Threat Glossary

What is phishing?

Phishing is a social-engineering attack in which a criminal impersonates a trusted person or organization — a bank, an employer, a delivery service — to trick you into revealing sensitive information (passwords, codes, card numbers) or taking a harmful action, such as wiring money or installing malware.

Phishing is the most common way attacks begin, because it targets the one thing no firewall protects: human trust. A convincing message, arriving at the right moment and referencing real details about you, can bypass every technical control simply by getting you to click, type, or pay. Understanding the varieties and the tells is the best defense. Here’s how phishing works and how to recognize it.

How phishing works

A phishing attack has three moving parts: a pretext (a believable reason to act), a lure (urgency, fear, or reward), and a payload (a fake login page, a malicious attachment, or a request to send money or codes). The attacker impersonates a trusted sender, creates pressure — “your account will be suspended,” “confirm this payment now” — and directs you to a page or action that hands them what they want. The more they know about you (often from breaches and data brokers), the more convincing the pretext.

The main types of phishing

  • Email phishing. Mass, generic messages impersonating well-known brands.
  • Spear phishing. Targeted messages tailored to a specific person using real details — your name, employer, or a recent purchase — making them far more convincing.
  • Whaling. Spear phishing aimed at executives and other high-value targets.
  • Smishing. Phishing via SMS text message (fake delivery notices, bank alerts).
  • Vishing. Voice phishing over the phone, often impersonating support desks, banks, or government agencies.
  • Clone phishing. A copy of a legitimate message you’ve seen before, with the links swapped for malicious ones.

How to spot a phishing attempt

Common tells include a sense of manufactured urgency, a mismatched or look-alike sender address, generic greetings, links whose real destination differs from the visible text, unexpected attachments, and any request for a password, one-time code, or payment. When a message pressures you to act right now, that pressure is itself the warning sign — legitimate organizations give you time and never ask for your full password or your two-factor code.

Rule of thumb: never enter credentials or codes by following a link in a message. Navigate to the site yourself, or call the organization back on a number you look up independently.

How to protect yourself

Concrete steps you can take today to reduce your exposure.

Verify the sender independently

Don’t trust the display name. Check the real address, and when in doubt, contact the organization through a channel you looked up yourself.

Never act on urgency alone

Urgency is the phisher’s primary weapon. Slow down and verify before you click, type, or pay.

Don’t enter credentials via links

Type the website address yourself or use a saved bookmark. A password manager also won’t auto-fill on a look-alike domain, which is a useful safety check.

Turn on two-factor authentication

If a phish does capture your password, a second factor — especially a hardware key — can stop the attacker from logging in.

Reduce the data that makes phishing convincing

Spear phishing relies on real details about you. Removing your data from brokers and securing breached accounts starves the attacker of raw material.

Report and delete

Report phishing to your provider or employer and delete it. Reporting helps protect others and improves filters.

Frequently asked questions

What is the difference between phishing and spear phishing?

Phishing usually means mass, generic messages sent to many people. Spear phishing is targeted — the attacker researches a specific person and tailors the message with real details like their name, employer, or recent activity, which makes it much harder to spot.

What should I do if I clicked a phishing link?

If you only clicked, close the page and don’t enter anything. If you entered a password, change it immediately — and anywhere you reused it — then enable two-factor authentication. If you entered a code or payment details, contact the affected account or your bank right away, and watch for follow-on scams.

How do attackers make phishing messages so convincing?

They use real information about you, much of it gathered from data breaches and data brokers — your name, employer, recent purchases, or contacts. The more accurate the detail, the more the message feels legitimate, which is why reducing your data exposure lowers your phishing risk.

See what’s exposed about you — free

Attackers start with the data that’s already public: your leaked passwords, your breached accounts, and your address on data-broker sites. Run a free scan to see exactly what’s out there about you — then remove it.

The first scan is free with no signup. Broker removals are filed as your authorized agent under CCPA and state-equivalent law. Your results are private to you — we never sell your data.