Cybersecurity Knowledge Base

CyberPedia

Phishing


Overview

Phishing is a type of scam where criminals pretend to be someone you trust (like a bank, well‑known company, coworker, or service) to trick you into sharing information, clicking a bad link, or opening a harmful file. The name comes from “fishing”: attackers throw out lots of fake messages hoping someone will “bite” by responding.

In plain terms, phishing is when someone lies to you over email, text, or another channel so you hand over passwords, money, or other valuable data.

Where Phishing Shows Up

Phishing isn’t just email anymore. It commonly appears as:

  • Email messages (“classic” phishing).

  • Text messages (often called “smishing”).

  • Phone calls/voicemails (“vishing”).

  • Social media DMs or fake support chats.

  • Fake websites that look like real login pages (for example, fake Microsoft, Google, bank, or HR portals).

What Phishing Messages Look Like

Phishing messages usually try to create urgency, fear, or curiosity so you act quickly:

  • Fake security alerts

    • “We noticed suspicious activity on your account.”

    • “Your account will be locked in 24 hours. Verify now.”

  • Payment or invoice issues

    • “Your payment failed.”

    • “Past‑due invoice attached, pay immediately to avoid late fees.”

  • Delivery and logistics

    • “Package delivery problem—click to reschedule.”

  • Work‑related requests

    • “New HR policy—login to review.”

    • “Shared document—click to open.”

  • “Too good to be true” offers

    • Prizes, refunds, or deals that appear out of nowhere.

Typical Phishing Attack Steps

The basic pattern is similar across most phishing attacks:

  1. Bait is sent

    • The attacker sends a message that looks like it’s from a trusted source (bank, service, manager, vendor, etc.).

  2. You’re pushed to take quick action

    • Click a link, open an attachment, enter information, or call a number.

  3. You land on a fake page or run something harmful

    • The link takes you to a site that looks real but is controlled by the attacker, or the attachment quietly installs malware.

  4. Data or access is captured

    • You type in your password, approve a login request, or the malware steals information.

  5. Attackers reuse what they stole

    • They log into your accounts, move money, impersonate you, or spread phishing to your contacts.

What Phishers Want

Phishing has a few main goals:

  • Steal passwords and login codes

    • For email, cloud accounts, banking, payroll, or internal company systems.

  • Get personal and financial information

    • Social Security numbers, tax details, credit card numbers, or other data used for fraud or identity theft.

  • Install malware

    • Ransomware, remote‑access tools, or “infostealers” that collect data from your device.

  • Gain a foothold in a business

    • Once one employee is tricked, the attacker can pivot from that account to internal systems, customers, or partners.

Why Phishing Works So Well

Phishing is effective because it targets people, not just technology:

  • Messages copy the look and feel of real brands and internal communications.

  • Attackers use information from social media or previous breaches to sound convincing.

  • People are busy and often scanning messages quickly, especially on phones.

  • Many scenarios (urgent payments, HR notices, security alerts) are common in real life, so it’s easy to assume they’re legitimate.

Phishing vs. Spam

Phishing and spam overlap but are not the same:

  • Spam is unwanted bulk messages (often advertising or low‑value promotions).

  • Phishing is a scam designed to trick you into doing something harmful, even if the message is targeted to just a few people.

Spam is annoying; phishing is about deception and theft.

Common Red Flags in Phishing Messages

You should be suspicious when:

  • The sender address looks slightly off

    • Misspellings, extra numbers, or wrong domains (for example, mybank‑secure.com instead of mybank.com).

  • The message feels rushed or threatening

    • “Act now or lose access,” “You’ll be charged,” “Your account will be closed today.”

  • There are unexpected links or attachments

    • Particularly in messages that claim to be invoices, e‑sign documents, or security updates you weren’t expecting.

  • The language or tone is “off”

    • Strange grammar, odd phrasing, unusual formality or informality for the supposed sender.

  • The link preview doesn’t match the claimed site

    • Hovering over the link (on a computer) shows a URL that doesn’t belong to the company named in the message.

Business Impact

For organizations, a single successful phishing email can lead to:

  • Compromised employee accounts (email, cloud storage, financial systems).

  • Business Email Compromise (fraudulent payments, fake invoices).

  • Malware infections, including ransomware.

  • Data breaches involving customer, patient, or employee information.

  • Downtime, investigation costs, legal and regulatory consequences, and reputational damage.

Key Prevention Tips (Plain‑Language)

For everyday users and staff:

  1. Pause before you click

    • If something feels urgent or emotional, slow down and look more closely.

  2. Verify using a separate channel

    • If a message claims to be from your bank, HR, or IT, contact them using a phone number or website you already trust—not the link or number in the message.

  3. Check the sender and the link

    • On a computer, hover over links to see where they really go.

    • Look carefully at the email address, not just the display name.

  4. Never share passwords via email or text

    • Real organizations will not ask you to send your password or full multi‑factor code in a message.

  5. Be extra careful with attachments

    • Do not open unexpected attachments, especially from unknown or unusual senders.

  6. Use multi‑factor authentication (MFA)

    • Even if a password is stolen, MFA can block many attacks.

    • Still, do not approve MFA prompts you did not initiate yourself.
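The two "check the sender and the link" points above (the sender-address and link-preview red flags, and prevention tip 3) can be turned into a small automated check. The script below is an added example, not code from this knowledge base; it assumes a constructed allowlist containing the page's own mybank.com, a naive two-label notion of "registrable domain" (no co.uk-style suffixes), and constructed sample lookalike hosts such as mybank-secure.com and account-verify.net.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: the domains the message claims to come from.
TRUSTED = {"mybank.com"}

def registrable_domain(host: str) -> str:
    """Last two labels of a host: login.mybank.com -> mybank.com.
    Assumption: no multi-label public suffixes (co.uk) in the allowlist,
    so mybank.com.evil-host.net correctly resolves to evil-host.net."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def host_is_trusted(host: str) -> bool:
    return registrable_domain(host) in TRUSTED

def sender_red_flags(from_header: str) -> list[str]:
    """Flag a From: header whose address domain is not trusted, and the
    extra red flag of a display name that borrows a trusted brand."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    flags = []
    if not host_is_trusted(domain):
        flags.append(f"sender domain {domain!r} is not a trusted domain")
        if any(t.split(".")[0] in display.lower() for t in TRUSTED):
            flags.append(f"display name {display!r} claims a trusted brand but address is {addr!r}")
    return flags

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def link_red_flags(html_body: str) -> list[str]:
    """Flag links whose real target host is outside the trusted domains,
    and links whose visible text shows a different host than the href."""
    flags = []
    for href, text in LINK_RE.findall(html_body):
        host = urlparse(href).hostname or ""
        if not host_is_trusted(host):
            flags.append(f"link {href!r} goes to {host!r}, outside trusted domains")
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if shown and registrable_domain(shown) != registrable_domain(host):
            flags.append(f"link text shows {shown!r} but href goes to {host!r}")
    return flags

def scan_message(from_header: str, html_body: str) -> list[str]:
    return sender_red_flags(from_header) + link_red_flags(html_body)
```

A message with zero flags is not proven safe; the check only automates the two red flags the page describes, so the other red flags (urgency, unexpected attachments, odd tone) still need a human reader.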

What Organizations Should Do

Businesses can strengthen defenses against phishing by:

  • Deploying email security filters and anti‑phishing tools.

  • Enforcing MFA on critical systems and remote access.

  • Training staff regularly with real‑world examples and simulations.

  • Creating simple ways for employees to report suspicious messages.

  • Limiting what a single account can access (so one phished account can’t see everything).

What To Do If You Think You Fell for Phishing

If you clicked a link, entered credentials, or opened a suspicious attachment:

  1. Change your password immediately

    • Change it for the affected account, and anywhere else you reused that password.

  2. Turn on or review MFA

    • Make sure MFA is enabled, and remove any unknown devices or app tokens from your account.

  3. Report it

    • At work, notify IT/security right away.

    • For personal accounts, follow the provider’s guidance (for example, account recovery, security review).

  4. Watch for follow‑up attacks

    • Be alert for unusual login alerts, password reset emails you didn’t request, or login approvals popping up unexpectedly.

  5. Scan your device

    • Use up‑to‑date security software to check for malware, especially if you opened a suspicious attachment.