What is email phishing?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You get an email from your bank. It looks exactly right. The logo, the tone, even the sender name. It says your account has been flagged and you need to verify your details immediately or access will be suspended. You click. You type in your password. And just like that, someone else has it.

That's email phishing. It's the practice of sending deceptive emails that impersonate a trusted source to trick recipients into handing over credentials, money, or access. The word comes from "fishing". Casting a lure and waiting for someone to bite.

What makes phishing work isn't technical wizardry. It's psychology. Attackers rely on urgency ("your account will be closed"), authority ("this is IT security"), fear ("suspicious activity detected"), and familiarity (logos, language, and formatting ripped straight from the real brand). When someone believes a message is genuine, they act without pausing to question it. That moment of hesitation is what phishing is designed to eliminate.

The damage can be significant. A single clicked link can lead to stolen login credentials, unauthorized bank transfers, malware installed silently in the background, or a full account takeover. For organizations, one successful phish is often the entry point for a much larger breach. It's not the exotic hacking from movies. It's an email that looked real enough.

Phishing is also distinct from spam. Spam is bulk, impersonal, and usually just annoying. Phishing has intent. To deceive a specific person or group into taking a harmful action. The two can look similar in your inbox, but the goal is very different.

Want to understand the specific psychological tricks attackers use? Check out how phishing works in detail, or if you think your domain is being impersonated in phishing attacks, our free DMARC generator can help you set up the authentication record that tells mailbox providers to reject those spoofed emails.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get tailored phishing red flags for your situation

I just read about email phishing and want to go deeper. Based on my situation, what are the most important things to watch for? My role: e.g. individual, team manager, IT admin, email marketer My main concern: [e.g. protecting my own accounts, training staff, protecting my brand from being impersonated] Current setup: [e.g. no formal security training, have a basic spam filter, use Microsoft 365] Please give me: 1. The top psychological triggers my team or I should learn to recognize 2. The most common phishing patterns in my context 3. Practical steps I can take right now to reduce risk

Edit the yellow boxes, then send to the AI of your choice.