What Is Phishing?

Phishing is a type of social engineering attack where someone impersonates a trusted entity — a bank, a tech company, a government agency, or even a colleague — to trick you into revealing sensitive information like passwords, credit card numbers, or personal identification.

The name comes from "fishing": attackers cast a wide net hoping someone takes the bait. And it works. Phishing remains one of the most common entry points for data breaches and account compromises worldwide.

Common Types of Phishing

  • Email phishing: The classic method. A fake email pretends to be from a trusted source and asks you to click a link or provide information.
  • Spear phishing: A targeted version where attackers research you specifically and craft a personalized, convincing message.
  • Smishing: Phishing via SMS text messages. Often impersonates delivery services or banks.
  • Vishing: Voice phishing — phone calls from fake "support agents" or "bank representatives."
  • Clone phishing: An attacker duplicates a legitimate email you received but replaces links with malicious ones.

How to Spot a Phishing Attempt

Train yourself to notice these red flags:

  1. Sender address doesn't match: The display name might say "PayPal" but the actual email address is something like paypal-security@mail-notify247.com. Always check the real address.
  2. Urgency and pressure: "Your account will be suspended in 24 hours!" Attackers use urgency to short-circuit your critical thinking.
  3. Suspicious links: Hover over links (without clicking) to preview the URL. If it doesn't match the claimed sender's domain, don't click it.
  4. Generic greetings: "Dear Customer" instead of your actual name can signal a mass phishing campaign.
  5. Unexpected attachments: No legitimate bank or service will ask you to open an unexpected ZIP file or executable.
  6. Grammar and spelling errors: While sophisticated attacks are well-written, many phishing emails still contain obvious errors.
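Several of these red flags can be checked mechanically, which is how mail gateways and reporting tools triage suspicious messages. The script below is an added example, not code from the original article: it parses a constructed sample email with Python's standard library and reports which of the red flags above it trips (display-name/domain mismatch, urgency wording, link text that shows one domain while the href points at another, and a generic greeting). The brand-to-domain table, the urgency patterns, and the two-label `registered_domain` shortcut are simplifying assumptions; a production checker would use a maintained allow-list and the Public Suffix List.

```python
"""Red-flag checker for a single email (added illustration, standard library only)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small brand -> legitimate sending domain table (hypothetical).
KNOWN_BRAND_DOMAINS = {"paypal": "paypal.com"}
# Assumption: a few wording patterns that signal manufactured urgency.
URGENCY_PATTERNS = [r"\b\d+\s*hours?\b", r"suspend", r"immediately", r"urgent"]
GENERIC_GREETINGS = ["dear customer", "dear user", "dear account holder"]


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (mail.paypal.com -> paypal.com).
    Simplification: real code should consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain_mismatch(from_header: str) -> bool:
    """Red flag 1: display name claims a brand, address domain is not that brand's."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return True  # missing or unparsable sender address is itself suspicious
    actual = registered_domain(address.split("@")[-1])
    return any(brand in display.lower() and actual != domain
               for brand, domain in KNOWN_BRAND_DOMAINS.items())


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str) -> list:
    """Red flag 3: link text displays one domain, href actually goes to another."""
    parser = _LinkCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
        if "." in shown and registered_domain(shown) != registered_domain(href_host):
            bad.append((text, href))
    return bad


def red_flags(raw_message: str) -> list:
    """Run the checks on a single-part HTML message and name the flags that fired."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(errors="replace")  # assumes non-multipart
    flags = []
    if sender_domain_mismatch(msg.get("From", "")):
        flags.append("sender-mismatch")
    if any(re.search(p, body, re.I) for p in URGENCY_PATTERNS):
        flags.append("urgency")
    if mismatched_links(body):
        flags.append("link-mismatch")
    if any(g in body.lower() for g in GENERIC_GREETINGS):
        flags.append("generic-greeting")
    return flags


# Constructed sample modelled on the article's example sender address.
SAMPLE_PHISH = """\
From: PayPal <paypal-security@mail-notify247.com>
To: you@example.com
Subject: Action required
Content-Type: text/html

<p>Dear Customer,</p>
<p>Your account will be suspended in 24 hours unless you
<a href="http://mail-notify247.com/login">www.paypal.com/secure</a> now.</p>
"""

# Constructed benign counterpart: same brand, consistent domains, personal greeting.
SAMPLE_LEGIT = """\
From: PayPal <service@paypal.com>
To: you@example.com
Subject: Your monthly statement
Content-Type: text/html

<p>Hello Jane,</p>
<p>Your statement is ready at <a href="https://www.paypal.com/statements">www.paypal.com</a>.</p>
"""

if __name__ == "__main__":
    print("phish :", red_flags(SAMPLE_PHISH))
    print("legit :", red_flags(SAMPLE_LEGIT))
```

Run as-is, the constructed phishing sample trips all four checks while the benign sample trips none. The checks are deliberately independent so each maps to one item in the list above; in practice a single flag such as urgency wording is weak evidence on its own, whereas a display-name/domain mismatch combined with a link whose visible text and href disagree is a strong signal worth routing to a report button or a gateway quarantine.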

What to Do If You Receive a Suspicious Message

  • Don't click links — navigate to the site directly by typing the address into your browser.
  • Don't open attachments you weren't expecting.
  • Verify independently — call the company using a number from their official website, not one in the email.
  • Report it — most email clients have a "Report phishing" button. Use it.
  • Delete the message after reporting.

If You Think You've Been Phished

Act quickly if you suspect you've fallen for a phishing attack:

  1. Change your password immediately on the affected account and any others using the same password.
  2. Enable two-factor authentication if it isn't already on.
  3. Check for unauthorized activity in your account history.
  4. Contact your bank if payment information was involved.
  5. Scan your device with reputable antivirus software if you opened an attachment.

The Best Defense Is Skepticism

No technology solution completely eliminates phishing — human judgment is the last line of defense. Develop a habit of pausing before clicking any link in an unsolicited message. Ask yourself: Was I expecting this? Does this make sense? Is there any reason to verify this another way?

A moment of skepticism can prevent hours — or weeks — of dealing with a compromised account.