Phishing
Olivia gets a text: "Your delivery is held — confirm your address here." The link looks right, the page it opens looks right, and if she enters her details, they go straight to an attacker. She was never careless; she was simply convinced.
This is phishing — a fake message that lures you to a fake destination, where you hand over information thinking you're somewhere safe. It is the most common social engineering attack by a wide margin, and once you see how it is built, every version of it starts to look the same.
Picture a counterfeit letter on official-looking letterhead. The letterhead is the bait — it makes the letter feel real. It directs you to a fake office that exists only to collect your details. The letter gets you moving; the fake office is where the harm happens. Phishing is that, online.
What Phishing Actually Is
Phishing is a message that pretends to be from someone you trust, sent to make you do one specific thing: click a link, log in, or hand over information. The message might claim to be your bank, a delivery company, a coworker, or a service you use every day.
The pretending is the whole game. A real bank would never need to trick you, so the message has to look like the real bank closely enough that you don't stop to question it. If you act on it, you've done exactly what the attacker wanted — without ever realizing anything was wrong.
The Fake Destination Is the Heart of It
The message gets a lot of attention, but it is not where the damage is done. The real trap is the page the link leads to — a look-alike site, a copy of a genuine login or payment page built to capture whatever you type into it.
When Olivia enters her username and password on that page, she is not logging in anywhere. She is typing her secrets into a form that emails them straight to the attacker. The page may even forward her to the real site afterward, so nothing seems to have gone wrong.
This is the part worth holding onto: the convincing message is just the delivery van. The fake destination is the trap. Most phishing is some way of getting you to that fake destination — though some messages carry the trap directly, as a malicious attachment.
Spear Phishing: The Version Made Just for You
Most phishing is sent in bulk — the same generic message blasted to thousands of people, hoping a few bite. Spear phishing is the opposite: a single message crafted for one specific person, using real details about them.
An attacker who knows Olivia's name, where she works, and who her manager is can write a message that fits her life exactly — "Hi Olivia, it's Dana from accounts, can you approve this invoice?" Because the details are real, it is far more convincing than a generic blast, and far harder to wave off as junk. The personalization is the weapon.
Why It Works on Careful People
Phishing does not rely on you being foolish. It borrows a brand you already trust, and it adds a reason to hurry — a held delivery, a locked account, an invoice due today. Trust plus urgency makes you act before you examine, which is precisely the point.
That pressure is doing real work on your mind, and it deserves its own look — the psychology behind it comes up later in this chapter. For now, the takeaway is simply that the trick targets normal human reflexes, not a lack of intelligence.
- "Phishing is always full of obvious spelling mistakes." Many phishing messages are polished and look exactly like the real thing. The clumsy, typo-ridden ones are just the easy-to-spot end of the range — the dangerous ones read perfectly.
- "If the sender's name looks right, the message is safe." Sender names and links can both be faked to display whatever the attacker chooses. The name you see proves nothing about who actually sent it.
- "Phishing only happens over email." It also arrives by text message (sometimes called smishing), by phone, and through chat apps. The channel changes; the trick — impersonate a source you trust to get you to hand over information — stays the same.
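The point about faked links can be made concrete. The text a reader sees on a link and the address the link actually opens are two separate things, and a mail client or gateway can compare them. The following is an added example written for this lesson, not code from the original page: it pulls every link out of a constructed HTML message, and where the visible text itself looks like a web address, it checks whether that address and the real target share the same registrable domain. All hostnames in the sample (courier.example, parcel-update.test, delivery-status.test) are constructed, and the "last two labels" rule for the registrable domain is a deliberate simplification of what the Public Suffix List does.

```python
"""Flag links whose visible text names one site while the href points to another.

Added example for the phishing lesson; not part of the original page.
Sample message and hostnames are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches something a reader would recognise as a web address inside link text,
# e.g. "https://www.courier.example/track" or "courier.example".
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registrable_domain(host):
    """Reduce a hostname to its last two labels (simplification: real code
    should consult the Public Suffix List so that e.g. 'co.uk' is handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return links where the address shown to the reader and the real target
    belong to different registrable domains."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue  # mailto:, tel:, etc. are out of scope here
        match = HOST_RE.search(text)
        if not match:
            continue  # "Click here" makes no claim about where it goes
        shown_host = match.group(1)
        actual_host = target.hostname or ""
        if registrable_domain(shown_host) != registrable_domain(actual_host):
            findings.append({"shown": shown_host, "actual": actual_host, "href": href})
    return findings


# Constructed message body modelled on the "held delivery" lure in the lesson.
SAMPLE_HTML = """
<p>Your delivery is held. Confirm your address:</p>
<a href="https://parcel-update.test/confirm">https://www.courier.example/track</a>
<p>Or visit <a href="https://www.courier.example/help">www.courier.example/help</a></p>
<p><a href="https://courier.example.delivery-status.test/x">courier.example</a></p>
<p><a href="https://parcel-update.test/confirm">Click here</a></p>
<p><a href="mailto:help@courier.example">help@courier.example</a></p>
"""

if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_HTML):
        print(f"shown {f['shown']!r} but opens {f['actual']!r}")
```

Two of the five links are flagged: the one whose text spells out the courier's address while pointing at parcel-update.test, and the one where the brand name appears only as a subdomain of delivery-status.test. The genuine link passes, and "Click here" is left alone because it shows the reader nothing to contradict; it is the mismatch between a visible claim and the real destination that this check is after.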
- Phishing is the way in for a huge share of real breaches and fraud — it is often the first step of a much larger attack.
- Once you understand the "fake destination" core, you can see what every variant is really doing, no matter what brand it imitates or how it reaches you.
- Knowing it preys on trust and urgency, not carelessness, takes the blame off the target and puts attention on the trick itself.
Knowledge Check
In a phishing attack, where is the actual harm usually done?
- On the look-alike page, where you type in your details
- In the wording of the message itself, before any link is clicked
- The instant the message lands in your inbox
- In the sender's name shown at the top
What makes spear phishing different from ordinary bulk phishing?
- It is aimed at one specific person and uses real details about them
- It is sent to as many people as possible at once, with no personal targeting
- It is always sloppy and full of obvious mistakes
- It can only ever be sent by email
Why is "it had no spelling mistakes, so it must be real" a risky way to judge a message?
- Because many phishing messages are polished and convincing
- Because every phishing message is legally required to contain a typo
- Because only messages with typos are allowed to contain links
- Because a message with no mistakes is guaranteed to be safe