What Is Phishing?

Phishing is a form of social engineering attack in which cybercriminals impersonate trusted entities — banks, tech companies, delivery services, government agencies — to trick you into revealing sensitive information or clicking malicious links. The name is a play on "fishing," because attackers cast a lure and wait for victims to bite.

Despite being one of the oldest tricks in the hacker's playbook, phishing remains highly effective because it targets human psychology rather than technical vulnerabilities.

Common Types of Phishing

Email Phishing

The most prevalent form. Attackers send bulk emails designed to look like they come from legitimate companies. They typically create a sense of urgency ("Your account will be suspended in 24 hours!") to pressure you into acting without thinking.

Spear Phishing

Unlike mass phishing campaigns, spear phishing is targeted. The attacker researches a specific individual or organization and crafts a highly personalized message. These are much harder to detect because they reference real details about you, your employer, or your colleagues.

Smishing (SMS Phishing)

Phishing via text message. Common examples include fake package delivery notifications ("Your parcel could not be delivered — click here to reschedule") or fake bank alerts. The short message format leaves less room for the telltale signs that expose email phishing.

Vishing (Voice Phishing)

Phone-based phishing, often involving callers posing as technical support representatives, bank fraud departments, or government officials. AI voice-cloning technology is making these attacks increasingly convincing.

Clone Phishing

Attackers intercept or duplicate a legitimate email you've already received, replace any links or attachments with malicious ones, and resend it — often claiming it's a "resend" of a previous message. Because the email looks nearly identical to a real one you received, it can be very deceptive.

Warning Signs of a Phishing Attempt

  • Mismatched or suspicious sender address — the display name looks legitimate, but the actual email domain is wrong (e.g., support@paypa1-secure.com)
  • Generic greetings — "Dear Customer" instead of your actual name
  • Urgent or threatening language — pressure to act immediately or face consequences
  • Unexpected requests — asking for passwords, payment details, or personal information via email or link
  • Suspicious or mismatched URLs — hover over links (without clicking) to check where they actually lead
  • Poor grammar and spelling — though AI-generated phishing is increasingly polished
  • Unexpected attachments — especially .zip, .exe, .docm or .xlsm files
  • Requests to "verify" account information — legitimate companies will not ask for your password via email

How to Check a Suspicious Link Safely

  1. Hover before you click — your browser or email client will show the actual destination URL in the status bar.
  2. Check the domain carefully — look for subtle misspellings: paypa1.com, arnazon.com, g00gle.com.
  3. Use URLScan.io or VirusTotal — paste the URL into a scanner to check its reputation before visiting.
  4. Go directly to the website — if an email claims your bank account has a problem, navigate directly to your bank's website by typing the address yourself rather than clicking any link.
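As an added illustration of the first warning sign above (display name versus real sender domain) and of step 2 (spotting paypa1.com, arnazon.com, g00gle.com), the following Python is not part of the original article. It folds the digit-for-letter swaps back to the letters they imitate and compares the result with a small brand list; the list, the substitution table and the simplified two-label domain extraction are assumptions constructed for the demo.

```python
from urllib.parse import urlparse

# Constructed brand list for the demo; a real deployment maintains its own (assumption).
KNOWN_BRANDS = {"paypal.com", "amazon.com", "google.com"}
# Look-alike substitutions behind the page's examples (paypa1, arnazon, g00gle);
# multi-character keys come first so "rn" is folded before single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def fold_lookalikes(label: str) -> str:
    """Map confusable characters back to the letters they imitate. This also
    folds innocent text ("learn" -> "leam"), so a hit means inspect, not block."""
    out = label.lower()
    for fake, real in HOMOGLYPHS:
        out = out.replace(fake, real)
    return out

def registrable_domain(host: str) -> str:
    """Last two labels of the host; a public-suffix list would be needed for
    co.uk-style TLDs (simplification for the demo)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]

def check_domain(host: str) -> str:
    """Return 'known-brand', 'lookalike-of:<brand>' or 'unknown'."""
    domain = registrable_domain(host)
    if domain in KNOWN_BRANDS:
        return "known-brand"
    # Compare brand names with the folded, hyphen-split registrable label, so
    # paypa1-secure.com is tied back to paypal.com; the prefix test catches a
    # real brand domain used as a subdomain of something else.
    parts = fold_lookalikes(domain.split(".")[0]).split("-")
    for brand in sorted(KNOWN_BRANDS):
        name = brand.split(".")[0]
        if name in parts or host.lower().startswith(brand + "."):
            return f"lookalike-of:{brand}"
    return "unknown"

def check_url(url: str) -> str:
    """Apply check_domain to the host part of a hovered link."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return check_domain(parsed.hostname or "")

def check_sender(display_name: str, address: str) -> str:
    """Flag a From: header whose display name claims a brand that the address
    domain does not belong to (the page's first warning sign)."""
    verdict = check_domain(address.rsplit("@", 1)[-1])
    claimed = [b for b in KNOWN_BRANDS if b.split(".")[0] in display_name.lower()]
    if claimed and verdict != "known-brand":
        return f"display-name-mismatch:{verdict}"
    return verdict
```

A "lookalike-of" or "display-name-mismatch" result is a prompt to verify through a separate channel, not a verdict; the folding deliberately over-triggers rather than miss a swap.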

What to Do If You Clicked a Phishing Link

  1. Do not enter any information on the page if it loaded.
  2. Close the page immediately.
  3. Run a malware scan on your device.
  4. Change the password for any account the email was impersonating.
  5. Enable two-factor authentication on that account.
  6. Monitor your accounts for unusual activity.
  7. Report the phishing email to your email provider and the impersonated organization.

Protecting Yourself Long-Term

  • Use a password manager — it won't autofill credentials on a fake domain, providing a natural phishing check.
  • Enable two-factor authentication (2FA) everywhere possible — even if your password is stolen, the attacker still needs the second factor to get in.
  • Keep your email client and browser updated — both include increasingly sophisticated phishing filters.
  • Be skeptical by default — no legitimate service will ever ask for your password via email or text.

The Human Factor

Technical defenses help, but phishing fundamentally exploits human trust and urgency. The best protection is a combination of good tools and an informed, skeptical mindset. When something feels off — even slightly — pause, verify through a separate channel, and trust your instincts.