What Is Phishing?
Phishing is a type of social engineering attack where cybercriminals impersonate trusted entities — banks, tech companies, government agencies, or even your colleagues — to trick you into handing over sensitive information like passwords, credit card numbers, or personal data.
The term comes from "fishing," because attackers cast a wide net hoping someone takes the bait. And it works: phishing remains one of the most common entry points for data breaches and financial fraud worldwide.
The Most Common Types of Phishing
Email Phishing
The classic form. You receive an email that looks like it's from a legitimate source — your bank, PayPal, Amazon, or a government agency — urging you to click a link and "verify your account" or "update your payment details." The link leads to a fake website designed to steal your credentials.
Spear Phishing
A targeted version of email phishing where the attacker researches their victim and personalizes the message. You might receive an email appearing to be from your actual boss using their real name and referencing a current project. These are much harder to detect.
Smishing (SMS Phishing)
Phishing via text message. Common examples include fake delivery notifications ("Your package is held — click here to reschedule"), fake bank alerts, or prize scams. The urgency and brevity of texts make people more likely to click without thinking.
Vishing (Voice Phishing)
Phone call scams where someone claims to be from your bank's fraud department, Microsoft support, or the tax authority. They pressure you into confirming personal details or installing remote access software.
Clone Phishing
Attackers take a legitimate email you've received previously and create a near-identical copy with malicious links replacing the real ones. It can be very convincing because the email looks familiar.
Red Flags to Watch For
- Urgency and pressure: "Your account will be suspended in 24 hours!" — creating panic is a classic manipulation tactic.
- Mismatched sender address: The display name says "PayPal" but the actual email address is something like paypal-support@randomdomain.net.
- Suspicious links: Hover over any link before clicking. The URL should match the legitimate domain exactly — watch for subtle misspellings like paypa1.com or amazon-support.info.
- Generic greetings: "Dear Customer" instead of your actual name suggests a mass-sent phishing email.
- Requests for sensitive information: Legitimate companies will never ask for your password, full credit card number, or Social Security number via email.
- Unexpected attachments: Be wary of any unsolicited file attachment, especially .exe, .zip, or even Office documents with macros.
- Poor spelling and grammar: Though many phishing emails today are well-written, errors are still a common indicator.
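The "mismatched sender address" and "suspicious links" red flags above can be checked mechanically. The following Python snippet is an added example, not part of the original article: it extracts the address domain behind a display name and the hostname behind a link, then compares them against a constructed, illustrative allowlist of legitimate brand domains, flagging digit-for-letter lookalikes such as paypa1.com and brand names buried inside unrelated domains such as amazon-support.info. The brand list, the homoglyph table and the sample inputs are all assumptions for the demonstration.

```python
from email.utils import parseaddr
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed allowlist for the example: brand -> domains it legitimately uses.
BRAND_DOMAINS: Dict[str, Set[str]] = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
}
ALL_LEGIT: Set[str] = set().union(*BRAND_DOMAINS.values())

# Digit-for-letter substitutions commonly seen in lookalike domains (assumed table).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'www.paypal.com' -> 'paypal.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url: str) -> List[str]:
    """Return red flags for a link; an empty list means the host is on the allowlist."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ["no hostname in link"]
    domain = registrable_domain(host)
    if domain in ALL_LEGIT:
        return []
    flags = []
    for brand in BRAND_DOMAINS:
        # Undo digit substitutions: 'paypa1.com' normalizes to 'paypal.com'.
        if domain.translate(HOMOGLYPHS) in BRAND_DOMAINS[brand]:
            flags.append(f"lookalike of {brand}: {host}")
        # 'amazon-support.info' or 'paypal.com.evil.net' carry the brand in a foreign host.
        elif brand in host:
            flags.append(f"brand name '{brand}' inside unrelated host: {host}")
    return flags


def check_sender(header: str) -> List[str]:
    """Flag a From: header whose display name claims a brand the address domain does not belong to."""
    name, addr = parseaddr(header)
    addr_domain = registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    return [
        f"display name claims {brand} but address is {addr or '(none)'}"
        for brand, legit in BRAND_DOMAINS.items()
        if brand in name.lower() and addr_domain not in legit
    ]
```

Run `check_link("http://paypa1.com/login")` or `check_sender("PayPal <paypal-support@randomdomain.net>")` to see the flags; a real mail filter would use a maintained public-suffix list rather than the two-label shortcut here.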
How to Protect Yourself
- Pause before clicking. Never act impulsively on urgent requests. Take a moment to evaluate the email.
- Go directly to the source. If you get an alert about your bank account, close the email and type your bank's URL directly into your browser — don't use any link provided.
- Enable 2FA on all important accounts. Even if your password is stolen, 2FA can prevent unauthorized access.
- Use a password manager. Password managers only autofill credentials on the correct domain, so they won't fill in your details on a fake phishing site.
- Report phishing attempts. Forward suspicious emails to your email provider's abuse address and report them to organizations like the Anti-Phishing Working Group.
- Keep software updated. Browser and OS updates often include security patches and refreshed warnings for known phishing sites, so a malicious page is more likely to be flagged before it loads.
What to Do If You've Been Phished
If you think you've fallen for a phishing attack, act quickly:
- Change your password on the affected account immediately.
- Enable 2FA if you haven't already.
- Check for unauthorized activity on financial accounts.
- Run a malware scan if you clicked a suspicious link or opened an attachment.
- Notify your bank if financial details may have been compromised.
Phishing relies on speed — attackers act fast once they have your credentials. The sooner you respond, the better your chances of limiting the damage.