Phishing, explained: how the scam works and how to spot it
Phishing is one of the most common ways people get hacked, and it relies less on clever code than on human psychology. The scam impersonates a trusted source — a bank, an employer, a delivery service — to trick you into revealing a password, a payment, or sensitive information.
How it works
A typical phishing attempt arrives as an email, text, or message that looks legitimate. It creates a reason to act quickly: your account is locked, a payment failed, a package is held. It then points you to a link. That link leads to a fake page designed to look like the real one, and whatever you type — usually a username and password — goes straight to the attacker.
More targeted versions, sometimes called spear phishing, personalize the message using details about you or your workplace, which makes them far more convincing. The common thread is security by deception: the attacker borrows a trusted identity.
How to spot it
A few habits catch the large majority of attempts:
- Check the sender and the link. Hover over links before clicking and look at the real web address. Slight misspellings and odd domains are red flags.
- Distrust urgency. Messages that pressure you to act right now are a classic tactic.
- Go direct. Instead of clicking a link, open the app or type the known website address yourself.
- Guard credentials. Legitimate organizations do not ask for your password by email or message.
- Use extra protection. Turning on two-factor authentication means a stolen password alone is not enough to get in.
The takeaway
Phishing works because it targets trust and haste, not technology flaws. Slowing down, verifying who is really asking, and never entering credentials on a page you reached by clicking a link will stop most scams before they start — a small set of habits that protects almost everything else you do online.