Phishing is responsible for more account compromises than any other attack type. Understanding how it works makes you dramatically less likely to fall for it.
What Phishing Actually Is
Phishing is a social engineering attack where an adversary impersonates a trusted entity (a bank, an employer, a tech platform) to trick you into providing credentials, clicking a malicious link, or taking an action that benefits the attacker. The word comes from "fishing" with a lure: you are the target, and the fake login page or urgent email is the bait.
Phishing has become the dominant initial access technique for account takeovers. Verizon's annual Data Breach Investigations Report consistently identifies phishing as responsible for the majority of credential-related breaches. It works not because people are careless, but because well-crafted phishing attempts are genuinely difficult to distinguish from legitimate communications, especially under time pressure.
The Main Types of Phishing
Email phishing is the most common form. Attackers send mass emails pretending to be from a known brand (PayPal, Microsoft, your bank) with an urgent call to action: "Your account has been compromised, click here to secure it." The link leads to a convincing fake login page that harvests your credentials.
Spear phishing targets specific individuals using personalised information. An attacker might reference your employer, a recent purchase, or a mutual colleague to add credibility. Spear phishing messages are far harder to detect than generic campaigns and are typically used against high-value targets.
Smishing (SMS phishing) arrives via text message. Common examples include fake delivery notifications ("Your parcel could not be delivered, click to reschedule") and bank fraud alerts. The same principles apply: fake link, fake site, harvested credentials.
Real-time phishing is the most sophisticated variant. The attacker operates a proxy that sits between you and the real service. You enter your credentials and 2FA code into what looks like the real site; the proxy forwards them to the real site in real time, capturing both. This defeats SMS and TOTP-based 2FA because the attacker uses your code before it expires.
How Phishing Bypasses SMS and TOTP 2FA
Standard 2FA (SMS codes, authenticator app codes) does not protect against real-time phishing. When you enter your TOTP code into a phishing proxy, the attacker's server receives your code and immediately forwards it to the legitimate service, completing authentication before the 30-second window closes. The attacker is now signed in as you.
This is why security researchers consistently recommend phishing-resistant 2FA (hardware security keys and passkeys) for high-value accounts. These methods work differently: instead of you typing a code that could be relayed anywhere, your browser and authenticator sign a server challenge together with the domain you are actually visiting, and the server checks that domain against its own. A phishing site has a different domain, so the check fails and authentication never completes.
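As an added illustration of that origin check (example code, not part of the original guide), the following Python models the server side of a WebAuthn/passkey login. The domain names are constructed, and an HMAC over a shared secret stands in for the real public-key signature so the example runs with the standard library alone; the origin, challenge and rpIdHash checks are the ones the WebAuthn verification procedure requires.

```python
import hashlib
import hmac
import json

# Constructed relying-party values; the HMAC key stands in for the credential's
# public key so the example runs with the standard library alone.
RP_ID = "example-bank.test"
EXPECTED_ORIGIN = "https://example-bank.test"
CREDENTIAL_KEY = b"constructed-credential-secret"


def build_assertion(origin: str, challenge: bytes) -> dict:
    """Model of what the browser and authenticator hand back to the server.
    The browser, not the web page, writes `origin`, so a page on a lookalike
    domain cannot claim the real one; a real browser would in fact refuse to
    use the credential there at all because RP_ID does not match the origin."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"  # rpIdHash || flags
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data,
            "authenticatorData": auth_data,
            "signature": signature}


def verify_assertion(assertion: dict, challenge: bytes) -> tuple:
    """Server-side checks in the order WebAuthn requires. Returns (ok, reason).
    A TOTP code carries none of this context: the server cannot tell where it
    was typed, which is why a real-time proxy can relay it."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != challenge.hex():
        return False, "challenge mismatch (stale or replayed response)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + repr(client.get("origin"))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"
```

Calling `verify_assertion(build_assertion("https://example-bank.login-verify.test", ch), ch)` returns an origin-mismatch failure even though the signature itself is valid, which is exactly the property a relayed TOTP code lacks.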
How to Identify Phishing Attempts
Check the sender domain carefully: not the display name, but the actual email address. "PayPal" as a display name with a sender of service@paypa1-support.net is phishing. Look for urgency and fear as manipulation tactics; "your account will be suspended in 24 hours" is a classic pressure technique. Hover over links before clicking to see the real destination URL. Legitimate services use their own domain, not a shortened URL or a different domain. When in doubt, open a new browser tab and navigate directly to the service; never click links in emails for security-related actions.
Practical Defences Against Phishing
The most effective defence is a hardware security key (YubiKey, Google Titan) or a passkey for your most critical accounts. These are cryptographically phishing-resistant: they will not authenticate on a fake domain, full stop. For accounts where hardware keys are not supported, a TOTP authenticator app is still much better than SMS or no 2FA; it defeats automated attacks and phishing kits that merely harvest credentials for later use rather than relaying them in real time. A password manager is also a strong anti-phishing tool because it auto-fills credentials only on the correct domain: it will not fill on a lookalike site, which is often the first warning that something is wrong.
What to Do If You Were Phished
If you realise you entered credentials on a phishing site, act immediately: change the password for the affected account from a trusted device, check for and end any active sessions you did not initiate, enable or update 2FA on the account, and check whether any connected applications were granted access during the attacker's session. If the account is financial or work-related, contact the relevant institution and your IT department right away.