How Email Phishing Actually Works
Phishing remains the most common entry point for cyberattacks. This post breaks down the techniques attackers use, from domain spoofing and credential harvesting to modern evasion methods and what organizations can do to defend against them.
Written by
KleoSEC Team
Published
February 16, 2026
Reading time
9 min read
Most cyberattacks start with an email.
Not a zero-day exploit. Not a brute-force attack against a firewall. An email that looks exactly like something you'd receive from a service you trust — your bank, a SaaS tool your team uses, or your company's IT department. The recipient clicks a link, enters credentials on a page that looks legitimate, and the attacker is in.
Phishing has been the dominant initial access vector for over a decade, and it's only getting more effective. The emails are better written, the infrastructure is more convincing, and the tooling available to attackers has matured into an industry of its own. Understanding how these attacks actually work (not at a high level, but mechanically) is the first step toward building effective defenses.
The Anatomy of a Phishing Email
A well-crafted phishing email has three components working together:
- a believable sender,
- a compelling reason to act,
- and a destination that captures credentials.
Spoofed or Lookalike Sender
The first thing a recipient checks (if they check at all) is who the email is from. Attackers handle this in several ways:
- Display name spoofing is the simplest. Email clients prominently show the display name ("QuickPay Security Team") and often hide the actual address behind a dropdown. The real address might be security@qu1ckpay-support.com, a domain the attacker registered for a few dollars, but most recipients never expand it.
- Homograph domains exploit visual similarity between characters: replacing i with 1, l with I, or using Cyrillic characters that render identically to Latin ones in most fonts. The domain paypa1.com looks remarkably like paypal.com at a glance, especially in mobile email clients with smaller fonts.
- Compromised legitimate accounts are the hardest to detect. If an attacker has already breached one employee's email, they can send phishing emails to other employees from a real internal address. The email passes every authentication check (SPF, DKIM, DMARC) because it genuinely came from the organization's mail server.
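A defender-side check for the first two sender tricks above, as an added example that is not part of the original post: it parses a From: header, collapses visually confusable characters (1/i/l, 0/o, a few Cyrillic letters) into a skeleton, and flags lookalike domains and display names that borrow a protected brand. The protected brands, the organization's domain and the sample headers are constructed values.

```python
# Added example (not from the original post): flag display-name spoofing and
# lookalike sender domains in a From: header. The protected brands, the
# organization's domain and the sample headers are all constructed values.
import unicodedata
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"           # assumed: the organization's own domain
PROTECTED = {"quickpay.com": "quickpay",  # real domain -> brand word to watch for
             "paypal.com": "paypal"}

# Collapse characters that render alike: 1/i/l, 0/o, and a few Cyrillic
# letters (U+0430 etc.) that are visually identical to Latin ones.
CONFUSABLES = str.maketrans({
    "1": "l", "i": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})

def skeleton(domain: str) -> str:
    """Visual skeleton: paypa1.com, paypaI.com and paypal.com all collapse to one string."""
    return unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLES)

def analyze_from_header(header: str) -> list[str]:
    """Return findings for a raw From: header value; an empty list means nothing suspicious."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain == INTERNAL_DOMAIN:
        return findings  # internal sender: SPF/DKIM/DMARC results decide, not this check
    if any(ord(c) > 127 for c in domain):
        findings.append("non-ascii-domain")
    for real, brand in PROTECTED.items():
        if domain == real:
            continue
        if skeleton(domain) == skeleton(real):
            findings.append(f"lookalike-domain:{real}")
        elif skeleton(brand) in skeleton(domain):
            findings.append(f"brand-in-domain:{real}")
        if brand in name.lower():
            findings.append(f"display-name-spoof:{real}")
    return findings

if __name__ == "__main__":
    for h in ['"QuickPay Security Team" <security@qu1ckpay-support.com>',
              "PayPal <service@paypa1.com>",
              "PayPal <service@p\u0430ypal.com>",   # Cyrillic a in the domain
              "PayPal <service@paypal.com>"]:
        print(h, "->", analyze_from_header(h))
```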
Psychological Manipulation
The body of the email is engineered to produce a specific behavior: clicking without thinking. The most common psychological levers are:
- Urgency - "Your account will be suspended in 24 hours." Time pressure short-circuits careful evaluation. When people feel rushed, they skip the verification steps they'd normally follow.
- Fear - "Unauthorized access detected on your account." Fear of loss is a stronger motivator than potential gain. An email threatening account compromise triggers an immediate desire to "fix" the problem.
- Authority - "From: IT Security Department" or "From: CEO." Emails that appear to come from someone with authority receive less scrutiny. Employees are conditioned to respond to requests from leadership or security teams.
- Curiosity - "Your package delivery failed" or "Someone shared a document with you." These tap into routine actions that don't raise alarm bells. You receive legitimate notifications like these regularly, which makes the phishing version blend in.
CAUTION
The best phishing emails combine multiple levers. An "urgent security alert from your IT team" hits authority, fear, and urgency simultaneously.
The Credential Harvesting Page
The link in the email leads to an attacker-controlled page designed to look identical to a legitimate login form. Modern phishing kits make this trivial:
- Cloned pages - Tools like Evilginx, Gophish, and dozens of others can clone any login page with a single command. The result is pixel-perfect: same CSS, same logos, same layout.
- Valid HTTPS certificates - Free certificate authorities like Let's Encrypt mean every phishing page has a padlock icon. The padlock means the connection is encrypted, not that the site is trustworthy, but most users don't understand that distinction.
- Convincing domains - Attackers register domains that look plausible: login-microsoftonline.com, accounts-google-verify.com, secure-bankname.com. These pass a quick glance, especially on mobile where the full URL is often truncated.
When the victim enters their credentials, the page either displays an error ("Wrong password, try again") to capture a second attempt, or redirects to the real service so the user never realizes anything happened. Meanwhile, the credentials are already on the attacker's server.
What Happens After the Click
Credential theft is rarely the end goal. It's the beginning.
Account takeover is the immediate consequence. The attacker logs into the compromised account, often within minutes. If it's an email account, they now have access to password reset flows for every other service tied to that address. If it's a corporate account, they have a foothold inside the organization.
Lateral movement follows. A compromised employee account can be used to send convincing internal phishing emails ("Hey, can you review this document?"), access shared drives and internal tools, or escalate privileges through further social engineering.
Data exfiltration is a common objective. Customer databases, financial records, intellectual property, employee PII, whatever the attacker is after, a compromised account with the right access level delivers it.
Ransomware deployment increasingly begins with phished credentials. Initial access brokers are attackers who specialize in gaining footholds and selling them. They frequently use phishing as their primary technique. The credential they steal today becomes the entry point for a ransomware operator next week.
The cascading impact of a single phished credential is why phishing consistently ranks as the most damaging attack vector despite being one of the least technically sophisticated.
Modern Phishing Techniques
Phishing has evolved well beyond the poorly formatted emails of a decade ago. Several techniques represent the current state of the art:
Adversary-in-the-Middle (AiTM)
Tools like Evilginx2 don't just clone login pages; they act as a transparent proxy between the victim and the real service. The victim enters their credentials, which are forwarded to the real login page. The real service responds with an MFA challenge, which is relayed back to the victim. The victim completes the MFA step, and the attacker captures both the credentials and the authenticated session token.
This means 2FA alone does not protect against modern phishing. The attacker obtains a valid session cookie that bypasses all future authentication checks for that session.
Browser-in-the-Browser (BitB)
This technique renders a fake browser popup window inside the current page using HTML and CSS. The victim sees what appears to be a new browser window with a legitimate URL in the address bar, but the entire "window" is actually a div element on the attacker's page. The URL bar is just styled text. It's visually indistinguishable from a real popup on most screens.
QR Code Phishing (Quishing)
As organizations improve email link scanning, attackers have shifted to QR codes embedded in emails or even physical documents. The QR code directs the victim's phone to a phishing page. Since the redirect happens on a mobile device, it bypasses desktop email security controls entirely.
AI-Generated Content
Large language models have eliminated the grammatical errors and awkward phrasing that used to be reliable phishing indicators. Attackers can generate flawless, contextually appropriate email copy in any language, at scale. Some campaigns now use AI to personalize emails based on scraped LinkedIn profiles or company websites, making them significantly more convincing.
Organizational Defenses
Individual awareness matters, but it's not a complete strategy. Organizations need technical controls layered alongside training.
Email Authentication (SPF, DKIM, DMARC)
These protocols verify that incoming emails actually originated from the domain they claim to represent. DMARC with a reject policy is the strongest configuration since it instructs receiving mail servers to drop emails that fail authentication checks. Despite being available for years, many organizations still run DMARC in monitor-only mode, which logs failures but doesn't block them.
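An added example (not from the original post) of the monitor-only problem described above: it parses a DMARC TXT record as published at _dmarc.<domain> and reports whether the policy actually blocks failing mail, or only reports it. No DNS lookup is made; the records are constructed samples.

```python
# Added example (not from the original post): parse a DMARC TXT record and
# report whether it enforces anything. The sample records are constructed.
def parse_dmarc(record: str) -> dict[str, str]:
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate_dmarc(record: str) -> dict:
    """Classify a record as enforcing, partial, monitor-only or invalid, with reasons."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {"status": "invalid", "policy": None, "findings": ["missing v=DMARC1 or p= tag"]}
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))    # share of failing mail the policy is applied to
    sub = tags.get("sp", policy).lower()  # subdomain policy defaults to p=
    findings = []
    if policy == "none":
        findings.append("p=none: failures are reported, not blocked (monitor-only)")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail is delivered to spam, not rejected")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if sub == "none" and policy != "none":
        findings.append("sp=none: mail from subdomains is not enforced")
    if "rua" not in tags:
        findings.append("no rua=: aggregate failure reports are not being collected")
    if policy == "none":
        status = "monitor-only"
    elif policy == "reject" and pct == 100 and sub == "reject":
        status = "enforcing"
    else:
        status = "partial"
    return {"status": status, "policy": policy, "findings": findings}

if __name__ == "__main__":
    for rec in ["v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; sp=none; pct=50",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]:
        print(rec, "->", evaluate_dmarc(rec))
```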
Email Security Gateways
Modern email security solutions scan links at time-of-click (not just at delivery), sandbox attachments, and use ML models to detect anomalous sending patterns. They're not foolproof. Attackers routinely test their campaigns against major email security vendors before launching, but they raise the cost of attack significantly.
Phishing Simulation Programs
Regular simulated phishing exercises train employees to recognize attacks in a realistic context. The goal isn't to catch people failing but to build the muscle memory of pausing, checking the sender, and hovering over links before clicking. The organizations that see the best results treat simulation failures as training opportunities, not disciplinary events.
Phishing-Resistant Authentication
FIDO2/WebAuthn security keys and passkeys are the strongest defense against credential phishing, including AiTM attacks. Because the authentication is bound to the legitimate domain at a cryptographic level, a phishing page on a different domain simply cannot trigger the authentication flow. This is the only authentication method that is genuinely phishing-proof.
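An added example (not from the original post) of the domain binding described here, which also explains why the AiTM proxy from the earlier section fails against WebAuthn: the browser writes the origin of the page that called navigator.credentials.get() into clientDataJSON, and the authenticator hashes the relying party ID into authenticatorData, so an assertion produced on a lookalike domain fails the relying party's checks even when the challenge was relayed faithfully. The signature check over authenticatorData || SHA-256(clientDataJSON) is omitted; the relying party ID, origins and challenge are constructed values.

```python
# Added example (not from the original post): the relying-party checks that
# make WebAuthn origin-bound. The signature over
# authenticatorData || SHA-256(clientDataJSON) is not verified here; the
# relying party ID, origins and challenge are constructed sample values.
import base64, hashlib, json, os

RP_ID = "quickpay.com"                # assumed relying party ID
EXPECTED_ORIGIN = "https://quickpay.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_authenticator_data(rp_id: str, user_present: bool = True) -> bytes:
    """Minimal authenticatorData: rpIdHash (32 bytes) + flags byte + 4-byte counter."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")

def verify_assertion(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> tuple[bool, str]:
    """Origin, challenge, rpIdHash and user-presence checks done before the signature check."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replayed or foreign assertion)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party ID"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

def client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser hands to the authenticator for a page served from `origin`."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()

def demo() -> dict[str, bool]:
    challenge = os.urandom(32)  # the real service's challenge, relayed unchanged by a proxy
    phish = "qu1ckpay-support.com"  # constructed lookalike domain hosting the proxy
    return {
        "legitimate": verify_assertion(client_data(EXPECTED_ORIGIN, challenge),
                                       make_authenticator_data(RP_ID), challenge)[0],
        "aitm_proxy": verify_assertion(client_data("https://" + phish, challenge),
                                       make_authenticator_data(phish), challenge)[0],
    }
```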
Incident Response Procedures
When (not if) someone clicks, the speed of response determines the blast radius. Organizations need a clear, practiced process:
- the user reports the email;
- the security team invalidates the compromised session, forces a password reset, checks for lateral movement, and reviews logs for additional indicators of compromise.
The gap between "credential stolen" and "attacker locked out" should be measured in minutes, not days.
What Individuals Should Do
Technical controls at the organizational level help, but every person with an inbox should develop four habits:
Check the sender's full email address. Not the display name - the actual address. Look for character substitutions, unexpected domains, and addresses that don't match the supposed sender's organization.
Don't click links in emails that demand urgent action. If a service claims there's a problem with your account, open your browser and navigate to the site directly. Type the URL or use a bookmark. If the issue is real, you'll see it after logging in normally.
Hover before you click. On desktop, hovering over a link reveals the actual destination URL in the bottom corner of your browser. On mobile, long-press to preview the link. Check that the domain matches the service the email claims to be from.
Use strong, unique passwords with a password manager, and enable the strongest available MFA. A password manager eliminates password reuse, which limits the blast radius of any single compromise. A hardware security key or passkey eliminates credential phishing entirely.
Phishing works because it exploits trust and routine. The emails look like ones you receive every day. The login pages look like ones you use every day. The psychological pressure feels like the kind of urgency you experience every day. Attackers design every element of the attack to feel completely normal.
The only reliable defense is the habit of pausing before you act. Check the sender. Check the URL. Go to the site directly. These small actions break the entire attack chain and they cost nothing but a few seconds of attention.