Security Guide

What Is Phishing? How It Works & How to Stay Safe

By ShieldScan · April 2026 · 8 min read

Phishing is one of the most common forms of cybercrime. Industry estimates put the volume at more than 3.4 billion phishing emails sent every day in 2024. Despite being decades old, phishing stays effective because it targets people rather than software: the message only has to persuade one person to type their credentials into a page the attacker controls, and technical tricks such as lookalike domains exist mainly to make that persuasion easier.

This guide explains what phishing is, how different types of attacks work, and eight practical steps to protect yourself.

At a glance:
  - 3.4B phishing emails per day
  - 36% of breaches involve phishing
  - $4.9M average cost per breach

What Is Phishing?

Phishing is a cyberattack where criminals impersonate a trusted organization — your bank, employer, a delivery company, or a government agency — to trick you into revealing sensitive information. This usually means passwords, credit card numbers, Social Security numbers, or other credentials.

The name plays on "fishing": attackers cast a wide net and wait for victims to take the bait. The "ph" spelling follows "phreaking", the 1970s term for hacking phone systems, and the word "phishing" itself dates from the mid-1990s, when it described the theft of AOL account passwords.

What makes phishing so dangerous is that it sidesteps technical security rather than breaking it. The most sophisticated firewall in the world sees only an employee visiting a web page and logging in; if that page belongs to the attacker and the employee enters their credentials, the attacker can sign in as that employee, with everything the account can reach.

How a Phishing Attack Works

A typical phishing attack follows a predictable pattern:

  1. The attacker creates a fake page — usually an exact copy of a real login page (bank, email, Microsoft 365, etc.)
  2. They register a lookalike domain — something like secure-paypal-login.com or paypal.account-verify.net
  3. They send the link to victims — via email, SMS, social media DM, or even phone call
  4. The victim clicks and "logs in" — their credentials are captured and sent to the attacker
  5. The attacker uses the credentials — to access the real account, steal money, or sell the data

The entire process can take minutes. Many attackers redirect the victim to the real site after capturing the credentials, so the victim sees a normal login and suspects nothing; by the time anyone resets the password, the account may already have been used.
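To make step 2 concrete, here is an added example (not ShieldScan's code and not from the original article) that performs the "look at the real destination" check on the lookalike domains above. It uses only Python's standard library. The short PUBLIC_SUFFIXES set and the LEGIT_PAYPAL list are assumptions standing in for the real Public Suffix List and a brand's actual domain inventory; the sample URLs are constructed. The same registered-domain comparison is what a password manager makes before it agrees to auto-fill.

```python
"""Classify a link against the brand it claims to come from.

Added example, not ShieldScan's code: it automates the "hover and check the real
destination" step from the walkthrough above, with the standard library only.
PUBLIC_SUFFIXES is a tiny stand-in for the real Public Suffix List (publicsuffix.org).
"""
import ipaddress
from urllib.parse import urlparse

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}  # stand-in, see above
LEGIT_PAYPAL = frozenset({"paypal.com"})                    # assumed brand domain list


def registrable_domain(host):
    """Return the part of HOST somebody actually registered.
    'paypal.com.account-verify.net' -> 'account-verify.net': whoever owns
    account-verify.net can put any label, even a brand's whole name, in front."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):                 # longest matching suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def displayed_host(host):
    """Decode punycode labels (xn--...) to what a browser would display,
    so homograph lookalikes become visible to the check."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def classify(url, brand, legit_domains):
    """Return (verdict, detail); verdict is 'ok' or a short reason code."""
    parsed = urlparse(url)
    host = parsed.hostname or ""              # drops userinfo, port and path
    if not host:
        return ("no-host", url)
    if parsed.username is not None:           # http://paypal.com@evil.example/
        return ("userinfo", f"'{parsed.username}@' is not the host; real host is {host}")
    try:
        ipaddress.ip_address(host)
        return ("ip-address", host)
    except ValueError:
        pass
    shown = displayed_host(host)
    if any(ord(c) > 127 for c in shown):      # e.g. Cyrillic 'a' inside a Latin brand
        return ("homograph", f"{host} is displayed as {shown}")
    reg = registrable_domain(host)
    if reg in legit_domains:
        return ("ok", reg)
    if brand in host.replace("-", ""):        # brand used as bait somewhere in the name
        return ("lookalike", f"'{brand}' appears in {host}, but the registered domain is {reg}")
    return ("unrelated", reg)


# Constructed samples. The homograph one swaps the Latin 'a' for Cyrillic U+0430,
# then IDNA-encodes it the way the address bar would receive it.
HOMOGRAPH = "https://" + "p\u0430ypal.com".encode("idna").decode("ascii") + "/login"
SAMPLES = [
    "https://www.paypal.com/signin",
    "https://paypal.com.account-verify.net/login",
    "https://secure-paypal-login.com/",
    "http://paypal.com@evil.example/",
    "http://192.0.2.10/paypal/login",
    HOMOGRAPH,
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", classify(url, "paypal", LEGIT_PAYPAL))
```

Only the first sample comes back "ok"; each of the others is caught by a different check, which is the point: a brand name appearing somewhere in the address proves nothing, and the registered domain is the only part that cannot be faked.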

Types of Phishing Attacks

📧 Email Phishing

The most common type. Mass emails impersonating banks, shipping companies (FedEx, UPS), tech companies (Microsoft, Apple, Google), or government agencies. Usually contains urgent messaging and a link to a fake login page.

📱 Smishing (SMS Phishing)

Phishing via text message. Common examples: fake package delivery notifications ("Your parcel is held — click here to reschedule"), bank fraud alerts, and prize notifications. Links lead to fake sites or install malware.

🎯 Spear Phishing

Targeted phishing aimed at a specific individual. Attackers research their target on LinkedIn, social media, or company websites to personalize the attack. "Hi [Name], as discussed in Tuesday's meeting, please review this invoice." Much harder to detect than mass phishing.

🐋 Whaling

Spear phishing targeting high-value individuals — CEOs, CFOs, or senior executives. Often impersonates a board member, legal firm, or government agency. Typically involves wire transfer requests or sensitive document access.

📞 Vishing (Voice Phishing)

Phishing via phone call. Attackers impersonate bank fraud departments, tech support, or government agencies. "This is Microsoft — your computer is infected and we need remote access to fix it." Often uses spoofed caller IDs to appear legitimate.

🔍 Search Engine Phishing

Fake websites designed to rank in Google search results, or to appear as paid ads above them, for queries like "bank login," "Netflix account," or "PayPal sign in." Users searching for legitimate sites end up on convincing fakes. Always navigate directly to important sites or use a saved bookmark; don't search for login pages.

Common phishing pretexts in 2026: Package delivery notifications, bank fraud alerts, "unusual sign-in activity" emails, tax refund notifications, invoice approvals, and job offer scams targeting professionals via LinkedIn.

How to Recognize a Phishing Email

Even well-crafted phishing emails usually have at least one of these telltale signs:

  - The sender address does not match the organization named in the display name or signature
  - Urgent threats: account suspension, legal action, or a deadline measured in hours
  - A generic greeting ("Dear Customer") where the real organization would use your name
  - Requests for personal information, passwords, or payment details
  - Links whose real destination differs from the text shown, or whose domain is not the organization's
  - Unexpected attachments, especially invoices, voicemails, or documents you were not waiting for
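As an added example, not ShieldScan's code, the following script checks a raw email for the signs listed above: display name versus real sender, a Reply-To that points elsewhere, failed SPF/DKIM results, urgency wording, a generic greeting, and links whose visible text disagrees with their destination. Both messages are constructed for the demonstration; KNOWN_BRANDS is an assumed, illustrative subset of the domains the brand really sends from, and mx.example.com is an assumed name for your own mail gateway.

```python
"""Flag the telltale signs listed above in a raw email message.

Added example, not ShieldScan's code. Both messages are constructed. KNOWN_BRANDS
is an assumed illustrative subset; a real deployment keeps its own list and trusts
only the Authentication-Results header stamped by its own gateway (mx.example.com
is assumed here).
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_BRANDS = {"microsoft": ("microsoft.com", "microsoftonline.com")}
URGENCY = ("immediately", "within 24 hours", "suspended", "verify your password",
           "action required")

PHISH = b"""\
From: "Microsoft Account Team" <security-alert@mail-notify-365.com>
Reply-To: recover@outlook-support-desk.net
To: alice@example.com
Subject: Unusual sign-in activity - action required within 24 hours
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-notify-365.com; dkim=none
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p><p>We detected an unusual sign-in. Verify your
password immediately or your account will be suspended.</p>
<p><a href="https://login.microsoftonline.com.verify-session.net/auth">
https://login.microsoftonline.com</a></p></body></html>
"""
LEGIT = b"""\
From: "Microsoft account team" <noreply@accountprotection.microsoft.com>
To: alice@example.com
Subject: Your monthly activity summary
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=accountprotection.microsoft.com; dkim=pass
Content-Type: text/html; charset=utf-8

<html><body><p>Hi Alice,</p><p>Here is your summary for March.</p>
<p><a href="https://account.microsoft.com/activity">Review activity</a></p></body></html>
"""


def belongs_to(host, domains):
    """True if HOST is one of DOMAINS or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


class Links(HTMLParser):
    """Collect (href, visible text) pairs plus all visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def analyze(raw):
    """Return 'tag: detail' findings for one raw message; an empty list means nothing flagged."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    for brand, domains in KNOWN_BRANDS.items():      # display name vs. real sender domain
        if brand in display.lower() and not belongs_to(from_dom, domains):
            findings.append(f"sender-mismatch: display name says {brand}, address is @{from_dom}")
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_dom:
        findings.append(f"reply-to-mismatch: replies go to {reply_to}")
    auth = str(msg.get("Authentication-Results", "")).lower()  # gateway's SPF/DKIM/DMARC verdicts
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(fail|softfail|none|permerror)\b", auth):
        findings.append(f"auth-{m.group(1)}: {m.group(0)}")
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = Links()
    parser.feed(body.get_content() if body else "")
    text = re.sub(r"\s+", " ", str(msg.get("Subject", "")) + " " + " ".join(parser.text)).lower()
    hits = [p for p in URGENCY if p in text]
    if hits:
        findings.append("urgency: " + ", ".join(hits))
    if re.search(r"\bdear (customer|user|member)\b", text):
        findings.append("generic-greeting: no name used")
    for href, shown in parser.links:                 # visible link text vs. real destination
        href_host = (urlparse(href).hostname or "").lower()
        shown_host = urlparse(shown).hostname if "://" in shown else None
        if shown_host and shown_host != href_host:
            findings.append(f"link-mismatch: text shows {shown_host}, href goes to {href_host}")
        claimed = [b for b in KNOWN_BRANDS if b in href_host]
        if claimed and not belongs_to(href_host, KNOWN_BRANDS[claimed[0]]):
            findings.append(f"lookalike-link: {href_host}")
    return findings
```

Run `analyze(PHISH)` and every check fires; `analyze(LEGIT)` returns an empty list. No single finding is proof on its own (a legitimate newsletter can carry a foreign Reply-To, and a misconfigured sender can fail SPF), which is why the script reports all of them and leaves the verdict to the reader or to a scoring rule on top.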

8 Ways to Protect Yourself From Phishing

1. Check links before clicking

Never click a link in an unexpected email or text without checking it first. Hover over it (or long-press it on a phone) to see the real destination, or paste it into ShieldScan. Judge the address by its registered domain, the part just before .com, .net or similar, not by whether the brand's name appears somewhere in it: paypal.com.account-verify.net belongs to whoever owns account-verify.net, not to PayPal. If the registered domain is not the organization's, don't click.

2. Enable two-factor authentication (2FA)

Even if attackers steal your password through phishing, 2FA stops them from logging in without the second factor. Enable it on every account that supports it, especially email, banking, and social media. One caveat: codes sent by SMS or generated by an authenticator app can still be captured by a phishing page that relays your login to the real site in real time and passes the code along. Where a service offers passkeys or a FIDO2 security key, prefer those; they are bound to the real site's domain, so a lookalike domain cannot use them.

3. Use a password manager

Password managers auto-fill credentials only on the domain where they were saved. On a lookalike site the manager finds no matching entry and stays silent, which catches exactly the domains a human eye misses. The protection holds only while you let it do the filling: if the manager will not fill on a site where it normally does, treat that as the warning it is, and do not copy the password out and paste it in by hand.

4. Go directly to sites instead of clicking links

If you receive an email from your bank, don't click the link. Open a new browser tab and type your bank's address directly. This completely bypasses the phishing link.

5. Verify unexpected requests independently

If your "CEO" emails asking you to wire money urgently, call them on a known phone number to verify. If your bank texts about fraud, call the number on the back of your card — not any number in the message.

6. Keep software updated

Browser updates include patches for vulnerabilities that phishing sites may try to exploit. Enable automatic updates for your browser, operating system, and antivirus software.

7. Learn to recognize phishing patterns

Urgency, threats, unexpected messages, requests for sensitive information, and suspicious links are the core tactics of phishing. Awareness is one of the most effective defenses.

8. Report phishing attempts

Report phishing emails to your email provider (in Gmail, click the three dots and "Report phishing"). Report phishing sites to Google at safebrowsing.google.com/safebrowsing/report_phish, and forward phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org. If the message reached a work account, report it to your security team as well, since a campaign rarely targets just one employee. This helps protect others.

Remember: No legitimate organization will ever ask for your password, PIN, or full payment card details via email, text, or phone call. If someone is asking for these, it's a scam — no matter how convincing they seem.

Frequently Asked Questions

What is phishing?
Phishing is a cyberattack where criminals impersonate trusted organizations via email, SMS, or fake websites to steal passwords, payment details, or personal information.
How can I tell if an email is phishing?
Signs include: sender address doesn't match the organization, urgent threats, generic greeting, requests for personal information, suspicious links, and unexpected attachments. Always check links before clicking.
What should I do if I clicked a phishing link?
Close the tab immediately and don't enter any information. If you did enter a password, change it right away on the real site, sign out all other sessions where the service offers that option, and check that nobody has added a recovery email, phone number, or mail-forwarding rule to the account. Change the same password anywhere else you reused it. Contact your bank if you entered payment details, tell your IT or security team if it was a work account, and run an antivirus scan.
Can phishing happen via text message?
Yes — this is called "smishing" (SMS phishing). Fake package delivery texts, bank fraud alerts, and prize notifications are common smishing tactics. Never click links in unexpected texts.
How do I check if a link in an email is a phishing link?
Copy the link without clicking it, then paste it into ShieldScan. It checks the URL against 95+ antivirus engines and Google Safe Browsing to determine if it's a known phishing page.