What Is Phishing?
Phishing is a type of social engineering attack where an attacker impersonates a trusted entity — a bank, a tech company, a colleague, or a government agency — to trick you into revealing sensitive information or taking a harmful action. The goal is usually to steal login credentials, financial details, or to install malware on your device.
Despite being one of the oldest tricks in the cybercriminal playbook, phishing remains highly effective precisely because it exploits human psychology rather than technical vulnerabilities. No amount of software security helps if a person willingly hands over their password.
Common Types of Phishing
- Email phishing: Mass emails pretending to be from a recognizable organization, directing recipients to fake login pages.
- Spear phishing: Targeted attacks personalized to a specific individual, often using details gathered from social media or corporate websites.
- Smishing: Phishing via SMS text messages, often claiming a package is held or an account is compromised.
- Vishing: Voice phishing — phone calls from "bank representatives" or "tech support" seeking information or remote access.
- Clone phishing: A legitimate email you received previously is copied and re-sent with a malicious link or attachment replacing the original.
Red Flags to Look For
Phishing messages share common characteristics. Train yourself to notice these warning signs:
- Urgency and pressure: "Your account will be suspended in 24 hours." Attackers want you to act before you think.
- Mismatched sender address: The display name says "PayPal Support" but the actual email address is something like support@paypal-secure-alerts.net.
- Suspicious links: Hover over links before clicking. Does the URL match the legitimate domain? Watch for subtle misspellings like "arnazon.com" instead of "amazon.com".
- Unexpected attachments: Any unsolicited attachment — even from a known contact — should be treated with suspicion.
- Generic greetings: Legitimate companies usually address you by name. "Dear Customer" or "Dear User" is a common phishing tell.
- Requests for sensitive information: Legitimate organizations almost never ask for passwords, PINs, or Social Security numbers via email.
How to Verify a Suspicious Message
If you receive a message that raises any doubt, don't click links in the message itself. Instead:
- Go directly to the organization's official website by typing the address in your browser.
- Call the organization using a phone number from their official website, not one provided in the message.
- Forward suspicious emails to the organization's official phishing report address (many major companies have one, such as reportphishing@[company].com).
Technical Defenses That Help
Beyond awareness, several tools can reduce your phishing exposure:
- Multi-factor authentication (MFA): Even if attackers steal your password, MFA prevents them from accessing your account without a second verification factor.
- Password managers: A good password manager will only auto-fill credentials on the exact domain you registered with — it won't fill in your Netflix password on a fake lookalike site.
- Email filtering: Most email providers have spam and phishing filters. Keep them enabled and report phishing messages to improve the filter for everyone.
- Browser protection: Modern browsers warn you about known phishing sites. Don't dismiss these warnings.
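The two checks below make the "mismatched sender address" and "suspicious links" red flags from the list above, and the password manager's exact-domain rule from this list, concrete in code. This is an added example written for this page, not code from the article or from any mail client or password manager; the trusted-domain table, the confusable-character list and the sample headers and URLs are all constructed for the example, and registrable_domain() is a deliberate simplification (a real implementation would consult the Public Suffix List).

```python
"""
Defensive phishing checks, constructed as an illustration of the article's advice.

flag_message()     - reports a display name that claims a brand whose real domain
                     the sender address does not use, and link hosts that are not
                     the trusted domain but look like it ("arnazon.com").
autofill_allowed() - the exact-origin rule a password manager applies before it
                     fills a saved credential into a page.
"""
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed table for this example: brand keyword -> the domain it really uses.
TRUSTED_DOMAINS = {
    "paypal": "paypal.com",
    "amazon": "amazon.com",
    "netflix": "netflix.com",
}

# Character sequences that render almost identically and are used in lookalike
# domains (constructed, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification for .com-style domains;
    a production check would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(host: str) -> str:
    """Collapse confusable sequences so 'arnazon.com' compares equal to 'amazon.com'."""
    s = host.lower()
    for lookalike, real in CONFUSABLES:
        s = s.replace(lookalike, real)
    return s


def is_lookalike(host: str, trusted: str) -> bool:
    """True when host is NOT the trusted domain but either skeletons to it
    or embeds the brand name inside some other registrable domain."""
    rd = registrable_domain(host)
    if rd == trusted:
        return False                      # the genuine domain is never a lookalike
    if skeleton(rd) == skeleton(trusted):
        return True                       # visually confusable spelling
    brand = trusted.split(".")[0]
    return brand in host.lower()          # e.g. paypal-secure-alerts.net


def flag_message(from_header: str, urls: list[str]) -> list[str]:
    """Return human-readable red flags for a message's From header and its links."""
    flags = []
    display, addr = parseaddr(from_header)
    sender_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""

    # Red flag 1: display name names a brand, sender address uses another domain.
    claimed = [dom for kw, dom in TRUSTED_DOMAINS.items() if kw in display.lower()]
    for trusted in claimed:
        if sender_domain != trusted:
            flags.append(f"display name claims {trusted} but sender is {addr}")

    # Red flag 2: a link host that imitates a trusted domain.
    for url in urls:
        host = urlparse(url).hostname or ""
        for trusted in TRUSTED_DOMAINS.values():
            if is_lookalike(host, trusted):
                flags.append(f"link host {host} looks like {trusted}")
    return flags


def autofill_allowed(saved_origin: str, page_origin: str) -> bool:
    """Password-manager rule: fill only when scheme, host and port all match exactly.
    A page at netflix.com.example.net or netflix-login.com never qualifies."""
    a, b = urlparse(saved_origin), urlparse(page_origin)
    return (a.scheme, (a.hostname or "").lower(), a.port) == \
           (b.scheme, (b.hostname or "").lower(), b.port)


if __name__ == "__main__":
    # Constructed sample inputs mirroring the article's examples.
    for hdr, links in [
        ('"PayPal Support" <support@paypal-secure-alerts.net>',
         ["https://paypal-secure-alerts.net/login"]),
        ('"Amazon" <no-reply@amazon.com>', ["https://arnazon.com/verify"]),
        ('"Amazon" <no-reply@amazon.com>', ["https://www.amazon.com/orders"]),
    ]:
        print(hdr, "->", flag_message(hdr, links) or "no flags")
    print(autofill_allowed("https://www.netflix.com", "https://www.netflix.com.login-verify.net"))
```

The two functions share one idea: compare the registrable domain, never the text a human sees. The display name, the link text and the first few labels of a hostname are all under the attacker's control; the registered domain is not, which is why a password manager keys its autofill on it.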
What to Do If You've Been Phished
If you suspect you've fallen for a phishing attack, act quickly:
- Change the compromised password immediately — and on any other accounts where you reuse it.
- Enable MFA on the affected account if it isn't already active.
- Contact your bank if any financial information was involved.
- Scan your device for malware if you opened an attachment or downloaded anything.
- Report the incident to your IT department if it occurred on a work device or account.
Phishing succeeds through speed and distraction. Slowing down and developing a habit of skepticism toward unexpected messages is your most reliable defense.