How phishing scams work

Phishing is the most reported cybercrime in the United States [1]. Here is exactly how it works, what forms it takes, and how to recognize it before it causes damage.

What does phishing mean?

Phishing is a cyberattack in which criminals pretend to be someone you trust, like your bank, the IRS, a well-known company, or even a coworker, to trick you into clicking a malicious link, downloading a harmful attachment, or entering personal information on a fake website. Their goal is usually to steal passwords, financial account credentials, Social Security numbers, credit card details, or any other sensitive information that can be used to commit fraud or identity theft.

Phishing works because it targets people, not just devices. Scammers create messages designed to trigger urgency, fear, or curiosity, pushing the target to act before they have time to think critically. Messages claiming that your bank account has been suspended, that a package failed to deliver, or that you owe taxes immediately are all classic phishing formats designed to prompt a reflexive reaction.

Unlike malware that requires installation, phishing requires only one thing: a single click or form submission from the person being targeted.

Phishing
/ˌFISH-ing/

noun
1. A common scam tactic in which criminals impersonate a trusted contact through text, email, or other messages to trick victims into revealing sensitive information. "Phishing uses deceptive tactics to trick victims."

verb
1. The act

How a phishing attack works, step by step

Step 1: The scammer chooses a target and a story.

Some phishing scams are sent to thousands or even millions of people at once. Others target a specific individual or organization. In targeted attacks, called spear phishing, criminals study their victim’s job title, employer, recent activity, and contacts to craft a message that appears completely legitimate.

Step 2: A convincing message is sent.

The scam can arrive by email, text (smishing), phone call (vishing), or social media and messaging apps. It may appear to come from a trusted source: a bank, a delivery company, a government agency, an employer, or a familiar brand. Scammers often copy logos, sender names, and formatting to make the message look legitimate.

Step 3: The message pushes you to act.

Most phishing messages contain a link, attachment, or phone number. The link may lead to a fake website designed to look like a legitimate login page, where any credentials entered go directly to the attacker. The attachment may install malware on the device when opened. The phone number may connect to a scammer posing as a support agent.

Step 4: Your personal information is collected.

Once the victim clicks, submits, or downloads, the attacker may gain access to passwords, account details, or other sensitive data. In some cases, they may also install software that tracks activity or helps them access more accounts later.

Step 5: The stolen data is used for fraud.

Once scammers have that information, they may use it to take over accounts, steal money, or commit identity theft. Any data that is not used directly is bundled and sold on dark web marketplaces to other criminals.

Types of phishing scams

  • Email phishing: The most common form. Mass emails impersonating trusted brands are sent to large lists, directing recipients to fake login pages or malware-laden attachments.
  • Spear phishing: Targeted attacks on specific individuals. The message uses personal details (name, employer, and recent activity) to appear highly credible. Accounts for the majority of successful corporate breaches.
  • Smishing: Phishing carried out via SMS text message. Common lures include fake package delivery alerts, bank fraud warnings, and prize notifications with malicious links.
  • Vishing: Voice phishing conducted over the phone. Scammers impersonate banks, government agencies, or tech support and use pressure tactics to extract account numbers, PINs, or remote device access.
  • Whaling: A form of spear phishing targeting high-profile executives or individuals. The stakes and sophistication are significantly higher; a single successful whaling attack can cost businesses up to $47 million.
  • Clone phishing: A legitimate email that was previously received is duplicated with malicious links or attachments substituted for the originals, then resent from a spoofed address that appears identical to the original sender.
  • QR code phishing (quishing): Malicious QR codes replace legitimate ones in emails, physical signage, or documents. Because QR codes obscure the destination URL, they bypass many standard email security filters. QR code phishing attacks grew fivefold in a matter of months in 2024.

How to recognize a phishing message

  • It creates urgency or fear: The message claims your account will be suspended, a payment failed, or legal action is pending unless you act immediately. Urgency is the most reliable psychological tactic phishing attacks use.
  • The sender address doesn’t look quite right: The email appears to be from a trusted company, but the actual sending address uses a lookalike domain (paypa1.com instead of paypal.com, for example).
  • It uses a generic greeting: Phishing messages often use “Dear Customer” or “Dear User” rather than your actual name, because they are sent in bulk.
  • It asks for sensitive information: Legitimate banks, government agencies, and companies do not ask for passwords, PINs, or Social Security numbers by email or text.
  • The link looks suspicious: Before clicking, hover over the link to see the actual destination URL. If it does not match the claimed sender’s domain, do not click.
  • There is an unexpected attachment: Unexpected attachments from known contacts can indicate that their account was compromised and is being used to send phishing messages.
  • It asks you to bypass normal processes: Any message urging you to make a payment, transfer funds, or share credentials outside of the usual process is a significant red flag.
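The red flags above can be checked mechanically. The following is an added example, not code from the original page: it parses a constructed sample email and reports which signs it finds (lookalike sender domain such as paypa1.com vs paypal.com, generic greeting, urgency wording, and link hosts that do not match the sender). The homoglyph map and the `registered_domain` helper are deliberately simplified assumptions, not a production filter.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not from the original page): the display name
# says PayPal, but the sender address and link host use a lookalike domain
# with the digit 1 in place of the letter l.
SAMPLE_EMAIL = """\
From: "PayPal Support" <service@paypa1.com>
Subject: Your account will be suspended within 24 hours

Dear Customer,
We detected unusual activity. Verify your account immediately at
https://secure.paypa1.com/login or your account will be suspended.
"""

URGENCY_WORDS = ("immediately", "suspended", "within 24 hours", "urgent", "verify your account")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member")
# Naive homoglyph map (assumption): digits commonly swapped for letters.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def registered_domain(host):
    # Last two labels only, e.g. secure.paypa1.com -> paypa1.com (no public-suffix list).
    return ".".join(host.lower().split(".")[-2:])

def looks_like(domain, brand_domain):
    # True when the domain is not the brand but normalises to it via homoglyphs.
    return domain != brand_domain and domain.translate(HOMOGLYPHS) == brand_domain

def phishing_signals(raw_email, brand_domains):
    """Return the list of red-flag labels found in the message (empty if none)."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    lowered = ((msg["Subject"] or "") + "\n" + body).lower()
    signals = []
    sender_domain = registered_domain(parseaddr(msg["From"])[1].split("@")[-1])
    if any(looks_like(sender_domain, b) for b in brand_domains):
        signals.append("lookalike_sender_domain")
    if any(g in lowered for g in GENERIC_GREETINGS):
        signals.append("generic_greeting")
    if any(w in lowered for w in URGENCY_WORDS):
        signals.append("urgency")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        link_domain = registered_domain(urlparse(url).hostname or "")
        if link_domain != sender_domain:
            signals.append("link_domain_mismatch")
        if any(looks_like(link_domain, b) for b in brand_domains):
            signals.append("lookalike_link_domain")
    return signals
```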

What to do if you clicked a phishing link

  1. Do not enter any information on the page that it opened. Close the tab immediately.
  2. Change the password for any account related to what the message claimed to be. Do this from a different device if possible.
  3. Enable multi-factor authentication on the affected account if it is not already active.
  4. Run a malware scan on your device if you downloaded an attachment or were redirected to a site that attempted to install software.
  5. Check your other accounts that use the same email address or password for unauthorized activity.
  6. Contact your bank or financial institution immediately if financial account details may have been entered.
  7. Report the phishing message to the Anti-Phishing Working Group (reportphishing@apwg.org) and to the FTC at ReportFraud.ftc.gov.
  8. Enroll in dark web monitoring if you are not already protected, so you are alerted immediately if your credentials appear in criminal marketplaces.

Frequently Asked Questions

How do phishing scams work?

Phishing scams work by impersonating a trusted source (a bank, company, or government agency) to trick you into clicking a malicious link, submitting credentials on a fake website, or downloading malware. They exploit urgency and trust rather than technical vulnerabilities, which is why they remain the most common form of cybercrime.

What is the difference between phishing, smishing, and vishing?

Phishing refers to attacks delivered by email. Smishing uses SMS text messages. Vishing is conducted by phone call or voicemail. All three use impersonation and social engineering to steal credentials or personal information; only the delivery channel differs.

What is spear phishing?

Spear phishing is a targeted form of phishing directed at a specific individual or organization. Unlike mass phishing campaigns, spear phishing attacks use personal details about the target (their name, employer, colleagues, or recent activity) to craft a message that is much harder to recognize as fraudulent.

How do I know if an email is a phishing attempt?

Key signs include unexpected urgency, a sender address that does not match the claimed organization’s domain, generic greetings like "Dear Customer," requests for passwords or personal information, and links whose destination URL does not match the sender’s domain. When in doubt, navigate directly to the company’s website rather than clicking any link in the message.

What happens if I click a phishing link?

Change your password for the relevant account immediately, enable two-factor authentication, run a malware scan, and check other accounts that share the same credentials for unauthorized activity. Contact your bank if financial information was entered, and report the incident to the FTC at ReportFraud.ftc.gov.

Can phishing scams steal my identity?

Yes. Phishing attacks that capture your Social Security number, date of birth, banking credentials, or answers to security questions give criminals enough information to open accounts, apply for credit, or file fraudulent tax returns in your name. Dark web monitoring can alert you if captured credentials later appear in criminal marketplaces.

Did you know?

If phishing reminds you of "fishing," you're spot on. The term phishing was coined in the 1990s by hackers trying to “fish” for passwords and financial information from unsuspecting users.

Sources