What Is Phishing?
Phishing is a type of online scam where an attacker impersonates a trusted entity — a bank, a popular website, a government agency, or even a colleague — to trick you into revealing sensitive information or taking a harmful action. The name comes from the idea of "fishing" for victims using bait.
The goal is usually to steal login credentials or financial information, or to get you to install malware on your device. Phishing is one of the most common and effective forms of cybercrime because it targets human psychology rather than technical vulnerabilities.
How Phishing Attacks Are Delivered
- Email (most common): A fake email designed to look like it's from a real company, urging you to click a link or open an attachment.
- SMS/Text (smishing): A text message claiming you have a package delivery issue, unpaid toll, or bank alert — with a link to a fake site.
- Phone calls (vishing): A caller posing as tech support, a bank, or a government official asking for sensitive information.
- Social media: Fake profiles or messages directing you to fraudulent pages.
- Search ads: Sponsored search results that mimic legitimate sites but lead to fakes.
How to Spot a Phishing Attempt
Phishing attacks vary in sophistication, but most share common red flags:
1. Urgency and Fear Tactics
Messages that demand immediate action — "Your account will be suspended in 24 hours!", "Unusual activity detected!", "You must verify now!" — are designed to make you act without thinking. Legitimate organizations rarely communicate with extreme urgency via email.
2. Suspicious Sender Address
Check the actual email address, not just the display name. A phishing email might show "PayPal Support" as the name, but the address could be something like support@paypa1-secure.com. Look for misspellings, extra words, or unusual domains.
3. Generic Greetings
Messages like "Dear Customer" or "Dear User" instead of your actual name suggest a mass-sent phishing campaign rather than a personal communication from a company that actually has your account.
4. Suspicious Links
Hover over any link before clicking (on desktop) to see the actual URL. If the link doesn't match the company's real domain, or if it uses a URL shortener to obscure the destination, don't click it.
5. Unexpected Attachments
Unsolicited attachments — especially .zip, .exe, or even Word/PDF files — can contain malware. If you weren't expecting a file, verify with the sender through a separate channel before opening it.
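The five red flags above can be checked mechanically, which is roughly what a mail filter's first pass does. The script below is an added example, not part of the original article: it scores a constructed message against each flag (lookalike sender domain, generic greeting, urgency phrases, link text that disagrees with its real destination or uses a shortener, risky attachment types). The brand name, the set of legitimate domains, and the urgency phrase list are assumptions chosen for the demonstration.

```python
import re
from urllib.parse import urlparse

SAMPLE = {  # constructed sample modelled on the red flags above, not a real email
    "display_name": "PayPal Support",
    "from_addr": "support@paypa1-secure.com",          # lookalike domain (digit 1 for letter l)
    "greeting": "Dear Customer",
    "body": "Unusual activity detected! Verify now or your account will be suspended in 24 hours!",
    "links": [("https://www.paypal.com/signin", "http://bit.ly/3xyzabc")],  # (visible text, real href)
    "attachments": ["invoice.zip"],
}
URGENCY = ("verify now", "suspended", "unusual activity", "immediately", "24 hours")  # assumed phrase list
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
RISKY_EXT = (".zip", ".exe", ".scr", ".js")

def registrable(host):
    # Last two labels of a hostname, e.g. www.paypal.com -> paypal.com (ignores multi-part TLDs)
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def looks_like_brand(domain, brand):
    # Fold digit-for-letter swaps (1->l, 0->o) and hyphens so "paypa1-secure" still reads as "paypal"
    folded = domain.lower().translate(str.maketrans("10", "lo")).replace("-", "")
    return brand in folded

def red_flags(msg, brand, legit_domains):
    """Return the red flags this message triggers; an empty list means none were found."""
    flags = []
    sender_domain = msg["from_addr"].rsplit("@", 1)[-1]
    claims_brand = brand in msg["display_name"].lower() or looks_like_brand(sender_domain, brand)
    if claims_brand and registrable(sender_domain) not in legit_domains:
        flags.append(f"sender domain {sender_domain} is not a real {brand} domain")
    if re.match(r"dear (customer|user|member|client)\b", msg["greeting"], re.I):
        flags.append("generic greeting")
    hits = [p for p in URGENCY if p in msg["body"].lower()]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    for visible, href in msg["links"]:
        host = urlparse(href).hostname or ""
        shown = urlparse(visible).hostname if visible.startswith(("http://", "https://")) else None
        if shown and registrable(shown) != registrable(host):
            flags.append(f"link text shows {shown} but points to {host}")
        if registrable(host) in SHORTENERS:
            flags.append(f"shortened link hides destination: {host}")
        elif registrable(host) not in legit_domains:
            flags.append(f"link goes to {host}, not a {brand} domain")
    for name in msg["attachments"]:
        if name.lower().endswith(RISKY_EXT):
            flags.append(f"risky attachment type: {name}")
    return flags
```

Running `red_flags(SAMPLE, "paypal", {"paypal.com"})` reports all six problems with the constructed message; a genuine statement notice from service@paypal.com with a personal greeting and a paypal.com link produces an empty list.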
What to Do If You Suspect a Phishing Message
- Don't click any links or download attachments.
- Go directly to the company's official website by typing the address in your browser rather than following the link.
- If the message claims to be from a company you use, contact their support via the number or email on their official website.
- Report phishing emails using your email client's "Report Phishing" button — this helps protect others.
- If you think you may have already fallen for a phishing attempt, change your password immediately and enable 2FA on that account.
What If You Already Clicked?
Don't panic — but act quickly. If you clicked a link but didn't enter any information, you may be fine. If you entered a password, change it immediately. If you entered financial information, contact your bank. Run an antivirus scan if you downloaded or opened a file.
The Best Defense: Skepticism and Verification
The single best defense against phishing is developing a habit of healthy skepticism. When a message creates urgency, asks for credentials, or comes from an unexpected sender — pause, verify, and then act. That small habit, applied consistently, makes you a much harder target.