What is phishing?

Phishing is a common cyber threat. Learn how it works, how to recognize phishing attempts, and how to protect yourself from online scams.

31-03-2022 - 10 minute read. Posted in: phishing.

What is phishing: Definition, examples, and how to protect yourself

Phishing is one of the most widespread forms of cyber attack today. It targets both individuals and organizations by tricking victims into revealing sensitive information, typically login credentials, bank account numbers, or credit card data, or into opening a malicious file. But what is phishing exactly, and how can you recognize and prevent these attacks?

Understanding phishing

Phishing is a type of cyber attack in which criminals impersonate a legitimate company, institution, or person to deceive individuals into sharing sensitive data. The attack arrives as a fake email, text message, phone call, or a malicious website designed to look authentic.

Phishing relies on social engineering, a tactic that uses psychological manipulation to influence people into taking unsafe actions such as clicking a link, downloading a file, or submitting sensitive data.

How phishing works

Phishing works by exploiting trust. Attackers send messages that appear to come from entities the recipient already relies on, such as banks, government agencies, delivery services, or popular brands. The messages typically create a false sense of urgency or fear (an account about to be locked, a payment about to fail), prompting the recipient to act before thinking.

The message may ask the user to click a link, which leads to a fake website designed to capture credentials or financial information. In other cases, the message carries an attachment that installs malware on the victim’s device. With stolen credentials or a foothold on the device, the attacker can commit identity theft or financial fraud, take over further accounts, or move deeper into an organization’s network.

Common types of phishing attacks

There are several types of phishing attacks, each with a different delivery channel or level of targeting but the same goal: to steal information or gain access. Knowing the main variants makes them easier to recognize.

Email phishing

This is the most common form of phishing. Attackers send mass emails that appear to be from trusted sources. These emails often contain fake links or attachments that lead to malicious websites or install malware.

Spear phishing

Spear phishing targets specific individuals or companies. Instead of a mass mailing, the attacker tailors the message to the victim, using details gathered from public sources such as social media, company websites, and press releases (job title, colleagues’ names, current projects) to make the message more convincing.

To learn more about these targeted attacks, see our guide on spear phishing.

CEO Fraud

CEO fraud, a form of business email compromise, impersonates high-level executives. Attackers pose as a company leader and ask an employee, often in finance or accounts payable, to transfer money or disclose confidential information, relying on the employee’s reluctance to question an urgent request from the top. If you're interested in understanding how CEO fraud works and how organizations can protect themselves, you can read more in our full guide on CEO fraud.

Clone phishing

In clone phishing attacks, cybercriminals copy a legitimate email the victim has already received and swap the original links or attachments for malicious ones. The cloned message is then sent from a spoofed or look-alike address, often with a pretext such as “resending with the updated document,” so that it appears to be a routine follow-up.

Smishing and vishing

Smishing is phishing conducted via SMS, while vishing uses voice calls. In both cases, attackers impersonate trusted individuals or institutions (a bank, a delivery company, tech support) and try to extract personal data, payment details, or one-time codes, or to talk the victim into installing software or granting remote access.

For more details, read our articles on smishing and vishing.

Pop-up phishing and angler phishing

Pop-up phishing uses browser pop-ups, often styled as security warnings, to lure victims into clicking malicious links or calling a fake support number. Angler phishing takes place on social media, where attackers set up fake customer-service profiles and reply to users who publicly complain about a brand, steering them to phishing pages or asking for account details in private messages.

What does a phishing message look like?

A malicious message used in phishing often contains urgent or alarming content. Common examples include:

  • Your password is expiring and must be updated

  • Your account has been locked or suspended

  • A package could not be delivered due to unpaid fees

  • You have won a prize or received a gift card

  • You are required to verify your login credentials

If you receive a message that seems suspicious or asks for personal information, be cautious and verify its legitimacy through official channels, using contact details you already have rather than those given in the message.

Fake websites and their role in phishing

Many phishing emails include links to fake websites that mimic legitimate ones, typically a login page copied pixel for pixel from the real service. These fake websites are designed to capture usernames, passwords, one-time codes, and payment details, and to forward the victim on to the real site afterwards so that nothing seems wrong.

To avoid falling victim to fake websites:

  • Read the domain carefully. The part that matters is the registered domain just before the public suffix (in login.examplebank.com.verify-now.net the site belongs to verify-now.net, not to the bank). Watch for look-alike spellings such as a digit 1 in place of a lowercase l, and for internationalized (punycode) domains

  • Do not trust a padlock icon or an https:// prefix on its own; phishing sites routinely use valid certificates

  • Look for grammar and spelling errors, broken links, and placeholder content on the site

  • Avoid submitting sensitive information through unsolicited links

  • Use two-factor authentication, preferring a phishing-resistant method such as a FIDO2 security key or passkey, which is bound to the real site’s origin; one-time codes sent by SMS or app can be relayed to the real site by a fake page in real time

  • Visit the official website by typing the URL into your browser or using a saved bookmark instead of clicking on links

Why is phishing spelled with “Ph”?

The term phishing is a variation of the word “fishing”: attackers cast a wide net of fake messages and wait for someone to bite. The “ph” spelling follows an older hacker convention, “phreaking” (from “phone freaking”), the practice of exploiting telephone networks that predates the web. When the term phishing appeared in the mid-1990s, that spelling was carried over.

Common phishing techniques

Phishing attacks typically involve one or more of the following methods. Each method is designed to increase the likelihood of a successful phishing attempt:

Malicious links

Attackers use links that lead to fake websites or trigger a malware download. The links are disguised to look legitimate: the visible text may show one address while the underlying target points somewhere else, the domain may imitate a real brand, or the link may pass through a redirect service. They are embedded in emails, texts, or chat messages.
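The link checks described under “Fake websites” above and the disguised links described here can be automated. The following is an added example written for this article, not code from the original post: it pulls every anchor out of an HTML email body and reports the warning signs per link, namely a brand name that appears in the host but not in the registered domain, look-alike spellings, punycode hosts, plain http, and link text that names a different site than the real target. The brand list, the tiny stand-in for the Public Suffix List, and the sample message are assumptions made for illustration.

```python
"""Flag the warning signs in e-mail links. Added example for this article,
not code from it; the brand list, suffix table and sample body are assumptions."""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List. A real filter would
# load the full list so that every multi-label suffix is handled.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Assumption: brands we want to catch being impersonated (tuple keeps order stable).
WATCHED_BRANDS = ("paypal", "microsoft", "dhl")

# Constructed sample: three links, two of them malicious.
SAMPLE_BODY = """<p>Your account is locked. <a href="http://login.paypal.com.evil.net/verify">Verify now</a>
or visit <a href="https://paypa1.com/">https://www.paypal.com/</a>.
Questions? <a href="https://www.paypal.com/help">Help centre</a></p>"""


def registrable_domain(host: str) -> str:
    """The part a user actually has to trust: the label just below the public
    suffix plus the suffix, e.g. login.paypal.com.evil.net -> evil.net."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def normalize_label(label: str) -> str:
    """Undo common look-alike tricks so 'paypa1' and 'rnicrosoft' compare equal
    to the brands they imitate."""
    label = label.lower().replace("-", "")
    for seq, repl in (("rn", "m"), ("vv", "w")):
        label = label.replace(seq, repl)
    return label.translate(str.maketrans("0135", "oles"))


def inspect_link(visible_text: str, href: str) -> list[str]:
    """Return the warning signs for one anchor; an empty list means nothing flagged."""
    findings: list[str] = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return [f"non-web link: {href}"]  # mailto:, javascript:, data: need separate handling
    if parts.scheme == "http":
        findings.append("plain http")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode host (possible IDN homograph)")
    reg = registrable_domain(host)
    raw_label = reg.split(".")[0]
    reg_label = normalize_label(raw_label)
    for brand in WATCHED_BRANDS:
        # Brand somewhere in the host, but the registered domain is someone else's.
        if brand in normalize_label(host) and reg_label != brand:
            findings.append(f"'{brand}' appears in host but registrable domain is {reg}")
        # Registered domain matches the brand only after undoing look-alike tricks.
        elif reg_label == brand and raw_label.lower() != brand:
            findings.append(f"look-alike of '{brand}': {reg}")
    shown = visible_text.strip()
    if re.match(r"(?i)^(https?://|www\.)", shown):  # link text that itself looks like a URL
        shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname or ""
        if registrable_domain(shown_host) != reg:
            findings.append(f"link text shows {shown_host} but target is {host}")
    return findings


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML e-mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text), self._href))
            self._href = None


def inspect_html(body: str) -> dict[str, list[str]]:
    """Map each href in the body to its list of warning signs."""
    collector = AnchorCollector()
    collector.feed(body)
    return {href: inspect_link(text, href) for text, href in collector.anchors}


if __name__ == "__main__":
    for href, signs in inspect_html(SAMPLE_BODY).items():
        print(href, "->", signs or "ok")
```

The registered-domain check is the important one: a user who reads a URL left to right sees a familiar brand first and stops, while the browser resolves the rightmost labels. The look-alike normalization is deliberately crude; production filters compare against the full Public Suffix List and a homoglyph table covering non-Latin scripts as well.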

Malicious attachments

These attachments carry malware and are disguised as invoices, receipts, shipping notices, or shared documents. Common carriers are office documents that ask the user to “enable content” (macros), script files, and password-protected archives that mail scanners cannot open. Opening them can give attackers access to your device and data.

Fraudulent forms

Some phishing messages include fake data-entry forms that ask for login details or financial information. These forms look legitimate but are designed to collect data for criminal use.

Consequences of phishing

Phishing attacks can have devastating consequences for both individuals and organizations. A successful phishing attack often results in the theft of sensitive data, such as login credentials, credit card information, and personally identifiable information. This stolen data can be used for identity theft, leading to unauthorized transactions, account takeover, and the spread of further phishing scams through fraudulent emails.

For organizations, the impact of phishing campaigns can extend beyond financial loss to include reputational damage and loss of customer trust. Phishing attempts can also compromise mobile devices, allowing attackers to steal personal and financial information or install malware that further endangers sensitive data.

It’s crucial to report phishing attempts to the appropriate authorities, such as the National Cyber Security Centre or the Anti-Phishing Working Group. By reporting phishing, you help disrupt ongoing phishing campaigns and contribute to broader anti-phishing efforts that protect others from falling victim to similar attacks.

Real-world phishing examples

To understand phishing in action, consider these scenarios:

  • A fake email from your bank asks you to confirm your login by clicking a link. The link leads to a spoofed website that captures your credentials.

  • A text message claims you missed a delivery and asks you to click a link. The link installs malware on your phone.

  • A phone call claims there is a problem with your computer and asks for remote access or payment information. The caller is a scammer impersonating tech support.

How to prevent phishing attacks

Here are some key practices to reduce your risk of falling victim to phishing:

  • Be cautious of unexpected emails, even from senders you know; a compromised or spoofed account looks exactly like the real one. If in doubt, verify through official contact information, not the details given in the message.

  • Inspect the real destination of a link before clicking: hover on a desktop, long-press on a phone, and compare the domain with the one the link text shows.

  • Do not open unexpected attachments, especially from unfamiliar sources, and do not enable macros or “content” in a document you did not ask for.

  • Never provide sensitive information, including one-time codes, via email, text, or phone in response to an unsolicited request, however plausible the sender or caller seems.

  • Use endpoint protection (antivirus) software and keep it and your operating system updated.

  • Access websites directly through your browser or a bookmark rather than by clicking on email links.

  • Enable two-factor authentication for accounts where available, preferring phishing-resistant methods (security keys, passkeys) over codes that a fake site can relay.

  • Use a password manager; it will not autofill your credentials on a look-alike domain, which is a strong hint that something is wrong.

  • Use email filters to help block phishing emails before they reach your inbox.

  • Report phishing emails to your IT department or relevant authorities to help prevent future attacks.

Phishing simulations: Testing and training for resilience

Phishing simulations are a proactive way for organizations to strengthen their defenses against phishing attacks. These controlled exercises involve sending simulated phishing emails, text messages, or even phone calls to targeted users within an organization. The goal is to test users’ ability to detect phishing attempts, recognize suspicious emails, and report phishing attempts before any real damage occurs.

By regularly conducting phishing simulations, organizations can identify which users may be vulnerable to phishing messages and provide targeted training to improve their awareness. These exercises also familiarize users with the latest phishing techniques cybercriminals use, including voice phishing, smishing, and email phishing. As a result, users become more adept at spotting malicious messages, whether they arrive via email, text message, or phone call.

Phishing simulations are a key component of anti-phishing strategies, helping to build a culture of vigilance and resilience. Encouraging users to report phishing attempts not only protects the organization but also contributes to the wider fight against phishing attacks.

Multi-layered approach to phishing defense

Defending against phishing attacks requires a multi-layered approach that combines technology, best practices, and user education. Organizations should deploy spam filters, email authentication (SPF, DKIM, and DMARC) on their own domains, monitoring tools, and anti-phishing software to detect and block phishing emails and malicious websites before they reach users. These tools can identify suspicious emails by checking sender authentication results, mismatched reply addresses, and known-bad links, and can block access to phishing pages at the web proxy or DNS layer.
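The header-level checks a mail filter performs can be shown on a raw message. The following is an added example written for this article, not code from the original post or from any particular product: it reads a message with Python’s standard email module, extracts the SPF, DKIM, and DMARC verdicts from the Authentication-Results header, compares the From domain with Reply-To and Return-Path, looks for an address hidden in the display name, and scans the subject for the urgency wording listed earlier in the article. Both messages and the word list are constructed for illustration.

```python
"""Header-level triage of a raw e-mail. Added example for this article, not
code from it; both messages below are constructed for illustration."""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: pressure words drawn from the pretexts listed earlier in the article.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "locked", "verify", "expire")

# Constructed sample 1: display name claims a bank, but the envelope sender and
# Reply-To belong to other domains and the receiving server recorded failures.
PHISH_RAW = """\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=examplebank.com
From: "Example Bank Security" <alerts@examplebank.com>
Reply-To: support@examplebank-verify.net
Return-Path: <bounce@bulk-sender.example>
Subject: URGENT: your account will be locked in 24 hours
Content-Type: text/plain

Please verify your details immediately at the link below.
"""

# Constructed sample 2: what a legitimate statement notice looks like.
CLEAN_RAW = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com
From: "Example Bank" <statements@examplebank.com>
Return-Path: <bounce@examplebank.com>
Subject: Your monthly statement is available
Content-Type: text/plain

Log in as usual to view your statement.
"""


def domain_of(header_value: str | None) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_results(value: str | None) -> dict[str, str]:
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header."""
    return {m.group(1): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value or "")}


def triage(raw: str) -> list[str]:
    """Return the suspicious signs found in one message (empty list = none)."""
    msg = message_from_string(raw)
    findings: list[str] = []

    # 1. Authentication: anything other than an explicit pass is worth noting.
    verdicts = auth_results(msg.get("Authentication-Results"))
    for mech in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(mech, "missing")
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")

    # 2. Sender consistency: replies and bounces should go back to the From domain.
    from_domain = domain_of(msg.get("From"))
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(header))
        if other and other != from_domain:
            findings.append(f"{header} domain {other} differs from From domain {from_domain}")

    # 3. Display-name spoofing: an address hidden in the friendly name.
    name, _ = parseaddr(msg.get("From") or "")
    if re.search(r"[\w.-]+@[\w.-]+", name):
        findings.append("display name contains an e-mail address")

    # 4. Pressure: the urgency wording phishing pretexts rely on.
    subject = (msg.get("Subject") or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("urgency wording in subject: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_RAW), ("clean", CLEAN_RAW)):
        print(label, triage(raw) or "nothing flagged")
```

Two caveats apply in practice. An Authentication-Results header is only trustworthy when your own receiving server added it, so inbound copies of that header must be stripped before the message is evaluated. And SPF, DKIM, and DMARC passes prove only that the message really came from the domain in the From header; a message from a freshly registered look-alike domain can pass all three, which is why the domain checks and the content checks still matter.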

However, technology alone is not enough; some messages will always get through, and an attacker needs only one click. User education is therefore a critical layer of defense. Training users to recognize phishing attempts, to use a unique password for every account (a password manager makes this practical and will refuse to autofill on a look-alike domain), and to pause before clicking links or opening attachments is essential. Staff who can move money or approve payments deserve particular attention, since spear phishing and CEO fraud target exactly those roles.

By combining these layers, organizations can significantly reduce the risk of phishing attacks, protect sensitive information, and limit the financial and reputational damage that a successful attack can cause. No single control stops phishing; the combination does.

Phishing in the workplace

Businesses are frequent targets of phishing attacks. Even with security tools in place, employee awareness is critical. Organizations often implement:

  • Phishing simulations for training

  • Email scanning and anomaly detection

  • Security awareness programs

While no solution is perfect, consistent education and vigilance can significantly reduce the risk of successful phishing attacks.

Conclusion

Phishing is a serious and evolving cybersecurity threat that targets individuals and organizations alike. Understanding what phishing is and how it works is the first step toward staying safe online. By recognizing common tactics, avoiding suspicious links and attachments, and practicing good security hygiene, you can reduce your risk of falling victim to a phishing scam.

This post has been updated on 01-07-2025 by Sarah Krarup.

Author: Sarah Krarup

Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.
