What is phishing?

Key takeaways:

  • Phishing involves fraudulent emails to steal sensitive information.

  • Attackers impersonate trusted organizations, such as banks, to deceive victims.

  • Victims may unknowingly install malware or share credentials via fake websites.

  • Tools like phishing kits make phishing attacks widespread and persistent.

Phishing is the use of fraudulent messages, most commonly email, that impersonate a trusted party in order to obtain sensitive information from a victim (credentials, card numbers, personal data) or to get malware onto the victim’s device.

An attacker sends an authentic-looking email that appears to come from a trusted organization, such as the victim’s bank, asking the recipient to open an attachment or follow a link. Opening the attachment installs malware on the victim’s computer (for example, a keylogger that records passwords and other personal data). Following the link leads to a look-alike login page that asks for credentials. When the victim submits the form, the attacker receives the credentials and typically forwards the victim to the genuine website, so nothing appears to be wrong.

Ready-made phishing kits (packaged clones of login pages together with code that forwards captured credentials to the attacker) mean that little technical skill is needed, so these attacks remain as widespread today as when they first emerged.

How is phishing carried out?

  1. Create fake communications:

    1. Attackers send emails, messages, or even social media notifications that appear to be from legitimate sources, such as banks, government agencies, or popular websites.

  2. Mimic trusted websites:

    1. Victims are directed to fraudulent websites that closely resemble real ones, where they unknowingly enter sensitive details.

  3. Use urgency or fear:

    1. Phishing messages often claim that an account has been compromised or requires immediate action, pressuring users to respond quickly.

  4. Embed malicious links or attachments:

    1. Following malicious links or opening harmful attachments can install malware, giving attackers access to the victim’s system.

The mechanism of a phishing attack

Phishing techniques

Phishing attacks come in various forms, each designed to exploit human trust and habit and trick individuals into revealing sensitive information. Below, we discuss some common phishing techniques to help you recognize and avoid these scams.

1. Email phishing scam

An attacker sends the same authentic-looking email to hundreds or thousands of recipients, as seen in the example below. Because the message is not personalized, it uses a generic salutation such as “Dear customer.” The attacker expects only a small fraction of recipients to respond, but at that volume a small fraction is enough. The email is crafted to mimic the organization’s real correspondence as closely as possible, which can fool even careful users, and it is usually marked urgent so that the recipient acts immediately instead of first confirming with the bank.

2. Spear phishing

Spear phishing is similar to email phishing in that the attacker emails the victim. These emails, however, are targeted: they address the recipient by name and reference details about them, their employer, or their recent activity, often gathered from public sources. This builds credibility and makes the recipient more likely to comply.

3. Whaling

Whaling is spear phishing aimed at high-ranking employees (e.g., CEOs, finance directors, and other high-value targets). These emails typically claim to require immediate action and purport to come from a partner company, a regulator, or a government agency, which makes an executive more likely to open the attachment or approve the request without scrutiny.

The following image shows an example of a phishing email and the ways to identify its authenticity:

Common features

  • Urgency: Phishing emails usually press the recipient to act promptly because a security problem supposedly needs attention right now.

  • Links: The email contains links the recipient is asked to follow to reset a password, log in, confirm details, etc. The visible link text often does not match the address it actually points to.

  • Attachments: The email contains attachments the recipient is urged to open.

  • Sender: The sending address is not on the organization’s own domain. Look past the display name, which anyone can set, at the actual address: free webmail accounts, look-alike domains, and a Reply-To address that differs from the From address are all warning signs.

  • Offers: Offers from supermarkets or online stores that are too good to be true. Free laptops, phones, or huge discounts may lure the victim.
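The common features above can be checked mechanically. The following Python script is an added example, not code from the original article: it parses a constructed sample message and flags a sender whose display name claims one organization while the address belongs to another, a Reply-To that differs from the From domain, urgency wording, and links whose visible text does not match their real target. “Example Bank” and examplebank.com are hypothetical names chosen for the example.

```python
"""Heuristic triage of a suspicious e-mail (added example; stdlib only)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical organization and its real domain (assumptions for this example).
TRUSTED_ORG = "Example Bank"
TRUSTED_DOMAIN = "examplebank.com"

URGENCY_WORDS = ("immediately", "within 24 hours", "suspended",
                 "verify your account", "unusual activity")

# Constructed sample phishing message; none of these addresses are real.
SAMPLE_EMAIL = """\
From: Example Bank Security <alerts@examp1ebank-secure.com>
Reply-To: support@mail-examplebank.co
To: victim@example.net
Subject: Unusual activity detected - verify your account within 24 hours
Content-Type: text/html

<html><body>
<p>We detected unusual activity. Your account will be suspended unless you
verify immediately.</p>
<p><a href="https://login.examp1ebank-secure.com/verify">https://www.examplebank.com/login</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (visible text, href) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL (a scheme is assumed if missing)."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    return (parsed.hostname or "").lower()


def belongs_to(host, domain):
    """True if host is exactly `domain` or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(raw_message):
    """Return a list of human-readable findings for one message."""
    msg = message_from_string(raw_message)
    findings = []

    # Display name vs. real sender domain.
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if TRUSTED_ORG.lower() in display_name.lower() and not belongs_to(sender_domain, TRUSTED_DOMAIN):
        findings.append(f"sender claims to be {TRUSTED_ORG} but mails from {sender_domain}")

    # Reply-To pointing somewhere other than the From domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append(f"Reply-To domain differs from From domain: {reply_to}")

    # Urgency wording in subject or body.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))

    # Visible link text vs. where the link really goes.
    extractor = LinkExtractor()
    extractor.feed(body)
    for visible, href in extractor.links:
        target = host_of(href)
        if host_of(visible) != target:
            findings.append(f"link text shows {visible!r} but points to {target}")
        elif not belongs_to(target, TRUSTED_DOMAIN):
            findings.append(f"link to non-{TRUSTED_ORG} host {target}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the sample, the script reports all four problems. Heuristics like these are what mail filters start from; they miss a well-crafted message, so they complement rather than replace the habit of verifying requests out of band.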

Preventing phishing attacks

  • Verify requests: Contact the organization through a phone number or website you already know, never through contact details supplied in the message itself.

  • Avoid clicking links: Instead of following links in the email, type the organization’s address into the browser or use a bookmark you created earlier.

  • Use security software: Keep endpoint protection and mail filtering up to date. They catch known malicious attachments and links, but not every new campaign.

  • Enable multi-factor authentication (MFA): With MFA, a stolen password alone is not enough to log in. Note that one-time codes can still be phished by a kit that relays them to the real site in real time; phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys are bound to the genuine site’s origin and cannot be replayed from a look-alike page.

  • Check URLs carefully: Look for subtle changes in the address, such as a misspelled or look-alike name (e.g., examp1ebank.com for examplebank.com), the real name used as a subdomain of another domain (e.g., examplebank.com.secure-login.example), or a different top-level domain such as “.org” instead of “.com.”

  • Ensure secure connections: HTTPS protects the connection from eavesdropping, but most phishing sites now use HTTPS too, and a padlock says nothing about who operates the site. Treat a missing padlock as a red flag, not a present one as proof of legitimacy.
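The URL and HTTPS points above are easy to get wrong in the obvious way: checking whether the bank’s name appears somewhere in the address. The following Python script is an added example, not code from the original article. It contrasts that naive substring test with a check of the host the browser will actually connect to, covering the real name used as a subdomain of another domain, the name joined with a hyphen, the userinfo trick (bank.com@evil.example), a digit substituted for a letter, and an internationalized host with a Cyrillic look-alike letter. examplebank.com and every URL in the list are constructed for the example.

```python
"""Deciding whether a link really leads to the trusted site (added example; stdlib only)."""
from urllib.parse import urlparse

# Hypothetical organization's real domain (assumption for this example).
TRUSTED_DOMAIN = "examplebank.com"


def naive_check(url):
    """The check most people do in their heads: 'the bank's name is in there'."""
    return TRUSTED_DOMAIN in url.lower()


def real_host(url):
    """Hostname as the browser will resolve it.

    urlparse() drops userinfo (anything before '@'), so a URL such as
    https://examplebank.com@evil.example/ yields evil.example. Internationalized
    labels (xn--...) are decoded so that look-alike letters become visible.
    """
    host = (urlparse(url).hostname or "").lower()
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    return host


def check_url(url):
    """Return (verdict, reason) for a URL the user is about to follow."""
    parsed = urlparse(url)
    host = real_host(url)
    if parsed.scheme not in ("http", "https") or not host:
        return "reject", "not a web URL"
    if any(ord(ch) > 127 for ch in host):
        # A decoded xn-- label containing non-ASCII letters: likely a homoglyph attack.
        return "reject", f"host uses non-ASCII characters: {host!r}"
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        transport = "HTTPS" if parsed.scheme == "https" else "plaintext HTTP"
        # Encryption protects the connection; it says nothing about who runs the site.
        return "allow", f"host is {host} over {transport}"
    return "reject", f"host is {host}, not {TRUSTED_DOMAIN}"


# Constructed sample URLs; none of these domains are real targets.
SAMPLES = [
    "https://www.examplebank.com/login",                      # genuine
    "https://examplebank.com.secure-login.example/verify",    # real name as a subdomain
    "https://examplebank.com-verify.example/",                # real name joined with a hyphen
    "https://examplebank.com@evil.example/",                  # userinfo trick
    "https://examp1ebank.com/",                               # digit 1 instead of letter l
    "https://" + "еxamplebank.com".encode("idna").decode("ascii") + "/",  # Cyrillic е, sent as xn--
]


def compare(urls=SAMPLES):
    """Return [(url, naive_check result, check_url verdict)] for each URL."""
    return [(u, naive_check(u), check_url(u)[0]) for u in urls]


if __name__ == "__main__":
    for url, naive, verdict in compare():
        print(f"{verdict:6} naive={naive!s:5} {url}")
```

Only the first URL is allowed; the naive substring test accepts four of the six. Browsers apply the same registrable-domain logic when deciding which site a saved password belongs to, which is one reason a password manager that refuses to autofill on an unfamiliar host is a useful phishing signal.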

Test yourself

Before moving on to the conclusion, test your understanding.

1

What is a key characteristic of phishing attacks?

A)

They involve fraudulent phone calls to steal sensitive information.

B)

They use fraudulent emails to trick victims into revealing sensitive information.

C)

They rely on the physical theft of personal documents.


Conclusion

Phishing attacks, while evolving in sophistication with tools like phishing kits, remain a persistent threat. By understanding common tactics such as email phishing, spear phishing, and whaling, and implementing preventive measures like verifying requests, avoiding suspicious links, and utilizing strong security measures, individuals and organizations can significantly reduce their vulnerability to these cyber threats.

Ready to secure the digital world? Cyber Security Fundamentals equips you with the skills to monitor, detect, and respond to cyber incidents, ensuring your career as a cyber security professional takes off.

Frequently asked questions



Why is it called phishing?

It’s called phishing because attackers fish for victims by luring them with deceptive bait, similar to fishing in water.


What are the four types of phishing?

  1. Email phishing: Sending fake emails that look legitimate to steal information.
  2. Spear phishing: Targeting specific individuals or organizations with personalized attacks.
  3. Vishing (Voice phishing): Using phone calls to deceive people into sharing confidential details.
  4. Smishing (SMS phishing): Sending text messages that trick people into revealing sensitive information.

Why “ph” in phishing?

The “ph” in phishing originates from “phreaking,” a term used by early hackers who manipulated phone systems, combining it with “fishing” to symbolize luring victims.


What is URL phishing?

URL phishing is a phishing attack that relies on a deceptive link: the victim is tricked into following a URL that leads to a look-alike website, which then harvests the credentials or other sensitive information they enter.


What is internet phishing?

Internet phishing is a type of online scam where attackers attempt to trick individuals into revealing sensitive information, such as passwords, credit card numbers, or personal details, by pretending to be a trustworthy entity.


What is phishing in simple words?

Phishing is when someone tries to steal your personal information by pretending to be a legitimate organization, usually through fake emails or websites.



HowDev By Educative. Copyright ©2025 Educative, Inc. All rights reserved