Cybersecurity 101 — Threats & Attacks

What is Phishing?

Phishing is a fake message — usually an email — that pretends to be from someone you trust, designed to trick you into giving up a password, a payment, or access to your systems.

The plain-English definition

Phishing is deception delivered by message

Phishing is a type of social engineering — an attack that targets people rather than technology. The attacker sends a message that looks like it comes from a brand, colleague, or institution you trust: your bank, Microsoft, a shipping company, your CEO. The message creates a reason to act now, and points you toward a link, an attachment, or a reply. Do what it asks and you've handed the attacker exactly what they wanted.

The name is a play on "fishing" — attackers cast bait and wait for someone to bite. It works because it exploits trust and habit, not a software bug. That's also why it's so common: phishing is cheap to send, scales to millions of recipients, and only needs to succeed once. It remains the single most common way that breaches begin.

How it works

How attackers run a phishing attack

A typical phishing attack has three moves. First, the lure: a message engineered to look legitimate and to trigger an emotion — urgency ("your account will be suspended"), fear ("suspicious login detected"), curiosity, or the simple authority of a request from the boss. Second, the hook: a link to a fake login page that looks identical to the real one, or an attachment that installs malware when opened. Third, the catch: you type your password into the fake page or run the file, and the attacker collects the credentials or gains a foothold.

Modern phishing is far slicker than the misspelled "Nigerian prince" emails of the past. Attackers register look-alike domains, copy real branding pixel-for-pixel, and increasingly use AI to write flawless, personalized messages. Some kits even relay your login to the real site in real time so they can steal your session and slip past multi-factor authentication. Assume the polished email in your inbox could be fake — and verify before you act.

Common types

The varieties you'll encounter

Bulk phishing

The classic spray-and-pray email blasted to thousands, impersonating a well-known brand and hoping a fraction of people click.

Spear phishing

A targeted message tailored to one person or company, using real details to seem credible. Far more convincing than bulk phishing.

Whaling & CEO fraud

Spear phishing aimed at executives, or impersonating them, to authorize wire transfers — see business email compromise.

Smishing & vishing

Phishing by text message (smishing) or phone call (vishing). A fake "fraud department" call is a common form of vishing.

Clone phishing

A copy of a real email you received, with the links or attachments swapped for malicious ones — exploiting your familiarity with the original.

MFA-bypass phishing

Advanced kits that capture your one-time code or session token in real time, defeating older forms of multi-factor authentication.

How to protect your business

Concrete steps to cut your phishing risk

Because phishing targets people, the best defenses combine technology that filters the obvious attacks with habits that catch the clever ones:

  • Turn on multi-factor authentication everywhere. A stolen password is far less useful when a second factor is required. Prefer phishing-resistant MFA like passkeys.
  • Verify money and credential requests out-of-band. Any unexpected request to pay, change bank details, or share a password gets confirmed by phone or in person — never by replying to the email.
  • Configure email authentication. SPF, DKIM, and DMARC make it much harder for attackers to spoof your domain and help filters catch impostors.
  • Train and test your team. Brief, regular awareness training plus occasional simulated phishing builds the reflex to pause and check before clicking.
  • Make reporting easy. A one-click "report phishing" button turns every employee into a sensor and lets you contain a campaign before it spreads.

No filter catches everything, so the goal is a culture where verifying an odd request is normal and reporting a mistake is safe. If you want to know how your team would actually fare against a realistic campaign, Red Hound's penetration testing includes social-engineering assessments that test exactly this.

FAQ

Common questions about phishing

What is phishing in simple terms?

Phishing is when an attacker sends a fake message — usually email — that pretends to be from someone you trust, to trick you into clicking a malicious link, opening an attachment, or handing over passwords or money.

What are the warning signs of a phishing email?

Common red flags include urgency or threats, requests for passwords or payment, a sender address that doesn't quite match, links that point somewhere unexpected, unexpected attachments, and small spelling or branding mistakes. When in doubt, verify through a separate channel.
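As an added illustration (not code from the original page or from Red Hound), the short script below turns several of these red flags, plus the SPF/DMARC results that email authentication produces, into an automated triage check a help desk could run over a reported message. Everything in it is constructed: the sample email, its placeholder domains, and the function names are assumptions for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (placeholder domains, not real indicators): an impostor helpdesk at a
# look-alike domain, a Reply-To elsewhere, failed SPF/DMARC, and a disguised link.
SAMPLE_EMAIL = """\
From: "Example Corp IT Helpdesk" <helpdesk@example-corp-login.test>
Reply-To: support@attacker.test
Subject: Action required: your account will be suspended
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail
Content-Type: text/html

<p>Sign in now at <a href="https://example-corp-login.test/auth">https://login.example.com</a>.</p>
"""

LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")

def host_of(text):
    """Hostname named by a URL or bare domain, lowercased; '' if text is not host-like."""
    text = text.strip()
    if "://" not in text:
        text = "//" + text  # lets urlparse treat a bare domain as a netloc
    host = (urlparse(text).hostname or "").lower()
    return host if HOST_RE.match(host) else ""

def phishing_flags(raw, brand, trusted_domain):
    """Return human-readable red flags found in a raw message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender, flags = msg["From"].addresses[0], []
    from_domain = sender.domain.lower()
    # Display name borrows the trusted brand, but the address is not at the trusted domain.
    if brand.lower() in sender.display_name.lower() and from_domain != trusted_domain:
        flags.append(f"display name claims {brand} but sender domain is {from_domain}")
    # Replies are quietly routed to a different domain than the apparent sender.
    if msg["Reply-To"] and msg["Reply-To"].addresses[0].domain.lower() != from_domain:
        flags.append("Reply-To domain differs from sender domain")
    # The receiving server recorded an SPF or DMARC failure on the message.
    auth = str(msg.get("Authentication-Results", "")).lower()
    flags += [f"{c} check failed on inbound mail" for c in ("spf", "dmarc") if f"{c}=fail" in auth]
    # Visible link text names one host, but the href actually goes to another.
    body = msg.get_body(preferencelist=("html",))
    for href, text in LINK_RE.findall(body.get_content() if body else ""):
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            flags.append(f"link text shows {shown} but points to {actual}")
    return flags
```

Running `phishing_flags(SAMPLE_EMAIL, "Example Corp", "example.com")` on the constructed message returns five flags; a plain message from the trusted domain with no such signs returns none.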

What should I do if I clicked a phishing link?

Disconnect the device from the network, change the password for any account you may have entered, enable or reset multi-factor authentication, and report it to your IT or security team immediately so they can check for further compromise.

Does multi-factor authentication stop phishing?

MFA dramatically reduces the damage when a password is stolen, but determined attackers can sometimes bypass it with real-time phishing kits or MFA fatigue. Phishing-resistant MFA such as passkeys or hardware security keys offers the strongest protection.

Get the free SMB Security Baseline Checklist

A short, plain-English checklist covering the email and identity controls that block most phishing — built for small and mid-sized businesses.
