Phishing: How to Recognize and Avoid Attacks

Every day, 3.4 billion phishing emails are sent worldwide. Behind these messages lie increasingly sophisticated manipulation techniques. Understanding how they work is the best way to protect yourself.

What is phishing and why does it work?

Phishing is a fraud technique that involves impersonating a trusted organization (a bank, delivery service, or government agency) to steal personal information. Its effectiveness rests on a simple principle: the appearance of legitimacy.

A phishing email replicates the logos, colors, and tone of an official message. Users rely on visual appearance to judge whether a message is trustworthy — and that's exactly the habit attackers exploit. Whether by email, SMS, or even postal mail, the mechanics are the same: create a convincing appearance to trigger a thoughtless action.

How do attackers create a sense of urgency?

Phishing messages use psychological pressure to short-circuit judgment and push people to act quickly, before they have a chance to think. The goal is to provoke an emotional reaction rather than a rational analysis.

The most common pretexts follow a recurring pattern:

  • "Suspicious activity detected on your account — change your password immediately"
  • "Payment issue: your subscription is about to be canceled"
  • "Package on hold — customs fees must be paid within 24 hours"
  • "Security alert on your credit card"

Each message contains a link or button that leads to a fake website, visually identical to the real one. That's where the victim enters their credentials, believing they're logging into the legitimate service.

How do you spot a fake domain name?

The most reliable way to identify a phishing site is to carefully read the URL — specifically the domain name. Attackers use several camouflage techniques to fool the eye.

Let's take example.com as the legitimate domain:

  • Subdomain abuse: example.another-dangerous-site.cam — the real domain here is another-dangerous-site.cam, not example
  • Deceptive hyphen: example-secure-login.cam — an entirely different domain that contains the brand name
  • Different TLD: example.site instead of example.com
  • Typosquatting: examplle.com — a doubled letter, easy to miss when reading quickly

The rule to remember: the real domain is what appears just before the TLD (.com, .fr, .org). Everything to the left of an additional dot is a subdomain, which anyone can create.

Can you verify the authenticity of an email?

Yes, but not by relying on appearance alone. Spam filters catch some fraudulent emails through technical mechanisms like SPF and DKIM, which check whether an email really originates from the domain named in its headers rather than from an arbitrary server.

SPF (Sender Policy Framework) lists the servers authorized to send emails for a given domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature that recipients can verify. This information is visible in the message's technical headers.

But these mechanisms have an important limitation: they prove that a message genuinely came from a given domain, not who is behind that domain or whether it is the organization the recipient has in mind. An attacker can configure a perfectly valid SPF and DKIM on a domain like support-securite-amazon.com. That's technically clean — but humanly deceptive.

Why is SMS phishing even more dangerous?

Smishing (SMS phishing) exploits the specific characteristics of mobile devices to bypass security instincts. SMS is often perceived as more trustworthy than email, even though the protections are less effective.

Several characteristics make SMS particularly risky:

  • Spam filters are less effective for SMS than for email
  • The mobile interface doesn't display the full URL before you tap
  • The sender's number can be replaced by an alphanumeric name (LaPoste, Ameli) that's easy to spoof
  • The URL in a mobile browser is often truncated
  • A fraudulent message can appear in the same conversation thread as legitimate messages from the same sender

The pretexts are similar to email phishing: package on hold, banking alert, refund to collect, official summons.

How does a password manager protect against phishing?

A password manager compares the actual URL of a site against the one stored for each set of credentials. If the domain doesn't match exactly, it won't offer to fill in the fields. This is a passive protection that requires no effort from the user.

Where the human eye might confuse example.com with examplle.com, the password manager performs a strict, character-by-character comparison. It isn't fooled by visual domain camouflage tricks. This automatic check acts as an everyday safety net: if your password manager doesn't offer to fill in your credentials on a site, that's an immediate red flag.
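The domain rule from the section on fake domain names and the password manager's strict comparison both come down to the same computation: finding the registrable domain of a host. The following Python is an added example, not code from the original article or from any password manager; it uses a constructed, deliberately tiny public-suffix list (a real implementation should load the full Public Suffix List), labels each of the four camouflage techniques above, and refuses to autofill unless the registrable domains match.

```python
from urllib.parse import urlsplit

# Constructed mini public-suffix list for this example only. A real checker
# loads the full Public Suffix List (publicsuffix.org), which also covers
# multi-label suffixes such as co.uk.
PUBLIC_SUFFIXES = {"com", "fr", "org", "site", "cam", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of the host someone actually registered: the label just
    left of the public suffix plus the suffix (example.com for login.example.com).
    Everything further left is a subdomain that anyone can create."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so co.uk wins over uk.
    for n in range(len(labels) - 1, 0, -1):
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    raise ValueError(f"no known public suffix in {host!r}")


def classify_lookalike(legit: str, candidate: str) -> str:
    """Name the camouflage technique a candidate host uses relative to the
    legitimate registrable domain; 'same' means it really is that domain."""
    real = registrable_domain(candidate)
    if real == legit:
        return "same"
    legit_label, legit_tld = legit.split(".", 1)
    cand_label, cand_tld = real.split(".", 1)
    if candidate != real and legit_label in candidate.split("."):
        return "subdomain abuse"            # example.another-dangerous-site.cam
    if cand_label == legit_label and cand_tld != legit_tld:
        return "different TLD"              # example.site
    if "-" in cand_label and legit_label in cand_label:
        return "deceptive hyphen"           # example-secure-login.cam
    return "typosquatting or unrelated"     # examplle.com


def autofill_allowed(stored_url: str, page_url: str) -> bool:
    """Password-manager style check: fill only when the page's registrable
    domain is exactly the one the credential was saved for. This example also
    refuses plain http so credentials never go over an unencrypted page."""
    stored, page = urlsplit(stored_url), urlsplit(page_url)
    if page.scheme != "https":
        return False
    return registrable_domain(stored.hostname or "") == registrable_domain(page.hostname or "")
```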

Why isn't 2FA enough against phishing?

Two-factor authentication (2FA) is a genuine security improvement, but it doesn't protect against automated phishing attacks in real time. In what's known as an AiTM (Adversary-in-the-Middle) scenario, the attacker intercepts and relays each step of the login process.

Here's how it unfolds: the victim enters their credentials on the fake site. The fake site immediately forwards them to the real site, which sends a 2FA code. The victim enters that code on the fake site, which relays it in turn. The attacker ends up logged in with a valid code — in real time.

2FA remains effective against offline attacks — a stolen password database becomes useless if 2FA is active. But against a real-time proxy, the one-time code is intercepted before it expires.

Do passkeys protect against phishing?

Yes. Unlike the password + 2FA code combination, a passkey is cryptographically bound to the exact domain it was created for. On a fake site — even one that looks visually identical — the passkey simply won't activate.

There's nothing to intercept and nothing to replay: authentication relies on a cryptographic exchange between the user's device and the legitimate server. Even a real-time AiTM proxy cannot bypass this protection. Passkeys represent the structural answer to phishing, by eliminating the weak link — the shared secret that a user can unknowingly hand over.
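To show why a passkey "simply won't activate" on a lookalike host, here is an added model of the domain binding in a WebAuthn-style login; it is not code from the article or from any passkey implementation. The real protocol signs with a per-site private key that the server checks against the registered public key; this constructed model uses one HMAC key shared by both sides as a stand-in so it runs with the standard library, and the names RP_ID, RP_ORIGINS and the class and function names are assumptions. The binding checks on both sides are the point: the authenticator only releases a passkey for the rpId the page's host belongs to, and the server rejects assertions made for any other origin, rpId or challenge.

```python
import hashlib, hmac, json, os

RP_ID = "example.com"                                  # relying-party identifier (assumed)
RP_ORIGINS = {"https://example.com", "https://login.example.com"}


def origin_host(origin: str) -> str:
    return origin.split("://", 1)[1].split(":", 1)[0]


class Authenticator:
    """A phone or security key: passkeys are stored under the rpId they were created for."""
    def __init__(self):
        self.keys = {}                                 # rpId -> key

    def create(self, rp_id: str) -> bytes:
        self.keys[rp_id] = os.urandom(32)
        return self.keys[rp_id]                        # stand-in for the public key sent at registration

    def get(self, origin: str, rp_id: str, challenge: bytes):
        """Browser-side scoping: a page may only use passkeys whose rpId equals its
        host or a parent domain of it, so a lookalike host finds nothing to sign with."""
        host = origin_host(origin)
        if rp_id not in self.keys or (host != rp_id and not host.endswith("." + rp_id)):
            return None
        client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                                  "challenge": challenge.hex()}).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()       # the rpIdHash field
        sig = hmac.new(self.keys[rp_id], auth_data + hashlib.sha256(client_data).digest(),
                       "sha256").digest()
        return client_data, auth_data, sig


def server_verify(verify_key: bytes, challenge: bytes, assertion) -> bool:
    """Relying-party checks: allowlisted origin, our rpIdHash, our fresh challenge, valid signature."""
    if assertion is None:
        return False
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") not in RP_ORIGINS:
        return False
    if cd.get("challenge") != challenge.hex():
        return False                                   # stale or captured assertion
    if auth_data != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(verify_key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(sig, expected)


def login_attempt(auth: Authenticator, verify_key: bytes, page_origin: str) -> bool:
    """One login from the page the user is really on; the server issues a fresh challenge."""
    challenge = os.urandom(32)
    return server_verify(verify_key, challenge, auth.get(page_origin, RP_ID, challenge))
```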

Should you lie on security questions?

Security questions ("What is your pet's name?", "What city were you born in?") often involve semi-public information. An attacker with access to your social media profiles, a data breach, or even a passing acquaintance with you can answer them on your behalf.

There's no rule saying you have to answer truthfully. "What is your favorite animal?" can be answered with "the planet Mars." What matters is being able to retrieve that fake answer — a password manager is the natural place to store it, just like any password.

Key takeaways

  • Phishing relies on the appearance of legitimacy and a sense of urgency: slowing down before clicking is the first reflex to develop
  • The URL is the only reliable indicator: learn to read the real domain name, especially on mobile
  • A password manager checks the URL on your behalf and won't be fooled by fake domains
  • 2FA protects against offline attacks, but not against real-time phishing
  • Passkeys are the only structural protection that makes phishing technically impossible
  • Lie on security questions and store your fake answers in a password manager