What Is a Phishing Attack?

Phishing is a type of cyberattack where an attacker impersonates a trusted entity — a bank, a tech company, a colleague, or a government agency — to trick you into revealing sensitive information or taking a harmful action. That action might be entering your password on a fake login page, clicking a link that installs malware, or transferring money to a fraudulent account.

Phishing is persistently effective because it exploits human psychology rather than technical vulnerabilities. No software patch can fix the tendency to trust something that looks official.

Common Types of Phishing

Email Phishing

The most common form. You receive an email that appears to come from a legitimate source (PayPal, your bank, Microsoft, Amazon) warning of an account problem and urging you to "click here to verify." The link leads to a convincing fake website designed to capture your credentials.

Spear Phishing

Targeted attacks that use personal details about you — your name, employer, role, or recent activity — to create a highly convincing message. These are harder to detect and often used against specific individuals or organizations.

Smishing (SMS Phishing)

Phishing delivered via text message. Common examples: fake package delivery notifications, bank fraud alerts, or messages claiming you've won a prize.

Vishing (Voice Phishing)

Phone calls where an attacker poses as tech support, a bank representative, or a government official. They create urgency ("your account has been compromised") to get you to act without thinking.

Clone Phishing

An attacker takes a legitimate email you received previously and creates a near-identical copy with a malicious link or attachment in place of the original.

Red Flags to Watch For

  • Urgency and pressure: "Act now or your account will be closed." Legitimate organizations rarely demand immediate action via email.
  • Suspicious sender address: The display name might say "PayPal" but the actual email address is something like support@paypa1-secure.com.
  • Mismatched or strange URLs: Hover over links before clicking. If the URL doesn't match the supposed sender's domain, don't click it.
  • Poor grammar and spelling: A tell-tale sign of many phishing attempts, though sophisticated attackers have improved significantly.
  • Unexpected attachments: Never open attachments you weren't expecting, especially .exe, .zip, or macro-enabled Office files.
  • Requests for sensitive information: No legitimate company will ask for your password, full credit card number, or Social Security number via email.
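
The sender-address and URL red flags above can be checked mechanically. The following is an added example (not part of the original article) that parses a From: header and the links in a message body, flags a display name that claims a known brand while the actual address is elsewhere, spots digit-for-letter lookalikes such as the `paypa1-secure.com` case above, and flags links whose domain does not match the claimed sender. The brand list and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands and the domains they legitimately send from. Constructed for this
# example; a real deployment would keep a curated, larger list.
KNOWN_BRANDS = {"paypal": {"paypal.com"}, "microsoft": {"microsoft.com"}}

# Digits that are commonly substituted for similar-looking letters.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

def registered_domain(host):
    """Last two labels of a hostname (naive: ignores the public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def normalize(label):
    """Undo digit-for-letter swaps and hyphens so lookalikes compare equal."""
    return label.lower().translate(HOMOGLYPHS).replace("-", "")

def brand_claimed(display_name):
    """Return the known brand the display name claims to be, or None."""
    for brand in KNOWN_BRANDS:
        if brand in display_name.lower():
            return brand
    return None

def check_message(from_header, links):
    """Return the red flags found in a From: header and the links in the body."""
    flags = []
    display, addr = parseaddr(from_header)
    sender_dom = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    brand = brand_claimed(display)
    if brand and sender_dom not in KNOWN_BRANDS[brand]:
        flags.append(f"display name claims {brand!r} but sender is {sender_dom!r}")
        if brand in normalize(sender_dom):  # e.g. paypa1-secure.com -> paypalsecure.com
            flags.append(f"sender domain {sender_dom!r} is a lookalike of {brand!r}")
    for link in links:
        link_dom = registered_domain(urlparse(link).hostname or "")
        if brand and link_dom not in KNOWN_BRANDS[brand]:
            flags.append(f"link {link} goes to {link_dom!r}, not a {brand} domain")
        elif not brand and sender_dom and link_dom != sender_dom:
            flags.append(f"link {link} goes to {link_dom!r}, not sender domain {sender_dom!r}")
    return flags

if __name__ == "__main__":
    # Constructed sample: the page's own example of a lookalike sender.
    for flag in check_message('"PayPal" <support@paypa1-secure.com>',
                              ["https://paypa1-secure.com/verify"]):
        print("RED FLAG:", flag)
```

Heuristics like these complement, rather than replace, the manual habit of hovering over a link and reading the real address; a clean result only means none of these particular signs was present.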

What to Do If You Receive a Suspicious Message

  1. Don't click any links — not even "unsubscribe" links in suspicious emails.
  2. Don't download attachments.
  3. Verify independently — if it claims to be from your bank, call the number on the back of your card or navigate directly to their official website.
  4. Report it — most email clients have a "Report phishing" option. Forward suspicious emails to the organization being impersonated if they have a reporting address.
  5. Delete the message.

What to Do If You've Already Clicked

  • If you entered credentials: change your password immediately on the real site and on any other site where you use the same password.
  • Enable two-factor authentication (2FA) on affected accounts right away.
  • If you downloaded something: run a full antivirus/malware scan and consider contacting your IT department if this happened on a work device.
  • If financial information was shared: contact your bank or card issuer immediately.

Your Best Defense: Layered Protection

No single tool stops all phishing. Your strongest defense combines awareness (knowing the signs), technical controls (email spam filters, browser warnings, antivirus software), and good habits (using a password manager so fake sites can't autofill, enabling 2FA everywhere it's offered). When in doubt, the safest action is always to verify through a channel you trust before taking any action at all.