What Is a Phishing Attack?

Phishing is a type of social engineering attack in which a malicious actor impersonates a trusted entity — a bank, a tech company, a colleague — to trick you into revealing sensitive information or clicking a dangerous link. The name is a play on "fishing": attackers cast a wide net and wait for someone to take the bait.

Despite being one of the oldest tricks on the internet, phishing remains remarkably effective because it exploits human psychology rather than technical vulnerabilities. No software patch can fix that.

The Anatomy of a Phishing Email

A well-crafted phishing email typically contains several calculated elements:

  • A spoofed sender address: The display name looks legitimate (e.g., "PayPal Support") but the actual email domain is slightly off — like paypa1.com or support-paypal.net.
  • A sense of urgency: "Your account has been suspended." "Unusual activity detected." "Respond within 24 hours." Urgency short-circuits rational thinking.
  • A convincing imitation: Logos, fonts, and layouts are often copied directly from real companies.
  • A deceptive link: The link text might say www.amazon.com but hovering over it reveals a completely different URL.
  • A request for credentials or payment: The goal is always to get you to enter information or transfer money.

Types of Phishing You Should Know About

Spear Phishing

Targeted attacks aimed at a specific individual or organization. The attacker researches the target using social media and crafts a highly personalized message, which makes it far more convincing than generic phishing.

Smishing

Phishing via SMS. You receive a text claiming to be from a courier, your bank, or a government agency. These often include shortened URLs that hide the real destination.

Vishing

Voice phishing — attackers call you pretending to be from tech support or a financial institution. They may already have some of your personal data to seem credible.

Clone Phishing

Attackers take a legitimate email you previously received, clone it, replace legitimate links with malicious ones, and resend it from a spoofed address.

How to Spot a Phishing Attempt

  1. Check the sender's actual email address — not just the display name.
  2. Hover before you click — inspect the URL before opening any link.
  3. Look for spelling and grammar issues — though AI is making phishing emails more polished, inconsistencies still appear.
  4. Be suspicious of urgency — legitimate organizations rarely demand immediate action via email.
  5. When in doubt, go directly to the source — type the company's URL manually in your browser instead of clicking the email link.
  6. Use email security tools — most modern email clients flag suspicious messages, but don't rely on them alone.
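The sender, link and urgency checks listed above, as an added example that is not part of the original article: a small Python script that runs them over a raw email. The trusted-domain list, the phrase list, the two-label domain heuristic and the sample message are assumptions constructed for this demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands this mailbox expects mail from (assumed list for the demo).
TRUSTED_DOMAINS = {"paypal.com", "amazon.com"}
URGENCY = ("suspended", "unusual activity", "within 24 hours", "immediately")
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"[\w-]+(?:\.[\w-]+)+")

def registrable(host):
    """Rough registrable domain: the last two labels of a hostname."""
    return ".".join(host.lower().split(".")[-2:])

def analyze(raw):
    """Return human-readable phishing indicators found in one raw message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_dom = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    # 1. Display name claims a brand the real sending domain does not match.
    for brand in TRUSTED_DOMAINS:
        if brand.split(".")[0] in name.lower() and sender_dom != brand:
            findings.append(f"display name '{name}' but sent from {sender_dom}")
    body = "" if msg.is_multipart() else msg.get_payload()
    # 2. Anchor text shows one host while the href goes somewhere else.
    for href, text in LINK_RE.findall(body):
        href_host = registrable(urlparse(href).hostname or "")
        shown = HOST_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(shown.group()) != href_host:
            findings.append(f"link text {shown.group()} -> {href}")
    # 3. Urgency wording in subject or body.
    low = (msg.get("Subject", "") + " " + body).lower()
    findings += [f"urgency phrase: {p}" for p in URGENCY if p in low]
    return findings

# Constructed sample message; every value in it is made up for this example.
SAMPLE = """From: "PayPal Support" <alerts@paypa1.com>
Subject: Your account has been suspended
Content-Type: text/html

<p>Respond within 24 hours:</p>
<a href="http://login.support-paypal.net/verify">www.paypal.com</a>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("!", finding)
```

Running it on the constructed sample reports all three indicator classes; a message whose display name, sender domain and link targets agree produces no findings.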

What to Do If You've Been Phished

If you suspect you clicked a phishing link or entered your credentials on a fake site, act quickly:

  • Change the compromised password immediately.
  • Enable 2FA on the affected account if not already active.
  • Check for any unauthorized activity or transactions.
  • Report the phishing email to your email provider and, if applicable, to the organization being impersonated.

Awareness is your strongest defense. The more you know about how these attacks are constructed, the harder it is for them to succeed.