What Is Phishing?
Phishing is a social engineering attack in which an attacker masquerades as a trusted entity to trick victims into revealing sensitive information, such as passwords, credit card numbers, or personal data, or into installing malware. It is consistently one of the most common and successful cyberattack vectors because it exploits human psychology rather than technical vulnerabilities, and it is a leading cause of data breaches.
Types of Phishing Attacks
| Type | Vector | How It Works | Target |
|---|---|---|---|
| Phishing (standard) | Email | Mass emails impersonating banks, delivery companies, or tech platforms with malicious links or attachments | Broad, anyone |
| Spear Phishing | Email | Targeted emails using personal details (name, employer, recent activity) to increase credibility | Specific individuals or organisations |
| Whaling | Email | Highly targeted spear phishing aimed at executives (CEO, CFO), often for large wire transfers | C-suite executives |
| Smishing | SMS / text message | Text messages with malicious links, often impersonating postal services, banks, or government agencies | Mobile users broadly |
| Vishing | Phone call | Live voice calls impersonating tech support, banks, or government agencies | Older adults, employees |
| Clone Phishing | Email | Duplicates a legitimate email you received previously, replacing a link or attachment with a malicious one | Recipients of the original communication |
| QR Code Phishing (Quishing) | Physical / email | Malicious QR codes embedded in emails or physical materials that redirect to phishing pages | Broad |
Red Flags to Spot a Phishing Attempt
- The sender's email domain does not match the company it claims to be from (e.g. [email protected] instead of @amazon.com).
- The email creates urgency or fear: "Your account will be suspended in 24 hours unless you act now."
- Links in the email point to a domain that looks similar to, but is not, the real domain; hover over links before clicking to see the actual URL.
- The email contains grammar errors, unusual formatting, or an unexpected language mix.
- You were not expecting the email, for example package delivery notifications, prize wins, or password resets you did not initiate.
- Attachments have double extensions (e.g. invoice.pdf.exe) or are unexpected Office files asking you to "enable macros".
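The red flags above can be checked mechanically. The following checker is an added example, not code from the original page: it parses a raw email, compares the sender and link domains against the brand the message claims to be from, and looks for urgency phrases and double-extension attachments. The phrase list, extension list, the crude two-label domain comparison and the sample message are this example's own assumptions and constructions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Heuristics mirroring the red-flag list; these phrase and extension lists are illustrative choices.
URGENCY_PHRASES = ("act now", "suspended", "within 24 hours", "verify your account")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd")
URL_RE = re.compile(r"https?://([^\s/'\"<>]+)", re.IGNORECASE)

def registered_domain(host):
    labels = host.lower().strip(".").split(".")  # crude eTLD+1 (last two labels); use a public-suffix list in production
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def phishing_red_flags(raw_email, claimed_brand_domain):
    msg, flags = message_from_string(raw_email), []
    brand = registered_domain(claimed_brand_domain)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if registered_domain(sender_domain) != brand:  # red flag 1: sender domain mismatch
        flags.append(f"sender domain mismatch: {sender_domain}")
    text_parts, attachments = [], []
    for part in msg.walk():  # a single-part message yields just itself
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            text_parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    body = "\n".join(text_parts)
    flags += [f"link to off-brand domain: {h}" for h in URL_RE.findall(body)  # red flag 3: lookalike links
              if registered_domain(h) != brand]
    if any(p in body.lower() for p in URGENCY_PHRASES):  # red flag 2: urgency or fear
        flags.append("urgency language")
    flags += [f"double-extension attachment: {n}" for n in attachments  # red flag 6: invoice.pdf.exe
              if n.lower().count(".") >= 2 and n.lower().endswith(RISKY_EXTENSIONS)]
    return flags

# Constructed sample (not a real message) exhibiting four of the red flags above.
SAMPLE_EMAIL = """\
From: "Amazon Support" <security@amazon-verify.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your account will be suspended in 24 hours unless you act now:
https://amazon.com.account-check.example/login
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

--b1--
"""
```

Calling `phishing_red_flags(SAMPLE_EMAIL, "amazon.com")` returns all four flags, while a genuine message from `no-reply@amazon.com` linking to `www.amazon.com` returns an empty list.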
What to Do If You Fall for a Phishing Attack
Act immediately: change the password for the compromised account and for any other accounts that share that password. Enable two-factor authentication everywhere possible. Use the breach check tool to see whether your credentials are circulating. If financial information was compromised, contact your bank to freeze or monitor your account. Report the phishing email to your email provider and to the Anti-Phishing Working Group at [email protected].