Phishing explained

Phishing is social engineering by email, text, or phone. Attackers pretend to be someone you trust to steal credentials, money, or data. It works because it exploits how people actually behave under pressure.

Mass phishing

Mass phishing sends the same message to thousands of people. Typical examples: fake "Your account has been locked" emails from banks, or "You have a package waiting" texts with a tracking link. The goal is to get you to enter your password on a fake site or download malware. Attackers rely on volume—even a 1% success rate can be profitable.

Defenses: use a password manager so you never type passwords into sites you reached via email links. Check the URL before entering credentials—phishing sites often use misspellings (paypa1.com) or unrelated domains. When in doubt, open your bank or service in a new tab by typing the address yourself.

Spear phishing

Spear phishing targets specific people or organizations. The attacker researches you—LinkedIn, company press releases, breached databases—and crafts a message that sounds plausible. A classic example: an email to a finance employee pretending to be the CEO, asking for an urgent wire transfer. These attacks are harder to spot because the details are tailored.

The defense is process, not technology. For wire transfers or sensitive changes, require verification through a separate channel—a call to a known number, or an in-person confirmation. Never approve a transfer based solely on an email, no matter how urgent it sounds. Attackers create urgency on purpose.

Clone sites and lookalike pages

Attackers copy real login pages and host them on similar-looking domains. You think you are on your bank's site; you enter your password; the attacker captures it. On the dark web, the same trick works with long .onion addresses—one wrong character and you are on a phishing mirror. People are bad at comparing random strings.

Bookmark important sites and use those bookmarks. Do not trust links from emails or messages for login pages. If a site asks for credentials, confirm the URL matches what you expect. Some organizations publish their official addresses; compare carefully.
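As an added example (not code from the original article), here is a small Python checker that applies the URL-comparison advice above to a link before you enter credentials. It takes the link and a constructed allow-list of the hosts you actually log in to, and reports whether the link is the real site (or a real subdomain of it), a typo-squat or homoglyph look-alike such as paypa1.com, a real brand name buried inside an unrelated domain, or a plain-HTTP page. The allow-list, the character-substitution table and the sample links are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: the hosts you actually log in to.
# In practice this is your bookmark list or the organization's published addresses.
EXPECTED_LOGIN_HOSTS = {"paypal.com", "microsoft.com"}

# Character swaps used to build look-alike names (partial table, constructed
# for this example): 1 for l, 0 for o, rn for m, and so on.
SINGLE_CHAR = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]

def normalize(host: str) -> str:
    """Fold look-alike characters so 'paypa1.com' compares equal to 'paypal.com'."""
    host = host.lower().translate(SINGLE_CHAR)
    for seq, rep in MULTI_CHAR:
        host = host.replace(seq, rep)
    return host

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away (paypall.com) is already suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_login_url(url: str, expected: set[str] = EXPECTED_LOGIN_HOSTS) -> str:
    """Return 'ok', 'insecure', 'lookalike' or 'unrelated' for a login link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host or parts.scheme != "https":
        return "insecure"          # no usable host, or credentials over plain HTTP
    if any(host == e or host.endswith("." + e) for e in expected):
        return "ok"                # exact host, or a genuine subdomain of it
    reg = ".".join(host.split(".")[-2:])   # registrable part, e.g. paypa1.com
    for exp in expected:
        brand = normalize(exp.split(".")[0])
        if (normalize(reg) == normalize(exp)
                or edit_distance(reg, exp) <= 1
                or brand in normalize(host)):
            return "lookalike"     # homoglyph, typo-squat, or brand inside another domain
    return "unrelated"
```

A link that comes back as anything other than "ok" is a reason to close the message and open the site from your own bookmark instead.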

Voice and chat lures

Vishing (voice phishing) uses phone calls. Someone claims to be from IT support, your bank, or the IRS. They pressure you to reveal a password, install remote-access software, or approve a transaction. Caller ID can be spoofed, so the number on your screen is not proof of identity.

Hang up and call back using a number you look up yourself—from the back of your card, the company website, or a prior statement. Do not use a number the caller gives you. Legitimate organizations will not demand immediate action or threaten you over the phone.

Why two-factor authentication matters

Even if an attacker gets your password via phishing, 2FA can block them: they would also need your phone (for app-based codes) or your physical security key. Use 2FA on email and banking at minimum, because email is the reset point for most other accounts. Prefer hardware security keys where available, since they are phishing-resistant: a one-time code from an app or SMS can be relayed by a phishing page in real time, but a key only answers the genuine site. An authenticator app is the next best choice, and both are stronger than SMS.
