In 2020, a phishing campaign impersonated the World Health Organization during the early weeks of COVID-19.
The email looked official. WHO branding, real-sounding sender address, urgent subject line about safety guidelines. It directed recipients to a site that harvested login credentials.
Over 10,000 people clicked. Doctors, researchers, government employees — people who considered themselves tech-literate. Not because they were careless. Because the attack was designed by people who understand human psychology better than most therapists.
This is how phishing actually works — and why it keeps working.
What Phishing Is (And Isn't)
Phishing is not a technical attack. It's a social one.
It usually doesn't exploit a vulnerability in your software. It exploits a vulnerability in your decision-making. The goal is to get you to take an action — click a link, enter credentials, download a file, send a wire transfer — by creating a situation where that action feels correct. Malware in an attachment may follow the click, but the click itself is won socially.
The technical part is easy. Spoofing a sender address, cloning a website, buying a lookalike domain — none of this requires advanced skills. Phishing kits sell on dark web markets for $50. What takes skill is the psychology.
The 6 Psychological Triggers Every Phishing Email Uses
Security researchers have categorised the tactics for decades. Every effective phishing email uses at least two of these. The WHO attack used five.
1. Authority
The email comes from someone with power — a CEO, a government agency, a bank, a platform you depend on. We're conditioned from childhood to comply with authority. When "the IRS" emails you, the instinct is to pay attention, not scrutinise. That instinct is backwards here: the IRS does not initiate contact by email, so an email claiming to be from it deserves more scrutiny, not less.
2. Urgency
"Your account will be suspended in 24 hours." "Action required immediately." "Respond before end of business today."
Urgency short-circuits analysis. When we feel time pressure, we act before we think. This is not a flaw — it's how humans handle genuine emergencies. Phishers exploit it deliberately.
3. Fear
"Unusual activity detected on your account." "Your payment failed." "Legal action will be taken if you do not respond."
Fear narrows focus. When you're worried your bank account is compromised, you're not thinking about whether the sender address looks right.
4. Social proof
"Thousands of employees have already completed this required training." "Your colleagues have updated their credentials — please do the same."
If everyone else did it, it must be legitimate. This trigger is especially effective in workplace phishing.
5. Scarcity
"Only 3 spots remaining." "This offer expires tonight." "Limited access — claim your account now."
Scarcity creates a fear of missing out that overrides critical thinking. It's the same mechanism Black Friday sales exploit.
6. Familiarity
The most dangerous trigger. The email looks exactly like one you've seen before — same branding, same format, same tone. Your brain pattern-matches to "legitimate" before you've read a single word.
The WHO attack worked because the branding was perfect. People recognised the logo before they read anything.
Anatomy of the WHO Attack
Here's what made that specific campaign effective:
The timing was perfect. Early March 2020. The world was scared. People were actively looking for information from health authorities. The email arrived when recipients were primed to engage with exactly this kind of content.
The sender address was plausible enough. The real WHO domain is who.int. The phishing domain was who-safety.org: a separate registration, not a subdomain of who.int. Different, but in a moment of fear, with a familiar logo at the top, most people didn't check.
The ask was low-friction. It didn't ask for credit card numbers. It asked recipients to "confirm their WHO subscriber account" to access safety guidelines. One username. One password. Seemed reasonable.
The landing page was a clone. Pixel-perfect copy of the real WHO login page. If you weren't looking at the URL bar, you wouldn't know.
Five triggers. Legitimate-looking execution. More than 10,000 clicks.
The Red Flags — Trained vs. Untrained Eye
An untrained person sees: WHO logo, urgent subject, familiar format. Clicks.
A trained person checks:
The sender address — the full one
Display names lie. "World Health Organization" can be set as the display name on any mailbox, and on a phone the display name is often all you see. Click or tap on the name to reveal the actual address, then read the domain after the @. who-safety.org is not who.int. No legitimate organisation sends security emails from Gmail or Outlook personal accounts. The converse does not hold: an address that looks right is necessary, not sufficient, because the From address itself can be forged when the imitated domain has not deployed email authentication (SPF, DKIM, DMARC, covered below).
The domain in every link before clicking
Hover over any link before clicking it (on a phone, long-press it). The address that appears in the browser's status bar, or in the preview, is where you'll actually go, whatever the link text says. Find the host: everything between the https:// and the next single slash. Then read it from the right, because that is where the registered domain sits: who.int.who-safety.org and who.int@who-safety.org both land on who-safety.org, not on who.int. who-safety.org/login is not the WHO, no matter what the page looks like after you arrive. A shortened link hides all of this, which is itself a reason not to click it.
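An added example, not code from the original article, that applies this check mechanically: it pulls the host out of a link, reads the registrable domain from the right, and flags the usual tricks. who.int is the trusted domain; the sample links, including the ones built on who-safety.org, are constructed for illustration, and the two-label rule used for the registrable domain is a simplification that ignores the Public Suffix List.

```python
from urllib.parse import urlsplit

# Domains the reader is entitled to trust. An assumption for this example.
TRUSTED_DOMAINS = {"who.int"}


def registrable_domain(host: str) -> str:
    """Rightmost two labels of a host name.

    Simplifying assumption: no Public Suffix List, so a host under a
    multi-label suffix such as example.co.uk would come back as co.uk.
    Good enough to show the technique, not a drop-in production check.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> tuple[str, str]:
    """Return (verdict, registrable_domain) for a link target.

    The host is everything between the scheme and the next '/'. urlsplit
    does that split and lower-cases the result; its .hostname also drops
    any user@ prefix and :port, so https://who.int@who-safety.org/ resolves
    to who-safety.org, exactly as a browser would resolve it.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    host = parts.hostname
    domain = registrable_domain(host)

    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    if parts.username is not None:
        # A trusted name in the user@ position is a decoy; the host follows the @.
        return "lookalike", domain
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised label: may render as a homograph of a familiar name.
        return "idn", domain
    for trusted in TRUSTED_DOMAINS:
        if trusted in host or trusted.replace(".", "-") in host:
            # who.int.who-safety.org or who-int.org: the familiar name appears,
            # but the registrable domain is something else entirely.
            return "lookalike", domain
    return "untrusted", domain


if __name__ == "__main__":
    # Constructed sample links. who-safety.org is the domain the article names.
    for link in [
        "https://who.int/emergencies",
        "https://who-safety.org/login",
        "https://who.int.who-safety.org/login",
        "https://who.int@who-safety.org/",
        "https://who-int.org/",
        "https://WHO.INT:443/",
    ]:
        print(f"{link:42} -> {classify_link(link)}")
```

The order of operations is the lesson: decide the registrable domain first, and only then let a familiar name anywhere else in the host count against the link rather than for it.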
Whether they're asking for credentials
Legitimate services rarely push you to enter your username and password through a link in an email you did not ask for. Password reset and sign-in links do exist, but you will have requested them moments earlier. If an unsolicited email wants you to log in, ignore its link, open your browser, and type the real address yourself; if there really is a notice on your account, it will be waiting there.
The quality of the urgency
Real emergencies from real organisations give you time to verify. "Your account will be deleted in 24 hours unless you click this link" is almost never how legitimate services communicate. Urgency that punishes verification is a red flag.
Unexpected attachments
If you weren't expecting a file, don't open it. This applies to emails from people you know: their account may have been compromised and be sending malicious files to everyone in their contacts. Confirm through a different channel, a phone call or a chat message, before opening anything unexpected.
Why Smart People Still Get Phished
In phishing simulations, controlled campaigns that a security team or red team sends to a company's own employees, first-round click rates of 30–40% are commonly reported. At organisations with ongoing training the figure typically drops to 10–15%. It never reaches zero.
This is not stupidity. It's three things:
Volume. If you receive 200 emails a day, you cannot scrutinise every one. Attackers know this. They send at high-volume times — Monday mornings, end of quarter, during major news events.
Context switching. A phishing email that arrives while you're in the middle of something else hits when your critical thinking is already occupied. The click happens before the analysis.
Sophistication. Spear phishing — targeted attacks using personal information — can reference your name, your manager, your current project, your colleague's name. This information is available from LinkedIn, company websites, and data breaches. A phishing email that knows your boss's name and references a real meeting isn't obviously fake.
What Actually Protects You
For individuals:
- Enable multi-factor authentication on every account that supports it. A stolen password alone is then not enough to log in. One caveat: one-time codes and push approvals can still be relayed by a phishing page that proxies the real login in real time, so where a site offers a phishing-resistant method (a FIDO2 security key or a passkey), prefer it. Those are bound to the real site's origin and simply do not work on a lookalike domain.
- Use a password manager. This has a hidden phishing benefit: password managers autofill based on the exact domain they saved the login for. On a fake site, the manager won't recognise the domain and won't offer your credentials. That pause is often enough to make you look at the address bar. Resist the urge to copy the password in by hand; the manager is telling you something.
- When in doubt, go directly to the source. Don't click the link. Open your browser and type the real address.
For organisations:
- Simulated phishing training, regular controlled tests followed by immediate feedback, is one of the few things that measurably reduces click rates over time. Awareness alone doesn't change behaviour. Practice does. Measure report rates as well as click rates: an employee who reports a simulated phish is your early warning for a real one.
- Email authentication (SPF, DKIM, and DMARC with an enforcing policy such as p=reject) makes it significantly harder for anyone to send mail that claims to come from your exact domain. Many organisations have not fully deployed all three, or run DMARC in monitor-only mode (p=none), which changes nothing for the recipient. Note what it does not do: a lookalike domain such as who-safety.org can publish perfect records of its own, so authentication stops spoofing, not impersonation.
- Incident response matters as much as prevention. When someone does click and enters credentials, how fast can you detect it, reset the password, revoke active sessions and tokens, check the mailbox for attacker-added forwarding rules, and recover?
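As an added example, not code from the article, the following checks the SPF and DMARC records a domain publishes and reports the weak settings, with the corrected record set shown beside them. DKIM is left out because verifying it needs a signed message and the selector's public key, not just a DNS policy record. All record sets are constructed: example.org stands in for your own zone, and the who-safety.org records show that a lookalike domain can pass these checks perfectly.

```python
"""Offline assessment of the SPF and DMARC TXT records a domain publishes."""

Finding = tuple[str, str]  # (short code, explanation)

# Constructed record sets for the example; example.org is a placeholder zone.
# WEAK_RECORDS shows the common monitor-only deployment, HARDENED_RECORDS the
# enforcing one.
WEAK_RECORDS = {
    "example.org": "v=spf1 include:_spf.mailhost.example ~all",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}
HARDENED_RECORDS = {
    "example.org": "v=spf1 include:_spf.mailhost.example -all",
    "_dmarc.example.org": (
        "v=DMARC1; p=reject; sp=reject; pct=100; "
        "rua=mailto:dmarc@example.org; adkim=s; aspf=s"
    ),
}
# A lookalike domain with perfect records of its own (constructed; 203.0.113.0/24
# is a documentation range). Authentication stops spoofing, not impersonation.
LOOKALIKE_RECORDS = {
    "who-safety.org": "v=spf1 ip4:203.0.113.5 -all",
    "_dmarc.who-safety.org": "v=DMARC1; p=reject; rua=mailto:dmarc@who-safety.org",
}


def dmarc_tags(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> list[Finding]:
    """Look only at the final 'all' mechanism, which decides unlisted senders."""
    terms = record.split()
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return [("spf-no-all", "no 'all' mechanism: unlisted hosts get a neutral result")]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "+":
        return [("spf-plus-all", "+all authorises every host on the internet")]
    if qualifier in "~?":
        return [("spf-softfail", f"{qualifier}all only tags spoofed mail; use -all so it fails")]
    return []


def assess_dmarc(record: str) -> list[Finding]:
    tags = dmarc_tags(record)
    if tags.get("v") != "DMARC1":
        return [("dmarc-invalid", "record must start with v=DMARC1")]
    findings: list[Finding] = []
    policy = tags.get("p")
    if policy is None:
        findings.append(("dmarc-no-policy", "required p= tag is missing"))
    elif policy == "none":
        findings.append(("dmarc-p-none", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("dmarc-p-quarantine", "p=quarantine sends spoofs to spam instead of rejecting them"))
    if tags.get("sp") == "none":
        findings.append(("dmarc-sp-none", "sp=none leaves subdomains unprotected"))
    if int(tags.get("pct", "100")) < 100:
        findings.append(("dmarc-partial", "pct<100 applies the policy to only part of the mail"))
    if "rua" not in tags:
        findings.append(("dmarc-no-reports", "no rua= address: you get no aggregate reports"))
    return findings


def assess_domain(domain: str, records: dict[str, str]) -> list[Finding]:
    """records maps a DNS name to its TXT value, as a resolver would return it."""
    findings: list[Finding] = []
    spf = records.get(domain, "")
    if not spf.lower().startswith("v=spf1"):
        findings.append(("spf-missing", "no SPF record: receivers cannot tell authorised senders apart"))
    else:
        findings += assess_spf(spf)
    dmarc = records.get(f"_dmarc.{domain}")
    if dmarc is None:
        findings.append(("dmarc-missing", "no DMARC record: SPF/DKIM failures carry no policy"))
    else:
        findings += assess_dmarc(dmarc)
    return findings


def finding_codes(domain: str, records: dict[str, str]) -> list[str]:
    return [code for code, _ in assess_domain(domain, records)]


if __name__ == "__main__":
    for label, records in [("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)]:
        print(f"example.org ({label}):")
        for code, why in assess_domain("example.org", records) or [("ok", "no weaknesses found")]:
            print(f"  {code:18} {why}")
    print("who-safety.org:", finding_codes("who-safety.org", LOOKALIKE_RECORDS) or "no weaknesses found")
```

Run it against your own zone by replacing the constructed dictionaries with the TXT values a resolver returns; the empty result for who-safety.org is the point of the last line, since a clean DMARC posture on an attacker's own domain is exactly what a lookalike campaign relies on.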
The Honest Summary
Phishing works because it's designed to work. It exploits the same cognitive shortcuts that help us function — trusting authority, responding to urgency, pattern-matching familiar things as safe.
You can't think your way out of every attack in the moment. What you can do is build habits that create friction: check the sender domain, hover before clicking, go directly to sites instead of through email links, and use MFA everywhere.
The 10,000 people who clicked the WHO email weren't careless. They were human. The difference between them and someone who didn't click is almost always one habit — the pause before the click.
Build the pause.