Phishing is one of the most common types of cyberattacks. Its origins go back decades to chat rooms (remember those…?), and it’s evolved significantly over the years. Despite it being a relatively simple cyberattack it’s one of the most prevalent causes of email compromise, account takeover, and the spread of malware and ransomware.

Here we go over what it is, how it works and the psychology behind it, different variations, and how to best protect against it in the age of AI.

What is phishing?

Unlike most cybersecurity threats, it’s more psychological than technical. Hackers create counterfeit communications through this social engineering attack that often appear legitimate and come from a trusted source like an employer or financial institution, for example.

When users perform an action from phishing communications like clicking on a link, they’re duped into downloading malware, redirected to an infected site, or provide sensitive information like login credentials or PII (personally identifiable information) to perform data and financial theft.

How phishing works

In this type of attack victims are lured through forms of communication, usually email, that often look legitimate. There are certainly phishing emails that are obviously bogus, but the good ones are alarmingly realistic. Messages often have a sense of urgency tied to them, with the sender goading the recipient into providing sensitive information.

For example, you might get an email or text message (smishing) that appears to be from your supervisor asking you to immediately send the login information to a website or application that your company uses. Or you get a message from your bank asking you to login with a link provided through a mechanism like email or SMS to review your monthly statement. If a user unknowingly clicks the link, they can get redirected to a website that looks almost identical to the real thing. This can result in theft of login information, or the malicious site can download ransomware or malware to the victim’s computer.

Different types of phishing

This type of cyber threat has various offshoots. Spear phishing is a concentrated attack on a person or group. Smishing is the same concept, but instead of using email as the communication mechanism it uses SMS text message. Vishing uses phone calls and voicemails to get victims to reveal personal information.

It doesn’t stop there. Newer variants of this cyberattack include clone phishing, which replicates authentic websites and emails with slight variations to trick users into providing information or downloading malware. Whaling targets high-value individuals like executives. Search engine phishing is where threat actors manipulate search engine results to promote malicious websites, and in social media phishing fake profiles are created to impersonate individuals and organizations.

The psychology behind phishing

Attacks like this rely on a social engineering and psychological component. Tactics like urgency, fear, greed, and curiosity are employed to try to compromise users through clicking on bad links or opening attachments from individuals and companies that appear legitimate.

This is why security awareness training is so critical. Phishing attacks are tailored to look as legitimate as possible, so the onus is on the user to identify suspicious elements in the communication.

How to recognize phishing

Phishing is successful because it capitalizes on human vulnerability, distraction, and errors in judgement. Cybersecurity awareness training is the most important dense against phishing attacks. By educating users on the risks, threats, and dangers and teaching strategies to identify these suspicious communications and avoid compromise.

Some phishing attempts are easy to spot, but more sophisticated ones can fool even the most cyber-aware people. Make sure to critically analyze all parts of communications you might suspect to be fishing like the sender address, subject line, and copy content. Look for misspelling, grammatical and punctuation errors, and sentence syntax issues.

Always look at URL links before clicking on them. To be even more proactive, check them on a resource like AbuseIPDB. Databases like these provide very valuable information. If there is an attachment, make sure you’ve verified it’s coming from a legitimate source before downloading it and scan it with an antivirus tool.

Trust your gut. If you feel something is off it likely is.

Reducing risk of phishing

Compared to other cyberattack types, phishing is low risk for threat actors. Sourcing email address lists is easy, and emails are basically free to send. But it should still be taken seriously.

There are a variety of ways to protect yourself from it. Understanding and knowing how to identify it through security awareness training is critical, as are strong passwords and multi-factor authentication. Always perform updates when they’re available and be very careful when clicking on links in emails and messages.

Tuning email filters is worthwhile, and there are a number of great phishing protection solutions available as well.

It’s getting worse…but it gets better

With the rapid evolution of AI phishing is getting more dangerous and difficult to identify. The way that AI can address spelling errors, sentence syntax, grammar mistakes, and writing styles makes phishing communications eerily convincing. What used to take hours or even days now takes just minutes. Large language models (LLMs) can scrape the internet for identifying information, create very convincing content, and send out messages en masse like never before.

But there is a flipside. AI can also help prevent phishing attacks by fortifying email protection safeguards like content analysis so anything suspicious gets flagged. Anti-phishing tools powered by AI can scan incoming messages for anything that indicates it could be related to a phishing attempt.


Falling victim to a phishing attack can have devastating consequences for organizations and individuals alike. Luckily, it’s fairly easy to spot when someone is attempting to compromise you. As technology evolves phishing attacks get broader and more advanced. This is especially true with the proliferation of AI.

But with some cyber awareness education and common sense you greatly reduce the chances of falling prey to a phishing attempt. Remember, think before you click!