How Phishing Works


Before I get into the details, let’s get some terminology out of the way. There are multiple types of phishing; the most commonly known are probably the Nigerian scam emails. This type falls under the generic term ‘Phishing’. Emails made specifically for you are called ‘Spear Phishing’, and if you’re a company CEO we might even call it ‘Whaling’.

In all cases, an attacker plays on your emotions to trick you into opening a malicious file or visiting a fake website and divulging personal information.

The Components

As most articles on phishing will tell you, phishing emails often use a sense of urgency, risk or gain, false links, emails or names, and scare tactics. But those are a lot of things my coworker might also get wrong when rushed.

So, when I try to judge whether an email might be a phishing attack, I look for 3 things: (1) Hook, (2) Line and (3) Sinker. And to keep it interesting, I’ve marked all 3 elements on my favorite phishing email.

The Hook

Most phishing emails try to hook you as soon as possible. This hook is usually accomplished by writing something into either the email subject or the first sentence of the email’s contents to trigger an emotional response. In my case, the attacker did both for good measure.


The Line

Now that you’re hooked, the attacker needs to keep you actively engaged in this email, because as soon as you search Google you are going to find an example of someone who fell for the same email.

When presenting the Line, the attacker will most often try to rationalize the situation for you. In most cases, this rationale falls apart as soon as you take a moment to think about it. In my example, the attacker is trying to rationalize how I was hacked by flooding me with technical jargon that boils down to gibberish if you work in IT.


The Sinker

Now that the attacker has you convinced that this is a very serious and real situation, he will present you with a course of action. This can be anything from ‘go to this website’ to ‘please send me your social security number’. In my case, the attacker just straight up told me to pay him: less creative, but probably the most direct way to earn money from phishing.

An important thing to remember is that the website might be a second attack. You might be directed to a download site where, once you click the link, the malware is automatically downloaded. Or the website could imitate a trusted website and ask for your username and password there.

What if you absolutely must be sure?

If you’re still too scared to just delete the email because you’re still not convinced, consider the following:

Reach out to the person in question via another form of communication. If it’s your boss, give them a call to confirm. If it’s the king of Nigeria, send him a Facebook invite and chat with him first.

Just don’t reply to the phishing message, as most attackers will then focus more effort on you.