What Is Phishing?
Phishing is a type of cyberattack in which criminals impersonate trusted entities — banks, government agencies, employers, or popular services — to trick individuals into revealing sensitive information such as passwords, credit card numbers, or Social Security numbers. The term comes from the analogy of "fishing" with bait to lure victims.
Phishing is not just an email problem. It occurs across nearly every digital communication channel and has become increasingly sophisticated with the help of AI-generated content and deepfake technology.
Types of Phishing Attacks
Email Phishing (Classic Phishing)
Mass emails sent to thousands of recipients, designed to look like they're from legitimate organizations. They typically contain a malicious link or attachment. The goal is to harvest credentials or install malware.
Spear Phishing
Targeted attacks directed at a specific individual or organization. The attacker researches the victim using social media and public information to craft a highly personalized and convincing message.
Whaling
A form of spear phishing aimed at high-level executives ("big fish"). These attacks often impersonate legal notices, board communications, or urgent financial requests.
Smishing (SMS Phishing)
Phishing delivered via text message. Common smishing examples include fake package delivery notifications, bank alerts, and prize-winning messages with malicious links.
Vishing (Voice Phishing)
Phone call-based phishing where attackers impersonate bank representatives, the IRS, or tech support to extract information verbally.
Clone Phishing
A legitimate email that was previously delivered is cloned with malicious links replacing the originals, then re-sent from a spoofed address claiming to be a resend or update.
How to Identify a Phishing Attempt
- Check the sender's email address carefully — scammers use domains like "paypa1.com" or "support-amazon.net"
- Hover over links before clicking to see the actual destination URL
- Look for generic greetings like "Dear Customer" instead of your name
- Be suspicious of urgency — "Your account will be closed in 24 hours"
- Watch for poor grammar and spelling, though AI has made this less reliable as a sole indicator
- Be wary of unexpected attachments, especially .exe, .zip, or .docm files
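The indicators above can be turned into a simple triage check. The following is an added example, not code from the original article: it scores an already-parsed message (sender address, body text, link text with its real destination, attachment names) against the look-alike-domain, hover-mismatch, generic-greeting, urgency and attachment indicators. The brand list, the "paypa1.com"-style digit swaps and the sample message are all constructed assumptions for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed data for this example: brands the recipient actually deals with.
KNOWN_BRANDS = {"paypal.com", "amazon.com"}
URGENCY = ("24 hours", "immediately", "account will be closed", "verify now")
RISKY_EXT = (".exe", ".zip", ".docm", ".scr")
# Digits that scammers swap in for look-alike letters (the article's "paypa1.com").
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
def registered_domain(host):
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()
def lookalike_brand(host):
    # Returns the brand a domain imitates, or None for a genuine or unrelated domain.
    dom = registered_domain(host)
    if dom in KNOWN_BRANDS:
        return None
    for brand in KNOWN_BRANDS:
        name = brand.split(".")[0]
        # digit-for-letter swap (paypa1.com) or brand name buried in a label (support-amazon.net)
        if dom.translate(HOMOGLYPHS) == brand or name in dom.replace(".", "-").split("-"):
            return brand
    return None
def score_message(msg):
    # Scores a parsed message against the indicators listed above; returns (score, reasons).
    reasons = []
    sender = msg["from"].rsplit("@", 1)[-1]
    if lookalike_brand(sender):
        reasons.append(f"sender domain {sender} imitates {lookalike_brand(sender)}")
    for text, href in msg.get("links", []):
        host = urlparse(href).hostname or ""
        shown = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
        # "Hover before clicking": the displayed domain and the real destination should agree
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            reasons.append(f"link shows {shown.group(1)} but goes to {host}")
        elif lookalike_brand(host):
            reasons.append(f"link destination {host} imitates {lookalike_brand(host)}")
    body = msg.get("body", "").lower()
    if re.match(r"\s*dear (customer|user|member)", body):
        reasons.append("generic greeting")
    if any(phrase in body for phrase in URGENCY):
        reasons.append("urgency language")
    for name in msg.get("attachments", []):
        if name.lower().endswith(RISKY_EXT):
            reasons.append(f"risky attachment {name}")
    return len(reasons), reasons
SAMPLE = {  # constructed phishing-style message, not from the article
    "from": "service@paypa1.com",
    "body": "Dear Customer, your account will be closed in 24 hours. Verify now.",
    "links": [("www.paypal.com/secure", "http://paypa1.com/login"), ("Help", "http://support-amazon.net/a")],
    "attachments": ["invoice.docm"],
}
```

A score of several hits is a strong signal to go to the official site directly instead of using anything in the message; a single hit (for example urgency alone) is only a prompt to look closer.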
What Happens If You Click a Phishing Link?
The consequences can range from credential theft (you entered your password on a fake login page) to malware installation (malicious code is silently downloaded to your device). If you realize you've clicked a suspicious link:
- Disconnect from the internet immediately
- Run a full antivirus/malware scan
- Change any passwords that may have been compromised
- Enable multi-factor authentication on all important accounts
- Monitor your bank and credit accounts for suspicious activity
- Report the phishing attempt to the Anti-Phishing Working Group at reportphishing@apwg.org and to your email provider
Defending Against Phishing
- Use a reputable email provider with built-in phishing filters
- Enable multi-factor authentication (MFA) on all accounts
- Use a password manager to avoid entering credentials on fake sites
- Keep software and browsers updated to patch known vulnerabilities
- Educate family members and colleagues — phishing exploits human behavior, not just technology
No security tool replaces a skeptical, informed user. When in doubt, go directly to the official website rather than clicking any link.