What is phishing?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Phishing is a type of social engineering attack where someone pretends to be a trusted source to trick you into handing over sensitive information. Passwords, credit card numbers, login credentials. The goal is always deception.

The word comes from "fishing" for victims. You cast bait, wait for bites. The "ph" spelling is a nod to early hacker culture, specifically phone phreaking from the 1970s. Old trick, new channels.

Email is the most common delivery method, but phishing shows up everywhere. SMS phishing is called smishing. Voice call phishing is called vishing. Then there's phishing via WhatsApp, Slack, LinkedIn, even fake QR codes. The channel changes. The psychology doesn't.

What makes phishing work is that it targets people, not systems. Attackers don't need to break through a firewall if they can convince your accountant to wire money to the wrong account. They exploit three psychological levers that work regardless of the medium:

  • Urgency. "Your account will be suspended in 24 hours." Panic short-circuits critical thinking.
  • Authority. An email appearing to come from your CEO, your bank, or a government agency carries weight. You don't question it the way you'd question a stranger.
  • Trust. A message that looks exactly like a real one from a brand you recognize (right logo, right tone, right layout) feels safe even when it isn't.

On email specifically, phishing exploits the fact that sender addresses and display names can be spoofed or impersonated. An attacker can make an email look like it came from support@yourbank.com without ever having access to that domain. That's why authentication protocols like DMARC exist. They give receiving mail servers a way to verify that an email actually came from who it claims to be.

Defense is two-sided. Technical filters catch a lot. But no filter catches everything, and attackers know how to slip through. Human awareness is the other half. Recognizing urgency as a red flag, verifying requests through a second channel, and pausing before clicking are habits worth building.

If you want to understand how phishing differs from plain spam, or how specific variants like whaling and business email compromise work, those have their own entries in this almanac worth reading next.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a personalized phishing defense checklist for your domain

I send legitimate marketing emails and I'm worried my brand could be impersonated in a phishing attack. Tell me: what are the most common psychological tactics phishing emails use, how do attackers spoof legitimate-looking sender addresses, and what technical or sending-side steps can I take to make it harder for someone to impersonate my domain? Give me a ranked list of actions from most to least impactful.

Edit the yellow boxes, then send to the AI of your choice.