The TLDR
Phishing is a social engineering attack on human trust, delivered through every communication channel that exists — email, text, phone, QR codes, social media DMs, and now deepfake video. The mechanics have evolved from obvious Nigerian Prince emails to AI-generated spear phishing that’s grammatically perfect and personally targeted. Software can reduce the exposure. Nothing eliminates it. Understanding how these attacks are built is the closest thing to immunity you’ll get.
The Reality
The FBI IC3’s 2023 report listed phishing as the #1 reported cybercrime by volume. Business Email Compromise — phishing’s corporate cousin — caused $2.9 billion in losses. And those are just the reported cases.
Here’s what a modern spear phishing campaign looks like from the attacker’s side:
- Reconnaissance: The attacker researches the target using LinkedIn, social media, corporate websites, and data broker records. They learn who reports to whom, what projects are active, and which vendors the company uses.
- Infrastructure: They register a domain that looks like the target company’s domain — maybe acme-corp.com instead of acmecorp.com. They set up SPF, DKIM, and DMARC on it so the email passes authentication checks (those checks only prove the mail really came from the lookalike domain, not that the domain belongs to the company).
- Payload: They craft an email that references a real project, uses the correct internal jargon, and appears to come from a known colleague. The link goes to a cloned login page.
- Execution: The email arrives. It looks right. It sounds right. The link works. The victim enters their credentials. Game over.
That’s the sophisticated version. The mass-market version uses volume instead of precision — and it works just as well because humans are the vulnerability.
How It Works
Email Phishing — The Foundation
Standard phishing uses volume. Millions of emails sent with a generic hook — “Your account has been suspended,” “Package delivery failed,” “Verify your identity.” The APWG Phishing Activity Trends Report tracks hundreds of thousands of unique phishing sites active at any given time.
How phishing kits work: Attackers don’t build phishing pages from scratch. They buy or download phishing kits — pre-built packages that clone the login pages of banks, email providers, and social media platforms. These kits include credential harvesting backends, anti-detection features, and sometimes real-time session proxying.
Typosquatted domains: paypa1.com, arnazon.com, g00gle.com. These domains cost $10 to register and pass casual inspection. Some attackers use internationalized domain names with lookalike Unicode characters — аpple.com using a Cyrillic “а” instead of Latin “a” looks identical in most fonts. Browsers and mail clients often display such mixed-script names in their punycode form (a label beginning with xn--), which is one way to spot them.
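A detector for the lookalike and typosquatted domains described here (including the acme-corp.com case from the spear phishing walkthrough), added as an illustration and not part of the original article; the protected-domain list and the confusable table are constructed assumptions, and it accepts both Unicode and punycode (xn--) forms as they appear in mail headers:

```python
import unicodedata
# Constructed sample: domains this organisation actually uses. A sender or link
# domain that is not in this set but collapses onto one of them is a lookalike.
PROTECTED = {"acmecorp.com", "paypal.com", "amazon.com", "google.com", "apple.com"}

# Substitutions that survive casual inspection: Cyrillic letters that render like
# Latin ones, digits that resemble letters, and digraphs that blur into one glyph.
CONFUSABLE = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
              "і": "i", "0": "o", "1": "l", "3": "e", "5": "s",
              "rn": "m", "vv": "w", "cl": "d"}

def to_unicode(domain):
    """Decode punycode labels (xn--...) as seen in headers; pass Unicode through."""
    return domain.encode("ascii").decode("idna").lower() if domain.isascii() else domain.lower()

def scripts_in(label):
    """Unicode scripts used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "?").split()[0] for ch in label if ch.isalpha()}

def skeleton(domain):
    """Collapse visually similar characters so a lookalike maps onto its target."""
    s = domain.replace("-", "")
    for digraph in ("rn", "vv", "cl"):             # multi-character swaps first
        s = s.replace(digraph, CONFUSABLE[digraph])
    return "".join(CONFUSABLE.get(ch, ch) for ch in s)

def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats the skeleton misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

PROTECTED_SKELETONS = {skeleton(p) for p in PROTECTED}

def classify(domain):
    """Return 'trusted', 'lookalike', 'typosquat' or 'unrelated' for a domain."""
    d = to_unicode(domain.strip())
    if d in PROTECTED:
        return "trusted"
    if any(len(scripts_in(label)) > 1 for label in d.split(".")):
        return "lookalike"                         # Latin and Cyrillic in one label
    if skeleton(d) in PROTECTED_SKELETONS:
        return "lookalike"
    if any(levenshtein(skeleton(d), p) <= 1 for p in PROTECTED_SKELETONS):
        return "typosquat"
    return "unrelated"
```

Because the check runs on the domain itself, it flags a lookalike even when the message passed SPF, DKIM and DMARC for that lookalike domain.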
Smishing — SMS Phishing
Smishing has exploded because people trust text messages more than email. The FTC reported that text message scams cost consumers $330 million in 2022 — more than double the previous year.
How it works technically:
- Short code spoofing: Attackers send texts that appear to come from legitimate short codes (the 5-6 digit numbers banks and services use). Carrier filtering catches some of these, but the infrastructure is fragile.
- The toll road/delivery scam: “Your EZ-Pass has an unpaid toll of $4.35. Pay now to avoid a $50 late fee.” The link goes to a credential harvesting page. This works because the amount is small enough to seem real and urgent enough to click without thinking.
- iMessage link tricks: Apple’s iMessage disables links from unknown senders by default. Smishing texts often include a line like “Reply Y to confirm, then reopen the message” — because replying to the message makes iMessage treat the sender as known, enabling the malicious link.
- Carrier filtering evasion: Attackers rotate through burner SIMs, VoIP numbers, and SIM farms to avoid carrier-level spam filtering. Some use compromised legitimate accounts to send texts from trusted numbers.
Common smishing templates in 2026:
- Bank fraud alerts: “Suspicious activity on your account. Call this number to verify.”
- USPS/FedEx delivery: “Your package couldn’t be delivered. Update your address here.”
- Toll violations: “Unpaid toll of $6.99. Pay within 48 hours.”
- IRS/tax: “Your tax refund of $3,247.00 is pending. Verify your identity.”
Vishing — Voice Phishing
Vishing uses phone calls instead of text. Caller ID spoofing makes the call appear to come from your bank, the IRS, or law enforcement. VoIP infrastructure makes this trivially cheap.
The call center model: Many vishing operations run from organized call centers — primarily in India, Nigeria, and Southeast Asia. The FBI IC3 has documented operations with hundreds of callers working scripts against specific demographics.
The playbook:
- Call spoofing your bank’s number
- “We’ve detected suspicious activity on your account”
- Build urgency: “Your account will be frozen in 30 minutes if we can’t verify”
- Request: account number, PIN, SSN, or one-time verification code
- If the victim gets suspicious, transfer to a “supervisor” (another scammer)
IRS/Social Security impersonation: “This is the IRS. A warrant has been issued for your arrest due to unpaid taxes. Press 1 to speak with an agent.” The FTC’s impersonation scam data shows these calls target elderly Americans disproportionately, with losses exceeding $1.1 billion annually.
Quishing — QR Code Phishing
QR codes are the newest delivery mechanism because they bypass email and text filtering entirely.
Attack vectors:
- Parking meters: Stickers with malicious QR codes placed over legitimate payment QR codes. You think you’re paying for parking — you’re entering your credit card on a phishing site.
- Restaurant menus: Fake QR codes placed on tables redirect to credential harvesting pages disguised as WiFi login portals.
- Fake WiFi codes: “Scan to connect” QR codes in coffee shops and airports that redirect to malicious captive portals.
- Physical mail: QR codes in fake letters from banks, utilities, or the IRS.
Quishing is effective because QR codes are opaque — you can’t see where they lead before scanning. And most people have been trained to scan QR codes without thinking by restaurants and parking meters.
The AI Upgrade
LLM-Powered Phishing
The era of catching phishing by grammar errors is over. Large language models generate flawless, contextually appropriate phishing emails in any language. An attacker can feed an LLM a target’s LinkedIn profile and get a personalized spear phishing email in seconds.
What used to require hours of manual research and writing now takes minutes. The MITRE ATT&CK framework documents this under T1566 — phishing for information and phishing for access.
Voice Cloning for Vishing
Voice cloning technology can replicate a person’s voice from as little as three seconds of audio — pulled from a voicemail greeting, a YouTube video, or a conference recording. Attackers use cloned voices to call employees impersonating their CEO, or to call family members impersonating a relative.
The “grandparent scam” has been supercharged by voice cloning: “Grandma, I’m in trouble, I need money.” When it sounds exactly like your grandchild, the psychological defenses collapse.
Deepfake Video for Whaling
In February 2024, a finance worker at a multinational firm was tricked into transferring $25 million after attending a video call with what appeared to be the company’s CFO and other colleagues. Every person on the call was a deepfake. The FBI issued an advisory on deepfake-enabled fraud after this incident.
Detection is getting harder. The tells — unnatural blinking, mismatched lip sync, edge artifacts — improve with each generation of the technology.
The Family Passphrase
One low-tech countermeasure that still works: establish a passphrase with your family that you share only in person. If someone calls claiming to be your child, spouse, or parent and asks for money, ask for the passphrase. If they can’t provide it, hang up.
Real-Time Phishing Proxies
This is the attack that breaks TOTP-based 2FA.
Tools like EvilGinx2 act as a transparent proxy between you and the real login page. When you enter your password and 2FA code on the phishing page, the proxy forwards them to the real site in real time, captures the authenticated session token, and gives it to the attacker. You see a successful login. The attacker also has your session.
This is why hardware security keys (FIDO2/WebAuthn) and passkeys are critical — they authenticate to the domain, not the page content. The credential is bound to google.com and the browser reports the origin it is actually connected to, so a hardware key won’t authenticate to g00gle.com. TOTP codes don’t have this protection: a code is just a number, and it verifies no matter which site you typed it into.
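To show why a relay proxy gets a working session from TOTP but nothing from a hardware key, here is an added stand-alone model (not code from the page, from EvilGinx2, or from any FIDO library) of the WebAuthn assertion check; an HMAC key is assumed as a stand-in for the credential’s key pair, and google.com / g00gle.com are the page’s own examples:

```python
import hashlib, hmac, json, os
# Added model, not a real WebAuthn implementation: an HMAC key shared by the
# "authenticator" and the relying party stands in for the credential's ECDSA key
# pair so this runs on the standard library. The point is *what* gets signed.
class Authenticator:
    """Hardware key / passkey: one credential per RP ID, selected by the browser."""
    def __init__(self):
        self.creds = {}
    def register(self, rp_id):
        self.creds[rp_id] = os.urandom(32)
        return self.creds[rp_id]            # stand-in for the public key sent to the RP
    def get_assertion(self, browser_origin, challenge):
        # The browser, not the page's JavaScript, fills in origin and derives the RP ID
        # from it, so a page served from g00gle.com can only ask for a g00gle.com credential.
        rp_id = browser_origin.split("://", 1)[1]
        if rp_id not in self.creds:
            return None                     # nothing scoped to this domain: no ceremony
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": browser_origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()           # rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data).digest()    # authData || hash(clientDataJSON)
        return {"client_data": client_data, "auth_data": auth_data,
                "sig": hmac.new(self.creds[rp_id], to_sign, "sha256").digest()}

def rp_verify(rp_origin, cred_key, expected_challenge, assertion):
    """Relying-party side: the checks a site performs before accepting the login."""
    if assertion is None:
        return "no assertion"
    cd = json.loads(assertion["client_data"])
    if cd["challenge"] != expected_challenge:
        return "challenge mismatch"         # replay of a captured assertion
    if cd["origin"] != rp_origin:
        return "origin mismatch"            # signed while the browser was on another site
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, to_sign, "sha256").digest()
    return "ok" if hmac.compare_digest(expected, assertion["sig"]) else "bad signature"

def scenarios(real="https://google.com", proxy="https://g00gle.com"):
    """Constructed flows: direct login, login through a relay proxy, and replays."""
    key = Authenticator()
    pub = key.register("google.com")
    c1, c2 = os.urandom(16).hex(), os.urandom(16).hex()   # two server-issued challenges
    legit = key.get_assertion(real, c1)
    edited = dict(legit, client_data=legit["client_data"].replace(c1.encode(), c2.encode()))
    return {"legit": rp_verify(real, pub, c1, legit),
            "via_proxy": rp_verify(real, pub, c2, key.get_assertion(proxy, c2)),
            "replay": rp_verify(real, pub, c2, legit),
            "replay_edited": rp_verify(real, pub, c2, edited)}
```

A real relying party additionally checks the rpIdHash, the user-presence flag and the signature counter, and verifies an ECDSA signature with the stored public key instead of an HMAC.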
How It Gets Exploited
Business Email Compromise (BEC)
BEC is the highest-dollar phishing variant. The FBI IC3 reported $2.9 billion in BEC losses in 2023. The attack: compromise or impersonate a senior executive’s email, then send a wire transfer request to the finance team. The email looks right. The authority is real. The urgency is manufactured.
Gift Card Scam Infrastructure
“Go to Walmart and buy $500 in Google Play gift cards. Read me the codes.” This sounds absurd, but it works — especially under authority pressure (“This is the IRS”) or urgency (“Your grandson is in jail”). Gift cards are untraceable cash equivalents. The FTC reported $228 million in gift card scam losses in 2022.
Romance Scam Pipelines
Phishing and romance scams converge. The initial contact happens on dating sites or social media. Trust is built over weeks or months. Then: “I need help with a financial emergency,” or “Invest in this crypto platform with me” (pig butchering). The FBI IC3 reported $1.3 billion in romance scam losses in 2022.
What You Can Do
The Technical Defenses
- FIDO2 hardware keys / passkeys are the only reliable defense against real-time phishing proxies. A YubiKey authenticates to the domain cryptographically. It won’t work on a fake site.
- Passkeys (Apple, Google, Microsoft implementations) provide the same domain-bound authentication without a physical device.
- Email filtering catches the majority of mass phishing. But it misses targeted spear phishing designed to evade filters.
- Password managers won’t autofill on a phishing domain — they check the URL. If your password manager doesn’t offer to fill your credentials, that’s a warning sign.
The Human Defenses
- Pause before clicking. Every phishing attack relies on speed. The moment you slow down and verify independently, the attack fails.
- Verify through a separate channel. If you get an email from your CEO requesting a wire transfer, call the CEO on their known phone number. Don’t reply to the email.
- Never provide 2FA codes to someone who contacted you. Your bank will never call and ask for your verification code.
- Assume caller ID is spoofed. If “your bank” calls, hang up and call the number on the back of your card.
Sources & Further Reading
- FBI IC3 Annual Report — cybercrime statistics including phishing, BEC, and romance scams
- APWG Phishing Activity Trends Report — tracking phishing site volume and trends
- MITRE ATT&CK T1566 — Phishing — phishing technique documentation
- FTC Consumer Fraud Data — federal consumer protection scam data
- CISA Phishing Guidance — federal phishing defense recommendations
- EvilGinx2 — real-time phishing proxy (for understanding the threat)
- FIDO Alliance — hardware key and passkey standards documentation