You receive a "bank security alert" urging you to click a link and verify your account within 24 hours or face suspension. This is a classic phishing attack. According to the FBI's 2025 Internet Crime Report, phishing remains the costliest category of cybercrime, causing over US$3.5 billion in losses globally every year. This guide walks you through how phishing works, how to identify fake URLs, and how to protect yourself.
1. What Is Phishing?
Phishing is when attackers impersonate trusted entities — banks, government agencies, tech companies — to trick victims into surrendering credentials, financial information, or performing harmful actions like wire transfers or malware installation.
| Type | Description | Common Impersonation Targets |
|---|---|---|
| Email phishing | Mass-sent spoofed emails | Banks, PayPal, Netflix, government agencies |
| Spear phishing | Targeted, highly personalized attack | Executives, specific company employees |
| Smishing | Fake links via SMS | Delivery companies, banks, tax agencies |
| Vishing | Phone calls impersonating support or officials | Bank customer service, police, healthcare |
| Quishing | Forged QR codes linking to phishing sites | Parking meters, restaurant menus, ads |
2. Notable Recent Phishing Campaigns
AI-Powered Vishing (2025–2026)
Attackers have begun using AI voice robots to impersonate bank customer service agents, "helping" victims resolve account issues while extracting one-time passwords (OTPs) in real time — a technique that bypasses traditional caller ID defenses.
Business Email Compromise (BEC)
After gaining the trust of procurement staff via spear phishing, attackers impersonate suppliers requesting a change of bank account details. BEC losses in the Asia-Pacific region continue to rise, with individual cases reaching tens of millions.
3. How to Spot a Fake URL
Homograph attacks
Attackers substitute visually similar characters:
- paypa1.com — the digit 1 replacing the letter l
- аpple.com — a Cyrillic "а" replacing a Latin "a"
- g00gle.com — zeros replacing the letter o
Subdomain misdirection
The real (registrable) domain is the rightmost part of the hostname: the name just before the top-level domain, plus the TLD itself. Everything to the left of it is a subdomain controlled by whoever owns that domain. For example:
- secure.bank.com → real domain is bank.com ✓
- bank.com.secure-login.net → real domain is secure-login.net ✗ (phishing!)
URL encoding obfuscation
Percent-encoding can be used to obscure domain names in URLs, making them hard to read at a glance.
Short URL concealment
Short URLs completely hide the true destination. To preview before clicking, append a + to a Bitly link (e.g., bit.ly/xxxxx+), or use a short-URL expander service.
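As an added example (not from the original article), the following Python script applies section 3's checks to a URL's hostname: percent-decoding, non-ASCII homograph detection, the digit-for-letter substitutions shown above, and a watched brand name appearing as a subdomain of someone else's domain. The brand list and the two-part suffix list are constructed simplifications; a production tool would use the Public Suffix List.

```python
from urllib.parse import urlsplit, unquote

# Brands to watch for; a constructed list for this example.
WATCHED_BRANDS = {"paypal", "apple", "google", "bank"}
# Digit-for-letter substitutions from the article (1 -> l, 0 -> o) plus two common ones.
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
# Simplification: the registrable domain is the last two labels, or the last three
# under a two-part public suffix such as co.uk. A real tool uses the Public Suffix List.
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname the registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_PART_SUFFIXES else 2
    return ".".join(labels[-n:])


def inspect_url(url: str) -> dict:
    """Return the hostname, its registrable domain and a list of red flags."""
    flags = []
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    if "%" in host:
        # Browsers percent-decode the host, so decode before judging it.
        flags.append("percent-encoding in hostname")
        host = unquote(host)
    if not host.isascii():
        # Non-ASCII label, e.g. a Cyrillic "а": show the xn-- form a browser would resolve.
        flags.append("non-ASCII hostname (possible homograph): " + host.encode("idna").decode())
    domain = registrable_domain(host)
    brand = domain.split(".")[0]
    if brand not in WATCHED_BRANDS and brand.translate(LOOKALIKES) in WATCHED_BRANDS:
        flags.append(f"'{brand}' is a digit-for-letter lookalike of {brand.translate(LOOKALIKES)}")
    # Subdomain misdirection: a watched brand appearing left of the real domain.
    for part in host[: len(host) - len(domain)].rstrip(".").split("."):
        if part and (part in WATCHED_BRANDS or part.translate(LOOKALIKES) in WATCHED_BRANDS):
            flags.append(f"brand '{part}' used as a subdomain of {domain}")
    return {"host": host, "domain": domain, "flags": flags}


if __name__ == "__main__":
    for u in ("https://secure.bank.com/login", "https://bank.com.secure-login.net/login",
              "http://paypa1.com", "http://аpple.com/", "http://bank%2Ecom.secure-login.net/"):
        print(u, "->", inspect_url(u))
```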
4. Social Engineering Psychology
| Technique | Example | Red flag |
|---|---|---|
| Urgency | "Your account will be frozen in 2 hours" | Legitimate banks don't set extreme deadlines via email |
| Fear | "Suspicious activity detected — verify now" | Government agencies don't demand wire transfers by phone |
| Authority | Impersonating banks, tax authorities, police | Always verify through official channels (website, app) |
| Greed | "You've won a prize / have unclaimed tax refund" | Nothing is free — if it sounds too good to be true, it is |
| Familiarity | Spear phishing using your name, job title, recent events | Personalization ≠ legitimacy; still verify the channel |
5. How to Verify a Suspicious Email
Check the sender's domain
Display names can be spoofed — what matters is the domain after the @:
- [email protected] → legitimate (official domain after @)
- [email protected] → phishing (domain is not paypal.com)
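An added example (not from the original article) of applying this check programmatically: it parses the From header with Python's email.utils.parseaddr so that a spoofed display name, even one that itself looks like an address, is ignored and only the domain of the real address counts. The sample headers are constructed, and treating subdomains of the official domain as legitimate is an assumption of this example.

```python
from email.utils import parseaddr


def sender_domain(from_header: str) -> str:
    """Return the domain after the @ of the actual address in a From header."""
    _display_name, addr = parseaddr(from_header)  # display name is discarded on purpose
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_official_sender(from_header: str, official_domain: str) -> bool:
    """True only if the real address is on the official domain or one of its subdomains.

    Assumption for this example: the institution also mails from subdomains
    such as mail.<official_domain>.
    """
    domain = sender_domain(from_header)
    official = official_domain.lower()
    return bool(domain) and (domain == official or domain.endswith("." + official))


# Constructed sample headers. In the third one the display name is itself a fake
# address; in the fourth the official name is a subdomain of someone else's domain.
SAMPLES = [
    "PayPal <service@paypal.com>",
    "PayPal Service <no-reply@mail.paypal.com>",
    '"service@paypal.com" <alerts@paypal-security.example>',
    "PayPal <service@paypal.com.secure-login.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r}: domain={sender_domain(header)} official={is_official_sender(header, 'paypal.com')}")
```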
Hover before you click
On desktop, hover over a link without clicking — the real URL appears in the browser's status bar. On mobile, long-press the link to preview the destination.
Go directly to the official site
Never use the link in the email. Type the official URL directly in your browser or use a bookmark. Any genuine account issue will be visible after logging in through the real site.
6. Technical Account Protections
- Enable two-factor authentication (2FA): Even if your password is stolen, attackers still need a second factor. Prefer a TOTP authenticator app over SMS (SMS can be intercepted via SIM swap attacks)
- Use a password manager: Password managers only autofill on the correct domain — they won't fill your credentials on a phishing site, providing an extra layer of protection
- Unique password per account: Prevents one breach from cascading to other accounts
7. If You've Already Clicked a Suspicious Link
- Don't enter any data — clicking alone doesn't compromise you; the damage comes from what you type
- Close the tab immediately if prompted to install extensions or download files
- Scan for malware if you downloaded anything
- Change passwords for any account whose credentials you may have entered, and check for reuse elsewhere
- Notify the relevant institution — if bank-related, call the official number immediately to freeze the account
Summary
- Phishing combines fake URLs, psychological pressure, and trusted appearances — it's the costliest category of cybercrime
- Identify URLs: the real domain is the name just before the top-level domain plus the TLD; everything to its left is a subdomain; watch for homograph substitutions and URL encoding
- Verify emails: check the domain after @, hover before clicking, go directly to official sites
- Technical defenses: enable 2FA, use a password manager, unique password per account
- Already clicked: don't enter data, close the tab, scan for malware, change passwords, notify the institution