Understand how phishing attacks work, the different types you may encounter, and how to protect yourself and your organisation.
Phishing is a form of social engineering where attackers impersonate trusted entities (banks, technology companies, government agencies, or colleagues) to deceive victims into revealing sensitive information or taking a harmful action.
The term comes from "fishing": casting a wide net and hoping someone takes the bait. Attackers send millions of messages knowing that even a small percentage of responses is profitable.
Modern phishing has become highly sophisticated. Attackers now embed malicious content inside images to bypass traditional text-based email filters, register lookalike domains that are visually identical to legitimate ones, and craft psychologically compelling messages using urgency, fear, and authority.
"Your Apple ID has been locked due to suspicious activity. Verify your account within 24 hours to avoid permanent suspension." sent from security@apple-verify.top
Invoice scams are among the most common phishing attacks. Attackers send fake invoices, typically for software subscriptions, antivirus renewals, or tech support services, claiming a charge has already been made to your account.
The goal is to panic you into calling a phone number, where fraudsters will attempt to gain remote access to your computer or convince you to make a payment to "cancel" the fictional subscription.
Commonly impersonated brands include Geek Squad (Best Buy), Norton, McAfee, PayPal, Amazon, Microsoft, and Apple. These companies are chosen because they have broad recognition and large customer bases.
"Your Norton AntiVirus subscription has been automatically renewed for $299.99. If you did not authorise this charge, call our helpline immediately on +1 (805) 849-2294 within 24 hours."
Credential harvesting attacks direct victims to fake login pages that look identical to the real thing. When you enter your username and password, the attacker captures them instantly and uses them to access your real account.
These attacks target banking, email, social media, and cloud services. Once an attacker has your credentials they may change your password, drain accounts, or sell the credentials to other criminals.
Attackers register domains designed to look legitimate at a glance: paypa1.com (using a 1 instead of an l), secure-paypal-login.com, or paypal.com.account-verify.xyz (where the registered domain is actually account-verify.xyz). Combined with a perfect visual copy of the real login page, many victims don't notice anything wrong.
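The three lookalike patterns above can be checked mechanically. The following is an added example, not code from the original page or from the ImageAware+ product; the brand list, the homoglyph table and the two-label approximation of the registrable domain are assumptions made for the example.

```python
"""Lookalike-domain checks for URLs found in a suspicious message.

Added example (not from the original page): flags the three spoofing
patterns described above: digit/letter substitution (paypa1.com), a brand
name embedded in a domain the brand does not own (secure-paypal-login.com),
and the brand domain used as a subdomain of an attacker-controlled domain
(paypal.com.account-verify.xyz).
"""
from urllib.parse import urlparse

# Brands the organisation cares about and the domains they really use.
# Constructed for this example; a real deployment would load its own list.
TRUSTED_DOMAINS = {
    "paypal": {"paypal.com"},
    "apple": {"apple.com", "icloud.com"},
    "anpost": {"anpost.com", "anpost.ie"},
}

# Characters attackers swap for visually similar ones. Undone before
# comparing, so "paypa1" normalises to "paypal" and "rnicrosoft" to "microsoft".
HOMOGLYPHS = {"1": "l", "0": "o", "rn": "m", "vv": "w", "|": "l"}


def normalise(label: str) -> str:
    """Lower-case a label and undo common homoglyph substitutions."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that was actually registered.

    Simplification (assumption): the last two labels. This mis-handles
    multi-part public suffixes such as co.uk; use a public-suffix list
    library for production use.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> tuple:
    """Classify the host of a URL against the trusted brand list.

    Returns (verdict, detail) where verdict is one of:
      "trusted"       - registrable domain is a known-good domain
      "homoglyph"     - matches a brand only after undoing substitutions
      "brand-in-name" - a brand name appears in a domain the brand does not own
      "unknown"       - no relation to a listed brand
    """
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    all_trusted = {d for ds in TRUSTED_DOMAINS.values() for d in ds}

    # Genuine: the registrable domain itself is trusted. This is what defeats
    # paypal.com.account-verify.xyz: its registrable domain is
    # account-verify.xyz, so it never reaches this branch.
    if reg in all_trusted:
        return "trusted", reg

    # Homoglyph: after normalising, the registrable domain equals a trusted one.
    reg_norm = ".".join(normalise(label) for label in reg.split("."))
    if reg_norm in all_trusted:
        return "homoglyph", f"{reg} looks like {reg_norm}"

    # Brand name anywhere in the full hostname, but not owned by the brand.
    host_norm = normalise(host)
    for brand in TRUSTED_DOMAINS:
        if brand in host_norm:
            return "brand-in-name", f"'{brand}' appears in {host}"

    return "unknown", reg


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin", "http://paypa1.com/login",
              "https://secure-paypal-login.com", "https://paypal.com.account-verify.xyz/verify"):
        print(u, "->", classify_url(u))
```

The ordering of the checks matters: the registrable domain is tested before any substring match, so a genuine subdomain such as www.paypal.com is accepted without ever being compared against the brand name, while the subdomain trick is caught because its registered part is not on the list.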
Delivery scams are particularly prevalent in Ireland. Attackers impersonate An Post, DHL, FedEx, or other courier services claiming a parcel is being held due to an unpaid customs fee or failed delivery attempt.
The victim is asked to pay a small fee (typically €1-€3) to release the parcel. This small amount makes it feel low-risk, but the real goal is to capture your card details for larger fraudulent charges later.
"Your parcel has been held at our depot due to an unpaid customs fee of €2.99. Please pay within 48 hours to avoid return to sender. Track your parcel: [malicious link]"
BEC is the most financially damaging form of phishing. Attackers impersonate senior executives, finance departments, or trusted vendors to authorise fraudulent wire transfers or change payment details.
Unlike other phishing, BEC emails often contain no links, no attachments, and no obvious red flags; they are designed to look like normal business communications. The FBI reports BEC caused over $2.9 billion in losses in 2023 alone.
CEO Fraud: An email appearing to come from the CEO asks the finance team to urgently transfer funds to a new account. "As discussed, please process the payment of €45,000 to our new vendor details attached."
Vendor Payment Change: A supplier notifies you their bank details have changed and requests future payments to a new account. The email appears legitimate but originates from an attacker who has compromised or spoofed the vendor's email.
Brand impersonation involves copying the logos, colour schemes, typography, and tone of trusted organisations to make phishing content appear legitimate. Almost every major brand is impersonated: Apple, Microsoft, PayPal, your bank, government services.
Attackers invest significant effort in making impersonation convincing. Modern phishing emails are often visually indistinguishable from genuine communications; the only difference may be a single character in the sender domain.
Sextortion emails claim the attacker has compromising video footage of the victim and threaten to send it to their contacts unless a cryptocurrency payment is made. These emails are almost always entirely fabricated; the attacker has no footage.
The emails are sent in bulk and often include one of the victim's real passwords (obtained from historical data breaches) to appear credible. This is called a "credential stuffing" technique, designed to create panic.
Job scams impersonate legitimate companies offering attractive employment opportunities, particularly targeting students and recent graduates. The email appears to come from a real company's talent acquisition team and offers remote, flexible, high-paying roles.
The goal is to eventually request bank details for "direct deposit setup", advance payments for equipment, or to extract personal identification documents under the guise of onboarding.
"Hi, we've been following your work and we're impressed. Spotify is hiring for several remote positions that could be a perfect fit. We'd love to schedule a call; our talent acquisition team is available this week."
Use this checklist whenever you receive an unexpected email asking you to take an action: click a link, make a payment, verify your details, or open an attachment.
The display name can say anything. The actual email address after the @ is what matters: apple.com and apple-security.com are very different domains.
Hover over any link to see the actual destination URL in your browser's status bar. Does it match what you'd expect?
Phishing relies on panic. "24 hours", "immediately", "act now" are designed to make you act before you think.
Your bank, Apple, Google: none of them will email you asking for your password, PIN, or full card details.
Unexpected PDF or Word documents can contain malware. Verify with the sender via a separate channel before opening.
SPF, DKIM, and DMARC failures mean the email may not be from who it claims. Your email client may show a warning.
Do not click links, open attachments, or call phone numbers in the email. Even clicking "unsubscribe" can confirm your address is active.
Use your email client's "Report phishing" option. In Gmail use the three dots → Report phishing. In Outlook use the Phish Alert button if available.
In Ireland, forward phishing emails to report@phishing.gov.ie. In the UK, forward to report@phishing.gov.uk. For An Post scams, report to An Post directly.
Change your password immediately on the real website (typed directly). Contact your bank if financial details were shared. Enable two-factor authentication. Check haveibeenpwned.com.
Upload the image or .eml file to ImageAware+ for a detailed forensic analysis. This can help confirm it's phishing and identify what indicators were present.