What Is Phishing and How to Protect Yourself

Phishing is one of the oldest and most effective cyberattacks – and it's only getting more sophisticated. It works by tricking you into giving away your login credentials, personal information, or financial details through fake messages that look legitimate.

From fake emails pretending to be your bank to SMS messages claiming your package is stuck, phishing comes in many forms. Knowing how to recognize it is your best defense against account takeovers and data theft.

What Is Phishing?

Phishing is a type of social engineering attack where a criminal impersonates a trusted entity – such as a bank, social media platform, or government agency – to trick you into revealing sensitive information.

The term "phishing" comes from "fishing" – the attacker casts a bait (a fake message) and waits for someone to bite. Unlike technical hacking, phishing doesn't exploit software vulnerabilities. It exploits human trust and urgency.

A typical phishing attack works like this:

  • You receive a message that looks official (email, SMS, or DM)
  • The message creates urgency: "Your account will be suspended," "Suspicious login detected," "Confirm your identity now"
  • You click a link that leads to a fake login page that looks identical to the real one
  • You enter your credentials – which go directly to the attacker

Phishing is the number one cause of account compromises on platforms like Facebook, email providers, and banking services.

Common Phishing Methods

Phishing has evolved far beyond obvious scam emails. Here are the most common forms you'll encounter:

Email phishing

  • The classic form – fake emails impersonating banks, platforms, or services
  • Often includes urgent language and a link to a counterfeit login page
  • Sender address may look similar to the real one but with subtle differences

SMS phishing (smishing)

  • Text messages claiming to be from delivery services, banks, or government agencies
  • Often contain shortened URLs that hide the true destination
  • Increasingly common and harder to filter than email

Social media phishing

  • Direct messages from hacked friends' accounts asking you to "check this out" or "vote for me"
  • Fake copyright or verification notices on Instagram and Facebook
  • Comment scams with links to fake giveaways or login pages

Voice phishing (vishing)

  • Phone calls pretending to be from tech support, your bank, or law enforcement
  • The caller creates urgency and asks you to provide account details or install software

The common thread: all forms of phishing exploit trust and create a false sense of urgency to make you act before thinking.

How to Recognize a Phishing Message or Page

Spotting phishing gets easier once you know what to look for. These are the most reliable warning signs:

  • Urgency and threats – "Act now or your account will be deleted." Legitimate services rarely threaten you with immediate consequences in a single message.
  • Suspicious sender address – look carefully. "support@faceb00k-security.com" is not Facebook. Check the actual email domain, not just the display name.
  • Generic greetings – "Dear user" or "Dear customer" instead of your actual name can indicate a mass phishing campaign.
  • Mismatched URLs – hover over links (don't click) to see the real destination. If the link text says "instagram.com" but the URL points somewhere else, it's phishing.
  • Poor grammar or formatting – while phishing has gotten more polished, many attempts still contain spelling errors, odd formatting, or inconsistent branding.
  • Unexpected attachments – legitimate platforms almost never send attachments. If you receive one unexpectedly, don't open it.
  • Requests for credentials via message – no legitimate service will ever ask you to send your password, PIN, or verification code through email or chat.

When in doubt, don't click the link. Instead, open a new browser window and go directly to the service's website by typing the address yourself.
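The warning signs above can be checked mechanically as well. The following is an added illustration, not code from the original page: it scans one message for a lookalike sender domain, for link text that names one domain while the href points to another, and for shortened URLs. The brand list, shortener list, homoglyph table and sample message are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed lists: brands to watch, shorteners that hide destinations, homoglyph swaps.
KNOWN_BRANDS = ("facebook.com", "instagram.com")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})
ANCHOR = re.compile(r'<a\b[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+\.[a-z]{2,})")

# Constructed sample message modelled on the warning signs above.
SAMPLE = ("Facebook Support <support@faceb00k-security.com>",
          '<p>Suspicious login detected.</p>'
          '<a href="https://login.faceb00k-security.com/verify">facebook.com</a> '
          '<a href="https://bit.ly/3xyz">Confirm now</a>')

def registrable(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand_hint(host):
    """Return the brand a host imitates after undoing homoglyphs, or None."""
    norm = host.lower().translate(HOMOGLYPHS)
    for brand in KNOWN_BRANDS:
        if brand.split(".")[0] in norm and registrable(host) != brand:
            return brand
    return None

def extract_links(html):
    """(href, visible text) per <a>; a simplified extractor for this demo."""
    return [(href, re.sub(r"<[^>]+>", "", text).strip())
            for href, text in ANCHOR.findall(html)]

def check_message(sender, html):
    """Return warning strings for one message; an empty list means no flags."""
    warnings = []
    sender_host = sender.rstrip(">").rsplit("@", 1)[-1]  # drop any display name
    if (b := brand_hint(sender_host)):
        warnings.append(f"sender domain {sender_host} imitates {b}")
    for href, text in extract_links(html):
        host = urlparse(href).hostname or ""
        if host in SHORTENERS:
            warnings.append(f"shortened link hides destination: {href}")
        shown = DOMAIN_IN_TEXT.search(text.lower())  # does the text name a domain?
        if shown and registrable(shown.group(1)) != registrable(host):
            warnings.append(f"link text says {shown.group(1)} but points to {host}")
        elif (b := brand_hint(host)):
            warnings.append(f"link host {host} imitates {b}")
    return warnings
```

Running `check_message(*SAMPLE)` yields three warnings, one per sign. In practice the brand check also needs an allowlist of each brand's legitimate sending domains, otherwise genuine notification domains that contain the brand name get flagged too.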

What to Do if You Clicked a Phishing Link

If you realize you've clicked a phishing link or entered your credentials on a fake page, don't panic – but act immediately:

  • Change your password right away – go directly to the real website (type the URL yourself) and change your password to something completely new.
  • Enable 2FA immediately – if you haven't already, enable two-factor authentication on the affected account and your email.
  • Check for unauthorized access – review active sessions and recent activity. Log out any devices you don't recognize.
  • Secure your email – if you entered your email credentials on a phishing page, your email account is now the priority. A compromised email gives attackers access to everything.
  • Check for forwarding rules – attackers often set up email forwarding to receive copies of your messages silently.
  • Monitor your accounts – watch for suspicious activity over the next days and weeks, including on accounts that use the same password.
  • Report the phishing page – most browsers and email providers have options to report phishing. This helps protect others.

If you entered financial information, contact your bank immediately to freeze or monitor the affected cards or accounts.

How to Protect Yourself from Phishing

The best protection against phishing is a combination of awareness and basic security practices:

  • Enable 2FA on all important accounts – even if an attacker gets your password through phishing, two-factor authentication blocks them from logging in.
  • Use unique passwords – never reuse passwords across services. A password manager makes this practical.
  • Verify before clicking – when you receive a message about account issues, go directly to the website instead of clicking the link in the message.
  • Keep software updated – browsers and email clients regularly update their phishing detection. Keep them current.
  • Be skeptical of urgency – legitimate companies give you time to act. If a message demands immediate action, that's a red flag.
  • Educate yourself and others – the more familiar you are with phishing tactics, the easier they are to spot. Share this knowledge with family and friends.

No single measure is perfect, but layering these practices makes you a dramatically harder target. For a complete security approach, see our guide to protecting your accounts.

Worried your account was compromised through phishing?

If you entered credentials on a phishing page and lost access to your account, RelyShield can help recover it and secure everything properly.

Frequently Asked Questions

What's the difference between email phishing and SMS phishing?

The method is different but the goal is the same. Email phishing uses fake emails, while SMS phishing (smishing) uses text messages. Both try to trick you into clicking a malicious link or sharing sensitive information. SMS phishing is harder to filter and often feels more personal.

Does antivirus software protect against phishing?

Partially. Good antivirus and browser security features can flag known phishing sites, but they can't catch every new one. Phishing ultimately exploits human judgment, so awareness is your best defense alongside technical tools.

What should I do if I entered my password on a phishing page?

Change your password immediately on the real website, enable two-factor authentication, check for unauthorized activity, and secure your email if you used the same credentials there. If financial data was entered, contact your bank right away.

Can I report a phishing page?

Yes. You can report phishing pages to Google Safe Browsing (safebrowsing.google.com/safebrowsing/report_phish), your email provider, and the impersonated company. Most browsers also have a built-in "Report phishing" or "Report deceptive site" option in the menu.