Why Phishing Still Works

Phishing — the practice of deceiving people into revealing sensitive information or installing malware — remains one of the most prevalent and successful forms of cybercrime. No matter how sophisticated security software becomes, humans remain targetable through psychology: urgency, fear, trust, and curiosity.

Modern phishing attacks have evolved far beyond the poorly-written "Nigerian prince" emails of the early internet. Today's campaigns are targeted, convincing, and increasingly powered by AI-generated content.

Common Types of Phishing Attacks

  • Email phishing: Mass emails impersonating trusted brands (banks, delivery services, tech companies) to steal credentials or deploy malware.
  • Spear phishing: Highly targeted attacks using personal information about the victim to make the message more convincing. Often aimed at employees or executives.
  • Smishing: Phishing via SMS — fake delivery notifications, bank alerts, or two-factor authentication requests.
  • Vishing: Voice phishing — fake calls from "tech support", "banks", or government agencies.
  • Quishing: Phishing via malicious QR codes embedded in emails, flyers, or fake parking tickets.
  • Clone phishing: Duplicating a legitimate email you've previously received, but replacing links or attachments with malicious versions.

Red Flags to Watch For

Even convincing phishing attempts often leave clues. Train yourself to notice:

  • Urgency or threats: "Your account will be suspended in 24 hours." Urgency is designed to short-circuit careful thinking.
  • Mismatched sender addresses: The display name says "PayPal" but the actual email address is noreply@paypa1-secure.ru. Many mobile mail apps show only the display name, so tap or expand it to reveal the real address.
  • Suspicious links: Hover over any link before clicking (long-press it on a phone) and read the destination. Look at the registrable domain, not the start of the address: a link to paypal.com.login-verify.paypa1-secure.ru belongs to paypa1-secure.ru, not to PayPal.
  • Unexpected requests: Legitimate organisations will not ask for your password, full card number, or 2FA code by email or text, or in a phone call you did not initiate.
  • Generic greetings: "Dear Customer" instead of your actual name can indicate a mass-targeted attack.
  • Attachments you didn't expect: Especially .zip, .exe, .docm, or .pdf files from unknown senders.
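The three most mechanical of these checks (display name versus sender address, link domain versus claimed brand, and digit-for-letter lookalike domains) can be scripted. The following is an added example, not code from the original article: it runs those checks plus an urgency and generic-greeting scan over two constructed messages. The brand list, the homoglyph table and the two-label shortcut for the registrable domain are assumptions made for the demo; real code should use the Public Suffix List (for example via tldextract) so that co.uk-style suffixes are handled.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name says PayPal, the address and links say otherwise.
SAMPLE_EMAIL = """\
From: "PayPal" <noreply@paypa1-secure.ru>
To: alice@example.com
Subject: Your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Unusual activity was detected. Verify now or your account will be suspended.</p>
<p><a href="https://paypal.com.login-verify.paypa1-secure.ru/signin">paypal.com/signin</a></p>
</body></html>
"""

# Constructed sample of a genuine notification, for comparison.
CLEAN_EMAIL = """\
From: "PayPal" <service@paypal.com>
To: alice@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Hello Alice,</p>
<p>Your statement is available at <a href="https://www.paypal.com/myaccount/statements">PayPal</a>.</p>
</body></html>
"""

TRUSTED_BRANDS = {"paypal": "paypal.com"}   # assumed: brand keyword -> real registrable domain
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}  # assumed table
URGENCY = re.compile(r"suspend\w*|urgent\w*|immediately|(?:with)?in \d+ hours|verify now", re.I)
GENERIC = re.compile(r"\bdear (?:customer|user|member|client|valued)", re.I)


def registrable_domain(host):
    """Last two labels of a host name (shortcut; use the Public Suffix List in real code)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(text):
    """Undo common digit/letter swaps so 'paypa1' and 'rnicrosoft' compare as the real names."""
    text = text.lower()
    for fake, real in HOMOGLYPHS.items():
        text = text.replace(fake, real)
    return text


class LinkCollector(HTMLParser):
    """Collects href targets and visible text from an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.text.append(data)


def triage(raw):
    """Return (code, detail) findings for one raw RFC 5322 message; [] means no red flag fired."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    parser = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            parser.feed(part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace"))
    text = msg.get("Subject", "") + " " + " ".join(parser.text)
    findings = []
    for brand, real in TRUSTED_BRANDS.items():
        # Display name claims a brand but the message did not come from that brand's domain.
        if brand in normalise(display) and sender_domain != real:
            findings.append(("display-name-mismatch", f'"{display}" sent from {sender_domain}'))
        # Sender domain reads like the brand once digit/letter swaps are undone.
        if brand in normalise(sender_domain) and sender_domain != real:
            findings.append(("lookalike-domain", f"{sender_domain} resembles {real}"))
    for href in parser.hrefs:
        # Real domain used as a leading label, or brand-like host whose registrable part is not the brand's.
        host = urlparse(href).hostname or ""
        link_domain = registrable_domain(host)
        for brand, real in TRUSTED_BRANDS.items():
            if (host.startswith(real + ".") or brand in normalise(host)) and link_domain != real:
                findings.append(("link-domain-mismatch", f"{href} belongs to {link_domain}, not {real}"))
                break
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    generic = GENERIC.search(text)
    if generic:
        findings.append(("generic-greeting", generic.group(0)))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_EMAIL):
        print(f"{code:22} {detail}")
    print("clean message findings:", triage(CLEAN_EMAIL))
```

None of these heuristics is proof on its own; a genuine notification can be urgent and a well-run phishing campaign can register a domain with no lookalike characters at all. They are the cheap checks that a mail gateway or a cautious reader applies before the expensive one: verifying through a separate channel.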

The Rise of AI-Assisted Phishing

Generative AI has lowered the barrier for crafting convincing phishing content. Attackers can now produce grammatically perfect, personalised emails at scale using public data about their targets from LinkedIn, social media, or previous breaches. This makes the old advice of "look for spelling mistakes" increasingly unreliable as a sole defence.

What matters more now: context and verification. Does this email make sense? Did you initiate this interaction? Can you verify the sender through a separate channel?

How to Protect Yourself

  1. Enable phishing-resistant 2FA. Hardware security keys and passkeys cannot be phished the way SMS or TOTP codes can: the credential is bound to the website's origin, so a lookalike site cannot obtain a login that works on the real one, whereas a six-digit code typed into a fake page can be relayed to the real site within seconds.
  2. Use a password manager. It matches on the domain the login was saved for, so it will not offer your details on a spoofed lookalike site. If it refuses to fill a login page you expected it to recognise, treat that as a warning rather than copying the password in by hand.
  3. Verify independently. If your bank emails you about suspicious activity, call the number on the back of your card — don't click the email link.
  4. Keep software updated. Most phishing simply asks for credentials, but the attachments and links that deliver malware often rely on unpatched vulnerabilities in browsers, document readers, or email clients.
  5. Report phishing attempts. In the UK, forward to report@phishing.gov.uk. In the US, forward to reportphishing@apwg.org or use the FTC's reporting portal.
  6. Use email filtering. Enable your provider's spam and phishing filters, and consider a DNS-level security service like Quad9 or NextDNS.
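Step 1 above rests on a specific mechanism, and it is worth seeing it work. The following is an added example, not code from the original article: it pits the same attacker-in-the-middle against a TOTP code and against a passkey. The TOTP side implements RFC 6238 as written. The passkey side is a simulation that keeps the WebAuthn structure (a clientDataJSON carrying type, challenge and origin; authenticatorData starting with sha256 of the relying-party ID; a signature over authenticatorData concatenated with sha256 of clientDataJSON) but uses an HMAC under a shared key in place of the authenticator's public-key signature, and ignores the fact that a real authenticator would hold no credential at all for the phishing domain. Keys, challenges and domain names are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s steps). Note: nothing here names a website."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def relay_totp_attack() -> bool:
    """Victim types the current code into a phishing page; the attacker replays it at the real site."""
    secret = b"constructed-shared-totp-secret"   # constructed: enrolled at the real site
    now = 1_700_000_010                          # constructed timestamp at the start of a 30 s step
    typed_into_phishing_page = totp(secret, now)
    return totp(secret, now + 20) == typed_into_phishing_page   # real site accepts it 20 s later


def sign_assertion(key: bytes, rp_id: str, origin: str, challenge: str) -> dict:
    """Simulated authenticator: rp_id and origin are supplied by the browser, not by the page."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"  # rpIdHash|flags|counter
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(key, to_sign, hashlib.sha256).digest()   # stand-in for the real ECDSA/Ed25519 signature
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def browser_get_assertion(page_origin: str, rp_id: str, key: bytes, challenge: str) -> dict:
    """Browser rule: a page may only request an rpId equal to, or a parent domain of, its own host."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"{page_origin} may not use rpId {rp_id}")
    return sign_assertion(key, rp_id, page_origin, challenge)


def verify_assertion(key: bytes, rp_id: str, origin: str, challenge: str, a: dict) -> tuple:
    """Relying-party checks, roughly in the order the WebAuthn spec lists them."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != origin:
        return False, f"origin {cd.get('origin')} != {origin}"
    if a["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(key, to_sign, hashlib.sha256).digest(), a["signature"]):
        return False, "bad signature"
    return True, "ok"


def relay_passkey_attack() -> dict:
    """The same attacker-in-the-middle against a passkey registered for paypal.com."""
    key = os.urandom(32)                            # constructed: the victim's credential key
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"       # constructed: fetched by the attacker from the real site
    real, phish = "https://paypal.com", "https://paypa1-secure.ru"
    out = {}
    try:   # 1. The phishing page asks for an assertion scoped to paypal.com: the browser refuses.
        browser_get_assertion(phish, "paypal.com", key, challenge)
        out["browser"] = "allowed"
    except PermissionError as err:
        out["browser"] = str(err)
    # 2. Even if that check were bypassed, the signed origin is the phishing site.
    relayed = sign_assertion(key, "paypal.com", phish, challenge)
    out["relayed"] = verify_assertion(key, "paypal.com", real, challenge, relayed)
    # 3. Editing the origin field breaks the signature, which covers clientDataJSON.
    forged = dict(relayed, clientDataJSON=relayed["clientDataJSON"].replace(b"paypa1-secure.ru", b"paypal.com"))
    out["forged"] = verify_assertion(key, "paypal.com", real, challenge, forged)
    # 4. The genuine flow on the real origin still succeeds.
    genuine = browser_get_assertion(real, "paypal.com", key, challenge)
    out["genuine"] = verify_assertion(key, "paypal.com", real, challenge, genuine)
    return out


if __name__ == "__main__":
    print("TOTP relay accepted by real site:", relay_totp_attack())
    for stage, result in relay_passkey_attack().items():
        print(f"passkey, {stage}:", result)
```

The contrast is the whole point: the TOTP code carries no information about where it was typed, so the real site has no way to tell a relayed code from a genuine one. The passkey assertion carries the origin, signed, so the relay fails at the origin check, and rewriting the origin fails at the signature check.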

What to Do If You've Been Phished

Act quickly if you suspect you've fallen for an attack:

  • Change the compromised password immediately, and on any other account where you reused it.
  • Sign out of all other sessions or devices where the service offers it. Modern phishing kits often capture the logged-in session as well as the password, so a password change alone may not end the attacker's access.
  • Enable 2FA if it wasn't already active, preferring a passkey or hardware key.
  • Check for any unauthorised account activity, new mail forwarding rules or filters, changed recovery email addresses or phone numbers, and third-party apps granted access to the account.
  • Run a malware scan if you clicked an attachment or suspicious link.
  • Alert your bank if financial information was involved.

The faster you act, the less damage is done. Phishing succeeds through speed — your defence should too.