What are common phishing techniques and how to recognize them

· Category: Cybersecurity

Short answer

Phishing tricks people into revealing credentials or installing malware by impersonating trusted entities. Common techniques include email spoofing (fake sender address), credential harvesting (fake login pages), and spear phishing (targeted attacks using personal information). Defense combines technical controls (email authentication, MFA) and user training. For the authentication layer, see authentication vs authorization.

Common techniques

  1. Email spoofing: The "From" address appears legitimate but the email comes from a different server. Check the "Reply-To" header and the actual sending domain.
  2. Credential harvesting: A fake login page that looks identical to the real one (e.g., g00gle.com instead of google.com). Captures usernames and passwords.
  3. Spear phishing: Targeted at a specific person using information from LinkedIn, company websites, or previous data breaches. Much harder to detect than mass phishing.
  4. Business Email Compromise (BEC): Attacker impersonates a CEO or CFO and requests urgent wire transfers. No malicious links — just social engineering.
  5. SMS phishing (smishing): Text messages with urgent calls to action ("Your package delivery failed, click here").

How to recognize phishing

  • Urgency or threats ("Your account will be closed in 24 hours")
  • Generic greetings ("Dear Customer" instead of your name)
  • Mismatched URLs (hover before clicking — does the link go where it says?)
  • Spelling and grammar errors (less common in spear phishing)
  • Requests for credentials, payment info, or sensitive data
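A small indicator checker, added here as an example and not part of the original answer: it parses a constructed sample message and flags the signals listed above (Reply-To and Return-Path domains that disagree with From, a look-alike domain such as g00gle.com, urgency wording, a generic greeting, and a link whose visible text names a different site than its href). The trusted-domain list, keyword patterns and sample headers are assumptions for illustration, not values from any real message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample (not a real message) carrying several indicators at once: sender headers
# that disagree, a look-alike domain, urgency, a generic greeting and a misleading link.
SAMPLE = """\
From: "Google Accounts" <no-reply@google.com>
Reply-To: support@g00gle.com
Return-Path: <bounce@mail-sender.example>
Subject: Urgent: your account will be closed in 24 hours

<p>Dear Customer,</p>
<p><a href="http://g00gle.com/login">https://accounts.google.com/</a></p>
"""
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|will be (closed|suspended))\b", re.I)
GENERIC = re.compile(r"\bDear (Customer|User|Member)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH = re.compile(r"(https?://)?[\w.-]+(/\S*)?")  # anchor text that reads as a URL

def addr_domain(header):
    # Domain part of an address header, or '' when the header is missing.
    return parseaddr(header or "")[1].rpartition("@")[2].lower()
def url_domain(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
def looks_like(domain, trusted):
    # Fold common digit-for-letter swaps (0->o, 1->l, 3->e); a look-alike folds onto the trusted name.
    return domain != trusted and domain.translate(str.maketrans("013", "ole")) == trusted
def phishing_indicators(raw, trusted=("google.com",)):
    """Return human-readable indicators found in one raw RFC 5322 message (non-multipart)."""
    msg = message_from_string(raw)
    found, from_dom = [], addr_domain(msg["From"])
    body = "" if msg.is_multipart() else msg.get_payload()
    domains = {from_dom}
    for hdr in ("Reply-To", "Return-Path"):  # sender headers that should agree with From
        d = addr_domain(msg[hdr])
        if d and d != from_dom:
            found.append(f"{hdr} domain {d} differs from From domain {from_dom}")
            domains.add(d)
    for label, rx in (("urgency language", URGENCY), ("generic greeting", GENERIC)):
        if rx.search((msg["Subject"] or "") + " " + body):
            found.append(label)
    for href, text in ANCHOR.findall(body):  # hover check: does the link go where it says?
        href_dom, shown = url_domain(href), re.sub(r"<[^>]+>", "", text).strip()
        domains.add(href_dom)
        if URLISH.fullmatch(shown) and url_domain(shown) != href_dom:
            found.append(f"link text {url_domain(shown)} but href {href_dom}")
    found += [f"look-alike domain {d} for {t}" for t in trusted for d in sorted(domains) if looks_like(d, t)]
    return found
```

Running `phishing_indicators(SAMPLE)` lists all six indicators; a message whose headers agree and whose links go where they say returns an empty list.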

Tips

  • Enable MFA on all accounts — even if credentials are phished, MFA blocks access. See how to implement two-factor authentication in a web app.
  • Use email authentication protocols: SPF, DKIM, and DMARC to prevent domain spoofing
  • Train employees with simulated phishing tests quarterly