Phishing Explained: How the Internet's #1 Attack Works, and How to Stop It

Phishing is the most reported cybercrime on earth and the way most breaches begin. How the lure works, the many forms it now takes, how it defeats two-factor login, and the defenses that actually stop it.
Of every kind of online crime reported to the FBI last year, one was reported more than any other, by a wide margin: phishing. It is the oldest trick on the internet and still the most effective, the single most common way a data breach begins. And it has quietly evolved. The clumsy "Dear customer" email full of typos has given way to flawless AI-written messages, fake login pages that defeat two-factor authentication, malicious QR codes, and video calls where the boss asking you to wire money is a deepfake. This is how phishing actually works in 2026, every form it now takes, and the defenses that genuinely stop it.
What phishing actually is
Phishing is social engineering by impersonation. An attacker pretends to be someone you trust, a bank, an employer, a delivery company, a colleague, to trick you into handing over something valuable: a password, a one-time code, a payment, or simply a click that installs malware. The United States cyber agency, CISA, defines it as using email or malicious websites to solicit personal information by posing as a trustworthy organisation.
What makes phishing so durable is that it targets people, not machines. You can patch a server, but you cannot patch the human instinct to obey an urgent message from the boss. That is why, even with modern defenses, the human element is involved in roughly 60 percent of all breaches, according to Verizon's 2025 Data Breach Investigations Report.
The anatomy of a phishing attack
However sophisticated, almost every phishing attack runs the same four-beat play. Spotting any one stage is a chance to stop it.
- The lure. A message designed to provoke action: a security alert, a failed payment, an unpaid toll, a shared document. It impersonates a brand or person you trust and manufactures urgency so you act before you think.
- The hook. A link to a spoofed login page that looks pixel-perfect, or a malicious attachment or QR code. The fake page exists for one reason: to capture what you type.
- The capture. You enter your username, password, and often your one-time code, and the attacker harvests them in real time, or the attachment quietly installs malware.
- The exploitation. With your credentials or access, the attacker drains an account, wires money, steals data, or uses your inbox to phish the next victim. Speed is everything: stolen access is often used within minutes.
The many faces of phishing
"Phishing" is an umbrella. The lure is the same; the channel and the targeting change. These are the forms you will actually meet.
| Type | What it is |
|---|---|
| Email phishing | Mass, untargeted fake emails impersonating a known brand to harvest logins or deliver malware. |
| Spear phishing | Aimed at a specific person, using real details about them to be believable. |
| Whaling | Spear phishing aimed at senior executives, the "big fish". |
| Business email compromise | Impersonating a boss or supplier to trick staff into wiring money or data. Often no link at all, just abused trust. It cost victims over 3 billion dollars in 2025. |
| Smishing | Phishing delivered by SMS text, the fake delivery or bank alert on your phone. |
| Vishing | Phishing by phone call, increasingly using AI-cloned voices. |
| Quishing | A malicious QR code that hides the link inside an image to slip past filters. |
| Clone phishing | A genuine email you already received, copied and resent with the links swapped for malicious ones. |
| Angler phishing | Posing as a brand's support account on social media to intercept customers asking for help. |
| Pharming | Poisoning DNS so that even a correctly typed web address lands you on a fake site. |
Phishing by the numbers
The data tells a consistent story: phishing is both the most common attack and a rising one, even as defenses improve.
One older but striking finding from Verizon's 2024 research still frames the danger: the median time for a person to click a phishing link was about 21 seconds, and under a minute to then hand over their data. Phishing wins on speed and habit, not on technical genius.
How modern phishing beats two-factor login
For years the advice was simple: turn on two-factor authentication and a stolen password is useless. Attackers adapted. The technique now is called adversary-in-the-middle, and it is why not all multi-factor authentication is equal.
The fake login page is no longer just a look-alike. It is a live reverse proxy sitting between you and the real website. When you type your password and then approve the genuine two-factor prompt, the relay passes everything through to the real site in real time and quietly keeps the resulting session cookie, the token that proves you are logged in. Replaying that cookie logs the attacker in as you, no code required. Crucially, this does not break the second factor itself: the one-time code is forwarded while it is still valid, and the session token is stolen after you have authenticated. Any factor that can be typed or approved on the wrong page can be relayed this way, including authenticator-app codes and push prompts.
This capability is now rented as a service. Kits such as Tycoon 2FA, EvilProxy, Mamba 2FA and Sneaky 2FA let low-skill criminals run these attacks at scale; Tycoon 2FA alone dominated the market in early 2025 before a March 2026 takedown. The defense is the one thing a relay cannot forge: phishing-resistant MFA such as passkeys and security keys. Their cryptographic response is bound to the real website's origin, so on a fake domain it simply will not be produced.
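The two login flows above, side by side, as an added toy model (this is example code written for this page, not the page's own code nor any kit's or vendor's). It models the relay as a pass-through that keeps the session cookie, and the passkey as a WebAuthn-style credential scoped to an RP ID whose assertion signs a clientDataJSON that names the origin the browser is actually on. HMAC stands in for the credential's public-key signature so the example runs on the standard library alone; every domain, user name and secret in it is constructed.

```python
"""Toy adversary-in-the-middle model: an OTP login relayed through a fake page versus a
passkey (WebAuthn-style) login. HMAC stands in for the credential's public-key signature
so this runs on the standard library alone; all domains, names and secrets are constructed."""
import hashlib, hmac, json, secrets

REAL_ORIGIN = "https://login.example.com"    # constructed: the genuine site
PHISH_ORIGIN = "https://login-example.com"   # constructed: the attacker's relay


def otp_code(secret: bytes, window: int) -> str:
    """TOTP stand-in: six digits derived from the shared secret and the time window."""
    digest = hmac.new(secret, str(window).encode(), "sha256").digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class RelyingParty:
    """The real web app: checks logins and issues a bearer session cookie."""

    def __init__(self, origin: str):
        self.origin = origin
        self.passwords, self.otp_secrets, self.passkeys = {}, {}, {}
        self.sessions, self.challenges = {}, set()   # cookie -> user; outstanding challenges

    def _new_session(self, user: str) -> str:
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user
        return cookie

    def login_with_otp(self, user, password, otp, window):
        if self.passwords.get(user) != password or otp != otp_code(self.otp_secrets[user], window):
            return None
        return self._new_session(user)

    def new_challenge(self) -> str:
        self.challenges.add(challenge := secrets.token_urlsafe(16))
        return challenge

    def login_with_passkey(self, user, client_data: bytes, signature: bytes):
        data = json.loads(client_data)
        # Check 1: the origin the browser recorded in clientDataJSON must be ours.
        if data.get("type") != "webauthn.get" or data.get("origin") != self.origin:
            return None
        if data.get("challenge") not in self.challenges:
            return None
        # Check 2: the signature must cover exactly this clientDataJSON, origin included.
        expected = hmac.new(self.passkeys[user], hashlib.sha256(client_data).digest(), "sha256").digest()
        if not hmac.compare_digest(expected, signature):
            return None
        self.challenges.discard(data["challenge"])
        return self._new_session(user)


def client_data_json(challenge: str, origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                      sort_keys=True).encode()


def authenticator_get_assertion(creds: dict, rp_id: str, client_data_hash: bytes) -> bytes:
    """A security key or platform passkey: one key per RP ID, never exported."""
    if rp_id not in creds:
        raise LookupError(f"no credential for RP ID {rp_id}")
    return hmac.new(creds[rp_id], client_data_hash, "sha256").digest()


def browser_webauthn_get(creds: dict, origin: str, challenge: str):
    """The browser derives RP ID and origin from the page it actually loaded."""
    rp_id = origin.split("://", 1)[1]
    client_data = client_data_json(challenge, origin)
    return client_data, authenticator_get_assertion(creds, rp_id, hashlib.sha256(client_data).digest())


def run_scenarios() -> dict:
    rp, results = RelyingParty(REAL_ORIGIN), {}
    rp.passwords["alice"], rp.otp_secrets["alice"] = "correct horse", b"constructed-otp-seed"
    creds = {"login.example.com": secrets.token_bytes(32)}   # alice's passkey, scoped to the real RP ID
    rp.passkeys["alice"] = creds["login.example.com"]         # toy: RP stores the same key as the "public key"

    # 1. OTP through the relay: the victim types a valid code on the fake page; the relay
    #    forwards it inside the time window and keeps the resulting session cookie.
    window = 12345
    stolen = rp.login_with_otp("alice", "correct horse", otp_code(b"constructed-otp-seed", window), window)
    results["otp_relay_gives_attacker_session"] = rp.sessions.get(stolen) == "alice"

    # 2. Passkey on the fake page: the browser asks for a credential scoped to
    #    login-example.com, the authenticator has none, and nothing is sent at all.
    try:
        browser_webauthn_get(creds, PHISH_ORIGIN, rp.new_challenge())
        results["passkey_on_phish_page"] = "assertion produced"
    except LookupError as e:
        results["passkey_on_phish_page"] = str(e)

    # 3. Even if RP-ID scoping were bypassed, the signed clientDataJSON names the phishing
    #    origin, so the RP rejects it, and rewriting the origin breaks the signature.
    client_data = client_data_json(rp.new_challenge(), PHISH_ORIGIN)
    sig = authenticator_get_assertion(creds, "login.example.com", hashlib.sha256(client_data).digest())
    results["relayed_assertion_accepted"] = rp.login_with_passkey("alice", client_data, sig) is not None
    rewritten = client_data.replace(PHISH_ORIGIN.encode(), REAL_ORIGIN.encode())
    results["rewritten_origin_accepted"] = rp.login_with_passkey("alice", rewritten, sig) is not None
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point the model makes is that the OTP flow has no notion of where the code was typed, so a valid code handed to the wrong page is as good as one handed to the right page, while the passkey flow fails twice over on a fake domain: the browser asks for a credential the authenticator does not have, and even a forwarded assertion carries the wrong origin under the signature.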
The AI upgrade
Generative AI removed phishing's biggest tell. The broken English and clumsy formatting that once gave scams away are gone; AI now writes flawless, personalised lures in any language in minutes. IBM found generative AI cut the time to craft a convincing phishing email from about 16 hours to roughly 5 minutes, and that one in six breaches now involve attackers using AI, most often for phishing.
It goes beyond text. Attackers clone a voice from a few seconds of audio to power AI voice-cloning scams, and stitch together video deepfakes for high-value fraud. The landmark case remains the engineering firm Arup, where in 2024 a finance worker paid out about 25.6 million US dollars after a video call in which the chief financial officer and colleagues were all AI-generated fakes. For the wider picture, see the deepfake fraud economy.
Phishing in the wild
These verified cases show how phishing drives real-world losses, from rented attack kits to voice-phished corporations.
| Case | When | What happened |
|---|---|---|
| Tycoon 2FA takedown | March 2026 | Law enforcement seized 330 domains of the dominant two-factor-bypass phishing kit. Attackers simply dispersed to rivals, and overall attack volume kept rising. |
| Scattered Spider | Through 2025 | A prolific crew that used help-desk voice phishing in nearly every intrusion to seize corporate logins, and was linked to the 2024 Snowflake data-theft wave that hit scores of companies. |
| Arup deepfake call | 2024 | A finance worker wired about 25.6 million US dollars after a video meeting in which every other participant, including the CFO, was an AI deepfake. |
How to spot a phish
The lures share a handful of tells. Learn these and you will catch the overwhelming majority.
- Manufactured urgency or fear. "Your account will be suspended," "payment failed," "act now." Panic is the whole point.
- A sender address that does not match. The display name says your bank; the actual email domain does not. On a phone, tap the sender to reveal the real address.
- Generic greetings. "Dear customer" instead of your name often means a mass send.
- Links that do not go where they claim. Hover on a computer, or long-press on a phone, to preview the real destination before tapping.
- Any request for a password, one-time code or payment. Legitimate organisations never ask for your OTP. Ever.
- Unexpected attachments or QR codes. Especially invoices, "voicemails," or a code you did not ask for.
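The header and link tells above can be checked mechanically. The script below is an added example for this page, not the article's own tooling or any vendor's: it parses a raw message with Python's standard `email` package and flags a brand name in the display name that does not match the sending domain, a Reply-To steered elsewhere, a generic greeting, urgency phrases, and a link whose visible text names one site while its href goes to another. The sample e-mail, the "Example Bank" brand, every domain and address in it, and the one-entry brand watchlist are constructed for the example; the domain-splitting helper takes the last two labels and is not a public-suffix list.

```python
"""Header and link checks for the tells listed above, run over a raw RFC 5322 message.
Standard library only. The sample message, brand, domains and addresses are constructed
for this example; the brand list is a stand-in for a real brand-impersonation watchlist."""
import email
import email.policy
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed watchlist: brand name as it appears in display names -> its genuine domain.
BRAND_DOMAINS = {"example bank": "example-bank.com"}
URGENCY = re.compile(r"\b(act now|within 24 hours|suspend(?:ed)?|immediately|payment failed|verify your account)\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels): fine for this demo, use a public-suffix list in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(text: str):
    """Host named by a URL or bare domain string, or None if the text is not one."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host and " " not in text.strip() else None


def analyze_message(raw: str) -> list:
    """Return (code, detail) findings for the tells the article lists."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    from_domain = registrable(sender.domain)

    # Tell: display name claims a brand whose genuine domain is not the sending domain.
    for brand, real_domain in BRAND_DOMAINS.items():
        if brand in sender.display_name.lower() and from_domain != real_domain:
            findings.append(("brand_domain_mismatch", f"'{sender.display_name}' sent from {sender.domain}"))

    # Tell: replies are steered to a different domain than the one that "sent" the mail.
    if msg["Reply-To"] and registrable(msg["Reply-To"].addresses[0].domain) != from_domain:
        findings.append(("reply_to_mismatch", str(msg["Reply-To"])))

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = re.sub(r"<[^>]+>", " ", html)

    # Tell: generic greeting.
    if re.search(r"\bdear (customer|user|member)\b", text, re.I):
        findings.append(("generic_greeting", "no personal name used"))

    # Tell: manufactured urgency in subject or body.
    hits = {m.group(0).lower() for m in URGENCY.finditer((msg["Subject"] or "") + " " + text)}
    if hits:
        findings.append(("urgency", ", ".join(sorted(hits))))

    # Tell: link text shows one site, href goes to another.
    parser = LinkExtractor()
    parser.feed(html)
    for href, shown in parser.links:
        shown_host, real_host = host_of(shown), host_of(href)
        if shown_host and real_host and registrable(shown_host) != registrable(real_host):
            findings.append(("link_text_mismatch", f"shows {shown_host}, goes to {real_host}"))
    return findings


# Constructed sample: a fictitious "Example Bank" lure with every tell present.
SAMPLE = """\
From: Example Bank Security <alerts@examp1e-bank-notice.com>
Reply-To: support@mail-recovery-desk.net
To: victim@example.org
Subject: Urgent: your account will be suspended
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer,</p>
<p>Unusual activity was detected. Verify your account within 24 hours or it will be suspended.</p>
<p><a href="https://examp1e-bank-notice.com/secure/login">https://www.example-bank.com/login</a></p>
</body></html>
"""

if __name__ == "__main__":
    for code, detail in analyze_message(SAMPLE):
        print(f"{code}: {detail}")
```

None of these checks is proof on its own, and a spear-phishing mail aimed at one person can pass all of them; the link-text and sender-domain checks are the ones that hold up best, because they test where the message actually points rather than how it is written.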
Defenses that actually work
No single product stops phishing. A few layers, together, make you a hard target.
- Use phishing-resistant MFA. Passkeys and security keys (the FIDO2 standard) are bound to the real website and cannot be relayed by a fake one. CISA calls them the only widely available phishing-resistant option.
- Treat SMS codes as the weak option. Codes sent by text can be intercepted through SIM-swapping or relayed by a fake page. An authenticator app removes the SIM-swap risk, but its codes are relayed just as easily by an adversary-in-the-middle page; only a passkey or security key resists that, so use one wherever you can.
- Let a password manager guard you. Its autofill matches the saved login to the genuine domain, so a look-alike site gets nothing, and that silence is itself a warning. The protection only holds if you rely on autofill rather than pasting the password in by hand.
- Lock down your email domain. SPF, DKIM and DMARC are email-authentication policies published in DNS that let receiving servers reject mail forging your domain. They protect other people from messages pretending to be you; they do nothing against look-alike domains that an attacker registers and authenticates himself.
- Train people and make reporting one click. A report-phishing button beats a memo; trained staff catch and report far more.
- Keep devices and browsers updated. Many lures rely on an unpatched flaw to land their payload.
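How a receiving server turns SPF, DKIM and DMARC into a decision, as an added example for this page (not the article's code, nor any mail provider's implementation). It parses a DMARC record, applies the alignment rules, and compares a monitor-only policy (`p=none`) with an enforcing one, a legitimate third-party mailer carrying the brand's own DKIM signature, a subdomain under relaxed versus strict alignment, and a look-alike domain that passes its own DMARC. All records, domains and authentication results are constructed; the organizational-domain helper takes the last two labels, which suits these inputs but is not a public-suffix list.

```python
"""How a receiving mail server applies a sender domain's DMARC policy, with constructed
records and authentication results. Standard library only; the organizational-domain helper
takes the last two labels, which suits these examples but is not a public-suffix list."""


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags, filling in the defaults from RFC 7489."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless aspf=s
    tags.setdefault("sp", tags["p"])  # subdomains inherit p unless sp is set
    return tags


def org_domain(domain: str) -> str:
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain, mode: str) -> bool:
    """Strict (s): identical domains. Relaxed (r): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate(header_from: str, spf_domain, dkim_domains: list, record: str) -> dict:
    """DMARC passes if SPF or DKIM passed *and* that identifier aligns with the From: domain.
    spf_domain is the envelope-from domain SPF passed for (None if SPF failed);
    dkim_domains are the d= values of DKIM signatures that verified."""
    tags = parse_dmarc(record)
    spf_ok = aligned(header_from, spf_domain, tags["aspf"])
    dkim_ok = any(aligned(header_from, d, tags["adkim"]) for d in dkim_domains)
    passed = spf_ok or dkim_ok
    policy = tags["p"] if header_from.lower() == org_domain(header_from) else tags["sp"]
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "action": "deliver" if passed else policy}


# Constructed records for the fictitious example-bank.com: monitor-only, relaxed, strict.
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example-bank.com"
RELAXED = "v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.com"
STRICT = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-bank.com"


def run_examples() -> dict:
    brand = "example-bank.com"
    # A spoof: From: forges the brand, but SPF can only "pass" for the envelope domain the
    # attacker controls, and there is no DKIM signature from the brand.
    spoof_weak = evaluate(brand, "evil-bulk-sender.net", [], WEAK)
    spoof_strict = evaluate(brand, "evil-bulk-sender.net", [], STRICT)
    # Legitimate mail through a third-party mailer: SPF names the vendor's bounce domain,
    # but the DKIM signature is the brand's own, so it aligns.
    vendor = evaluate(brand, "bounce.mailer-vendor.com", [brand], STRICT)
    # A newsletter from a subdomain signed with the parent domain's DKIM key.
    sub_relaxed = evaluate("news." + brand, None, [brand], RELAXED)
    sub_strict = evaluate("news." + brand, None, [brand], STRICT)
    # A look-alike domain the attacker owns passes its own DMARC: the control is about
    # forging *your* domain, not about stopping look-alikes.
    lookalike = evaluate("examp1e-bank.com", "examp1e-bank.com", [], RELAXED)
    return {"spoof_under_p_none": spoof_weak["action"], "spoof_under_p_reject": spoof_strict["action"],
            "vendor_with_brand_dkim": vendor["dmarc"], "subdomain_relaxed": sub_relaxed["action"],
            "subdomain_strict": sub_strict["action"], "lookalike": lookalike["dmarc"]}


if __name__ == "__main__":
    for name, outcome in run_examples().items():
        print(f"{name}: {outcome}")
```

The weak-versus-corrected contrast is the `p=none` record: it fails the spoof exactly as the strict one does, but the receiver is told to deliver anyway, so monitor-only DMARC reports forgery without stopping it. Moving to `p=reject` is what makes the policy bite, and the strict alignment tags are the difference between a subdomain newsletter being delivered or rejected.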
How to report phishing
Reporting is fast, free, and genuinely helps shut attacks down.
| Where | How to report |
|---|---|
| United States | Forward phishing emails to [email protected], spam texts to 7726, and report fraud to the FBI at ic3.gov. Type the address yourself; the FBI warns that spoofed IC3 sites exist. |
| India | Call 1930 immediately for any financial fraud so banks can freeze funds, then file the complaint at cybercrime.gov.in. |
| United Kingdom | Forward suspicious emails to [email protected] and texts to 7726. |
If you have already clicked
Do not panic, but move quickly and in order.
- Change the password now, from a different, clean device, on that account and anywhere you reused it.
- Turn on MFA, ideally a passkey, on the affected accounts.
- Call your bank if you entered card or account details, and ask them to watch or freeze the account.
- Report it using the channels above. In the US you can also file at reportfraud.ftc.gov.
- Watch for the second wave. Victims are frequently targeted again by fake "recovery" services promising to get the money back for a fee.
Frequently asked questions
What is the difference between phishing and spear phishing? Ordinary phishing is a mass, untargeted net. Spear phishing is aimed at one specific person using real details about them, which makes it far more convincing and dangerous.
Can phishing get past two-factor authentication? Yes. Adversary-in-the-middle attacks relay your login in real time and steal the session token after you approve the prompt. Phishing-resistant methods like passkeys and security keys defeat this; SMS codes, authenticator-app codes and push approvals do not, because all of them can be entered or approved on the wrong page.
What is quishing? Phishing that uses a QR code. The malicious link is hidden inside the image, which helps it slip past filters and pushes you onto your phone, where warning signs are harder to see.
Is AI making phishing worse? Yes. It removes the bad grammar that used to give scams away, writes personalised lures in seconds, and powers voice and video deepfakes. The defenses, however, are unchanged: verify independently, and use phishing-resistant MFA.
I clicked a link but did not enter anything. Am I safe? Usually, if you entered no credentials and no download ran. To be safe, close the page, do not enter anything, run a security scan, and change the password for the impersonated account from a clean device.
Sources
- FBI IC3 2025 Internet Crime Report (phishing #1 complaint type)
- Verizon 2025 Data Breach Investigations Report
- IBM Cost of a Data Breach Report 2025
- APWG Phishing Activity Trends Report, Q2 2025 (PDF)
- Microsoft Security, inside the Tycoon 2FA AiTM phishing kit
- SecurityWeek, Tycoon 2FA takedown and the surge in AiTM kits
- CISA, Implementing Phishing-Resistant MFA (PDF)
- CISA, Recognize and Report Phishing
- CNN, Arup confirmed as victim of the 25 million dollar deepfake scam
- KnowBe4 2025, training cuts phishing click rates by 86%
- NCSC UK, report a scam email