What Is Phishing?
Phishing is a type of cyberattack where criminals impersonate trustworthy organizations — banks, tech companies, government agencies — to trick you into revealing sensitive information like passwords, credit card numbers, or Social Security numbers. It's one of the most common and effective attack methods because it exploits human psychology rather than technical vulnerabilities.
Modern phishing attempts have become remarkably convincing. Spotting them requires knowing exactly what to look for.
Common Types of Phishing
- Email phishing: Mass emails disguised as legitimate companies urging you to "verify your account" or "confirm a transaction"
- Spear phishing: Targeted attacks using your personal details (name, employer, recent activity) to appear even more convincing
- Smishing: Phishing via SMS text messages, often claiming to be delivery notifications or bank alerts
- Vishing: Voice phishing via phone calls from fake "tech support" or "bank fraud departments"
- Clone phishing: Attackers clone a legitimate email you previously received and resend it with a malicious link substituted
Red Flags in Phishing Emails
Train yourself to notice these warning signs before clicking anything:
- Urgent or threatening language: "Your account will be suspended in 24 hours" or "Unusual activity detected — act now." Urgency is designed to override rational thinking.
- Mismatched sender address: The display name may say "PayPal Support", but the actual address, visible when you hover over or expand the sender, might be support@paypa1-security.net. The display name is free text the sender chooses; only the domain after the @ tells you anything, and even that can be forged unless your provider's SPF/DKIM checks passed.
- Suspicious links: Hover over any link before clicking. Does the URL match the company's real domain? Watch for subtle misspellings like arnazon.com or netfl1x.com, and for the real brand name used as a subdomain or hyphenated label of an unrelated domain. The visible link text and the actual destination are independent, so a link that reads as the correct address can still point elsewhere.
- Generic greetings: "Dear Customer" or "Dear User" instead of your actual name suggests a mass phishing campaign.
- Unexpected attachments: An unsolicited PDF, Word document, or ZIP file is a common delivery mechanism for malware.
- Requests for sensitive data: Legitimate companies never ask for your password, full credit card number, or Social Security number via email.
How to Verify a Suspicious Message
If something feels off, take these steps before clicking or responding:
- Go directly to the source: Instead of clicking the link in the email, type the company's official URL directly into your browser.
- Call the company: Use a phone number from the official website — not one provided in the suspicious message.
- Check your account directly: Log in independently to see if there's actually an alert or issue waiting for you.
- Use email header analysis: The full headers (usually under "Show original" or "View message source" in your mail client) contain the Received chain and an Authentication-Results line recording whether SPF, DKIM, and DMARC checks passed at your provider. Tools like MXToolbox can parse these for you. Read the Received entries from the bottom up, and trust only the ones added by your own provider; an attacker can prepend forged ones.
What to Do If You've Clicked a Phishing Link
Act quickly but don't panic:
- Disconnect from the internet if you downloaded a file
- Change the password for any account whose credentials you entered, and for every other account where you reused that password; if you also downloaded a file, do this from a different device you trust
- Enable 2FA on affected accounts immediately
- Run a malware scan with a trusted tool
- If financial information was entered, contact your bank right away
- Report the phishing attempt to the organization being impersonated and to your email provider
Building Long-Term Phishing Resistance
The most effective defense is a combination of awareness and tools:
- Use an email provider with strong spam and phishing filters (Gmail and Outlook both have solid built-in detection)
- Enable 2FA on all important accounts so a stolen password alone isn't enough. Where offered, prefer a hardware security key or passkey: one-time codes from SMS or an authenticator app can be relayed by a phishing site in real time, while FIDO-based methods are bound to the real domain and simply won't work on a lookalike
- Use a password manager. It autofills only on the exact domain it saved the credential for, so if it offers nothing on a login page that looks right, treat that silence as a sign you may be on a lookalike site
- Keep your browser, operating system, and document readers updated; the malicious attachments and links that phishing delivers often rely on unpatched vulnerabilities in them
Phishing succeeds because it's designed to look normal. Slow down, stay skeptical, and verify before you click.