Phishing Attack

What is Phishing Attack?
How It Works & How to Stop It.

A phishing attack is one of the oldest and most effective cyber threats in existence, and it is getting smarter. Learn what phishing is, how attackers execute it, and the exact steps to protect yourself and your organisation.


A phishing attack is one of the most common and costly cyber threats today. In a phishing attack, a criminal pretends to be a trusted source — a bank, a government body, a software vendor, or even a colleague. The goal is simple: trick you into handing over sensitive data or clicking a link that installs malware. Understanding how a phishing attack works is the first step to stopping one. In this guide, you will learn what phishing is, how attackers carry it out, every major variant, the warning signs to watch for, and the exact steps to protect yourself and your organisation.

3.4B/day: Phishing emails sent globally every day
$4.88M: Average cost of a phishing breach (IBM, 2025)
254 days: Average time to detect and contain a phishing breach

What Is a Phishing Attack?

A phishing attack is a type of social engineering. The attacker tricks a target into giving up sensitive data — such as passwords or credit card numbers — or into taking an action that causes harm, like installing malware. To do this, the attacker pretends to be a trusted person or organisation.

The US National Institute of Standards and Technology (NIST) defines phishing as tricking people into sharing sensitive data through deceptive digital means. In plain terms: the attacker fakes trust, and the victim pays the price.

The word “phishing” is a play on “fishing.” Attackers cast lures — fake emails, fake websites, and false texts — and wait for victims to bite. The term first appeared in 1995. However, the method itself is much older. It is simply classic con artistry applied to digital channels.

Why Phishing Is So Effective

Phishing targets people, not software. Attackers do not need to break through firewalls. They simply need one person to trust the wrong email. That is why phishing is the most common way attackers get into organisations — responsible for 16% of all data breaches in IBM’s 2025 study.

How a Phishing Attack Works

Every phishing attack follows a clear pattern. Knowing the steps helps you spot and stop the attack early.

Step 1
Reconnaissance
First, the attacker collects data about the target. They look up names, job titles, email addresses, and company details on LinkedIn, social media, and public websites. This research makes the attack look real.
Step 2
Lure Construction
Next, the attacker builds a fake message. They copy a real brand’s logo and email style. They also add urgency: “Your account has been locked” or “Action required within 24 hours.”
Step 3
Delivery
Then the lure reaches the target — via email, SMS, phone call, or QR code. Email is still the top channel. Over 90% of cyberattacks start with a phishing email, according to CISA.
Step 4
Deception
The victim clicks a bad link, opens an infected file, or types their details into a fake login page. At this point, the attacker gets what they came for: credentials, access, or a malware install.
Step 5
Exploitation
Finally, the attacker uses the stolen data. They log into systems, move money, launch ransomware, or attack other people inside the same organisation. Often, the victim does not know this has happened for weeks or months.

Types of Phishing Attack

Phishing is not one technique. It is a family of social engineering attacks spread across many channels. Below are the seven most common types every organisation needs to know.

Email Phishing
The classic form. Fake emails are sent to thousands of people at once. They pretend to be from banks, cloud providers, or government bodies. Volume makes up for the low rate of success on any single message.
Spear Phishing
A targeted phishing attack aimed at one person or company. The attacker uses real personal details to make the message feel genuine. It is far harder to detect than bulk email phishing and is the top method for corporate espionage.
Whaling
Spear phishing aimed at senior executives, board members, or finance leads. A single whaling attack costs an average of $47 million. Business Email Compromise (BEC) losses from these attacks hit $2.77 billion in 2024 (FBI IC3).
Smishing (SMS Phishing)
Phishing via text message. Attackers pose as parcel firms, banks, or tax offices. They send urgent texts with bad links. SMS phishing grew 30–40% quarter-over-quarter in Q4 2025 (APWG).
Vishing (Voice Phishing)
Phone-based social engineering. The attacker pretends to be IT support, a bank fraud team, or a government official. Vishing attacks rose 442% in the second half of 2024, driven by AI voice tools.
Quishing (QR Code Phishing)
Attackers hide bad URLs inside QR codes. This gets past standard email link filters. Mimecast found over 3 million unique malicious QR codes in the 12 months to Q3 2025. Your camera becomes the attack path.
Clone Phishing
The attacker copies a real email the target has already received. They swap out the links or files for bad ones and resend it. Because it looks familiar, most people do not question it.

Spear Phishing: The Targeted Threat

Of all phishing types, spear phishing is the most dangerous. Standard email phishing relies on volume. Spear phishing, by contrast, relies on precision — and precision is much harder to defend against.

A spear phishing attacker starts by researching the target. They check LinkedIn, company websites, and social media. They find the target’s name, job title, manager, and current projects. As a result, the fake message feels completely real — even to people who know about cyber threats.

Here is a simple example. A finance manager gets an email that looks like it came from the CFO. The name is right. The email domain looks right. The message mentions a real supplier. It asks for an urgent wire transfer. Without a phone check, the money is sent. That is spear phishing and credential theft in action at the business level.

“Phishing is the most common initial attack vector we see in enterprise breaches. Spear phishing, in particular, bypasses technical controls because it targets the human layer — and humans are harder to patch than software.”

— IBM X-Force Threat Intelligence Index, 2025

Moreover, spear phishing now delivers ransomware. Once the target clicks a bad link, attackers install ransomware in the background. Ransomware in phishing emails rose 22.6% between September 2024 and February 2025 (IBM). As a result, one spear phishing email can trigger a full ransomware outbreak across an organisation within hours.

Key Takeaway

Spear phishing works because it looks real. The attacker has done their research. Your defence must go beyond email filters. Employee training, call-back checks, and multi-factor authentication are the three layers that close the gap.


Warning Signs of a Phishing Scam

Spotting a phishing scam before you engage with it is your best defence. However, AI now writes phishing content. So the old red flags — bad grammar, odd spelling — no longer work reliably. Instead, focus on the structural signs that appear in every type of phishing attack.

Red Flags — Check These Before You Click

Urgency pressure: “Act within 24 hours or your account will close.”
Sender domains that are slightly off: support@micros0ft-help.com instead of microsoft.com.
Generic greetings like “Dear Customer.”
Requests for passwords, codes, or wire transfers.
Links that show a different URL when you hover over them.
Files you were not expecting, especially ZIP, DOCM, or HTML types.
Any request that skips your normal approval steps.

Above all, trust your gut. If a message makes you feel sudden panic or pressure, stop. Real organisations do not threaten to close your account if you do not act in the next hour. That pressure is the social engineering trick — not a sign of a real problem.

Furthermore, always verify through a second channel. If an email from your bank asks for urgent action, call the bank directly using the number on their official website. Never use contact details from inside the suspicious message.
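The structural red flags above can be checked mechanically, and doing so is a useful complement to training. The Python script below is an added example, not code from the original article or from Signisys. It takes a raw email, normalises the sender and link domains so that digit-for-letter swaps such as micros0ft still match the brand they imitate, and reports the same signs listed above: look-alike domains, a Reply-To that does not match the sender, urgency wording, a generic greeting, link text that differs from the real destination, and unexpected attachment types. The trusted-domain list, the confusable-character map and both sample messages are constructed for the example. The exact-host test at the top of lookalike_of is also the rule a password manager applies when deciding whether to fill a login form.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this hypothetical organisation treats as legitimate (constructed for the example).
TRUSTED_DOMAINS = {"microsoft.com", "example-bank.com", "ourcompany.example"}
# Digits and symbols commonly swapped for letters in look-alike domains (small constructed map).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"})
URGENCY_PATTERNS = [r"\bwithin \d+ hours?\b", r"\bimmediately\b", r"\bact now\b",
                    r"\baccount (?:will be|has been) (?:locked|closed|suspended)\b"]
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
RISKY_EXTENSIONS = (".zip", ".docm", ".html", ".htm")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def normalise_domain(domain: str) -> str:
    """Lower-case, apply NFKC (folds many Unicode look-alikes) and map confusable digits to letters."""
    return unicodedata.normalize("NFKC", domain).lower().strip().translate(CONFUSABLES)


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    d = domain.lower().strip()
    if any(d == t or d.endswith("." + t) for t in trusted):
        return None  # exact match or a genuine subdomain: the only case a password manager fills
    norm = normalise_domain(d)  # "micros0ft-help.com" -> "microsoft-help.com"
    parts = norm.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]  # registrable label, e.g. "microsoft-help"
    for t in trusted:
        t_label = t.split(".")[0]
        if t_label in norm or SequenceMatcher(None, label, t_label).ratio() >= 0.8:
            return t
    return None


def analyse_email(raw: str) -> dict:
    """Check one raw single-part message for the structural red flags and return the findings."""
    msg = message_from_string(raw)
    flags = []
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if (hit := lookalike_of(sender_domain)):
        flags.append(f"sender domain {sender_domain} imitates {hit}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" in reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain.lower():
        flags.append(f"Reply-To {reply_to} does not match the sender domain")
    body = msg.get_payload()                      # single-part message assumed
    lowered = TAG_RE.sub(" ", body).lower()       # crude tag strip for the wording checks
    if any(re.search(p, lowered) for p in URGENCY_PATTERNS):
        flags.append("urgency pressure in body")
    if lowered.lstrip().startswith(GENERIC_GREETINGS):
        flags.append("generic greeting")
    for href, anchor_text in ANCHOR_RE.findall(body):  # what the link shows vs where it goes
        href_host = urlparse(href).hostname or ""
        shown = TAG_RE.sub("", anchor_text).strip()
        shown_host = urlparse(shown if "://" in shown else "https://" + shown).hostname or ""
        if "." in shown and shown_host != href_host:
            flags.append(f"link text shows {shown_host} but points to {href_host}")
        if (hit := lookalike_of(href_host)):
            flags.append(f"link host {href_host} imitates {hit}")
    for part in msg.walk():                       # attachments, judged by file name only
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"unexpected attachment type: {name}")
    return {"score": len(flags), "flags": flags}


# Two constructed sample messages: one phishing lure, one routine internal notice.
SAMPLE_PHISH = """\
From: Microsoft Support <support@micros0ft-help.com>
Reply-To: recovery@mail-verify.example
Subject: Action required: account locked
Content-Type: text/html

<html><body><p>Dear Customer,</p>
<p>Your account has been locked. Verify within 24 hours at
<a href="https://login.micros0ft-help.com/verify">https://login.microsoft.com</a>
or your account will be closed.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: IT Service Desk <helpdesk@ourcompany.example>
Subject: Scheduled maintenance on Saturday
Content-Type: text/plain

Hi Priya,

The VPN gateway will be upgraded on Saturday between 02:00 and 04:00.
No action is needed from you; details are on the intranet page.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyse_email(sample))
```

A score of zero means none of the listed signs were found, not that the message is safe; in practice a check like this runs beside a mail gateway's own verdicts rather than replacing them, and the interesting output is the list of reasons, which is what a reporting user or an analyst needs to see.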

How Phishing Attacks Steal Credentials

Credential theft is the main goal of most phishing attacks. Around 80% of phishing campaigns target login details — especially for cloud tools like Microsoft 365 and Google Workspace. One stolen password can open many systems at once.

Fake Login Pages

The most common method is the fake login page. The attacker builds a copy of a real login screen — same logo, same layout, same colours. They host it on a web address that looks almost right but differs by one letter. The victim types in their details. The attacker captures them instantly. The victim is then sent to the real site, with no idea anything went wrong.

Adversary-in-the-Middle (AiTM) Attacks

However, attackers have moved beyond simple fake pages. AiTM attacks are a newer and more serious threat. In this method, the fake site sits between the victim and the real service. It acts as a go-between. The victim logs in and passes their multi-factor authentication (MFA) check. However, the attacker grabs the session token — the proof that the login was completed. With that token, the attacker can log in as the victim. They do not need the password or the MFA code. AiTM attacks grew 146% in 2024 (Zscaler / Microsoft Entra). Therefore, MFA alone is no longer enough.

Defending Against AiTM Credential Theft

Hardware security keys (FIDO2 / passkeys) stop AiTM attacks. They tie the login to the real domain, so a fake site cannot intercept the check. If your organisation uses SMS codes or an app for MFA, consider upgrading to FIDO2 keys for your most sensitive accounts — finance, HR, and IT admin.
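Why a FIDO2 key defeats an AiTM proxy is easiest to see in the relying party's verification steps. The Python model below is an added example, not code from the original article or from any WebAuthn library. The browser records the origin of the page that asked for the login in the client data, the key signs over that data together with a hash of the RP ID derived from the page's host, and the server rejects anything not bound to its own origin. The domain login.example-bank.com is assumed for the example, and an HMAC secret stands in for the credential's asymmetric key pair so the code runs offline.

```python
import hashlib
import hmac
import json
import secrets

# Assumed relying party for the example (constructed); a real deployment uses its own domain.
RP_ID = "login.example-bank.com"
EXPECTED_ORIGIN = "https://" + RP_ID

# Stand-in for the credential's key pair. A real security key signs with a per-site private
# key that never leaves the device; an HMAC secret keeps this example self-contained.
CREDENTIAL_SECRET = b"constructed-demo-secret-not-a-real-key"


def authenticator_sign(challenge: str, browser_origin: str) -> dict:
    """Model of the security key's assertion. The browser, not the user, fills in the origin
    of the page that requested the login (must include "://"), and the key signs over it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    )
    # The RP ID comes from the page's host: a credential registered for example-bank.com
    # is never offered to a page served from a different host.
    rp_id_hash = hashlib.sha256(browser_origin.split("://", 1)[1].encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data.encode()).digest()
    return {
        "client_data": client_data,
        "rp_id_hash": rp_id_hash,
        "signature": hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest(),
    }


def rp_verify(issued_challenge: str, assertion: dict) -> tuple[bool, str]:
    """Relying-party checks, in the order WebAuthn lists them: challenge, origin, rpIdHash, signature."""
    client = json.loads(assertion["client_data"])
    if client.get("challenge") != issued_challenge:
        return False, "challenge mismatch (replayed or forged assertion)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client.get('origin')} is not {EXPECTED_ORIGIN}"
    if assertion["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"].encode()).digest()
    expected = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature does not cover this clientData"
    return True, "ok"


def login_attempt(browser_origin: str) -> tuple[bool, str]:
    """One login: the RP issues a challenge, the browser at `browser_origin` asks the key to
    sign it, and the assertion is forwarded to the RP unchanged. With an AiTM proxy in the
    path, browser_origin is the proxy's domain rather than the RP's."""
    challenge = secrets.token_urlsafe(32)
    return rp_verify(challenge, authenticator_sign(challenge, browser_origin))


if __name__ == "__main__":
    print("direct login:", login_attempt(EXPECTED_ORIGIN))
    print("via look-alike domain:", login_attempt("https://login.example-bank-secure.net"))
```

Run directly, the script shows the direct login accepted and the same flow through a look-alike domain rejected at the origin check. Editing the origin field does not help, because the signature then no longer covers the client data, and a valid assertion for the real origin cannot be obtained from a page on another host, because the browser only offers the credential to the host it was registered for. The session-token theft described above works precisely because a password or one-time code carries no information about where it was typed.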

AI-Powered Phishing: The Evolving Threat Landscape

Phishing has always changed alongside technology. However, AI has sped that change up dramatically. A task that once took a skilled attacker sixteen hours can now be done by an automated tool in under five minutes (IBM).

The results are striking. AI-written phishing emails get a 54% click rate. By comparison, human-written phishing emails get just 12%. That is more than four times the success rate. In 2024, over 73% of phishing emails used AI in some way. For the most advanced attacks, that figure rises above 90%.

Beyond text, voice-cloning tools now power fake phone calls. In several cases in 2024, attackers copied an executive’s voice from public audio clips. They then called employees and approved fake payments. These calls are impossible to tell apart from real ones without a separate check.

In addition, Phishing-as-a-Service (PhaaS) kits have grown 21% year-over-year. Criminals with no technical skills can now buy ready-made phishing tools online. These kits include fake login pages, email sending tools, and live credential dashboards. The result is that more attackers, with less skill, can now run more phishing campaigns than ever before.

Key Takeaway

AI has removed the spelling and grammar errors that once made phishing easy to spot. Your defence can no longer rely on visual checks alone. You need structural verification and technical controls at every layer.


How to Protect Against Phishing Attacks

Good defence against a phishing attack needs more than one tool. It needs layers — technical controls, clear processes, and trained people. No single measure stops every attack. The combination is what builds real email security.

Technical Controls

Technical Tools
Multi-Factor Authentication (MFA): Turn on MFA for every account. Use hardware security keys (FIDO2 or passkeys) for finance and admin accounts to block AiTM attacks.
Email Authentication (SPF, DKIM, DMARC): Set up these three email security standards on your domain. Together, they stop attackers from faking your email address when targeting your customers or partners.
Email Security Gateway: Use an AI-powered email filter that checks links, files, and sender patterns — not just known bad addresses. Modern tools catch new phishing URLs in real time.
Endpoint Detection and Response (EDR): EDR tools catch and stop malware that arrives through phishing files, even after the user has opened them.
Password Manager: A password manager only fills in your details on the real site. It will not fill in a fake page, which gives you automatic protection against look-alike sites.
Human Controls
Phishing Simulation Training: Run fake phishing tests for staff every quarter. Organisations that train regularly see much lower click rates than those that only issue policy documents.
Call-Back Rule for Financial Requests: Require a phone call to confirm any wire transfer, password reset, or data request made by email. No exceptions — even if the email looks like it came from the CEO.
Easy Reporting Culture: Make it simple and safe for staff to report a suspected phishing scam. When people fear looking foolish, they delay reporting — and that delay costs money.
Incident Response Plan: Write down exactly what your team will do when a phishing attack succeeds. Teams that have practised a response close breaches faster — and a faster close means a lower cost.
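Checking the SPF and DMARC records mentioned under Email Authentication can be automated. The Python linter below is an added example, not code from the original article or from any DNS tool. It parses the two TXT records as text (no DNS lookups, so it runs offline) and flags the settings that leave a domain spoofable, shown on a weak record beside a hardened one. The sample records and the reporting address dmarc-reports@ourcompany.example are constructed for the example; DKIM is not covered because checking it means fetching the selector record and verifying a signature.

```python
import re

MECHANISM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)", re.I)
# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
DNS_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' TXT record (DMARC style) into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> list[str]:
    """Return the weaknesses in a DMARC record; an empty list means it enforces and reports."""
    tags = parse_tags(record)
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if not policy:
        issues.append("no p= tag: receivers ignore the record")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: move to p=reject once reports show no legitimate failures")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct}: policy applies to only part of the mail stream")
    if "rua" not in tags:
        issues.append("no rua= address: you receive no aggregate reports")
    if tags.get("sp", "").lower() == "none":
        issues.append("sp=none: subdomains can still be spoofed")
    return issues


def lint_spf(record: str) -> list[str]:
    """Return the weaknesses in an SPF record; an empty list means unlisted senders are rejected."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    issues = []
    names = []
    for term in terms[1:]:
        match = MECHANISM_RE.match(term)
        names.append(match.group(1).lower() if match else "")
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("no 'all' term: unlisted senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"   # a bare "all" means "+all"
        if qualifier in "+?":
            issues.append(f"'{last}' lets any server send as this domain")
    lookups = sum(1 for n in names if n in DNS_LOOKUP_MECHANISMS)
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceeds the limit of 10 (permerror)")
    if "ptr" in names:
        issues.append("ptr mechanism is deprecated and slow to evaluate")
    return issues


# Constructed records for a hypothetical domain: the weak setting beside the corrected one.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@ourcompany.example; adkim=s; aspf=s"

if __name__ == "__main__":
    for name, record, lint in (("weak SPF", WEAK_SPF, lint_spf), ("strong SPF", STRONG_SPF, lint_spf),
                               ("weak DMARC", WEAK_DMARC, lint_dmarc), ("strong DMARC", STRONG_DMARC, lint_dmarc)):
        print(f"{name}: {lint(record) or 'no issues'}")
```

The usual rollout is the one the linter nudges towards: publish SPF and DKIM, start DMARC at p=none with a rua= address, read the aggregate reports until every legitimate sender passes, then move to quarantine and finally reject at pct=100.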

What to Do If You Fall for a Phishing Attempt

Acting fast after clicking a phishing link limits the damage. These steps apply whether the phishing attempt hit your personal accounts or your work systems.

  1. Disconnect right away. If you think malware was downloaded, unplug your ethernet cable and turn off Wi-Fi. This stops the malware from spreading to other devices on your network.
  2. Change your passwords. Start with the account you think was hit. Then change any other account that uses the same password — reusing passwords turns one breach into many.
  3. Turn on MFA for any account that does not already have it. Do this before the attacker locks you out with your own stolen details.
  4. Run a malware scan. Use a trusted security tool to check your device. Do not rely on the operating system’s built-in scanner on its own.
  5. Tell your IT or security team straight away. In a work setting, they need to know within minutes — not hours. Early notice lets them block the attacker before others in your organisation are hit.
  6. Contact the right bodies. If financial data was exposed, call your bank. In India, report to CERT-In at cert-in.org.in. In the US, forward the email to CISA at phishing-report@us-cert.gov. In the UAE, contact the UAE Cybersecurity Council.
  7. Watch for identity theft. In the weeks after a credential theft, look out for new accounts, odd login alerts, or unexpected charges. Catching these early limits the long-term harm.

Why Speed Matters

Speed Is the Critical Variable

Phishing breaches take an average of 254 days to find and contain (IBM, 2025). Organisations that respond within 24 hours pay far less to fix the damage. Every minute the attacker stays hidden is a minute they can steal more data or launch ransomware.

Frequently Asked Questions
What is the difference between phishing and spear phishing?
A phishing attack sends the same fake message to thousands of people at once. Spear phishing, by contrast, targets one person or company. The attacker uses real personal details — your name, job title, or company — to make the message feel genuine. As a result, spear phishing is far more likely to succeed and far more dangerous.
How do I report a phishing email?
Forward the email to your IT or security team right away. In the US, report to CISA at phishing-report@us-cert.gov. In India, report to CERT-In at incident@cert-in.org.in. In the UAE, contact the UAE Cybersecurity Council. Gmail and Outlook both have a built-in “Report phishing” button. Do not reply to the sender or click any links before you report.
Can a phishing attack happen through text messages?
Yes. SMS phishing is called smishing. Attackers send texts that look like they are from a bank, a parcel firm, or a government office. They urge you to click a link or call a number. The same rule applies: do not click links from senders you did not expect. Always check through the organisation’s official contact details instead.
What should I do immediately if I clicked a phishing link?
Act at once: disconnect from the internet, change your passwords, turn on MFA for all accounts, run a malware scan, and tell your IT team. If you entered bank or card details, call your bank straight away. The faster you respond, the less damage the attacker can do.

Phishing Attack: The Bottom Line

A phishing attack is still the most common way attackers get into organisations worldwide. That is not because defences have not improved. It is because phishing targets people, not software — and people are harder to patch. As AI makes these attacks more convincing, the organisations that layer their defences will be the ones that catch attacks before they cause serious harm.

In short, understanding phishing is not just an IT job. It is a skill every person in your organisation needs. Start with awareness. Add controls. And build a culture where reporting a phishing scam is praised, not punished.

For organisations looking to strengthen their defences against phishing attacks and other cybersecurity threats, Signisys offers security assessments, email security tools, and staff awareness training. Get in touch with our team to talk through your specific risks.


