Phishing: Definition, How It Works, When You’ll Encounter It, and Related Terms
Phishing is a technique where an attacker impersonates a trusted entity to manipulate a target into revealing sensitive information or performing an action that benefits the attacker (e.g., logging into a fake site, approving an MFA push, opening a malicious attachment).
Phishing is a social engineering attack where an adversary impersonates a trusted person, brand, or internal team to trick you into revealing credentials, approving an MFA prompt, or running a malicious action. Because phishing often leads directly to credential theft and account takeover, it shows up in everyday email and messaging workflows—especially around invoices, HR updates, and “security alerts.”
How phishing works
Phishing succeeds by combining deception, pressure, and a low-friction path to action. While the delivery channels vary, the core workflow is predictable.
1) The lure: get your attention
Attackers craft a message that fits the target’s context:
- Security urgency: “Unusual sign-in detected,” “Password expires today,” “Mailbox storage full”
- Financial triggers: “Invoice attached,” “Wire transfer confirmation,” “Payment failed”
- HR/admin bait: “Updated handbook,” “New PTO policy,” “Benefits enrollment”
- Delivery/consumer hooks: “Package held,” “Refund pending,” “Receipt attached”
- Executive authority: “Need this done in the next 10 minutes—don’t call, just confirm”
They often tailor wording, branding, and timing to match normal business operations (e.g., quarter-end invoicing).
2) Establish trust: make it look legitimate
Common trust-building techniques include:
- Lookalike domains: substituting characters or adding words (e.g.,
micros0ft.example,vendor-payments.example) - Display-name spoofing: the sender name looks right, the actual email is not
- Thread hijacking / reply-chain abuse: a compromised account replies inside a real conversation
- Brand cloning: copied logos, footers, “secure message” banners, fake helpdesk signatures
- Cloud-service abuse: links hosted on legitimate platforms (file sharing, forms) to bypass reputation filters
3) The action: steal credentials or execute code
Phishing usually aims for one of four outcomes:
-
Credential harvesting
A user enters a username/password into a fake login page. Some campaigns proxy the real login flow to capture session tokens. -
MFA interception or bypass
- A user is tricked into sharing a one-time code. - MFA push fatigue: repeated prompts until the user taps “Approve.” - “Helpdesk” calls that pressure users to read codes aloud.
(Related background: see our explainer on MFA at what is multi factor authentication.) -
Malware delivery
Attachments (macro docs, HTML attachments, ISO/ZIP) or links that download installers, remote access tools, or loaders. -
Payment diversion / fraud (BEC-style)
Instead of malware, attackers manipulate workflows: change bank details, redirect invoices, request gift cards, or initiate wire transfers.
4) Post-compromise: persistence and expansion
If the attacker gains an account, typical next steps are:
- Create inbox rules to hide replies or forward mail externally
- Search mail for invoices, payroll, vendor info, MFA resets
- Launch internal phishing from the trusted account
- Register OAuth app consent (in some environments) to maintain access
- Use the compromised identity to access SaaS, VPN, or file shares
Technical notes: quick indicators to look for (email + identity)
Common signs in phishing emails:
- Reply-To differs from From
- Sender domain newly registered or slightly misspelled
- Links whose visible text doesn't match the actual URL
- Attachments with risky types: .html, .iso, .img, .js, .vbs, .lnk, password-protected .zip
- Unusual urgency + request to bypass normal verification
If you administer Microsoft 365 or Google Workspace, prioritize sign-in anomalies after user-reported phishing: impossible travel, new device, unfamiliar IP ranges, or suspicious “consent granted” events.
When you’ll encounter phishing
Phishing isn’t confined to “random spam.” It shows up in everyday workflows—often where speed and trust are high.
