What Is Phishing? The Internet's Oldest (and Best) Trick
Phishing is a social engineering attack where an attacker impersonates a trusted entity (your bank, employer, a popular service) through email, text message, or fake websites to trick you into revealing sensitive information like passwords, credit card numbers, or personal data. Despite decades of awareness campaigns, phishing remains the most successful cyberattack vector because it targets human psychology rather than technical vulnerabilities. Over 90% of data breaches begin with a phishing email.
Types of Phishing
Email phishing: The classic. You receive an email that looks like it’s from your bank/PayPal/Netflix/Amazon saying there’s a problem with your account and you need to “verify” your information. The link goes to a convincing replica of the real website.
Spear phishing: Targeted phishing. Instead of blasting millions of generic emails, the attacker researches you specifically. They might reference your actual employer, recent transactions, or colleagues by name.
Whaling: Spear phishing targeting executives. Higher effort, but a compromised CEO email account can authorize wire transfers and access sensitive corporate data.
Smishing: Phishing via SMS text messages. “Your package couldn’t be delivered. Update your address here.” The link leads to a credential harvesting page.
Vishing: Phishing via phone call. Caller claims to be from tech support, the IRS, your bank, or law enforcement.
Clone phishing: The attacker takes a legitimate email you actually received, recreates it with a malicious link replacing the real one, and resends it claiming to be an “updated version.”
How to Spot Phishing
Look for these red flags:
- Urgency: “Your account will be suspended in 24 hours!” Legitimate organizations don’t threaten you via email
- Generic greeting: “Dear Customer” instead of your name
- Suspicious domain: paypa1.com instead of paypal.com (look carefully)
- Mismatched URLs: Hover over links before clicking. Does the text say “paypal.com” but the URL goes to login-security-paypal.sketchy-domain.com?
- Poor grammar: Legitimate companies proofread their emails
- Unexpected attachments: Especially .exe, .zip, .doc with macros
- Free email sender: Real companies don’t send from @gmail.com
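As an added example (not part of the original article), here is a small Python checker for three of the red flags above: a lookalike domain, link text that does not match the real target, and a sender on a free webmail domain. The brand table, the free-mail list and the registrable-domain logic are constructed, simplified assumptions for illustration.

```python
from urllib.parse import urlparse

# Constructed sample data for this example: brands we expect in links and
# free webmail domains a real company would not send from.
KNOWN_BRANDS = {"paypal": "paypal.com"}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}

def registrable_domain(host: str) -> str:
    """Last two labels of a host. Simplified: production code should use the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def normalize(domain: str) -> str:
    """Undo common lookalike substitutions (1 for l, 0 for o, rn for m)."""
    return domain.replace("1", "l").replace("0", "o").replace("rn", "m")

def shown_host(text: str) -> str:
    """Host named by a link's visible text, or '' if the text is not a URL."""
    t = text.strip().lower()
    if "://" in t:
        return urlparse(t).hostname or ""
    return t.split("/")[0] if "." in t and " " not in t else ""

def check_link(display_text: str, href: str) -> list[str]:
    """Red flags for one link: mismatched text/target, lookalike domain,
    or a real brand name hiding in the subdomain of an unrelated domain."""
    flags = []
    host = (urlparse(href).hostname or "").lower()
    reg = registrable_domain(host)
    shown = shown_host(display_text)
    if shown and registrable_domain(shown) != reg:
        flags.append(f"mismatched URL: text says {shown}, link goes to {host}")
    for brand, real in KNOWN_BRANDS.items():
        if reg == real:
            continue  # genuine domain, nothing to flag
        if normalize(reg) == real:
            flags.append(f"lookalike domain: {reg} imitates {real}")
        elif brand in host:
            flags.append(f"brand in subdomain: {host} is not {real}")
    return flags

def check_sender(address: str) -> list[str]:
    """Flag a sender whose address is on a free webmail provider."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(">")
    return [f"free email sender: {domain}"] if domain in FREE_MAIL else []
```

Run `check_link("paypal.com", "https://paypa1.com/verify")` to see both the mismatch and the lookalike flag raised for the example in the list above.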
What to Do If You’re Phished
- Change your passwords immediately, starting with the compromised account
- Enable MFA on all important accounts (this prevents further access even with stolen passwords)
- Contact your bank if financial information was exposed
- Scan for malware if you downloaded anything
- Report the phishing to the impersonated company and to your email provider