What Is a Phishing Attack?

Phishing is a form of social engineering where an attacker impersonates a trusted entity — a bank, a tech company, a colleague, or a government agency — to trick you into revealing sensitive information or taking a harmful action. The "bait" is typically a deceptive email, text message, or fake website designed to look legitimate.

Despite being one of the oldest tricks in the cybercriminal playbook, phishing remains highly effective because it exploits human psychology rather than technical vulnerabilities.

Common Types of Phishing

  • Email phishing: Mass-sent emails impersonating well-known brands, urging you to click a link or provide credentials.
  • Spear phishing: Highly targeted attacks tailored to a specific individual, using personal details to appear credible.
  • Smishing: Phishing delivered via SMS text messages, often with urgent-sounding links.
  • Vishing: Voice phishing — attackers call you posing as tech support, banks, or government officials.
  • Business Email Compromise (BEC): Attackers impersonate executives or vendors to authorize fraudulent wire transfers or data handovers.

Red Flags to Look For

Most phishing attempts share common warning signs. Train yourself to spot them:

  1. Urgency or threats: "Your account will be suspended in 24 hours!" Pressure tactics are designed to bypass your critical thinking.
  2. Suspicious sender addresses: The display name may look correct, but the actual email address is from a strange domain (e.g., support@amaz0n-help.net).
  3. Mismatched or suspicious links: Hover over any link before clicking. If the URL doesn't match the supposed sender's domain, don't click.
  4. Generic greetings: "Dear Customer" instead of your name can indicate a mass phishing campaign.
  5. Requests for sensitive information: Legitimate organizations rarely ask for passwords, full credit card numbers, or Social Security numbers via email.
  6. Poor spelling and grammar: Though sophisticated attacks are increasingly polished, many still contain language errors.
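The sender-address and link checks in red flags 2 and 3 can be automated on the receiving side. The following Python script is an added example, not part of the original article: it parses a single raw email, compares the brand named in the From display name against the real address domain (undoing digit-for-letter swaps such as amaz0n), compares each link's visible text with the host its href actually points to, and also scores the urgency and generic-greeting signals. The sample message, the BRAND_DOMAINS allow-list and the phrase lists are constructed for the demo; the registrable_domain() helper is a crude last-two-labels approximation that a real filter would replace with a public-suffix-list lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email) that shows several of the red flags above.
SAMPLE_EMAIL = """\
From: "Amazon Customer Support" <support@amaz0n-help.net>
To: customer@example.com
Subject: Your account will be suspended in 24 hours!
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>Confirm your details at <a href="http://amazon.com.account-verify.example/login">https://www.amazon.com/account</a>
to avoid suspension.</p>
</body></html>
"""

# Assumed allow-list: brand keyword seen in display names -> the domain that brand really uses.
# A real deployment would load this from the organisation's own vendor list.
BRAND_DOMAINS = {"amazon": "amazon.com"}

URGENCY_PHRASES = ("suspended", "within 24 hours", "immediately", "act now", "urgent")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear valued member")

# Digits commonly swapped for letters in lookalike domains (0->o, 1->l, 3->e, 5->s).
HOMOGLYPHS = str.maketrans("0135", "oles")


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None


def registrable_domain(host):
    """Last two labels of a hostname (amazon.com.evil.example -> evil.example).
    Crude stand-in for a public-suffix-list lookup, which a production tool should use."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(brand, domain):
    """True when the domain contains the brand name once digit-for-letter swaps are undone
    (amaz0n-help.net -> amazon-help.net), i.e. it imitates the brand without being it."""
    return brand in domain.lower().translate(HOMOGLYPHS)


def analyse(raw_message):
    """Return a list of (flag, detail) tuples for the red flags found in one raw message."""
    msg = message_from_string(raw_message)
    findings = []

    # Red flag 1: urgency or threats in the subject line.
    subject = (msg["Subject"] or "").lower()
    if any(p in subject for p in URGENCY_PHRASES):
        findings.append(("urgency", subject))

    # Red flag 2: display name claims a brand, but the address is on a different domain.
    display_name, address = parseaddr(msg["From"] or "")
    sender_domain = address.rsplit("@", 1)[-1].lower()
    for brand, real_domain in BRAND_DOMAINS.items():
        if brand in display_name.lower() and registrable_domain(sender_domain) != real_domain:
            kind = "lookalike_sender" if is_lookalike(brand, sender_domain) else "sender_mismatch"
            findings.append((kind, f"{display_name} <{address}>"))

    # Red flag 3: the link text shows one host, but the href goes to another.
    body = msg.get_payload()
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        actual = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and "." in shown and registrable_domain(shown) != registrable_domain(actual):
            findings.append(("link_mismatch", f"text says {shown}, href goes to {actual}"))

    # Red flag 4: generic greeting instead of the recipient's name.
    text_only = re.sub(r"<[^>]+>", " ", body).lower()
    if any(g in text_only for g in GENERIC_GREETINGS):
        findings.append(("generic_greeting", ""))

    return findings


def flags(raw_message):
    """Just the flag names, in the order they were found."""
    return [kind for kind, _ in analyse(raw_message)]


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_EMAIL):
        print(f"[{kind}] {detail}")
```

Run against the constructed sample, the script reports urgency, a lookalike sender, a link whose text and href disagree, and a generic greeting. The registrable-domain comparison is the same kind of check a browser or password manager applies when deciding whether a site is really the one it claims to be, which is why exact domain matching, not visual similarity, is the right basis for the decision.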

What to Do If You Suspect a Phishing Attempt

If something feels off, trust your instincts and take these steps:

  • Don't click links or download attachments from the suspicious message.
  • Verify independently: If the message claims to be from your bank, go directly to the bank's official website by typing the URL manually — don't use any links in the message.
  • Report it: Forward phishing emails to your organization's IT team or report them to your email provider.
  • Delete the message after reporting.

Proactive Protections to Put in Place

Beyond recognizing individual attacks, build these habits and defenses:

  • Enable multi-factor authentication (MFA) on all important accounts. Even if your password is phished, MFA adds a critical second barrier.
  • Use a password manager — it won't autofill credentials on a fake lookalike site, providing a built-in safety check.
  • Keep software and browsers updated so known security vulnerabilities are patched.
  • Use email security tools — most modern email providers have spam and phishing filters, but dedicated tools offer additional layers.

Phishing succeeds when people act quickly and without scrutiny. Slowing down, questioning unexpected requests, and verifying before you click are your best defenses.