How phishing works — and how your exposed data makes it worse

In short
  • Phishing has five forms: mass phishing, spear-phishing, whaling, smishing (SMS), and vishing (voice). Each exploits a different channel; each has different defenses.
  • The shift over the last two years: AI eroded the gap between mass campaigns (sloppy, easy to spot) and targeted attacks (personalized, convincing). Spear-quality personalization at mass-mailer scale is now routine.
  • Your data on people-search sites is the raw material for that personalization. Less exposure means less convincing attacks — for you specifically.
Last reviewed May 2026

What phishing actually is

Phishing is the use of fraudulent communications — email, SMS, voice call, fake website — to trick someone into revealing credentials, transferring money, or installing malware. The defining trait is impersonation: the attacker pretends to be a trusted entity (bank, employer, government agency, family member) to lower the target's guard.

Phishing is the entry point for most contemporary cybercrime. Industry breach investigations have consistently identified it as the leading initial-access vector for over a decade. Whether the eventual goal is ransomware, data theft, wire fraud, or account takeover, the attack chain usually starts with someone clicking something.

The five categories

Mass phishing. Identical message to thousands of people. Low effort per recipient, low conversion rate. Often impersonates global brands (Microsoft, Amazon, FedEx, Bank of America, Netflix). Pre-AI tells: bad grammar, off-brand formatting, mismatched URLs. Post-AI: most of those tells are gone, making mass phishing harder to detect at a glance.

Spear phishing. Personalized to a specific target. Uses the target's name, role, employer, and current context. Requires research per target — historically the constraint that kept this approach niche. AI has automated the research, making spear-quality targeting affordable at scale.

Whaling. Spear-phishing aimed at executives or other high-value targets. CEO-impersonation wire-transfer fraud is the canonical example. Often combined with voice cloning or deepfake video calls for additional persuasion.

Smishing. Phishing via SMS text message. Common pretexts: package-delivery notifications ("Your USPS package is delayed, confirm address here"), bank fraud alerts ("Suspicious charge detected, verify at this link"), government benefits ("Your IRS refund is pending, claim here"). SMS lacks the spam filtering email has, so click-through rates are higher.

Vishing. Phishing over voice calls. Pre-AI: a person on the line impersonating a bank rep, tech-support worker, or IRS agent. Post-AI: AI voice-cloning can impersonate someone the target recognizes (family member, executive, known colleague), eliminating the "wait, this doesn't sound right" defense.

How exposure feeds phishing

Two distinct data inputs power phishing attacks:

  1. Contact lists. The recipient list for mass and targeted campaigns has to come from somewhere. People-search sites publish phone numbers; leaked data sets and email scrapes from broker profiles populate the lists attackers buy and build. The bigger your data-broker footprint, the more of those lists your contact details are on.
  2. Personalization material. For targeted attacks, the attacker needs to know your role, employer, family, location, recent activity. Most of that is sitting on data broker profiles. The richer the broker data on you, the more convincing the impersonation.

Removing your data from broker sites won't stop phishing entirely — the mass-mailer version will keep running. It cuts the volume and quality of targeted attacks aimed at you specifically.

Your data on people-search sites is the raw material for targeted phishing. Delist removes your personal information from the internet — find out what's out there first.


What Delist's Spam Analyzer catches

Delist offers a free Spam Analyzer Chrome extension that screens incoming email and links for known phishing patterns: spoofed sender domains, display names that don't match the actual sender address, links to recently registered domains, and common phishing-template language. It's not a complete email-security solution; it's a second-opinion layer on top of your provider's filtering.

The analyzer is genuinely useful for catching the obvious phishing that still slips past Gmail's and Outlook's filters. It is not effective against the well-crafted spear-phishing and whaling attempts that target high-value individuals; those are the cases where careful human verification (calling back through a known channel) is the only reliable defense.

The "stop, look, verify" defense

The single most effective behavioral defense against phishing is a verification ritual:

  1. Stop. Before clicking any link or responding to any request involving money, credentials, or sensitive data, pause for 30 seconds. Phishing relies on urgency-driven snap decisions.
  2. Look. Hover over (don't click) any link — does the URL match the claimed sender's domain? Look at the sender address (not the display name) — does it actually come from where it claims?
  3. Verify. If anything's off, contact the supposed sender through a known channel. Call your bank using the number on your card, not the number in the email. Walk to your CEO's desk, not the one in the urgent video call.

The defense scales to all five phishing categories. None of them survives a careful verify-through-different-channel step.
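The sender-address and link checks described for the Spam Analyzer above and in the "Look" step, as an added example that is not Delist's code: a small Python screen that parses a constructed message, flags a display name claiming a brand whose domain is not on an allowlist, flags link domains that differ from the sender's domain, and flags urgency phrases. The brand "Example Bank", the allowlist, the .test domains and the phrase list are all assumptions; the recently-registered-domain check is omitted because it needs a network lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed messages for the demo: brand, addresses and .test domains are invented.
PHISH = """From: "Example Bank Alerts" <alerts@examplebank-alerts.test>
To: target@example.org
Subject: Urgent: suspicious charge detected, verify immediately

We detected a suspicious charge on your account. Verify within 24 hours:
https://login.examplebank-secure.test/verify?acct=1
Thank you, Example Bank
"""
LEGIT = """From: "Example Bank" <alerts@examplebank.test>
To: target@example.org
Subject: Your March statement is available

View it at https://www.examplebank.test/statements when convenient.
"""
# Assumed allowlist (display-name keyword -> real sending domains) and urgency phrases.
KNOWN_BRANDS = {"example bank": {"examplebank.test"}}
URGENCY = ("verify immediately", "within 24 hours", "suspicious charge", "account will be suspended")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable_domain(host):
    """Crude last-two-labels reduction; a real tool would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def analyze(raw):
    """Return findings for one RFC 5322 message; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []
    # Display name invokes a brand, but the real sender domain is not one the brand uses.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display.lower() and sender_domain not in domains:
            findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")
    # The hover check: every link's domain should match the sender's domain.
    for url in URL_RE.findall(body):
        link_domain = registrable_domain(urlparse(url).hostname or "")
        if link_domain != sender_domain:
            findings.append(f"link domain {link_domain} differs from sender domain {sender_domain}")
    # Template language engineered to force a snap decision.
    findings.extend(f"urgency language: '{p}'" for p in URGENCY if p in text)
    return findings
```

`analyze(PHISH)` returns five findings (one display-name mismatch, one link-domain mismatch, three urgency phrases) and `analyze(LEGIT)` returns an empty list.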

Multi-factor authentication: the structural defense

Even if you click a phishing link and enter your password, properly configured MFA prevents account takeover. The hierarchy of MFA strength:

At minimum: enable TOTP MFA on every account that supports it. For email and financial accounts: use hardware keys or passkeys.

What to do if you clicked

Triage in this order:

  1. Disconnect the device. If the phishing might have delivered malware, get the device off the network before doing anything else. Wi-Fi off, ethernet unplugged, mobile data off.
  2. Change passwords for anything you entered. Start with your email account — it's the recovery anchor for everything else. Then bank, then any account where you reused the password.
  3. Revoke active sessions. Most email providers let you sign out everywhere from account settings. Do this.
  4. Run an anti-malware scan. Or, more conservatively, re-image the device. The cost of paranoia is lower than the cost of missing malware.
  5. Report the phishing attempt. To the impersonated brand (most have a phishing-reporting address), to your email provider, and (for large losses or business-critical incidents) to the FBI's IC3 (ic3.gov).
  6. Monitor your accounts. Watch for unauthorized transactions, password-reset emails you didn't initiate, new accounts opened in your name.

Frequently asked questions

What's the difference between phishing and spear-phishing?
Phishing is the mass-mailer version — same message to thousands of people, hoping a small percentage click. Spear-phishing is the personalized version — message customized to a specific person using their name, role, employer, and recent activity. The 2024-2026 shift is that AI lets attackers send spear-quality personalization at mass-mailer scale.
What is smishing?
Phishing over SMS text message instead of email. Often disguised as package-delivery notifications, bank fraud alerts, or government-benefits messages with a malicious link. Effective because mobile users are more likely to tap a link than to inspect it carefully, and because SMS lacks the spam filters email has.
What is vishing?
Phishing over voice phone calls. Often impersonating banks, IRS agents, tech-support workers, or (with AI voice-cloning) family members. The "grandparent scam" and the wave of fake-IRS calls are vishing variants. AI voice-cloning has materially increased vishing's persuasive power.
How does my data on broker sites feed phishing?
Two ways. (1) Email addresses harvested from broker sites and breach corpora populate the recipient lists for mass phishing campaigns. (2) For spear-phishing, the personalization details — your employer, your role, your address, your family, your recent location — come from broker sites. The less of your data is on broker sites, the less effective both mass and spear phishing become.
What should I do if I clicked a phishing link?
Three immediate steps. (1) Disconnect the device from the network if you suspect malware. (2) Change passwords for any account whose credentials you may have entered, starting with email. (3) Run an anti-malware scan and consider re-imaging if the phishing was for malware delivery. Then report the original phishing attempt to the impersonated brand and to your email provider.

Remove the data that makes you a target

Delist removes your personal information from the internet — from people-search sites, search engines, AI, and dark-web leak sources. Less exposure means fewer convincing attacks, on autopilot.
