Phishing Attacks – How They Work

Phishing is one of the oldest and most common online threats used by cybercriminals to trick users into revealing sensitive information or installing malware by way of email.

Email phishing is the most widely known form of phishing: scammers send fake emails that appear to come from authentic sources in a ruse to get users to reveal personal and financial information. However, attackers can also use phone calls, text messages or social media to try to fraudulently acquire your details.

While some very elaborate schemes can be devised, virtually all types of phishing rest on one basic concept: millions of untargeted phishing emails are sent out each day, asking for confidential information or encouraging recipients to visit a fake website where they are asked to update personal information.

Phishers message customers with an email ostensibly from a trusted organisation (such as Microsoft, your bank, Facebook, PayPal, Amazon, etc.), knowing that people are more inclined to pay attention to those types of messages.

Sometimes it can be practically impossible for the average customer to tell that the email is not an official message from the organisation it claims to come from. It will often carry the organisation’s logo and format and look exactly like the organisation’s official email. The “From” field may show a .com address that looks like the company’s official website. The message will usually include a spoofed link that you can follow to conveniently log in to a webpage and update your information. But the website is a spoofed version of the legitimate site, established with the sole purpose of stealing your personal information or infecting your computing device with malware.

While this is a basic example of how phishing generally works, there are numerous variations of increasing complexity that are used to try to steal confidential information. With the huge increase in remote working caused by COVID-19, cybercriminal activities such as phishing continue to rise. According to security experts, as many as 3 in 10 workers worldwide clicked a phishing link in 2020. In the US, it’s 1 in 3.

So, how did these scammers get hold of your private email address in the first place? Well, here are a few methods they use.

  1. They use bots to harvest email addresses by crawling the web for the @ sign. If your email address is publicly available on any website, a scammer is likely to find it and add it to their database.
  2. They buy lists legally or through the dark web. This is why it is important to read the privacy policy before you sign up or submit your details to an online service. You need to know exactly what they are going to do with your email address.
  3. They use specialist tools to generate common usernames and pair them with well-known domains. For example, they might send email to, and thousands of other combinations of names.

Examples of phishing attacks

Since the first lockdown in March 2020, the number of sites impersonating online services has skyrocketed. In fact, during the first lockdown period from March 2020 to July 2020, at least 1 in 5 people worldwide received phishing emails related to COVID-19. In addition, phishing email scams targeting Netflix subscribers increased by 646%. Cybercriminals have also faked the email addresses of the NHS Test and Trace service, HMRC, Amazon and Tesco. Email phishing scams have also targeted drivers, asking them to verify their driving licence details or highlighting a failed tax payment and asking for banking information.

Another type of phishing scheme involves sending out emails to customers of well-known carrier companies; the senders expect only a very small fraction of recipients to respond. For example, over the festive period a number of users received fake emails claiming to be from Royal Mail and the delivery firm DPD, informing them that a parcel could not be delivered. The legitimate-looking emails asked recipients to click a link to pay a shipping fee so the parcel could be re-delivered. People who were actually expecting a package reported being caught out by the spam.

If you have any suspicions that an email or text message that you get is a phishing attempt, your first step should be to contact the company immediately. What you should also realize is that most legitimate businesses will never ask you for your password in an email. Your usernames and passwords are personal to you. You should never give your login credentials to anyone who asks you for them.

Phishing attack types:

Spear phishing

Where most phishing attacks cast a wide net, spear phishing attacks are personalised and targeted at a specific, well-researched individual, business or organisation. As with other phishing attacks, the aim is to infect the recipient’s computer with malware or to steal information. Attackers tend to use information gathered from social media and other public platforms to home in on their target. For example, if you let it be known that you will be travelling to the Caribbean on holiday, you may receive an email from a “colleague” recommending an eatery to check out. If you click the link or open the attachment included in the email, malware is likely to be downloaded onto your computer.

SMS phishing

This type of phishing attack is delivered to smartphone users through text messages that entice you to click on a link in the message. For example, you might receive a text advising that your bank account has been disabled because suspicious activity was detected, and telling you to click a link in the text to recover your account. These links are always dangerous and you should never click on them. They are designed to direct you to spoofed websites that impersonate your accounts and attempt to infect your phone with malware or steal your information. Some text messages specifically target HSBC customers; they are sent to thousands of mobile numbers in the hope of reaching some HSBC customers.

Social media phishing

Cybercriminals use social media sites such as Facebook as a platform to launch cyberattacks designed to steal personal information or spread malware. Some attacks are even used to hijack your accounts to attack your friends.

Examples of social media phishing attacks:

  • You receive an email claiming to be from Facebook that says your account has been ‘reported for abuse’. You’re then prompted to log in on a spoofed Facebook login page, provide personal information and update your credit card details to prove that your account is legitimate.
  • You may be prompted to like and share innocuous-looking photos of puppies and other animals on Facebook. These photos are actually posted by cybercriminals to generate tons of likes and shares. Once the photo has received a large number of likes, the fraudster will link the photo to a fake website that downloads malware to the computing device of anyone who subsequently clicks on that photo.
  • During the holidays, you’re likely to come across fake coupons from the major supermarkets, offering a certain amount off your next purchase. The ploy is to get you to fill out the details, which means you will be handing over your personal information to fraudsters.

Search engine phishing

This type of attack occurs through search engines. Cybercriminals set up well-optimised but fraudulent websites that appear in the organic search results for popular keywords or search terms.

Voice phishing

With voice phishing (also known as vishing), the scammer impersonates a government agency or other organisation on the phone and tries to extract money or sensitive information such as banking details. Vishers use fear tactics to dupe you into thinking your money is in danger and you must act quickly. They threaten people with police arrest, deportation, licence revocation, etc. Personal data can be gathered from social media profiles, providing fraudsters with sensitive details that make the call appear more legitimate. Fraudsters often spoof phone numbers to disguise the real origin of the call.

Pharming

Pharming is when an attacker manipulates the internet’s domain name system (DNS) to reroute web traffic to a fake website with the aim of stealing confidential information. These “spoofed” websites can steal your personal data, including usernames, passwords and banking information, or even install malware on your computer. This type of cybercrime is particularly worrisome because you can have a completely virus-free computer and still fall prey to cybercriminals.

How can I spot a phishing email scam?

The fact of the matter is, anyone can make a mistake.

It only takes a split-second lapse in judgement to fall into the hands of an attacker.

Fortunately, phishing attacks often share the same warning signs that reveal their true nature.

According to Action Fraud, the following characteristics are common to phishing scams:

1. One of the most obvious signs of a phishing email is that the sender’s email address will always be different from the web address of the legitimate organisation.

Notice a misspelling in the URL that claims to be from Facebook.

2. Phishing emails often use generic greetings. Most legitimate companies have enough data about their customers to address them by name when communicating with them by email. This lack of personalisation is often enough to separate real emails from fake ones.

3. Never download an attachment from an unsolicited email, even when you recognise the sender, as their email account might have been hacked. The risk is simply not worth it.

According to the 2019 DBIR, email attachments were the leading cause of malware delivery in 2018 cyber incidents, with 45% of malware coming from attached Microsoft Word documents.

Account disabled phishing scam

4. Phishing emails will often seek a quick and emotional response from the recipient using inflammatory or threatening language, such as a warning that your account will be terminated unless you act immediately.

5. The email contains a clickable link to a different site than the one it purports to come from. The destination web address might look like the proper address, but always remember that even a single character’s difference means you’re going to a different website.

6. The destination address looks fishy. If the email contains a clickable link and you want to find out where it leads without clicking it, hover your cursor over the link and read the URL shown in the bottom left corner of the window.

7. The email includes a request for confidential details such as login information or bank details. Always keep in mind that most legitimate companies never ask for personal details in an unsolicited email.

8. The email claims to be from a leading brand, but is full of spelling and grammatical mistakes.
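As an added example (not part of the original article), the Python check below applies the sender-address and link-destination warning signs from the list above to a constructed sample message: it flags a sender domain that is one character away from the brand, a link whose host is outside the brand domain, and link text that shows one address while the link goes to another. The brand domain, sample headers and link are assumptions chosen for illustration, and the HTML handling is deliberately simple.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not a real message: the sender domain differs from the brand
# by a single character and the link's visible text does not match its target.
SAMPLE_EMAIL = """From: "PayPal Service" <service@paypa1.com>
Content-Type: text/html

<html><body><p>Your account will be terminated unless you act immediately.</p>
<p><a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a></p></body></html>"""

# Good enough for simple mail bodies; a production filter would use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def one_char_off(a, b):
    """True when two equal-length names differ in exactly one position (e.g. l vs 1)."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def belongs_to(host, domain):
    """True when host is the brand domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def analyse(raw_message, brand_domain):
    """Return (code, detail) findings for the sender and link checks the article lists."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    if not belongs_to(sender_domain, brand_domain):
        tag = " (lookalike)" if one_char_off(sender_domain, brand_domain) else ""
        findings.append(("sender-domain", sender_domain + tag))
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        target = (urlparse(href).hostname or "").lower()
        # "paypal.com.account-verify.example" starts with the brand but is not under it.
        if not belongs_to(target, brand_domain):
            findings.append(("link-domain", target))
        # Visible text that is itself a URL must name the same host as the href.
        text = re.sub(r"<[^>]+>", "", text).strip()
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown.lower() != target:
            findings.append(("link-text-mismatch", f"{shown} -> {target}"))
    return findings
```

Running `analyse(SAMPLE_EMAIL, "paypal.com")` returns three findings, one for each warning sign; a message whose sender and links all sit under the brand domain returns an empty list.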

How can I avoid phishing attacks?

Phishing messages are getting more sophisticated and harder to spot. No matter how observant or vigilant you are, some may still get past you. Here are some tips to help you spot the most common phishing attacks.

  • Configure a spam filter that detects blank senders, spam, viruses, etc.
  • Always hover your mouse over links in emails to check where you’re being directed to.
  • Be especially wary of emails that try to put pressure on you to perform a specific action.
  • Update your operating system and applications with the latest security patches and updates.
  • Get a premium VPN that blocks malicious websites.
  • Install antivirus and antimalware software.
  • Convert HTML email into text-only email.
  • Be wary of emails with links or attachments from people you don’t know.
  • Do not click on links from unfamiliar sources.
  • Do not enter your personal details into any website on the basis of an unsolicited email.

Suspicious Email Reporting Service

National Cyber Security Centre

Report a Suspicious Email to PayPal

Cyber Aware
