What Is a Phishing Attack?
Phishing is a form of social engineering where an attacker impersonates a trusted entity — a bank, tech company, government agency, or even a colleague — to trick you into revealing sensitive information or performing an action that benefits them. The name comes from "fishing": casting a lure and waiting for someone to bite.
Despite being one of the oldest tricks in cybercrime, phishing continues to be devastatingly effective because it targets human psychology rather than software vulnerabilities.
The Main Types of Phishing
| Type | Target | Delivery Method |
|---|---|---|
| Email Phishing | Anyone | Mass email campaigns |
| Spear Phishing | Specific individuals | Personalized emails using gathered info |
| Whaling | Executives (CEOs, CFOs) | Highly targeted, impersonates authority |
| Smishing | Mobile users | SMS / text messages |
| Vishing | Anyone | Phone calls |
| Clone Phishing | Email recipients | Duplicated legitimate emails with malicious links |
How Attackers Build a Convincing Phish
Modern phishing emails are surprisingly polished. Here's what attackers do to make them believable:
- Spoofed sender addresses — The display name says "PayPal Support" but the actual address is something like support@paypa1-secure.com
- Cloned branding — Logos, color schemes, and footer text copied from real company websites
- Urgency and fear — "Your account will be suspended in 24 hours" or "Unusual sign-in detected"
- Legitimate-looking links — URLs that appear correct but redirect through shorteners or use typosquatted domains
- Malicious attachments — PDFs, Word docs, or ZIP files containing malware or macros
Red Flags to Watch For
In Emails
- Generic greeting ("Dear Customer") instead of your name
- Unexpected urgency or threats
- Requests for passwords, payment details, or personal info
- Mismatched or suspicious sender domain
- Grammar or spelling errors (less common in advanced attacks now)
- Hover over links — does the URL match where it claims to go?
On Websites
- No HTTPS padlock (though HTTPS alone doesn't guarantee legitimacy)
- Slightly misspelled domain names (e.g., arnazon.com instead of amazon.com)
- Login pages asking for more information than usual
- Pop-ups requesting credentials or payment information
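The sender and link red flags described above (a display name that does not match the sender's domain, typosquatted domains such as paypa1-secure.com or arnazon.com, link text that points somewhere else, and urgency wording) can be checked mechanically on the receiving side. The following Python script is an added example and not part of the original article: it parses one raw email, runs those checks, and returns a list of findings. The KNOWN_BRANDS allow-list, the CONFUSABLES substitutions, the urgency phrase list and the SAMPLE message are all constructed for the example, and registered_domain is a deliberately crude heuristic (it does not handle public suffixes like co.uk).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list for this example: brand names that may appear in a
# display name, mapped to the registered domains they legitimately send from.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
}

# Character swaps commonly used in typosquatted domains (paypa1, arnazon, ...).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s")]

# Constructed list of pressure phrases from the "urgency and fear" red flag.
URGENCY = re.compile(
    r"\b(suspended|within 24 hours|unusual sign-in|verify (?:your )?account)\b", re.I
)
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registered_domain(host):
    """Crude registrable domain: the last two labels (ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize_label(label):
    """Undo the confusable substitutions so paypa1-secure compares as paypal-secure."""
    label = label.lower()
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label


def lookalike_brand(host):
    """Return the brand a host appears to imitate, or None if it is a real brand domain."""
    reg = registered_domain(host)
    if any(reg in legit for legit in KNOWN_BRANDS.values()):
        return None
    name = normalize_label(reg.split(".")[0]).replace("-", "")
    return next((b for b in KNOWN_BRANDS if b in name), None)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def link_mismatch(href, text):
    """True when the visible text names a host that differs from where the href really goes."""
    shown = HOST_IN_TEXT.search(text)
    if not shown:
        return False
    return registered_domain(shown.group(1)) != registered_domain(urlparse(href).hostname or "")


def analyze(raw_message):
    """Run the red-flag checks over one raw email and return a list of findings."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # Display name claims a brand whose real domain does not match the sender.
    for brand, legit in KNOWN_BRANDS.items():
        if brand in display.lower() and registered_domain(sender_host) not in legit:
            findings.append(f"display name claims {brand} but sender domain is {sender_host}")
    if lookalike_brand(sender_host):
        findings.append(f"sender domain {sender_host} looks like {lookalike_brand(sender_host)}")
    body = msg.get_payload()  # single-part text/html body in this example
    for href, text in extract_links(body):
        host = urlparse(href).hostname or ""
        if link_mismatch(href, text):
            findings.append(f"link text '{text}' actually points to {host}")
        if lookalike_brand(host):
            findings.append(f"link host {host} looks like {lookalike_brand(host)}")
    urgent = URGENCY.search(body)
    if urgent:
        findings.append(f"urgency language: '{urgent.group(0)}'")
    return findings


# Constructed sample message exhibiting the red flags listed in the article.
SAMPLE = """\
From: PayPal Support <support@paypa1-secure.com>
To: someone@example.com
Subject: Action required
Content-Type: text/html

<html><body>
<p>Unusual sign-in detected. Your account will be suspended in 24 hours.</p>
<p>Sign in at <a href="http://www.paypa1-secure.com/signin">https://www.paypal.com/signin</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("FLAG:", finding)
```

Running the script on SAMPLE produces five findings: the display name/domain mismatch, the lookalike sender domain, the link whose text shows paypal.com but whose href goes to paypa1-secure.com, the lookalike link host, and the urgency phrase. The confusable normalization is what lets arnazon.com be recognised as an amazon imitation; a production filter would pair it with a maintained brand list, proper public-suffix handling and authentication results (SPF/DKIM/DMARC) rather than these constructed tables.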
What to Do If You Receive a Suspicious Message
- Don't click any links — navigate directly to the website by typing the URL manually
- Don't open attachments unless you were expecting them from a verified sender
- Verify through a separate channel — call the company using a number from their official website, not the one in the email
- Report it — forward phishing emails to reportphishing@apwg.org or your IT department
- Delete it
What to Do If You've Already Clicked
Don't panic — act quickly. Change your password immediately on the affected account, enable two-factor authentication, check for any unauthorized activity, and run a malware scan on your device. If financial information was involved, contact your bank or card provider right away.
Phishing attacks succeed because they're designed to. The best defense is slowing down, staying skeptical, and verifying before you act.