Phishing and Social Engineering

Most successful attacks don’t begin with sophisticated technical exploits. They begin with a message (an email, a text, a phone call) designed to make someone do something they wouldn’t otherwise do. Phishing and social engineering remain among the most effective methods available to attackers precisely because they target human judgement rather than technical defences.

The challenge has become more acute. AI tooling has made it significantly easier to produce convincing, personalised, grammatically clean messages at scale. The era of obvious spelling errors and implausible monetary windfalls is largely over. Modern phishing attempts can be highly targeted, well-researched, and difficult to distinguish from legitimate communication at a glance.

Understanding the methods matters more than any checklist.

How phishing works

Phishing is the use of deceptive messages to obtain credentials, financial access, or a foothold into systems. Email is still the most common vector, but attacks also arrive via SMS (smishing), voice calls (vishing), and increasingly through collaboration platforms and social media.

The goal varies. Some attacks are after login credentials directly, using a fake login page that harvests whatever you type. Others aim to install malware through an attachment or link. Others still are designed to manipulate someone into taking an action, such as transferring funds or changing account details, based on a fabricated but plausible scenario.

Targeted attacks and pretexting

Not all phishing is opportunistic. Spear phishing targets specific individuals, often using information gathered from public sources such as LinkedIn profiles, company websites and press releases to construct a convincing pretext. A message that references your organisation, your role, a recent project, or a colleague by name feels different to a generic broadcast. That familiarity is the point.

Business email compromise is a related and particularly damaging variant, where attackers impersonate senior figures or trusted suppliers to authorise payments or obtain sensitive information. These attacks often involve patience, monitoring communications, understanding relationships and timing the approach carefully.

What to look for

No single indicator is definitive, but certain patterns are worth treating with consistent scepticism.

Urgency is one of the most reliable signals. Legitimate systems and processes rarely demand immediate action under threat of consequence. Requests that create time pressure (an account about to be suspended, a payment that must go today, a security alert requiring immediate login) are designed to short-circuit careful thinking.

Unexpected requests deserve scrutiny even when they appear to come from known contacts. Compromised accounts, spoofed addresses and impersonation of trusted figures are common. If a request feels unusual (a colleague asking for something out of character, a supplier changing payment details unexpectedly), verify through a separate channel before acting.

Links and attachments should be treated with caution as a default. Hovering over a link to check the actual destination, rather than the displayed text, takes seconds and can reveal a mismatch. Attachments from unexpected sources, particularly those prompting you to enable macros or override security warnings, should be treated as suspect until confirmed otherwise.
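The link-mismatch check and the urgency signal described above, as an added example that is not part of the original page: a small Python heuristic that parses an HTML email body, flags links whose visible domain differs from the real destination (what hovering would reveal), and counts time-pressure phrases. The sample message, its domains and the URGENCY_TERMS list are constructed for illustration, not taken from any real campaign.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Phrases that manufacture time pressure (constructed list; extend from local reports).
URGENCY_TERMS = ("immediately", "suspended", "within 24 hours", "urgent", "verify now")

class _EmailParser(HTMLParser):
    """Collect (href, visible text) per link plus all visible text of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

def _host(value):
    """Lower-cased hostname of a URL or bare domain, minus any leading 'www.'."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower().removeprefix("www.")

def scan(html):
    """Flag links whose visible domain differs from the real one, plus urgency phrases."""
    parser = _EmailParser()
    parser.feed(html)
    mismatched = []
    for href, text in parser.links:
        # Compare only when the visible text itself looks like a URL or bare domain.
        shown = _host(text) if " " not in text and "." in text.strip(".") else ""
        real = _host(href)
        if shown and real and shown != real and not real.endswith("." + shown):
            mismatched.append((text, real))
    body = " ".join(parser.text).lower()
    urgency = [term for term in URGENCY_TERMS if term in body]
    return {"mismatched_links": mismatched, "urgency_terms": urgency,
            "score": 2 * len(mismatched) + len(urgency)}

# Constructed sample message (not a real campaign); uses reserved example/.test names.
SAMPLE = (
    "<p>Your account will be suspended unless you verify now.</p>"
    '<p>Sign in at <a href="http://login.example-verify.test/">https://portal.example.com/login</a></p>'
    '<p>Or read our <a href="https://www.example.com/help">help page</a>.</p>'
)
```

Running `scan(SAMPLE)` reports the first link as mismatched and two urgency phrases; a link whose visible text is a plain phrase such as "help page" is not compared, since only text that itself looks like a domain can mislead the reader about its destination.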

Social engineering beyond the inbox

Phishing is one form of social engineering, but the broader category includes any attempt to manipulate behaviour through psychological means. Pretexting, where an attacker constructs a false identity or scenario to extract information, can happen over the phone as easily as over email. Attackers may pose as IT support, suppliers, regulators, or colleagues. The information they seek may seem innocuous: a username, a process, a name. But it can be used to build a more complete picture or to authenticate a follow-up approach.

Healthy scepticism is not the same as paranoia. It means having a consistent habit of pausing before acting on requests that involve access, money, credentials, or sensitive information, regardless of how legitimate they appear.

If something doesn’t feel right

Trust that instinct. Reporting a suspicious message costs very little compared with the alternative: acting on a compromised one can be significantly harder to recover from. Most organisations have a process for reporting suspected phishing, such as a dedicated report button in mail clients like Outlook, an IT helpdesk, or an internal security team. Using it, even when uncertain, is always the right call.

The goal of social engineering is to make the target feel that hesitation or verification is unnecessary. Reversing that assumption is one of the most effective defences available.
