What Is Phishing?
Phishing is a form of social engineering where attackers impersonate trustworthy entities — banks, tech companies, government agencies, or even colleagues — to trick you into revealing sensitive information such as passwords, credit card numbers, or Social Security numbers, or into taking an action for them, such as opening a malicious attachment. Despite being one of the oldest cyber threats, phishing remains one of the most effective, because it targets human psychology rather than technical vulnerabilities.
Types of Phishing Attacks
- Email phishing: Mass-sent emails impersonating well-known brands, warning of account issues, package deliveries, or prize winnings — with a link to a fake login page.
- Spear phishing: Highly targeted attacks personalized with your name, employer, or recent activity to appear more credible.
- Smishing: Phishing delivered via SMS text message, often with a link to a fake website.
- Vishing: Voice phishing — a caller impersonates tech support, a bank, or a government agency to extract information over the phone.
- Clone phishing: A legitimate email you previously received is duplicated with malicious links or attachments substituted for the originals.
Red Flags: How to Spot a Phishing Attempt
1. Urgency and Threats
Phishing messages create pressure: "Your account will be suspended in 24 hours!", "Unauthorized access detected — act now!". Legitimate organizations don't typically force you to act in a panic.
2. Mismatched or Suspicious Links
Hover your mouse over any link (without clicking) to preview the actual URL; on a phone, long-press the link instead. The part that matters is the registrable domain, the name immediately before the .com or .org: everything to the left of it is a subdomain the owner of that domain controls, so "paypal.com" appearing somewhere in a link proves nothing on its own. Watch for:
- Misspelled domains: paypa1.com (the digit 1 in place of the letter l), arnazon.com ("rn" in place of "m")
- Lookalike domains with extra words: secure-login.bank-of-america-alerts.com, where the real domain is bank-of-america-alerts.com, not bankofamerica.com
- A plain http:// link to a page that asks you to log in. The reverse is not a safe signal: most phishing sites now use HTTPS, so a padlock only means the connection is encrypted, not that the site is genuine
- Shortened URLs (bit.ly and similar) that obscure the real destination
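To make those link checks concrete, here is an added Python example (not part of the original article) that pulls every link out of a constructed HTML message and applies them: plain HTTP, URL shorteners, visible link text that names a different site than the real destination, and a brand name inside a domain the brand does not own, including the digit-for-letter and "rn"-for-"m" swaps. The trusted-domain list, the shortener list and the sample email are assumptions made up for the example, and the registrable-domain helper deliberately ignores multi-part suffixes such as co.uk.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for this example: the brands this inbox owner deals with and
# the registrable domain each one really uses. A real deployment keeps its own list.
TRUSTED_DOMAINS = {
    "paypal": "paypal.com",
    "amazon": "amazon.com",
    "bankofamerica": "bankofamerica.com",
}

# Well-known shorteners; any link through one hides its final destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}

# Substitutions attackers use because the characters look alike in many fonts.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Naive anchor-tag extractor; adequate for the constructed sample below, not for real HTML.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def normalize(host: str) -> str:
    """Undo confusable substitutions so paypa1 reads as paypal and arnazon as amazon."""
    out = host.lower()
    for bad, good in CONFUSABLES.items():
        out = out.replace(bad, good)
    return out


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Simplification: ignores suffixes like co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_link(href: str, display_text: str = "") -> list:
    """Return the red flags for one link; an empty list means nothing suspicious was found."""
    flags = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    reg = registrable_domain(host)

    if url.scheme == "http":
        flags.append("plain HTTP (a login page should use HTTPS)")
    if reg in SHORTENERS:
        flags.append("URL shortener hides the real destination")

    # If the visible text looks like a URL, it must point where it claims to.
    shown = urlparse(display_text.strip()).hostname if "://" in display_text else None
    if shown and registrable_domain(shown) != reg:
        flags.append(f"link text shows {shown} but the link points to {host}")

    # A brand name anywhere in a domain the brand does not own is the classic lookalike.
    if reg not in TRUSTED_DOMAINS.values():
        compact = normalize(host).replace("-", "").replace(".", "")
        for brand, trusted in TRUSTED_DOMAINS.items():
            if brand in compact:
                flags.append(f"brand '{brand}' in untrusted domain {reg} (real domain is {trusted})")
    return flags


def scan_email(html: str) -> dict:
    """Map every href in an HTML message body to its list of red flags."""
    return {href: analyze_link(href, text) for href, text in ANCHOR_RE.findall(html)}


# Constructed sample message (not a real phishing email) that trips each check above.
SAMPLE_EMAIL = """<p>Dear Customer, unusual activity was detected on your account.</p>
<a href="http://paypa1.com/login">Verify your PayPal account</a>
<a href="https://secure-login.bank-of-america-alerts.com/">Review alert</a>
<a href="https://arnazon.com/orders">https://www.amazon.com/orders</a>
<a href="https://bit.ly/3abc">Track your package</a>
<a href="https://www.paypal.com/help">PayPal Help Center</a>"""

if __name__ == "__main__":
    for href, flags in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", flags or "no flags")
```

Only the last link comes back clean, because its registrable domain is exactly the one on the allow-list; every other link is flagged for at least one of the reasons in the list above. Note that normalize() is applied only to the suspect host, so a genuine domain is never rewritten into a false match.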
3. Generic Greetings
Messages starting with "Dear Customer" or "Dear User" rather than your actual name are often mass-phishing attempts. Legitimate services usually address you by name. The reverse does not hold, though: spear phishers pull your name and employer from social media and breached data, so a personalized greeting is not evidence that a message is genuine.
4. Unexpected Attachments
An unsolicited attachment — especially a .zip, .exe, .docm (macro-enabled Office document), or .pdf file — is a major warning sign. Opening it may silently install malware. An Office document that asks you to click "Enable Content" or "Enable Editing" before it will display is a particularly common lure; close it instead.
5. Requests for Sensitive Information
No legitimate bank, government agency, or tech company will ask you to confirm a password, PIN, or full Social Security number via email or a pop-up form.
How to Protect Yourself from Phishing
- Go directly to websites: Never click links in emails to access banking or important accounts. Type the URL directly into your browser or use a saved bookmark.
- Enable multi-factor authentication (MFA): Even if your password is stolen via phishing, the attacker still needs the second factor. Prefer phishing-resistant MFA (a FIDO2 security key or a passkey) wherever it is offered: it is bound to the real site's domain, so it cannot be used on a lookalike page. One-time codes and push approvals still raise the bar, but an attacker who proxies the real login page in real time can relay a code before it expires, and a flood of push prompts can wear a user into approving one.
- Use a browser with phishing protection: Modern browsers flag known phishing sites. Keep your browser updated.
- Install security software with anti-phishing features: Many antivirus suites scan URLs in real time and block access to known malicious sites.
- Verify unexpected requests independently: If your "bank" emails you about suspicious activity, call the number on the back of your card — not any number in the email.
- Train your skepticism: When something feels off, trust that instinct. Take a moment before clicking anything.
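The MFA advice above turns on one distinction: a one-time code can be relayed, a passkey cannot. The following Python simulation is an added illustration of that point, not code from the original article. It models a bank at a hypothetical origin, the victim's browser with a TOTP app and a passkey, and an attacker proxy on a lookalike domain that relays the login in real time. The two origins, the TOTP time step and the use of HMAC in place of the authenticator's public-key signature are assumptions made for the example; the HOTP routine follows RFC 4226.

```python
import hashlib
import hmac
import secrets
import struct
from urllib.parse import urlparse

# Constructed scenario: the real bank, the victim's browser with its TOTP app and
# passkey authenticator, and an attacker proxy on a lookalike domain relaying the login
# in real time. Both origins are hypothetical; HMAC stands in for a real signature.
REAL_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.com"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; a TOTP code is hotp(secret, unix_time // 30)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _signed_data(client_data: dict) -> bytes:
    # What the authenticator signs: the challenge AND the origin the browser saw.
    return client_data["challenge"] + client_data["origin"].encode()

class BankSite:
    """Relying party: holds the user's TOTP secret and the registered passkey."""

    def __init__(self):
        self.origin = REAL_ORIGIN
        self.rp_id = urlparse(REAL_ORIGIN).hostname
        self.totp_secret = secrets.token_bytes(20)
        self.passkeys = {}      # credential id -> key (stand-in for a public key)
        self.pending = set()    # challenges issued and not yet consumed

    def login_totp(self, code: str, time_step: int) -> bool:
        # A code is just six digits: whoever reads it can replay it within the window.
        return hmac.compare_digest(code, hotp(self.totp_secret, time_step))

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.pending.add(c)
        return c

    def login_passkey(self, cred_id: bytes, client_data: dict, sig: bytes) -> bool:
        # Origin binding is the phishing-resistant part: a signature made on any other
        # origin, even over a genuine challenge, is rejected here.
        if client_data["challenge"] not in self.pending or client_data["origin"] != self.origin:
            return False
        key = self.passkeys.get(cred_id)
        if key is None:
            return False
        expected = hmac.new(key, _signed_data(client_data), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.pending.discard(client_data["challenge"])
        return True

class Browser:
    """Victim's browser plus authenticator; passkeys are scoped to a relying-party ID."""

    def __init__(self, site: BankSite):
        self.totp_secret = site.totp_secret     # the TOTP app's copy of the shared secret
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.credentials = {site.rp_id: (cred_id, key)}   # passkey enrolled with the bank
        site.passkeys[cred_id] = key

    def webauthn_get(self, page_origin: str, rp_id: str, challenge: bytes):
        host = urlparse(page_origin).hostname
        # A browser only honours an rp_id equal to the page's host or a parent of it,
        # so a lookalike page cannot even ask for the bank's credential.
        if not (host == rp_id or host.endswith("." + rp_id)) or rp_id not in self.credentials:
            return None
        cred_id, key = self.credentials[rp_id]
        client_data = {"challenge": challenge, "origin": page_origin}
        return cred_id, client_data, hmac.new(key, _signed_data(client_data), hashlib.sha256).digest()

def legitimate_passkey_login(site: BankSite, browser: Browser) -> bool:
    return site.login_passkey(*browser.webauthn_get(REAL_ORIGIN, site.rp_id, site.challenge()))

def totp_relay_attack(site: BankSite, browser: Browser, time_step: int = 54321) -> bool:
    """Victim types the current code into the lookalike page; the proxy forwards it."""
    code_typed_by_victim = hotp(browser.totp_secret, time_step)
    return site.login_totp(code_typed_by_victim, time_step)

def passkey_relay_attack(site: BankSite, browser: Browser) -> bool:
    """Proxy relays the bank's real challenge to the victim on the lookalike origin."""
    challenge = site.challenge()
    for rp_id in (site.rp_id, urlparse(PHISH_ORIGIN).hostname):
        result = browser.webauthn_get(PHISH_ORIGIN, rp_id, challenge)
        if result is not None and site.login_passkey(*result):
            return True
    return False

if __name__ == "__main__":
    site = BankSite()
    browser = Browser(site)
    print("passkey on the real site:", legitimate_passkey_login(site, browser))  # True
    print("TOTP relayed by proxy:   ", totp_relay_attack(site, browser))          # True
    print("passkey relayed by proxy:", passkey_relay_attack(site, browser))       # False
```

Two independent layers stop the relayed passkey login: the browser refuses to use a credential whose relying-party ID does not match the page's host, and even if a signature were produced on the lookalike page, the bank rejects it because the signed origin is not its own. The relayed TOTP code has no such binding, which is why real-time proxy phishing kits defeat it.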
What to Do If You've Been Phished
If you suspect you've clicked a phishing link or entered credentials on a fake site:
- Change your password on the affected account immediately, from a device you trust, and on any other account where you reused it; sign out all other sessions if the service offers that option
- Enable MFA if it wasn't already active
- Check account activity for unauthorized actions
- Scan your device for malware, especially if you opened an attachment
- Alert your bank if financial information was involved
- Report the phishing email to your email provider and the impersonated organization; if it reached a work account, report it to your IT or security team as well
The Human Firewall
The most powerful defense against phishing is an informed, skeptical user. Technical tools help, but no filter catches everything. Taking a few seconds to question an unexpected message before clicking could save you from serious harm.