How does phishing work?

Phishing attacks trick you into entering your username and password at a fake site that looks like your bank, your broker or employer. It may be an email that says, ”We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.” The problem is it looks like it comes from your bank, but in fact the email links to a phony site that is an exact copy maintained by criminals. Once you enter your username and password they have it and can do anything you could do online at the real site. Typically they will route you through to the real site after stealing your password so you do not even suspect anything is amiss.