Phishing Attacks Explained: How Hackers Steal Your Credentials

Phishing is responsible for more account compromises than any other attack type. Understanding how it works makes you dramatically less likely to fall for it.

What Phishing Actually Is

Phishing is a social engineering attack where an adversary impersonates a trusted entity — a bank, an employer, a tech platform — to trick you into providing credentials, clicking a malicious link, or taking an action that benefits the attacker. The word comes from "fishing" with a lure: you are the target, and the fake login page or urgent email is the bait.

Phishing has become the dominant initial access technique for account takeovers. Verizon's annual Data Breach Investigations Report consistently identifies phishing as responsible for the majority of credential-related breaches. It works not because people are careless, but because well-crafted phishing attempts are genuinely difficult to distinguish from legitimate communications, especially under time pressure.

The Main Types of Phishing

Email phishing is the most common form. Attackers send mass emails pretending to be from a known brand — PayPal, Microsoft, your bank — with an urgent call to action: "Your account has been compromised, click here to secure it." The link leads to a convincing fake login page that harvests your credentials.

Spear phishing targets specific individuals using personalised information. An attacker might reference your employer, a recent purchase, or a mutual colleague to add credibility. Spear phishing messages are far harder to detect than generic campaigns and are typically used against high-value targets.

Smishing (SMS phishing) arrives via text message. Common examples include fake delivery notifications ("Your parcel could not be delivered, click to reschedule") and bank fraud alerts. The same principles apply — fake link, fake site, harvested credentials.

Real-time phishing is the most sophisticated variant. The attacker operates a proxy that sits between you and the real service. You enter your credentials and 2FA code into what looks like the real site; the proxy forwards them to the real site in real time, capturing both. This defeats SMS and TOTP-based 2FA because the attacker uses your code before it expires.

How Phishing Bypasses SMS and TOTP 2FA

Standard 2FA (SMS codes, authenticator app codes) does not protect against real-time phishing. When you enter your TOTP code into a phishing proxy, the attacker's server receives your code and immediately forwards it to the legitimate service, completing authentication before the 30-second window closes. The attacker is now signed in as you.

This is why security researchers consistently recommend phishing-resistant 2FA — hardware security keys and passkeys — for high-value accounts. These methods work differently: instead of you typing a code that could be relayed, your browser records the origin you are actually on and the key signs a response that includes it. A phishing site has a different origin, so the signed response fails the server's check and authentication never completes, even if a proxy forwards it unchanged.
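As an added example (not part of the original article), here is a dependency-free Python model of the origin check that makes a security key or passkey phishing-resistant. The relying-party id example.com and the credential key are assumptions, and the signature is modelled with an HMAC rather than the asymmetric key pair real WebAuthn uses; the checks the server performs are the real ones.

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying party and one registered credential. The credential
# key is a shared secret here so the demo needs no third-party library;
# real WebAuthn uses an asymmetric key pair, but the checks below are the same.
RP_ID = "example.com"                     # assumed relying-party id
RP_ORIGIN = "https://example.com"         # the only origin the RP will accept
CREDENTIAL_KEY = secrets.token_bytes(32)  # constructed per-credential secret

def browser_assertion(page_origin: str, challenge: bytes) -> dict:
    """Browser + authenticator: the browser, not the page, writes the true
    origin into clientDataJSON, and the authenticator signs over its hash."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + bytes(4)
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(CREDENTIAL_KEY, to_sign, "sha256").digest()}

def rp_verify(assertion: dict, expected_challenge: bytes) -> str:
    """Server-side verification in the order WebAuthn prescribes."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "rejected: wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return "rejected: challenge mismatch (stale or replayed)"
    if cd.get("origin") != RP_ORIGIN:           # this is the anti-phishing check
        return f"rejected: origin {cd.get('origin')!r} is not {RP_ORIGIN!r}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rejected: rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, to_sign, "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "rejected: bad signature"
    return "accepted"

def login_via(page_origin: str) -> str:
    """One round trip: the real RP issues a challenge, the victim's key answers
    it on `page_origin` (a proxy can relay the bytes but cannot change the
    signed origin), and the real RP verifies the result."""
    challenge = secrets.token_bytes(32)
    return rp_verify(browser_assertion(page_origin, challenge), challenge)
```

In a real browser the lookalike page could not even request a credential scoped to example.com, so the origin and rpIdHash checks are the server's backstop rather than the only barrier.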

How to Identify Phishing Attempts

Check the sender domain carefully — not the display name, but the actual email address. "PayPal" as a display name with a sender of service@paypa1-support.net is phishing. Look for urgency and fear as manipulation tactics — "your account will be suspended in 24 hours" is a classic pressure technique. Hover over links before clicking to see the real destination URL. Legitimate services use their own domain, not a shortened URL or a different domain. When in doubt, open a new browser tab and navigate directly to the service — never click links in emails for security-related actions.
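As an added example that is not from the original article, the checks above expressed as a small Python inspector run over a constructed message; the brand-to-domain table, the sample headers and the digit-for-letter folding rule are assumptions for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: display name and visible link say PayPal; the real
# sender and the real href do not. BRAND_DOMAINS is an assumed allow-list.
SAMPLE = """\
From: "PayPal" <service@paypa1-support.net>
Subject: Your account has been compromised
Content-Type: text/html

<p>Click <a href="https://paypa1-support.net/secure">https://www.paypal.com/secure</a>
within 24 hours or your account will be suspended.</p>
"""
BRAND_DOMAINS = {"paypal": "paypal.com"}
URGENCY = re.compile(r"\b(\d+ hours?|immediately|suspended|compromised)\b", re.I)

def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); fine for .com-style domains."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike(host: str, brand: str, real: str) -> bool:
    """Host imitates the brand (1->l, 0->o folded) but is not the real domain."""
    if registrable(host) == real:
        return False
    return brand in host.lower().translate(str.maketrans("10", "lo"))

def inspect_message(raw: str) -> list[str]:
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    for brand, real in BRAND_DOMAINS.items():
        if brand in name.lower() and registrable(sender_host) != real:
            flags.append(f"display name {name!r} but sender domain is {sender_host}")
        if lookalike(sender_host, brand, real):
            flags.append(f"sender domain {sender_host} imitates {real}")
    body = msg.get_payload()
    for href, text in re.findall(r'href="([^"]+)"[^>]*>([^<]*)<', body):
        target = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname
        if shown and registrable(shown) != registrable(target):
            flags.append(f"link text shows {shown} but goes to {target}")
        for brand, real in BRAND_DOMAINS.items():
            if lookalike(target, brand, real):
                flags.append(f"link host {target} imitates {real}")
    flags += [f"pressure wording: {m!r}" for m in URGENCY.findall(msg.get("Subject", "") + " " + body)]
    return flags
```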

Practical Defences Against Phishing

The most effective defence is a hardware security key (YubiKey, Google Titan) or a passkey for your most critical accounts. These are cryptographically phishing-resistant — they will not authenticate on a fake domain, full stop. For accounts where hardware keys are not supported, a TOTP authenticator app is still much better than SMS or no 2FA — it defeats automated attacks and any phishing site that merely stores your password for later use rather than relaying it in real time. A password manager is also a strong anti-phishing tool because it auto-fills credentials only on the correct domain — it will not fill on a lookalike site, which is often the first warning that something is wrong.

What to Do If You Were Phished

If you realise you entered credentials on a phishing site, act immediately: change the password for the affected account from a trusted device, check for and end any active sessions you did not initiate, enable or update 2FA on the account, and check whether any connected applications were granted access during the attacker's session. If the account is financial or work-related, contact the relevant institution and your IT department right away.

How Modern Phishing Actually Works

Phishing has evolved far beyond the obvious "Nigerian Prince" emails of the early internet. Modern phishing attacks are highly targeted, visually convincing, and exploit both technical vulnerabilities and human psychology. The core mechanism is consistent: trick the victim into believing they are interacting with a legitimate, trusted entity, and use that false trust to capture credentials, install malware, or authorise a fraudulent action. Real-time proxy attacks can capture and use 2FA codes within the same 30-second window they are valid.

Types of Phishing Attacks

Mass phishing sends identical messages to millions of recipients, hoping a small percentage will be fooled. Spear phishing targets specific individuals using personalised information gathered from social media or previous breaches — these emails appear to come from your actual boss or a known colleague. Whaling targets senior executives specifically, often with fake legal documents or board communications. Smishing uses SMS instead of email. Vishing uses phone calls, with attackers impersonating bank fraud departments or technical support.

The Psychology Phishing Exploits and How to Resist It

Phishing attacks consistently exploit: Urgency and fear ("Your account will be permanently deleted in 24 hours"), Authority (messages appearing to come from your CEO or a government agency), and Familiarity (attacks use your actual name or reference real events sourced from social media). The most reliable defence is verification through a separate channel. If you receive an urgent email from your bank, call the number on the back of your card. For any login request, navigate directly to the website by typing the address into your browser rather than clicking the link. A security key or passkey provides automatic protection since it cryptographically verifies the domain.

Frequently Asked Questions

Can phishing attacks bypass 2FA? TOTP-based 2FA can be bypassed by real-time phishing proxies that forward your code to the real site within the 30-second validity window. Hardware security keys and passkeys cannot be bypassed by phishing because they cryptographically verify the domain.

How do I report a phishing attack? Report phishing emails to your email provider, to the company being impersonated (most have a dedicated phishing report email), and to your national cybercrime reporting centre (IC3 in the US, Action Fraud in the UK, ACSC in Australia).

What should I do if I clicked a phishing link? If you clicked but did not enter information: run a malware scan and monitor your accounts. If you entered your password: change it immediately on that service and any other service using the same password. If you entered your 2FA code: assume the account was accessed, change the password, regenerate 2FA, and check account activity for unauthorised actions.