Why Phishing Still Works in 2024
Phishing attacks have been a known threat since the mid-1990s, and every major email provider now runs sophisticated filters designed to catch them. Yet phishing remains the initial vector in the majority of data breaches. According to the Anti-Phishing Working Group, over 1.3 million unique phishing sites were detected in 2023 alone. The reason phishing persists is not a failure of technology. It is a success of psychology.
Attackers do not need to break your password manager or exploit a software vulnerability. They need to convince you, for just a few seconds, that an email is legitimate. Once you click a link or enter your credentials, the attack has succeeded regardless of how many security layers protect the account on the other side.
The Anatomy of a Phishing Email
Understanding how phishing emails are constructed makes them far easier to identify. Most phishing emails share the same basic architecture, even when the specific content varies widely.
A spoofed or lookalike sender address. Attackers either spoof the display name (so "PayPal Security" appears as the sender even though the underlying address is random@sketchy.com) or register a lookalike domain (paypa1.com, pay-pal-support.com, paypal-security.net). The display name spoofing works against users who never look past the friendly name. The lookalike domain works against users who glance at the address without reading it carefully.
Urgency and fear. Phishing emails almost universally create a sense of urgency. Your account has been suspended. Unusual activity has been detected. Your payment has failed. Your package cannot be delivered. This urgency is designed to override your critical thinking. When you are alarmed, you act. When you act fast, you do not verify.
A plausible pretext. Effective phishing emails impersonate entities you already have a relationship with: your bank, your email provider, a service you use, a government agency, a delivery company. The attacker's goal is to create a scenario where receiving an email from that sender makes sense.
A single call to action. Phishing emails almost always have one goal: get you to click a link. Occasionally the attack involves an attachment (a malicious document or executable), but the link to a fake login page is the most common mechanism because it is easy to deploy and hard to trace.
A convincing fake page. The link leads to a page that looks exactly like the real service. Modern phishing kits, sold on underground markets, include pixel-perfect copies of major brand login pages. The fake page captures your credentials and may even redirect you to the real site afterward, so you never realise anything happened.
Spear Phishing: When Attackers Know Your Name
Generic phishing sends the same email to millions of addresses hoping some percentage of recipients happen to use the impersonated service. Spear phishing is targeted. The attacker has researched you specifically, knows your name, your employer, a recent purchase, a colleague's name, or another piece of personal information that makes the email seem legitimate.
Spear phishing emails are dramatically harder to detect. They address you by name. They reference real context from your life. They may appear to come from someone you know, whose account has been compromised or whose address has been spoofed. Business Email Compromise (BEC) attacks, where an attacker impersonates a CEO or finance director to authorise a fraudulent payment, are a form of spear phishing that costs businesses billions of dollars per year.
Five Signs an Email Is a Phishing Attempt
1. The sender address does not match the organisation. Look past the display name. Click or hover over the sender to see the actual email address. A legitimate PayPal email comes from a @paypal.com address, full stop. Anything else is suspicious.
2. Links do not match the displayed text. Hover over any link before clicking. Your email client will show you the actual URL. If the link text says "Verify your account at amazon.com" but the URL shows amaz0n-security.net, do not click it.
3. Generic greetings. Legitimate services you have an account with know your name and use it. "Dear Customer" or "Dear User" are signals that the email was not sent by a service with your account details.
4. Grammar and spelling errors. Professional communications from major organisations go through editorial review. Errors in a supposedly official email are a warning sign, though sophisticated attacks are increasingly error-free.
5. Requests for credentials or personal information. Legitimate services never ask for your password, full credit card number, or social security number via email. If an email asks for this information or directs you to a page that does, it is an attack.
What to Do When You Receive a Suspicious Email
If you suspect an email is a phishing attempt, do not click any links, do not download any attachments, and do not reply. If the email purports to be from a service you use, go directly to that service by typing its URL in your browser or using a saved bookmark. Check your account status there. Do not use any contact information provided in the suspicious email.
Report the phishing email using your email provider's built-in reporting tool. Gmail, Outlook, and Apple Mail all have phishing report options. These reports improve filtering for all users.
If you have already clicked a link and entered credentials, change your password immediately from a trusted device. Enable two-factor authentication if it is not already active. Contact the real service to alert them to the incident.
How Limiting Email Exposure Reduces Phishing Risk
Phishing attacks require your email address to reach you. The more widely your address is distributed, the more likely it is to appear in the marketing lists, data broker databases, and breach dumps that attackers use to build their target lists.
Using a temporary email address for low-trust sign-ups limits the distribution of your primary address. Using unique email aliases for different services means that if one service is breached, only that alias is exposed. These are proactive measures that reduce your attack surface rather than relying entirely on your ability to identify attacks after they arrive.
Sources & further reading
External links are provided for verification and are not endorsements. Reviewed against these sources per our editorial policy.
Achyuth Kumar
Founder & editor, TempMailKit
Achyuth builds privacy tools and writes TempMailKit’s guides on email security, spam, and online privacy. Every article is checked against primary sources and our editorial policy before it is published. Questions or a correction? Get in touch.