What is phishing? The types of attack, and defenses surer than 'spotting it'
Phishing impersonates someone you trust to lure you to a fake site and steal passwords or data. It targets people, not software bugs. This entry covers the types (spear phishing, BEC, smishing, adversary-in-the-middle) and the defenses surer than 'being careful': phishing-resistant MFA, domain checks and email authentication. Defense only.
"Pretending to be someone you trust, to lure you to a fake site" — that's phishing. Here are the types and the surer defenses (no attack steps).
How it works: it targets people, not "a hole in the software"
Where XSS or SQL injection exploits a defect in software, phishing exploits human judgment. Messages like "your account is suspended" or "urgent — confirm now" use urgency, authority, and fear to steal the moment you'd otherwise stop and think, then lure you to a pixel-perfect fake site to type your password. A site with zero technical vulnerabilities still leaks credentials if its users are fooled.
The types (different names, same core)
- Bulk phishing: blasted to many people
- Spear phishing: aimed at a specific person/org
- BEC: impersonate a supplier/exec to order a payment
- Smishing: over SMS
- Vishing: over phone
- AiTM: relays login to the real site, defeats MFA
The names differ, but the core is the same: lure you by faking trust. In particular BEC (business email compromise) causes large financial losses without any malware at all — just "a payment request that looks like it's from a supplier." It's a type you stop with a business-process check, not technology.
Defense: stop it with a mechanism, not vigilance
Use phishing-resistant MFA (most important)
A mechanism that doesn't respond to fake sites is the real answer. Passkeys / hardware security keys (FIDO2) are bound to the domain, so on a fake domain the authentication simply can't complete — not even adversary-in-the-middle (AiTM) can relay it. SMS/authenticator codes can be relayed, so move your kingdom keys (email, domain, payments) to resistant MFA first (→ choosing MFA).
Don't click the link — go to the official site yourself
Don't tap links in email or SMS; reach the official site directly via a bookmark or by typing the address. The more a message poses as "account check," "billing," or "delivery," the more you should open it your own way, not through its link.
Cut email spoofing with technology
Set up your domain's SPF/DKIM/DMARC correctly so spoofed mail impersonating your domain can be rejected at the receiving end (→ what SPF/DKIM/DMARC are). A password manager won't autofill on a fake domain, so "it didn't fill" is itself a tell that the site is fake.
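As an added illustration of the SPF/DKIM/DMARC point (example code, not from this site), the Python below evaluates a DMARC policy the way a receiving server does, contrasting a monitor-only record with one that rejects: a message whose From: domain is yours but whose SPF- and DKIM-authenticated domains do not align with it fails DMARC and gets the published policy. The domains, record contents and the two-label organizational-domain shortcut are assumptions.

```python
import re

# Constructed example: a minimal DMARC evaluation as the receiving side does it.
# Real receivers feed in the SPF/DKIM results they computed themselves; here those
# results are supplied as inputs. Only the tags needed here (v, p, adkim, aspf) matter.
WEAK_RECORD = "v=DMARC1; p=none"                       # monitor only: spoofed mail is delivered
CORRECT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    tags = dict(re.findall(r"(\w+)=([^;]+)", record))
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(d: str) -> str:
    """Relaxed alignment compares organizational domains (last two labels here,
    an assumption; real receivers use the Public Suffix List)."""
    return ".".join(d.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """'s' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_action(record: str, from_domain: str, spf_pass: bool, spf_domain: str,
                 dkim_pass: bool, dkim_domain: str) -> str:
    """Returns 'pass' (deliver) or the policy applied to a message that fails DMARC.
    DMARC passes if either SPF or DKIM passes AND that result aligns with From:."""
    t = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, t.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, t.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else t["p"]
```

A spoofer's mail can carry a perfectly valid SPF pass for the spoofer's own sending domain; alignment with the From: domain is what makes that irrelevant.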
Pause under urgency/authority; verify payments out-of-band
"Right now," "from the exec," "you can stop it" — that pressure is the signal of a trap. When you're being rushed, pause. For any request involving a payment or credentials, verify the person through a separate channel like a phone call before acting (the heart of BEC defense).
- Easy to defeat: Password plus an SMS/authenticator code only. With a pixel-perfect fake site relaying the code (AiTM), even a careful person has their credentials taken. A defense that assumes "I can spot it."
- Actually stops it: A passkey/hardware key bound to the domain. On a fake domain the authentication can't complete, so even a fooled user isn't breached. A mechanism that's "safe even if you can't spot it."
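To make the "bound to the domain" point concrete for both the phishing-resistant MFA section above and this comparison, here is an added Python simulation (not code from this site) of the checks a passkey login goes through: the browser fills in the page origin itself and refuses a mismatched RP ID, and the server rejects any response whose origin is not its own, so a relayed response never validates, while a relayed one-time code does. The domains, the HMAC stand-in for the authenticator's signature and the helper names are assumptions.

```python
import hashlib, hmac, json

# Constructed simulation of a WebAuthn (passkey) login. HMAC-SHA256 with a
# per-credential secret stands in for the authenticator's asymmetric signature
# (a real relying party verifies ECDSA/EdDSA with the stored public key).
RP_ID = "bank.example"                    # domain the passkey is bound to
EXPECTED_ORIGIN = "https://bank.example"
CRED_SECRET = b"constructed-per-credential-secret"


def browser_and_authenticator(page_origin: str, rp_id: str, challenge: str) -> dict:
    """Client side. The browser refuses an RP ID that is not the page's host (or a
    registrable suffix of it) and writes `origin` itself; the page cannot lie about either."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("browser refused: rpId does not match page origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05\x00\x00\x00\x01"  # rpIdHash|flags|counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_SECRET, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(resp: dict, challenge: str) -> str:
    """Relying-party checks; returns 'ok' or the first failing check."""
    cd = json.loads(resp["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return "bad type/challenge"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"          # the check that defeats AiTM relay
    if resp["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    signed = resp["auth_data"] + hashlib.sha256(resp["client_data"]).digest()
    expected = hmac.new(CRED_SECRET, signed, hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, resp["sig"]) else "bad signature"


def legit_login(challenge: str = "c1") -> str:
    return rp_verify(browser_and_authenticator(EXPECTED_ORIGIN, RP_ID, challenge), challenge)


def aitm_relay_login(challenge: str = "c1") -> tuple:
    proxy = "https://bank-login.example"  # the page the user is really on; proxy relays unchanged
    try:                                  # asking for the bank's RP ID fails at the browser
        browser_and_authenticator(proxy, RP_ID, challenge)
        first = "browser allowed"
    except ValueError as err:
        first = str(err)
    resp = browser_and_authenticator(proxy, "bank-login.example", challenge)
    return first, rp_verify(resp, challenge)


def aitm_relay_totp(user_code: str, server_code: str) -> bool:
    return hmac.compare_digest(user_code, server_code)  # relayed digits carry no origin
```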
This site's view: 'be careful' is not a defense strategy
We think leaning on "staff training" and "awareness" alone for phishing is shaky. Now that adversary-in-the-middle (AiTM) is routine, no matter how careful someone is, they can't beat a pixel-perfect fake site plus code relay. Awareness can help, but it can't be the last line. The real answer is a mechanism — roll out domain-bound phishing-resistant MFA, kingdom keys first. Investing in an "unbreakable even if you can't spot it" design beats trying to "train people who can spot it." That's the modern answer.
Blind spot: "I won't be fooled" is the most dangerous belief
The biggest pitfall in phishing defense is the overconfidence of "I can spot it." Adversary-in-the-middle (AiTM) shows a pixel-perfect screen and relays the password and one-time code you type to the real site on the spot. In other words, even if you're careful and enter the correct code, that correct code is stolen too. So basing your defense on "vigilance to spot it" is itself the mistake; the right move is to shift to a mechanism — authentication that can't complete on a fake domain (phishing-resistant MFA). Refusing to stop at "be careful" is the starting point of modern phishing defense.
Read next
- Learn: choosing MFA the right way (what phishing-resistant MFA is)
- Glossary: what SPF/DKIM/DMARC are (cut spoofed mail with technology)
- Glossary: what ransomware is (phishing is its top entry route)
- Learn: storing passwords safely (keep stolen credentials from being abused)
FAQ
Q: Can I just spot phishing if I'm careful?
Believing 'I can spot it' is dangerous overconfidence. Modern phishing uses pixel-perfect fake sites and 'adversary-in-the-middle (AiTM)' relays that pass the password and one-time code you type straight to the real site in real time — so even careful people get their SMS or authenticator codes stolen along with the password. That's why the real defense isn't vigilance but a mechanism that doesn't respond to fake sites: domain-bound phishing-resistant MFA (passkeys/security keys).
Q: What types of phishing are there?
Common ones: bulk phishing blasted to many people; spear phishing aimed at a specific person or org; BEC (business email compromise), impersonating an executive or supplier to instruct a payment; smishing over SMS; and vishing over phone. On top of these, adversary-in-the-middle (AiTM) phishing relays your login to the real site and is especially dangerous because it can defeat ordinary MFA.
Q: Does enabling MFA stop phishing?
MFA is strongly recommended, but it depends on the type. SMS and authenticator one-time codes can be defeated when an adversary-in-the-middle relays the code in real time. What can't be relayed is domain-bound phishing-resistant MFA like passkeys or hardware security keys (FIDO2): on a fake domain the authentication simply can't complete. See the guide on choosing MFA for details.