What Is Phishing?

Phishing is a form of social engineering where an attacker impersonates a trusted entity — a bank, a tech company, a colleague — to trick you into revealing sensitive information or taking a harmful action. The name is a play on "fishing": casting a wide net and waiting for victims to take the bait.

Phishing is one of the most common entry points for cybercrime. It doesn't require sophisticated hacking skills — it exploits human psychology instead of technical vulnerabilities.

Common Types of Phishing

Email Phishing

The classic form. You receive an email that appears to be from your bank, PayPal, or a major retailer, warning you of a problem with your account. A link takes you to a fake login page that harvests your credentials.

Spear Phishing

A targeted attack where the attacker has researched their victim. The email may use your name, reference your employer, or mention recent events to appear convincing. These attacks are significantly more dangerous than bulk phishing campaigns.

Smishing (SMS Phishing)

Malicious links or urgent requests sent via text message. Common examples include fake delivery notifications and fraudulent bank alerts sent to your phone.

Vishing (Voice Phishing)

Attackers call you directly, posing as tech support, government agencies, or financial institutions. They use urgency and authority to pressure you into revealing information or granting remote access to your device.

Clone Phishing

A legitimate email you previously received is duplicated, but with links or attachments replaced by malicious versions. It appears to come from the same sender and references real previous communications.

Red Flags to Watch For

  • Urgency and fear tactics — "Your account will be suspended in 24 hours." Legitimate organizations rarely demand immediate action via email.
  • Mismatched sender addresses — The display name says "PayPal" but the actual email domain is something unrelated.
  • Suspicious links — Hover over links before clicking. The URL may look similar to a real site but with subtle changes (e.g., paypa1.com instead of paypal.com).
  • Generic greetings — "Dear Customer" instead of your actual name can indicate a mass phishing attempt.
  • Unexpected attachments — Especially .zip, .exe, or even seemingly innocent Word documents with macros.
  • Requests for sensitive information — Banks and legitimate services will never ask for your password via email.
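The first three red flags above (mismatched sender, lookalike domains, urgency wording) can be checked mechanically. The following is an added example written for this page, not code from the original article: a small Python checker that applies those heuristics to a message's From header and body. The brand-to-domain map, the urgency phrases and the sample messages are constructed for illustration and are not a complete or authoritative list.

```python
# Added example (not from the original article): a phishing red-flag checker
# that applies the heuristics listed above to email headers and body text.
# All brand mappings, phrase lists and sample messages are constructed.
import re
from email.utils import parseaddr
from typing import Iterable, List, Optional

# Brands we expect in a display name, and the domains they legitimately send
# from. Assumed for this example only; a real deployment would use a curated list.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com"},
}

# Wording typical of urgency / fear tactics (illustrative subset).
URGENCY_PATTERNS = [
    r"\bwithin 24 hours\b",
    r"\bimmediately\b",
    r"\bsuspended\b",
    r"\bverify your account\b",
]

# Generic greetings that suggest a bulk campaign rather than a known sender.
GENERIC_GREETING = re.compile(r"^\s*dear (customer|user|member)\b", re.I | re.M)

# Characters commonly swapped for lookalikes (e.g. "paypa1" for "paypal").
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def sender_domain(from_header: str) -> str:
    """Return the domain part of a From: header value, lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, legit_domains: Iterable[str]) -> Optional[str]:
    """Return the legitimate domain that `domain` imitates, or None."""
    legit_domains = set(legit_domains)
    if domain in legit_domains:
        return None
    normalized = domain.translate(HOMOGLYPHS)
    for legit in legit_domains:
        if normalized == legit or levenshtein(domain, legit) <= 1:
            return legit
    return None


def check_message(from_header: str, body: str) -> List[str]:
    """Apply the red-flag heuristics and return human-readable findings."""
    findings = []
    display_name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    name_l = display_name.lower()

    # Red flag: display name claims a brand but the address domain does not match.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name_l and domain not in legit:
            findings.append(f"display name claims {brand!r} but sender domain is {domain!r}")
        hit = lookalike_of(domain, legit)
        if hit:
            findings.append(f"sender domain {domain!r} looks like {hit!r}")

    # Red flag: links in the body point at lookalike domains.
    all_legit = set().union(*BRAND_DOMAINS.values())
    for url_domain in re.findall(r"https?://([A-Za-z0-9.-]+)", body):
        hit = lookalike_of(url_domain.lower(), all_legit)
        if hit:
            findings.append(f"link domain {url_domain!r} looks like {hit!r}")

    # Red flag: urgency wording (report the first match only).
    for pat in URGENCY_PATTERNS:
        if re.search(pat, body, re.IGNORECASE):
            findings.append(f"urgency phrase matched: {pat}")
            break

    # Red flag: generic greeting instead of the recipient's name.
    if GENERIC_GREETING.search(body):
        findings.append("generic greeting instead of recipient name")
    return findings


if __name__ == "__main__":
    # Constructed sample: a lookalike sender, a lookalike link and urgent wording.
    sample_from = "PayPal <security@paypa1.com>"
    sample_body = ("Dear Customer,\nYour account will be suspended within 24 hours. "
                   "Verify at http://paypa1.com/login")
    for line in check_message(sample_from, sample_body):
        print("FLAG:", line)
```

Heuristics like these are a triage aid, not a verdict: a legitimate newsletter can use urgent wording, and a well-crafted spear phishing email may trigger none of them. They are most useful as one signal alongside authentication results (SPF, DKIM, DMARC) and user reports.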

What Happens If You Click?

Depending on the attack, clicking a phishing link can lead to:

  1. A fake login page that steals your credentials
  2. A drive-by malware download that silently installs on your device
  3. A form asking for personal or financial information
  4. Ransomware deployment on your system

How to Protect Yourself

  • Enable multi-factor authentication (MFA) — Even if an attacker gets your password, they can't log in without your second factor.
  • Go directly to websites — Instead of clicking email links, type the address directly into your browser or use a saved bookmark.
  • Use a password manager — It fills saved credentials only on the exact domain they were saved for, so it won't auto-fill on a lookalike phishing site, acting as a built-in check.
  • Keep software updated — Security patches close vulnerabilities that drive-by downloads exploit.
  • Report suspicious emails — Use your email client's "report phishing" button to help protect others.

If You Think You've Been Phished

Act quickly. Change the compromised password immediately, enable MFA if you haven't already, check for any unauthorized activity, and notify your bank or the relevant service. Run a malware scan on your device if you clicked a link or opened an attachment.