What Is Phishing?

Phishing is the practice of sending fraudulent communications that appear to come from a reputable source. It is usually performed through email. The goal is to steal sensitive data like credit card and login information or to install malware on the victim's machine. Phishing is a common type of cyber attack that everyone should learn about in order to protect against email threats.

What is phishing?

Phishing attacks are counterfeit communications that appear to come from a trustworthy source but which can compromise all types of data sources. Attacks can facilitate access to your online accounts and personal data, obtain permissions to modify and compromise connected systems--such as point of sale terminals and order processing systems--and in some cases hijack entire computer networks until a ransom fee is delivered.

Sometimes hackers are satisfied with getting your personal data and credit card information for financial gain. In other cases, phishing emails are sent to gather employee login information or other details for use in more malicious attacks against a few individuals or a specific company. Phishing is a type of cyber attack that everyone should learn about in order to protect themselves and ensure email security throughout an organization.

How has phishing evolved?

It has been a few decades since this type of scam was first referenced, and the first primitive forms of phishing attacks started in chatrooms. Phishing has since evolved into one of the largest cybercrimes on the internet, and it leads to business email compromise (BEC) and ransomware. Read about phishing's history, evolution, and predictions for the future in The Evolution of Phishing.

How does phishing work?

Phishing starts with a fraudulent email or other communication designed to lure a victim. The message is made to look as though it comes from a trusted sender. If it fools the victim, he or she is coaxed into providing confidential information--often on a scam website. Sometimes malware is also downloaded onto the target's computer.

Cybercriminals start by identifying a group of individuals they want to target. Then they create email and text messages that appear to be legitimate but actually contain dangerous links, attachments, or lures that trick their targets into taking an unknown, risky action. In brief:

  • Phishers frequently use emotions like fear, curiosity, urgency, and greed to compel recipients to open attachments or click on links.
  • Phishing attacks are designed to appear to come from legitimate companies and individuals.
  • Cybercriminals are continuously innovating and becoming more and more sophisticated.
  • It only takes one successful phishing attack to compromise your network and steal your data, which is why it is always important to Think Before You Click.

Dangers of phishing

Personal phishing risks include:

  • Money being stolen from your bank account
  • Fraudulent charges on credit cards
  • Lost access to photos, videos, and files
  • Fake social media posts made in your accounts
  • Cybercriminals impersonating you to a friend or family member, putting them at risk

At work the phishing risks include:

  • Loss of corporate funds
  • Exposing the personal information of customers and coworkers
  • Files becoming locked and inaccessible
  • Damage to your company's reputation

How can my company increase its phishing awareness?

No single cybersecurity solution can avert all phishing attacks. Your company should consider a tiered security approach to lessen the number of phishing attacks and reduce the impact when attacks do occur. This multilayered approach includes employee awareness training. When an attack makes it through your security, employees are typically the last line of defense.

Learn how to account for phishing attacks, how to recognize them, and what to do if you ever discern that you may have accidentally succumbed to a phishing attack. Test your phishing knowledge by taking our Phishing Awareness Quiz.

How can I detect phishing?

On any email client: You can examine hypertext links, which is one of the best ways to recognize a phishing attack.

When checking hyperlinks: The destination URL will show in a hover pop-up window near the hyperlink. Ensure that the destination URL matches the link shown in the email. Additionally, be cautious about clicking on links that have strange characters in them or are abbreviated.

On mobile devices: You can observe the destination URL by briefly hovering your mouse over the hyperlink. As a result, the URL will materialize in a small pop-up window.

On web pages: The destination URL will be revealed in the bottom-left corner of the browser window, when hovering over the anchor text.
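
The link checks described above (compare the visible link text with the real destination, and watch for strange characters or abbreviated links), as an added Python example that is not part of the original page. The shortener list, the reason labels and the sample email body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumed starter list, not from the page
SAMPLE = (  # constructed email body; every host is a placeholder
    '<a href="http://portal.example.com.verify.example.net/reset">https://portal.example.com/reset</a>'
    '<a href="https://xn--exmple-cua.example/login">Reset your password</a>'
    '<a href="https://bit.ly/constructed">View invoice</a>'
    '<a href="https://intranet.example.org/news">intranet.example.org/news</a>')

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL or bare host/path; '' if unparseable."""
    try:
        return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    except ValueError:
        return ""

def audit_links(html_body):
    """Return (href, text, reasons) per flagged link; text counts only if URL-like."""
    parser, findings = LinkCollector(), []
    parser.feed(html_body)
    for href, text in parser.links:
        dest, reasons = host_of(href), []
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != dest:
            reasons.append("text-host-mismatch")
        if not dest.isascii() or any(p.startswith("xn--") for p in dest.split(".")):
            reasons.append("non-ascii-or-punycode-host")
        if dest in SHORTENERS:
            reasons.append("shortened-url")
        if reasons:
            findings.append((href, text, reasons))
    return findings
```

Calling audit_links(SAMPLE) flags the first three links and leaves the fourth, whose visible text and destination share a host, unflagged.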

Anti-phishing tactics to help prevent phishing attacks:

  • Take our phishing quiz as part of your phishing education
  • Monitor your online accounts regularly
  • Keep your browser updated
  • Don't click on email links from unknown sources
  • Be aware of pop-up windows
  • Never give out personal information over email
  • Be wary of social and emotional lures
  • Track the latest phishing attacks with advanced phishing protection
  • Deploy malicious URL detection and content filtering

What should I do if I receive a phishing email?

If you receive a suspicious email, the first step is to not open the email. Instead, report the email to your company or organization as suspected phishing. Most importantly, you never want to assume that a coworker has already reported a phishing attack. The sooner your IT and security teams are forewarned of the potential threat, the sooner your company can take actions to prevent it from damaging your network.

If you discern that you have accidentally engaged with a phishing attack and given out any internal information, you must report the occurrence immediately. If you don't report a phishing attack immediately, you could put your data and your company at risk.

Types of phishing attacks

Spear phishing

Spear phishing targets specific individuals instead of a wide group of people. That way, the attackers can customize their communications and appear more authentic. Spear phishing is often the first step used to penetrate a company's defenses and carry out a targeted attack. According to the SANS Institute, 95 percent of all attacks on enterprise networks are the result of successful spear phishing.

Microsoft 365 phishing

The methods used by attackers to gain access to a Microsoft 365 email account are fairly simple and are becoming the most common. These phishing campaigns usually take the form of a fake email from Microsoft. The email contains a request to log in, stating that the user needs to reset their password, hasn't logged in recently, or has a problem with the account that needs their attention. A URL is included, enticing the user to click to remedy the issue.

Business email compromise (BEC)

BEC attacks are carefully planned and researched attacks that impersonate a company executive, vendor, or supplier.

Whaling

When attackers go after a "big fish" like a CEO, it's called whaling. These attackers often spend considerable time profiling the target to find the opportune moment and means to steal login credentials. Whaling is of particular concern because high-level executives are able to access a great deal of sensitive company information.

Social media phish

Attackers often research their victims on social media and other sites to collect detailed information, and then plan their attack accordingly.

Voice phishing

Voice phishing, or "vishing," is a form of social engineering. It is a fraudulent phone call designed to obtain sensitive information such as login credentials. For instance, the attacker might call pretending to be a support agent or representative of your company. New employees are often vulnerable to these types of scams, but they can happen to anyone--and are becoming more common.