In your inbox (most common)
- Fake Microsoft 365/Google “account issues,” “quarantine release,” or “shared document” notices
- Vendor invoices and purchase orders, especially around payroll and month-end
- “DocuSign”/e-signature requests that lead to credential pages
- “Voicemail” or “fax” notifications with HTML attachments
In collaboration tools and chat
Attackers increasingly use Teams/Slack/Zoom chat invitations, especially if external messaging is enabled:
- “I shared a file with you—open here”
- “Can you review this contract quickly?”
- Links to “secure files” that redirect to credential capture pages
Over SMS and phone (smishing/vishing)
- “Your package is held; pay a small fee”
- “Bank fraud alert—verify your account”
- “IT support—read me the code you just received”
- Calls spoofing known numbers (caller ID cannot be trusted)
In QR codes (quishing)
QR codes can bypass user skepticism because they hide the destination:
- Posters in public places
- Printed invoices
- Emails with “Scan to view secure message”
During high-stress business moments
Phishing spikes when people are rushed or distracted:
- Mergers/acquisitions, layoffs, benefits open enrollment
- Tax season and payroll cycles
- Incident response events (“Reset your password now”)
- Travel and conferences (hotel Wi‑Fi portals, event registration)
Technical notes: immediate triage steps for admins
If a user reports a suspected phish, treat it as both a messaging and identity incident.
1) Contain the message (high level):
- Remove/quarantine the email org-wide (if your platform supports it)
- Block sender domain and known URLs (with care to avoid collateral)
- Search for similar messages by subject/sender/URL patterns
2) If the user clicked or entered credentials:
- Reset password + revoke sessions/tokens
- Enforce MFA re-registration if you suspect MFA interception
- Check for new inbox rules, forwarding, or OAuth app grants
- Review recent sign-ins for new device/IP/geo
3) Verify potential fraud:
- Contact the “requester” via a known-good channel (directory number, ticket system)
- Validate payment changes with a separate approval workflow
If you’re a user and you suspect compromise, see: how do i tell if my email has been hacked.
Prevention basics that actually reduce phishing risk
Use a password manager + unique passwords
A password manager reduces the chance you’ll type credentials into a lookalike site (many managers won’t autofill on the wrong domain). If you need one, consider 1Password here: Try 1Password →.
Run reputable anti-malware protection
Phishing frequently pivots into malware delivery (HTML attachments, installers, “document viewers”). A solid endpoint tool can help stop the second stage; Malwarebytes is one option: Get Malwarebytes →.
Harden remote and public network use
On travel or public Wi‑Fi, phishing pages and fake captive portals are common. A VPN can reduce exposure to some network-layer risks (it won’t “block” all phishing, but it can help protect traffic on untrusted networks). Options include NordVPN: Check NordVPN pricing → or Surfshark: Try Proton VPN →.
Related terms
The broader category—manipulating people to bypass security. Phishing is one of the most common social engineering techniques.
Targeted phishing aimed at a specific person or role (finance, HR, IT admins). Often includes personal details to boost credibility.
Spear phishing aimed at executives or high-impact roles. Typically tied to fraud or sensitive data access.
Fraud using email impersonation or compromised mailboxes to redirect payments or harvest sensitive info. BEC may involve phishing, but often avoids malware.
A legitimate email is copied, and the link/attachment is swapped for a malicious one. Works well against users who recognize the original template.
Phishing via SMS/text messages. Frequently used for package delivery scams and banking prompts.
Voice phishing via phone calls or voicemails. Common in helpdesk/MFA code scams and vendor payment diversion.
Phishing via QR codes. Used to obscure URLs and move victims to mobile devices where inspection is harder.
Redirecting users to malicious sites through DNS poisoning or host-file manipulation—less about persuading the user, more about tampering with resolution.
The specific outcome of many phishing attacks—collecting usernames/passwords (and sometimes MFA codes) via fake login flows.
Repeated MFA push prompts to annoy users into approving. Often paired with a follow-up call: “Approve the sign-in to stop the alerts.”
Registering deceptive domains that resemble trusted ones. A key infrastructure piece behind many phishing campaigns.