A common feature of phishing emails is that attackers model the message to look similar to legitimate internal communications.

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

A common feature of phishing emails is that attackers model the message to look similar to legitimate internal communications.

Explanation:
Phishing hinges on social engineering: the attacker tries to pass the email off as a trusted message from within the organization. By modeling the email to resemble legitimate internal communications—using familiar sender names, logos, formatting, and wording—the attacker makes the message feel trustworthy and reduces suspicion. This deception is what makes phishing effective, because recipients are more likely to open links or attachments or enter credentials when the communication looks like something they would normally receive from IT, HR, or leadership. While some phishing attempts do carry malware, others aim solely for credential theft or data exposure; the key feature is the convincing imitation of legitimate internal messages, not the presence of malware. Also, attackers don’t always use unfamiliar domains—they often spoof or compromise genuine internal addresses to appear legitimate, which reinforces the trust the message seeks to exploit.

