What Is Phishing?
Phishing is a type of cyberattack where a malicious actor pretends to be a trustworthy entity — a bank, a tech company, a government agency, or even a colleague — in order to trick you into revealing sensitive information or taking a harmful action. The name is a play on "fishing": attackers cast bait and wait for someone to take it.
The end goal is typically to steal login credentials or financial information, or to install malware on your device. Phishing is consistently one of the most prevalent attack vectors because it exploits human psychology rather than technical vulnerabilities — and that makes everyone a potential target.
Types of Phishing Attacks
Email Phishing
The classic form. You receive an email claiming to be from your bank, PayPal, Amazon, or a similar trusted brand, urging you to click a link and verify your account or resolve an issue. The link leads to a convincing fake website designed to harvest your credentials.
Spear Phishing
A more targeted form where attackers research their victim first. The email might reference your employer, your manager's name, or a recent transaction to appear credible. These are significantly harder to detect and more likely to succeed.
Smishing (SMS Phishing)
Phishing via text message. Common examples include fake delivery notifications ("Your package could not be delivered, click here") or fake bank fraud alerts with urgent calls to action.
Vishing (Voice Phishing)
Phone calls from someone impersonating tech support, a bank representative, or a government official. They may use urgency ("Your account has been compromised") to get you to reveal information or take action quickly.
Clone Phishing
Attackers copy a legitimate email you may have previously received, replace the links with malicious ones, and resend it — often claiming to be a "resend" of the original.
Warning Signs to Watch For
While phishing attempts are becoming more sophisticated, several red flags remain reliable indicators:
- Urgent or threatening language: "Your account will be suspended in 24 hours" is a pressure tactic designed to stop you from thinking critically.
- Mismatched sender addresses: The display name might say "PayPal Support" but the actual email address is something like support@paypal-security-alerts.net. Always check the actual address, not just the display name.
- Suspicious links: Hover over links before clicking and look at the actual domain the link leads to, not just whether the brand name appears somewhere in the URL. If the domain doesn't match the organization's real domain, don't click.
- Generic greetings: "Dear Customer" or "Dear User" instead of your actual name suggests a mass campaign.
- Unexpected attachments: Be especially cautious with .zip, .exe, or Office files asking you to "enable macros."
- Requests for sensitive information: Legitimate organizations will never ask for your password, PIN, or full card number via email.
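The sender-address and link checks described above can be automated. The following is an added example, not code from the original article: it flags a display name, sender address, anchor text or link target that names a brand when the real domain is not on a small, constructed allow-list of that brand's genuine domains (the allow-list and function names are assumptions for the example).

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for this example: brand keyword -> domains the brand really uses.
# A real deployment would maintain this list centrally rather than hard-code it.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
}

def host_belongs_to(host, domain):
    """True only if host is the domain itself or a genuine subdomain of it.
    Lookalikes such as 'paypal-security-alerts.net' or 'paypal.com.evil.net'
    contain the brand name but fail this test."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def brands_named_in(text):
    """Brand keywords that appear anywhere in the given text (case-insensitive)."""
    text = text.lower()
    return [brand for brand in BRAND_DOMAINS if brand in text]

def check_sender(from_header):
    """Flag a From: header whose display name or address claims a brand while the
    sending domain is not one of the brand's own, e.g.
    'PayPal Support <support@paypal-security-alerts.net>'."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', from_header)
    display, addr = (m.group(1), m.group(2)) if m else ("", from_header.strip())
    sender_host = addr.rsplit("@", 1)[-1]
    findings = []
    for brand in brands_named_in(display) or brands_named_in(addr):
        if not any(host_belongs_to(sender_host, d) for d in BRAND_DOMAINS[brand]):
            findings.append(f"sender claims {brand} but address is on {sender_host}")
    return findings

def check_link(anchor_text, href):
    """Flag a link whose visible text or target host names a brand while the real
    target host is not the brand's domain (what hovering over a link is meant to reveal)."""
    host = urlparse(href).hostname or ""
    findings = []
    for brand in brands_named_in(anchor_text) or brands_named_in(host):
        if not any(host_belongs_to(host, d) for d in BRAND_DOMAINS[brand]):
            findings.append(f"link text mentions {brand} but goes to {host}")
    return findings
```

Both functions return an empty list for a genuine sender or link and one finding per mismatched brand otherwise, so they can be dropped into a mail filter or a user-facing warning banner.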
How to Verify a Suspicious Message
- Don't click the link in the email. Instead, navigate directly to the website by typing the address in your browser.
- Call the organization directly using a phone number from their official website — not from the message itself.
- Check your account directly. If the email claims there's an issue with your account, log in through the normal method to see if any alerts exist.
- Use a tool like Google's Transparency Report or VirusTotal to check whether a URL is flagged as malicious before visiting it.
Protective Measures to Put in Place Now
- Enable multi-factor authentication (MFA) on all important accounts. Even if your password is stolen, MFA prevents login without the second factor. Where it is offered, prefer a phishing-resistant second factor such as a hardware security key or passkey, since a fake login page can also ask for (and immediately reuse) a one-time code you type in.
- Use a password manager. Password managers auto-fill credentials only on the correct domain — they won't fill in your bank password on a fake site.
- Keep software and browsers updated. Many phishing sites exploit browser vulnerabilities patched in recent updates.
- Use email filtering. Modern email clients (Gmail, Outlook) catch many phishing emails, but no filter is perfect.
- Be skeptical by default. If something feels off about a message — even from someone you know — verify before acting.
What to Do If You've Been Phished
- Change your password immediately for the affected account, and any other accounts using the same password.
- Enable MFA if it wasn't already active.
- Check for unauthorized activity in your account and financial statements.
- Report the phishing attempt to the organization being impersonated and to your email provider.
- If you entered payment information, contact your bank or card issuer right away.
Phishing works because it preys on trust and urgency. The single most effective defense is a habit of slowing down and verifying before clicking, calling, or sharing anything sensitive.