What Is Phishing?
Phishing is a type of social engineering attack where criminals impersonate a trusted entity — a bank, a delivery company, a government agency, or even a friend — to trick you into handing over sensitive information or clicking a malicious link. The name comes from "fishing": attackers cast a wide net and wait for someone to bite.
Phishing most commonly arrives by email, but it also comes via SMS (called smishing), voice calls (vishing), and, increasingly, social media messages.
The Anatomy of a Phishing Attack
Understanding how these attacks are constructed makes them much easier to spot. A typical phishing message contains:
- A trusted sender identity — The name and sometimes logo of a company you recognize (Amazon, PayPal, your bank, Netflix).
- A manufactured urgency — "Your account will be suspended in 24 hours," "Unusual sign-in activity detected," "Your package is on hold."
- A call to action — A button or link labeled "Verify Now," "Confirm Identity," or "Click Here."
- A spoofed destination — The link leads to a convincing fake website designed to capture your login credentials or payment information.
Red Flags to Look For
In Emails
- Mismatched sender address: The display name says "Amazon" but the actual email address is something like support@amaz0n-billing.net.
- Generic greetings: "Dear Customer" instead of your name suggests a mass phishing campaign.
- Urgency and fear tactics: Legitimate companies rarely demand you act within hours or face dire consequences.
- Requests for sensitive data: Banks and reputable services will never ask for your password or full card number via email.
- Suspicious attachments: Unexpected invoices, package labels, or documents can contain malware.
In Text Messages (Smishing)
- Messages from unknown numbers claiming to be delivery companies, tax agencies, or your bank.
- Short links (like bit.ly) that hide the actual destination URL.
- Requests to "reply STOP" to opt out — this can confirm your number is active to spammers.
In Websites
- The URL is slightly different from the real one: paypa1.com, amazon-secure-login.com.
- The page lacks HTTPS (no padlock icon) — though note that phishing sites can have HTTPS too.
- The site looks slightly off — different fonts, poor spacing, misaligned logos.
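The sender and URL red flags listed above (display name versus real address, digit-for-letter look-alikes such as amaz0n and paypa1, brand names inside unrelated domains, shortened links, missing HTTPS) can be turned into simple automated checks. The following is an added example written for this page, not code from the original article; the brand list, homoglyph table and shortener list are constructed and illustrative, and the registrable-domain helper is deliberately naive (no public-suffix list).

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands we care about and the domains they really send from
# (constructed, illustrative list; extend with your own).
KNOWN_BRANDS = {
    "amazon": {"amazon.com"},
    "paypal": {"paypal.com"},
}
# Digit-for-letter swaps commonly used to build look-alike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# URL shorteners that hide the real destination (constructed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def registrable(domain):
    """Naive registrable domain: last two labels. Real code needs a public-suffix list."""
    return ".".join(domain.lower().split(".")[-2:])

def impersonated_brand(text):
    """Return the brand name hidden in text once homoglyph swaps are undone, or None."""
    norm = re.sub(r"[^a-z0-9]", "", text.lower().translate(HOMOGLYPHS))
    return next((b for b in KNOWN_BRANDS if b in norm), None)

def check_sender(from_header):
    """Red flags for a From: header such as '"Amazon" <support@amaz0n-billing.net>'."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    # A brand claimed in the display name or the domain itself must match a known domain.
    claimed = impersonated_brand(display) or impersonated_brand(domain)
    if claimed and registrable(domain) not in KNOWN_BRANDS[claimed]:
        flags.append(f"sender domain {domain} is not a known {claimed} domain")
    return flags

def check_url(url):
    """Red flags for a link destination such as 'http://paypa1.com/login'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    flags = []
    if parsed.scheme != "https":
        flags.append("link is not HTTPS")
    if registrable(host) in SHORTENERS:
        flags.append("shortened link hides the real destination")
    brand = impersonated_brand(host)
    if brand and registrable(host) not in KNOWN_BRANDS[brand]:
        flags.append(f"{host} looks like {brand} but is not a known {brand} domain")
    return flags
```

An empty list means no red flag was found, not that the message is safe; a legitimate-looking domain still deserves the independent verification described later on this page.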
What to Do If You Receive a Suspicious Message
- Don't click any links or download attachments.
- Verify independently. If it claims to be from your bank, call the number on the back of your card — not any number provided in the message.
- Report it. Forward phishing emails to your email provider's spam system and to the organization being impersonated (most have a dedicated address like phishing@paypal.com).
- Delete the message.
What to Do If You've Already Clicked
Don't panic — act quickly:
- If you entered a password: change it immediately on that service and any other account using the same password.
- Enable 2FA on the affected account if you haven't already.
- If you entered payment details: contact your bank or card issuer immediately to report potential fraud.
- Run a malware scan on your device if you downloaded anything.
- Monitor your accounts for unusual activity over the following weeks.
Building Phishing Resistance Over Time
The best defense against phishing is a combination of skepticism, habits, and technical safeguards:
- Pause before you click — urgency is a manipulation tactic. Take 10 seconds.
- Use a password manager — it won't autofill credentials on a fake site, giving you a built-in safety check.
- Enable 2FA — even if credentials are stolen, the attacker can't log in without the second factor.
- Keep software updated — security patches protect against malware delivered via phishing links.
Phishing works because it exploits trust and urgency. Once you understand that, you hold the advantage.