Phishing is the starting point of more cyberattacks than any other technique. It is the method attackers use to steal credentials, install malware, authorize fraudulent wire transfers, and gain the initial foothold that leads to ransomware, data breaches, and business email compromise. According to every major threat intelligence report published in the last five years, phishing accounts for the majority of confirmed data breach incidents.

It is also the attack that most people believe they are immune to. The assumption is that phishing emails are obviously suspicious — full of spelling errors, generic greetings, implausible scenarios. That assumption was roughly accurate ten years ago. It is dangerously wrong in 2026.

AI has fundamentally changed what phishing looks like. Modern phishing emails are grammatically perfect, contextually specific, and increasingly indistinguishable from legitimate communications from people you actually know. Understanding how phishing works — and updating your mental model from the outdated "Nigerian prince" version — is one of the most valuable things you can do for your personal and organizational security.

What phishing actually is

Phishing is a social engineering attack that uses deceptive communications — typically email, but also SMS, phone calls, and social media — to manipulate recipients into taking an action that benefits the attacker. That action is usually one of three things: clicking a link that leads to a credential harvesting page, opening an attachment that installs malware, or taking a direct action like wiring money or sharing sensitive information.

The name is a deliberate misspelling of "fishing" — attackers cast a line and wait to see who bites. Mass phishing campaigns send the same message to millions of addresses hoping a percentage will respond. Targeted campaigns are crafted specifically for individual recipients with personalized context that makes the deception far more convincing.

The types of phishing

Generic phishing (mass phishing)
Sent to millions of addresses. Impersonates banks, PayPal, Amazon, Microsoft. Generic enough to apply to many recipients. Volume compensates for the low conversion rate.

Spear phishing (targeted)
Crafted for a specific individual using researched personal context — their name, employer, colleagues, recent activity. Significantly higher conversion rate. Used against high-value targets.

Whaling (executive)
Spear phishing targeting senior executives — CEOs, CFOs, board members. Often impersonates legal counsel, regulators, or other executives. High-value targets warrant significant attacker investment.

Smishing (SMS)
Phishing via SMS text message. Impersonates delivery services, banks, government agencies. Mobile users are often less cautious, and links are harder to inspect on small screens.

Vishing (voice)
Voice phishing via phone call. Impersonates tech support, the IRS, bank fraud departments. AI voice cloning now enables impersonation of specific individuals with three seconds of audio.

Vendor impersonation (supply chain)
Impersonates a trusted vendor or supplier. Requests payment to a new bank account, updated login credentials, or sensitive data. Extremely effective because the relationship is real.

What a modern phishing email looks like

The outdated mental model of phishing — obvious typos, generic greeting, implausible scenario — no longer applies to the attacks that are actually compromising organizations. Below is an annotated example of what modern spear phishing looks like.

Notice what this email does not have: spelling errors, generic greeting, implausible scenario. It uses your real name, references a real service you use, creates genuine alarm, and provides a clear action. This is what modern phishing looks like. AI tools can generate thousands of variants like this per hour, personalized to each recipient using publicly available information.

AI-generated phishing emails now bypass enterprise email filters in 91% of cases according to recent threat intelligence analysis. Visual inspection alone is no longer a reliable defense. Process controls matter more than visual tells.

The red flags that still apply

While the obvious tells of older phishing have largely disappeared, certain patterns remain consistent across phishing attempts regardless of how sophisticated the execution is.

PHISHING RED FLAGS — 2026
Urgency and pressure
Legitimate organizations rarely demand immediate action under threat of consequence. "Your account will be suspended in 24 hours," "respond immediately," "urgent action required" are manipulation techniques designed to short-circuit deliberate thinking.

Unexpected contact
An email you were not expecting from a person or organization you were not in conversation with should be treated with elevated suspicion, regardless of how legitimate it appears. Legitimate contacts rarely initiate out of nowhere with urgent requests.

Requests that bypass normal process
"Please handle this directly, don't go through procurement." "This is confidential, don't mention it to anyone." Any request to circumvent normal channels is a significant red flag regardless of who appears to be making it.

Mismatched sender domains
The display name can say anything. The actual email address is what matters. finance@company-invoices.net is not the same as finance@company.com. Check the actual address, not just the display name.

Links that do not match what they claim
Hover over any link before clicking. The URL that appears in the status bar should match the organization the email claims to be from. microsofft-security.com is not Microsoft. secure-paypal-account.com is not PayPal.

Requests for credentials or payment
Legitimate services do not ask you to provide your password via email. Legitimate vendors do not change bank account details via email alone. Any email requesting credentials or redirecting payment should trigger immediate verification through a separate channel.

Generic or slightly wrong personal details
Spear phishing uses real information but sometimes gets details slightly wrong — your job title from six months ago, a former email address, a project that has already concluded. Slight inaccuracies in what should be specific information are a tell.

The right process when you are suspicious

WHAT TO DO WHEN AN EMAIL SEEMS SUSPICIOUS
1. Stop. Do not click, do not reply, do not forward. The instinct to respond quickly is exactly what phishing is engineered to trigger. Pause deliberately.
2. Check the sender address. Not the display name — the actual email address. Does it match the domain of the organization it claims to be from? Subtle variations (paypa1.com, microsofft.com) are designed to be missed at speed.
3. Hover over links before clicking. The URL in the status bar should match the claimed sender. If you cannot inspect the URL on mobile, do not click.
4. Verify through a separate channel. If the email claims to be from your bank, call the number on the back of your card — not a number in the email. If it claims to be from a colleague, call or message them directly. Never verify a suspicious email by replying to that email.
5. Report it. Use your email client's phishing report button. In an organizational context, forward it to your security team. Reporting helps protect everyone else who may receive the same campaign.
6. If you clicked — act immediately. Change the password for any account you may have entered credentials for. Enable MFA if you have not already. Report to your IT or security team immediately. Speed matters in credential compromise response.
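The sender-domain and link checks described in the red flags above and in steps 2 and 3 can be automated for triage. The following is an added example, not code from the original article: using only Python's standard library, it parses a constructed sample message, compares the real sender domain (not the display name) against an assumed allow-list, flags near-miss lookalikes such as paypa1.com, and reports links whose visible text names a different domain than their actual target. The allow-list, the sample message and the simplified registrable-domain helper are assumptions made for the example.

```python
import difflib
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: the display name and the visible link text mimic real
# organisations, while the actual sender address and link targets point elsewhere.
SAMPLE = """From: "Acme Finance" <finance@company-invoices.net>
To: alice@company.com
Subject: Invoice approval required
Content-Type: text/html

<p>Alice, please approve today via <a href="https://secure-paypal-account.com/login">paypal.com</a>
or in our portal at <a href="https://company.com/portal">company.com</a>.</p>
"""

TRUSTED = ("company.com", "paypal.com", "microsoft.com")  # assumed allow-list for the example
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # simplified <a> matcher

def registrable(host):
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike(domain):
    """Closest trusted domain if `domain` is a near miss of it (e.g. paypa1.com), else None."""
    if domain in TRUSTED:
        return None
    hits = difflib.get_close_matches(domain, TRUSTED, n=1, cutoff=0.8)
    return hits[0] if hits else None

def triage(raw):
    """Return the red flags found in one raw RFC 5322 message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg["From"])           # display name is ignored for the decision
    sender = registrable(addr.rsplit("@", 1)[-1])
    if sender not in TRUSTED:
        flags.append(f"sender {sender} is not trusted (display name {name!r})")
    near = lookalike(sender)
    if near:
        flags.append(f"sender {sender} looks like {near}")
    for href, text in ANCHOR.findall(msg.get_content()):
        target = registrable(urlparse(href).hostname or "")
        shown = text.strip()
        if "." in shown and registrable(shown) != target:   # link text names another domain
            flags.append(f"link shows {shown!r} but goes to {target}")
    return flags
```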

Why training alone is not enough

Organizations spend significant resources on phishing awareness training. Some of it is valuable. None of it is sufficient on its own. The reason is simple: phishing is engineered to exploit human psychology under conditions of distraction, pressure, and trust. No amount of training makes humans reliably phishing-proof under those conditions.

The controls that actually limit phishing damage are technical, not behavioral.

Multi-factor authentication. A phished password is significantly less useful if the attacker also needs the second factor. MFA does not prevent credential theft, but it substantially limits what stolen credentials can accomplish.

Email filtering and anti-spoofing. SPF, DKIM, and DMARC records let receiving mail servers detect and reject mail that claims to come from your domain but was not sent through your authorized servers; they do not stop lookalike domains, which is why the sender-address check still matters. Modern email security platforms with AI-powered analysis catch a significant percentage of phishing attempts before they reach users.
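As an added example, not the article's own code, here is a small check of the anti-spoofing records just mentioned for a hypothetical domain: a weak SPF/DMARC pair beside a hardened one, and a function that reports which settings still let spoofed mail through. The records are constructed, and DKIM is not checked because that requires knowing the domain's selector names.

```python
# Constructed example records for a hypothetical domain: a weak pair beside a hardened pair.
WEAK = {"spf": "v=spf1 include:_spf.mailer.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@company.example"}
HARDENED = {"spf": "v=spf1 include:_spf.mailer.example -all",
            "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                     "rua=mailto:dmarc@company.example"}

def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(records):
    """Return findings that weaken anti-spoofing for the domain; an empty list is the goal."""
    findings = []
    spf = records.get("spf", "")
    if not spf.lower().startswith("v=spf1"):
        findings.append("no SPF record: receivers cannot tell which hosts may send for the domain")
    else:
        terms = spf.lower().split()
        last = terms[-1] if len(terms) > 1 else ""   # the 'all' mechanism is conventionally last
        if last in ("all", "+all"):
            findings.append("SPF ends in +all: every sender passes")
        elif last == "~all":
            findings.append("SPF ends in ~all: receivers without DMARC enforcement only soft-fail spoofed mail")
        elif last != "-all":
            findings.append("SPF has no -all: unlisted senders are treated as neutral")
    dmarc = parse_dmarc(records.get("dmarc", ""))
    if dmarc.get("v", "").upper() != "DMARC1":
        findings.append("no DMARC record: receivers are not told to reject spoofed mail")
    else:
        pol = dmarc.get("p", "none").lower()
        if pol == "none":
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
        elif pol == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail is junked, not rejected")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC pct={dmarc['pct']}: policy applied to only part of the mail")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua: nobody receives aggregate reports of spoofing attempts")
    return findings
```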

Password managers. A password manager that auto-fills credentials only on the legitimate domain will not fill on a lookalike domain. This is a meaningful technical control against credential phishing that most users do not know about.

The AI phishing problem

AI has fundamentally changed the phishing landscape in ways that most security awareness training has not caught up with. Three developments are most significant.

Perfect grammar and language. The most commonly taught phishing tell — poor spelling and grammar — has been eliminated by AI writing tools. Phishing emails generated by AI are indistinguishable from legitimate communications in terms of language quality.

Personalization at scale. AI tools can scrape LinkedIn, company websites, social media, and news sources to build detailed profiles of targets and generate personalized phishing emails in seconds. Spear phishing that previously required hours of manual research can now be automated against thousands of targets simultaneously.

Voice and video cloning. Vishing attacks using AI-cloned voices of real people — colleagues, executives, family members — are increasingly common. Three seconds of audio is sufficient to clone a voice convincingly. This makes phone-based verification less reliable than it was, though it remains better than no verification at all.

The implication is that visual and linguistic inspection of communications is decreasing in reliability as a defense. Process controls — verifying through separate channels, following established approval workflows, implementing technical controls that do not rely on human judgment — are increasingly the primary defense.