a keyboard at night, representing a phishing threat targeting login credentials
A phishing threat targeting your login credentials, one keystroke at a time

How a phishing attack actually works, step by step

Every phishing attack, regardless of channel, follows roughly the same four-stage anatomy — understanding it is more useful than memorizing examples, because the examples change every few months and the underlying structure doesn't:

  1. The pretext. The attacker picks a scenario that justifies urgent action from a trusted source — an invoice, a locked account, a failed delivery, a message from "IT" about an expiring password.
  2. The lure. A message is sent through email, text, a phone call, or a QR code, spoofing the sender identity closely enough to survive a quick glance, and applying time pressure so you act before you think.
  3. The hook. A link to a cloned login page, a malicious attachment, or a request to "confirm" information over the phone — whatever gets the victim to hand over something valuable.
  4. Capture and monetization. Credentials get tested against other services, sold in bulk, or used directly for wire fraud; malware payloads get used to deploy further tools, including ransomware, deeper into a network.

The reason this framework matters practically: almost every effective defense targets one of these four stages specifically, rather than trying to detect "phishing" as a single thing.

Illustration of a cyber phishing attack, showing the lure and hook stages used to capture credentials
The anatomy of a phishing attack: lure, hook, capture, monetize

The many faces of phishing — it's rarely just email anymore

The core con is identical across all of these; only the delivery channel changes, usually to whichever channel currently has the weakest scrutiny:

The technique most guides skip: phishing that defeats two-factor authentication entirely

Standard advice says two-factor authentication stops phishing. Against modern attack kits, that's no longer reliably true. Adversary-in-the-middle (AiTM) phishing kits — Evilginx is the best-known example in this category — don't just clone a login page's appearance. They act as a live reverse proxy sitting directly between the victim and the real service, relaying every request and response in real time.

When the victim enters a password and then approves a push notification or types in a one-time code, that entire exchange passes straight through to the real service — which authenticates it successfully, because it's genuinely correct. The service then issues a valid, authenticated session cookie back through the same relay, and the attacker captures that cookie directly. From that point on, the attacker has a live, already-authenticated session — no password needed again, no further MFA prompt required, because from the real service's point of view, nothing suspicious happened at all.

What actually closes this gap: phishing-resistant authentication methods — passkeys and hardware security keys built on the FIDO2/WebAuthn standard — cryptographically bind each login to the exact origin domain requesting it. A look-alike phishing domain simply cannot complete that handshake, regardless of how convincing the page looks. SMS codes and app-based push approvals don't have this protection; they authenticate the person, not the destination.

Red flags that actually hold up — and the one that doesn't

Some advice repeated in basic security training genuinely helps; some of it is outdated or flatly wrong. Here's what's still worth checking:

And the one that doesn't hold up: the padlock icon or "https://" in the address bar. Free, automated certificate authorities like Let's Encrypt issue valid encryption certificates to any domain, including one registered five minutes ago for a phishing campaign. HTTPS confirms the connection is encrypted in transit — it says nothing about who controls the server on the other end. Treat the padlock as meaningless for judging trust; it was never designed to signal that in the first place.

What happens after someone actually clicks

The outcome depends heavily on what was actually captured. If a password was typed into a cloned login page, it gets tested immediately against other popular services — a far bigger risk if that password was reused anywhere, since credential-stuffing tools automate exactly that check within minutes of a new haul. Running the entered password through our password strength checker is a reasonable first move if you're unsure whether it's strong enough to have survived the attempt.

If the kit used was an AiTM proxy, the far more serious outcome is a stolen live session — meaning the attacker didn't just get a password, they got standing access to the account as it already existed, MFA and all, until that session is manually revoked. If a malicious attachment was opened rather than a link clicked, the concern shifts to whatever payload ran locally — commonly an infostealer designed to harvest saved browser passwords and cookies directly off the device, which is a different and often worse problem than a single phished credential.

What actually stops it

In rough order of how much they actually help, based on what defeats the attack techniques above rather than just general good habits:

What's the actual difference between phishing and spam?

Spam is unsolicited bulk messaging trying to sell you something legitimate, if unwanted — a real company's mailing list you never joined. Phishing is impersonation with intent to steal: the message pretends to be your bank, your employer's IT department, or a delivery service specifically to extract credentials, payment details, or system access. Spam wastes your time; phishing is trying to actively compromise you.

Does the padlock icon or HTTPS mean a website is safe?

No, and this is one of the most persistent myths in basic security advice. HTTPS and the padlock icon only confirm that the connection between your browser and the server is encrypted — they say nothing about who controls that server. Free, automated certificate authorities like Let's Encrypt will issue a valid TLS certificate to a phishing domain registered five minutes ago just as readily as to a legitimate bank. The padlock proves the traffic can't be eavesdropped on in transit; it proves nothing about the destination's intent.

Can a phishing attack actually bypass two-factor authentication?

Yes, and this is the part most beginner guides skip entirely. Adversary-in-the-middle phishing kits sit between you and the real login page in real time, relaying not just your password but the session token or cookie generated after your one-time code or push approval succeeds. From the real service's perspective, a valid, fully authenticated session was just created — because it was, just handed straight to the attacker. Phishing-resistant methods like passkeys are specifically designed to close this gap; SMS codes and push notifications are not.

I already entered my password on a site I now think was phishing. What should I do?

Change that password immediately, on the real site, typed manually rather than via any link from the suspicious message. If you reused that password anywhere else, change it there too — credential-stuffing tools test leaked passwords against other services within minutes of a breach. Check whether the exposed password now shows up in breach data, and if your account offers phishing-resistant multi-factor authentication (a passkey or security key rather than SMS), switch to it. If it was a work account, report it to your IT or security team immediately rather than waiting to see if anything happens.

Is falling for a phishing attack illegal, or am I just a victim?

Being deceived by a phishing attack makes you the victim of a crime, not a participant in one — the person who sent the message is committing fraud, and in most jurisdictions, computer-crime and wire-fraud statutes as well. The exception is if you were then coerced or knowingly used into forwarding the attack to others, which is a different and much rarer scenario.

How did an attacker get my email address or phone number in the first place?

Almost always from a data breach at some completely unrelated company — a leaked customer database, a scraped LinkedIn export, or a breached forum account — rather than anything specific you did. Contact details from breaches get aggregated, resold, and combined across sources into large target lists, which is also why checking whether your email appears in known breaches is a reasonable first step whenever phishing volume targeting you increases.