What Is Phishing? Types, Examples, and Prevention

A comprehensive guide to phishing attacks covering types, real-world examples, how to identify phishing, and proven prevention strategies.

The InfoNexus Editorial Team | May 3, 2026 | 9 min read

What Is Phishing?

Phishing is a type of cyberattack in which an attacker impersonates a trusted entity — such as a bank, employer, government agency, or technology company — to deceive individuals into revealing sensitive information, clicking malicious links, downloading malware, or transferring funds. The term "phishing" is a play on "fishing," reflecting the concept of casting bait to catch victims. It originated in the mid-1990s among hackers targeting America Online (AOL) accounts.

Phishing remains the most common initial attack vector in cybersecurity. According to the FBI's Internet Crime Complaint Center (IC3), phishing and related techniques accounted for over 298,000 complaints in 2023, more than any other cybercrime category. The Anti-Phishing Working Group (APWG) recorded nearly 5 million phishing attacks in 2023 — a record high — demonstrating that despite widespread awareness, phishing continues to grow in scale and sophistication.

How Phishing Works

A typical phishing attack follows a predictable pattern:

  1. Preparation: The attacker creates a convincing impersonation of a trusted entity — a fake website, email template, or phone script
  2. Delivery: The phishing message is sent to targets via email, SMS, voice call, social media, or other channels
  3. Deception: The message creates urgency, fear, or curiosity to prompt immediate action
  4. Action: The victim clicks a link, opens an attachment, provides credentials, or transfers funds
  5. Exploitation: The attacker uses the stolen credentials, installs malware, or completes the fraud

Types of Phishing Attacks

| Type | Target | Channel | Description |
|---|---|---|---|
| Email phishing | Broad/mass | Email | Mass emails impersonating trusted brands; relies on volume, since even a small success rate yields significant results |
| Spear phishing | Specific individual | Email | Personalized emails using researched details about the target (name, role, projects, colleagues) |
| Whaling | Senior executives | Email | Spear phishing aimed at C-suite executives or board members; often involves legal or financial pretexts |
| Clone phishing | Previous email recipients | Email | Duplicating a legitimate email and replacing links/attachments with malicious versions |
| Vishing | Varies | Phone/Voice | Voice phishing using phone calls; caller impersonates tech support, banks, or government agencies |
| Smishing | Varies | SMS/Text | Phishing via text messages with malicious links or requests for information |
| Angler phishing | Social media users | Social media | Attackers create fake customer service accounts to intercept complaints and extract information |
| QR phishing (Quishing) | Varies | QR codes | Malicious QR codes placed in emails, documents, or physical locations that direct to phishing sites |

Anatomy of a Phishing Email

Understanding the common elements of a phishing email helps with identification. A typical phishing email contains several deceptive elements:

  • Spoofed sender address: The "From" field is disguised to appear as a legitimate organization (e.g., "security@paypa1.com" with the number 1 replacing the letter l)
  • Urgency or threat: Subject lines like "Your account will be suspended in 24 hours" or "Unauthorized login detected"
  • Generic greeting: "Dear Customer" or "Dear User" rather than the recipient's actual name (though spear phishing uses real names)
  • Malicious link: A hyperlink that appears legitimate but redirects to a fake login page or malware download. Hovering over the link reveals the actual URL
  • Malicious attachment: Office documents with macros, PDFs or HTML files carrying scripts or links, or archives hiding executables; opening them installs malware or opens a credential-harvesting page
  • Brand impersonation: Logos, color schemes, and formatting copied from the real organization to appear authentic
  • Grammar and spelling errors: While sophisticated phishing can be flawless, many campaigns contain linguistic indicators of fraud

Real-World Phishing Examples

| Incident | Year | Type | Impact |
|---|---|---|---|
| Google and Facebook BEC | 2013–2015 | Spear phishing / BEC | Evaldas Rimasauskas tricked both companies into wiring $100+ million by impersonating a hardware vendor (Quanta Computer) with forged invoices and contracts |
| Sony Pictures hack | 2014 | Spear phishing | Phishing emails to Sony employees led to a massive breach; unreleased films, emails, and employee data leaked |
| DNC email breach | 2016 | Spear phishing | Russian hackers sent targeted phishing emails to Democratic National Committee staff; stolen emails published by WikiLeaks |
| Colonial Pipeline | 2021 | Credential compromise (original theft vector not publicly confirmed) | A leaked password for a legacy VPN account with no MFA enabled gave DarkSide ransomware operators access; the resulting shutdown led to fuel shortages across the U.S. East Coast |
| Twilio breach | 2022 | Smishing | SMS phishing messages to employees led to account compromise affecting 125+ Twilio customers, including Signal users |

How to Identify Phishing

Recognizing phishing attempts is the most effective first line of defense. Key indicators to watch for:

  • Check the sender's email address carefully: Look for misspellings, character substitutions, or unusual domains (e.g., "microsoft-security.com" instead of "microsoft.com")
  • Hover before clicking: On a desktop, place your cursor over any link to preview the actual URL (on a phone, long-press the link). If it does not match the claimed destination, do not click; the visible link text can itself look like a URL while the real target points somewhere else
  • Evaluate the tone: Legitimate organizations rarely create extreme urgency or threaten account closure via email
  • Verify independently: If an email claims to be from your bank or employer, contact the organization directly using a known phone number or website — not the contact information provided in the suspicious message
  • Do not trust the padlock: HTTPS only proves the connection is encrypted, not that the site is genuine. Most phishing pages now carry a valid TLS certificate, so the padlock is not reassurance; a login page without HTTPS is still a red flag
  • Be skeptical of attachments: Unexpected attachments — especially from unknown senders — should be treated with extreme caution
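The checks above (a look-alike sender domain, link text that disagrees with the real link target, urgency language) can be automated. The following is an added example, not code from the article: it parses a raw message with Python's standard library and reports the indicators it finds. The brand list, the homoglyph table and both sample messages are constructed for the example, and the registrable-domain logic is a naive "last two labels" rule rather than the Public Suffix List.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed brand list; a real deployment loads its own. An exact match is
# treated as legitimate here; whether the mail really came from that domain is
# a separate SPF/DKIM/DMARC question.
PROTECTED_DOMAINS = {"paypal.com", "microsoft.com"}

# Digits and symbols attackers swap for similar-looking letters, plus a few
# Cyrillic letters that render like Latin ones (a subset of the real confusables).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a",
                            "$": "s", "|": "l", "\u0430": "a", "\u0435": "e",
                            "\u043e": "o", "\u0440": "p", "\u0441": "c"})
URGENCY = re.compile(r"\b(suspend(ed|ing)?|within 24 hours|immediately|"
                     r"unauthorized login|verify your account|act now)\b", re.I)
# Link text that itself looks like a URL or hostname, so it can be compared to the href.
URL_LIKE = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?$", re.I)

def registrable_domain(host):
    """Last two labels. Production code should use the Public Suffix List (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def lookalike_of(host):
    """Return the protected domain that `host` imitates, or None."""
    d = registrable_domain(host)
    if d in PROTECTED_DOMAINS:
        return None
    folded = d.translate(HOMOGLYPHS)
    for real in PROTECTED_DOMAINS:
        brand = real.split(".")[0]
        # paypa1.com folds to paypal.com; microsoft-security.com embeds the brand name
        if folded == real or brand in d.split(".")[0]:
            return real
    return None

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze_email(raw_message):
    """Return a list of human-readable phishing indicators found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    # 1. Judge the address inside <...>, never the display name.
    sender_domain = msg["From"].addresses[0].domain
    target = lookalike_of(sender_domain)
    if target:
        findings.append(f"sender domain {sender_domain} imitates {target}")
    # 2. Urgency or threat in subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if URGENCY.search(msg["Subject"] or "") or URGENCY.search(text):
        findings.append("urgency or threat language")
    # 3. Links: what the user sees versus where the href really goes (the "hover" check).
    parser = LinkExtractor()
    parser.feed(text)
    for href, shown in parser.links:
        href_host = urlparse(href).hostname or ""
        m = URL_LIKE.match(shown)
        shown_host = m.group(1) if m else ""
        if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(f"link text {shown} actually points to {href_host}")
        elif lookalike_of(href_host):
            findings.append(f"link host {href_host} imitates {lookalike_of(href_host)}")
    return findings

# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "PayPal Security" <security@paypa1.com>
To: victim@example.com
Subject: Unauthorized login detected - action required
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your account will be suspended within 24 hours unless you verify it.</p>
<p><a href="http://paypal.com.account-check.example.net/login">https://www.paypal.com/myaccount</a></p>
</body></html>
"""
SAMPLE_LEGIT = """\
From: PayPal <service@paypal.com>
To: victim@example.com
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello Jane,</p>
<p>Your statement is at <a href="https://www.paypal.com/statements">www.paypal.com/statements</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    print(analyze_email(SAMPLE_PHISH), analyze_email(SAMPLE_LEGIT))
```

The brand-substring rule is deliberately aggressive (it would also flag a legitimate partner domain that embeds the brand name), which is the right trade-off for a triage tool that feeds a human or a mail gateway rather than for automatic blocking.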

Prevention Strategies

For Individuals

  • Enable multi-factor authentication (MFA): Even if credentials are phished, MFA provides a critical second barrier. Hardware security keys (FIDO2/WebAuthn) are the strongest form, resistant to real-time phishing proxies
  • Use a password manager: Password managers autofill credentials only on the exact domain they were saved for, so a manager that refuses to fill on a page that looks like your bank is itself a warning sign
  • Keep software updated: Patches address vulnerabilities that phishing-delivered malware may exploit
  • Report suspicious messages: Most email clients have a "Report phishing" button; reporting improves filtering for all users

For Organizations

  • Email authentication protocols: Implement SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance), and move the DMARC policy to p=reject once aggregate reports show legitimate mail flows are aligned. These stop attackers from sending mail that claims to be from your exact domain; they do nothing against look-alike domains the attacker registers, which need monitoring and takedown
  • Advanced email filtering: AI-powered email security solutions that analyze sender behavior, content patterns, and link destinations
  • Security awareness training: Regular, ongoing training with simulated phishing exercises. Measured click rates typically fall over repeated rounds but never reach zero, so training complements technical controls rather than replacing them; track report rates as well as click rates
  • DNS filtering: Blocking access to known phishing domains at the network level
  • Incident response plan: Clear procedures for employees to follow when they suspect or fall victim to phishing, including credential reset protocols and forensic analysis
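To make the SPF/DKIM/DMARC item concrete, here is an added example (not from the article) of the decision a receiving mail server makes for one message: evaluate SPF for the envelope sender, check whether any verified DKIM signature aligns with the From: domain, and apply the From: domain's published DMARC policy when neither passes. DNS lookups are replaced by a constructed dictionary of TXT records so it runs offline; the domains and IP addresses are made up, and the SPF evaluator handles only the ip4, include and all mechanisms.

```python
import ipaddress

# Constructed DNS TXT records standing in for real lookups (the domains are made up).
DNS_TXT = {
    "example-corp.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example-corp.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example-corp.com",
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def org_domain(domain):
    """Organizational domain, approximated as the last two labels (use the Public Suffix List in production)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_spf(domain, sender_ip, depth=0):
    """Minimal SPF (RFC 7208) evaluator: ip4, include and all mechanisms only."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return SPF_RESULT[qualifier]
        if term.startswith("include:") and check_spf(term[8:], sender_ip, depth + 1) == "pass":
            return SPF_RESULT[qualifier]
        if term == "all":
            return SPF_RESULT[qualifier]
    return "neutral"

def dmarc_record(domain):
    """Parse the _dmarc TXT record of `domain` into a tag dictionary, or None if absent."""
    txt = DNS_TXT.get("_dmarc." + domain.lower())
    if txt is None or not txt.startswith("v=DMARC1"):
        return None
    return dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)

def aligned(auth_domain, header_from, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)

def evaluate_dmarc(header_from, mail_from, sender_ip, dkim_results):
    """Return (disposition, reason). dkim_results: [(d= domain, signature verified?)].
    Disposition is 'pass', the domain's p= policy when neither aligned check passes,
    or 'none' when the From: domain publishes no DMARC record at all."""
    rec = dmarc_record(header_from)
    if rec is None:
        return "none", f"no DMARC record for {header_from}; receiver cannot judge"
    spf = check_spf(mail_from, sender_ip)
    spf_ok = spf == "pass" and aligned(mail_from, header_from, rec.get("aspf", "r"))
    dkim_ok = any(valid and aligned(d, header_from, rec.get("adkim", "r")) for d, valid in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", f"spf={spf} aligned={spf_ok}, dkim aligned={dkim_ok}"
    return rec.get("p", "none"), f"DMARC fail: spf={spf} for mail_from={mail_from}, no aligned DKIM signature"

if __name__ == "__main__":
    # Legitimate mail from the corporate range, signed by the corporate domain
    print(evaluate_dmarc("example-corp.com", "example-corp.com", "203.0.113.5", [("example-corp.com", True)]))
    # Exact-domain spoof from an unrelated host: rejected by p=reject
    print(evaluate_dmarc("example-corp.com", "attacker.example", "192.0.2.7", []))
    # Look-alike domain: DMARC is silent, because the attacker controls that domain's DNS
    print(evaluate_dmarc("example-corp.com"[:7] + "c0rp.com", "example-c0rp.com", "192.0.2.7", []))
```

The third case is the caveat worth remembering: DMARC protects your exact domain, so a message from example-c0rp.com gets disposition none rather than reject, because the attacker, not you, decides what that domain publishes. Relaxed alignment (adkim=r, aspf=r) is also what lets a signature from a subdomain such as mail.example-corp.com pass; switch to strict only if every legitimate sender signs with the bare organizational domain.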

The Evolution of Phishing

Phishing has evolved dramatically since the early AOL scams of the 1990s. Modern trends include:

  • AI-generated phishing: Large language models can generate grammatically perfect, contextually appropriate phishing messages at scale, eliminating one of the traditional indicators (poor grammar)
  • Adversary-in-the-middle (AiTM) attacks: Reverse-proxy phishing kits sit between the victim and the real login page, relaying the password and one-time code in real time and capturing the resulting session cookie. This bypasses SMS, TOTP and push-based MFA; FIDO2/WebAuthn credentials resist it because the signed assertion is bound to the origin the browser is actually on
  • Deepfake vishing: AI-generated voice clones used in phone-based phishing to impersonate executives or family members
  • Phishing-as-a-Service (PhaaS): Commercial phishing kits sold on dark web marketplaces, lowering the technical barrier to entry for attackers
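The AiTM bullet above and the earlier recommendation of hardware security keys make the same point from two sides, and it is easier to see in code. The following is an added simulation, not code from the article or from any real authenticator or site: part 1 shows a TOTP code being relayed through a proxy and accepted, part 2 shows the browser and the relying party rejecting a WebAuthn assertion produced on the proxy's origin. The hostnames, keys and challenge are constructed, and an HMAC stands in for the authenticator's ECDSA signature; the origin and rpIdHash checks are the ones the WebAuthn specification requires.

```python
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://bank.example"         # the legitimate site (constructed)
PROXY_ORIGIN = "https://bank-login.example"  # the attacker's look-alike proxy (constructed)
RP_ID = "bank.example"                       # WebAuthn relying-party ID of the real site

# ---- Part 1: a one-time code can be relayed -------------------------------
TOTP_SECRET = b"constructed-shared-secret"

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30-second window)."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def real_site_login_totp(password, code, now):
    """The bank checks a password and the current-window code. Nothing in the
    request tells it whether the user or a proxy submitted them."""
    return password == "hunter2" and hmac.compare_digest(code, totp(TOTP_SECRET, now))

def aitm_relay_totp(now):
    """The victim types password and code into the proxy page; the proxy
    forwards both to the real site within the 30-second window and wins."""
    victim_password, victim_code = "hunter2", totp(TOTP_SECRET, now)
    return real_site_login_totp(victim_password, victim_code, now)

# ---- Part 2: a WebAuthn assertion is bound to the origin ------------------
AUTH_KEY = b"constructed-authenticator-key"  # HMAC stand-in for the credential's ECDSA key
CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"     # constructed; real challenges are random per login

def browser_get_assertion(page_origin, rp_id, challenge):
    """What navigator.credentials.get() does: the browser, not the page script,
    fills in the origin, and refuses an rpId that is not a suffix of that origin's host."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(AUTH_KEY, to_sign, hashlib.sha256).digest()

def real_site_verify_assertion(challenge, client_data, auth_data, signature):
    """Server-side checks from the WebAuthn spec, in order: challenge, origin, rpIdHash, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != REAL_ORIGIN:
        return False, f"origin {cd.get('origin')} is not {REAL_ORIGIN}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(AUTH_KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    return True, "ok"

def legitimate_webauthn():
    return real_site_verify_assertion(CHALLENGE, *browser_get_assertion(REAL_ORIGIN, RP_ID, CHALLENGE))

def aitm_relay_webauthn():
    """The proxy relays the bank's real challenge to the victim's browser, which is on
    the proxy origin. The browser refuses to produce an assertion for the bank's rpId."""
    try:
        assertion = browser_get_assertion(PROXY_ORIGIN, RP_ID, CHALLENGE)
    except PermissionError as err:
        return False, str(err)
    return real_site_verify_assertion(CHALLENGE, *assertion)

def aitm_relay_webauthn_own_rpid():
    """If the proxy instead asks for its own rpId (a real authenticator would have no
    credential for it), the assertion carries the proxy origin and the bank rejects it."""
    return real_site_verify_assertion(CHALLENGE, *browser_get_assertion(PROXY_ORIGIN, "bank-login.example", CHALLENGE))

if __name__ == "__main__":
    print("TOTP relayed through proxy accepted:", aitm_relay_totp(1_700_000_000))
    print("Legitimate WebAuthn:", legitimate_webauthn())
    print("WebAuthn via proxy:", aitm_relay_webauthn())
    print("WebAuthn via proxy, own rpId:", aitm_relay_webauthn_own_rpid())
```

The asymmetry is the whole argument for hardware keys: a TOTP code is a bearer value, so the site cannot distinguish relay from legitimate use, whereas the WebAuthn assertion signs over an origin the attacker's page cannot choose, so the relay fails before it reaches the server or is rejected when it does.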

As phishing techniques become increasingly sophisticated, defense strategies must evolve in parallel — combining technical controls, user education, and organizational policies to create layered protection against this persistent and evolving threat.

Tags: cybersecurity, phishing, email security