Overview
Phishing is a broad category of fraud in which an attacker impersonates a person, company or service to induce victims to reveal sensitive information such as usernames, passwords, payment details or personal identifiers. Although email is the most familiar medium for phishing, attackers also use text messages, phone calls, social media, instant messaging apps and even postal mail. The goal is usually financial theft, account takeover, or data that can be used for identity fraud.
How phishing schemes work
Typical phishing attacks follow a simple social-engineering pattern: the attacker creates a convincing message that appears to come from a trusted source, includes a reason for urgency or fear, and provides a link, attachment, or phone number to a fake site or a script designed to capture credentials or install malware. Some campaigns are broad and automated, while others are highly targeted and personalized.
- Spoofed communications: Headers, logos and wording are copied so messages look legitimate.
- Malicious links: URLs lead to counterfeit login pages or files that deliver malware.
- Fake attachments: Documents or installers that, when opened, execute harmful code.
- Psychological triggers: Messages often invoke urgency, fear, or reward to prompt quick action.
Common types of phishing
Phishing takes several forms with specific names reflecting their targets or methods.
- Generic email phishing: Bulk messages sent to many recipients hoping some will respond.
- Spear phishing: Targeted attacks crafted for a particular person or organization, often using personal details.
- Smishing and vishing: SMS-based (smishing) and voice-call (vishing) versions of the scam.
- Business Email Compromise (BEC): Fraud that impersonates company executives or vendors to trick staff into transferring funds, changing payment details or disclosing credentials. BEC messages are often sent from a compromised or lookalike mailbox and may contain no link or attachment at all, so content filters alone do not catch them.
- Clone and credential-harvesting sites: Near-identical copies of real websites created to collect login data.
Signs of phishing and basic prevention
There are common indicators that a message may be fraudulent: unexpected requests for credentials, misspellings and awkward language, sender addresses that do not match the displayed name or the claimed organization, mismatched URLs (the visible link text names one site while the real destination is another), unsolicited attachments, and pressure to act quickly. Basic defensive steps include using unique, strong passwords and a password manager; enabling multi-factor authentication (MFA); verifying unusual requests through a channel you already trust (a known phone number or the provider's official site, not the contact details in the message); and keeping software and security tools up to date.
- Hover over links to check the real destination before clicking.
- Do not provide passwords or payment details in response to unsolicited messages.
- Use MFA, preferring a phishing-resistant method such as a hardware security key where available, since one-time codes can be relayed by a real-time proxy site; monitor account activity regularly.
- Train employees and family members to recognize social-engineering tactics.
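The indicators listed under "How phishing schemes work" and in this section (spoofed sender details, links whose visible text does not match their destination, urgency wording) can be checked mechanically. The following Python script is an added example, not code from the original page or from any vendor product: it runs the page's heuristics over a constructed sample message (the sender, domains and wording are invented for illustration) and reports each indicator it finds. Function and constant names are the author's own choices.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example (no real sender, brand or domain).
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: support@mail-verify.example
To: victim@example.org
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Verify your account immediately:</p>
<p><a href="http://examp1e-bank.com/login">https://www.example-bank.com/login</a></p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
</body></html>
"""

# Wording the page lists as psychological triggers (urgency, fear).
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "verify your account", "24 hours")

# Digit-for-letter substitutions common in lookalike domains. Heuristic only:
# a legitimate domain containing digits would also be flagged.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Anchor text that reads like a URL or bare domain name.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


class HtmlLinks(HTMLParser):
    """Collect (href, anchor text) pairs plus all visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Real tooling should use the Public Suffix List ('co.uk' is mishandled here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url):
    """Hostname of a URL or bare domain string, or '' if none."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def analyse(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # 1. Replies routed to a different domain than the apparent sender.
    if reply_domain and registrable_domain(reply_domain) != registrable_domain(from_domain):
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    # 2. Sender domain that reads like a brand once digits are swapped for letters.
    if from_domain and from_domain.translate(HOMOGLYPHS) != from_domain:
        findings.append(f"sender domain {from_domain} uses digit-for-letter substitution")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = HtmlLinks()
    parser.feed(body)

    for href, anchor in parser.links:
        href_host = host_of(href)
        # 3. Visible link text names one site while the real destination is another.
        if URL_LIKE.match(anchor) and registrable_domain(host_of(anchor)) != registrable_domain(href_host):
            findings.append(f"link text shows {host_of(anchor)} but points to {href_host}")
        # 4. Internationalised (punycode) labels can hide homograph lookalikes.
        if any(label.startswith("xn--") for label in href_host.split(".")):
            findings.append(f"link destination {href_host} uses a punycode (xn--) label")

    # 5. Pressure wording in the subject or visible body text.
    visible = (msg.get("Subject", "") + " " + "".join(parser.text)).lower()
    hits = [p for p in URGENCY_PHRASES if p in visible]
    if len(hits) >= 2:
        findings.append("urgency wording: " + ", ".join(hits))

    return findings


def is_suspicious(raw_message, threshold=2):
    """True when at least `threshold` independent indicators are present."""
    return len(analyse(raw_message)) >= threshold


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

On the sample message the script reports four indicators: the Reply-To domain differs from the sender domain, the sender domain uses a digit in place of a letter, the visible link text names example-bank.com while the href points elsewhere, and the subject and body stack several urgency phrases. None of these alone proves fraud (legitimate mail sometimes routes replies to another domain, and some brands have digits in their names), which is why the verdict requires more than one indicator; the sender checks also say nothing about whether the From header itself was forged, which is what SPF, DKIM and DMARC exist to establish.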
What to do if you are targeted or compromised
If you suspect a phishing attempt, do not click links or open attachments. If you already entered credentials, change the exposed password immediately from a device you trust, change it anywhere else the same password was reused, sign out any active sessions the service lets you review, and enable multi-factor authentication where possible. Notify your bank or service providers if financial information was exposed. Report the incident to your organization's IT/security team and to appropriate authorities or fraud-reporting services. For identity concerns, consider placing fraud alerts with credit bureaus and monitoring credit reports.
History and notable trends
Phishing has been a persistent threat since the early days of widespread Internet use. While the basic idea, deception to obtain secrets, has not changed, attackers have evolved their tactics: targeted spear phishing, account takeover through social networks, automated phishing kits, and short-lived domains registered to evade blocklists. Organizations respond by improving email authentication (SPF, DKIM and DMARC), user education, and anti-phishing technologies.
For further information on password safety and guidance on recognizing scams, consult trustworthy resources such as security advisories and official guidance from your service providers, including their published material on common scams, banking safety, and identity-theft recovery.