What Phishing Is, and How to Spot It
Phishing tricks you into handing over passwords or money by impersonating someone you trust. It is behind a huge share of breaches, and the warning signs are learnable.
Photo: Wikimedia Commons, via Wikimedia Commons (CC BY-SA)
Most successful cyberattacks do not break through firewalls. They walk in through the front door, because someone was tricked into opening it. That trick is phishing, and it is one of the most common and effective threats online. The good news is that once you know the tells, most phishing is surprisingly easy to catch.
What phishing is
Phishing is a form of social engineering: an attacker impersonates a person or organization you trust, a bank, an employer, a delivery service, in order to trick you into doing something harmful. Usually that means clicking a malicious link, entering your password on a fake login page, or sending money or sensitive information.
The message is designed to feel legitimate and, crucially, urgent. Your account will be closed, a payment failed, a package is held. The urgency is deliberate: it pushes you to act before you stop to think.
The main varieties
- Email phishing, the classic version, sent in bulk hoping a few recipients bite.
- Spear phishing, targeted at a specific person using personal details to seem convincing.
- Smishing, phishing by text message, often a fake delivery or bank alert with a link.
- Vishing, phishing by voice call, such as someone posing as tech support or the IRS.
The channel changes, but the goal is the same: get you to trust a stranger and act quickly.
The tells
Most phishing attempts share a few recognizable warning signs:
- A sense of urgency or threat. Act now, or else.
- A mismatched or odd web address. The visible link text may say your bank, but the real destination is a look-alike domain. Hover over links to see where they actually go before clicking.
- Requests for credentials or payment. Legitimate organizations do not ask for your password by email, and rarely demand payment by gift card or wire on the spot.
- Small errors. Awkward wording, a slightly wrong logo, or a greeting that does not use your name.
- An unexpected attachment. Especially one that asks you to enable content or macros.
The address bar is your friend
Before entering a password, glance at the web address. Phishing sites use look-alike domains, such as an extra word or a swapped letter. A password manager helps here: it fills credentials based on the real address, so if it does not offer to autofill, that is a strong hint you are on a fake page.
When a message pressures you to act immediately, that pressure is itself the warning sign. Slow down, and verify through a channel you trust.
What to do
If a message seems off, do not click its links or call its numbers. Instead, contact the organization directly using a phone number or web address you already know, such as the one on the back of your card or in your bookmarks. If you think you have entered a password on a fake site, change it right away, and change it anywhere else you reused it.
Your best defenses
Two habits blunt most phishing. First, two-factor authentication means a stolen password alone is often not enough to get in. Second, a password manager both generates unique passwords, so a single stolen one does limited damage, and quietly refuses to autofill on fake sites. Together they turn a moment of misplaced trust into a near miss rather than a disaster. Attackers rely on haste and habit; a few seconds of skepticism is what defeats them.