What Is Phishing?
Phishing is a cyberattack where criminals impersonate trusted entities — your bank, a streaming service, a government agency — to trick you into handing over passwords, credit card numbers, or other sensitive data. It typically arrives via email, SMS (smishing), or even phone calls (vishing).
The attacks have grown dramatically more convincing. AI tools now let attackers write flawless, personalized messages at scale. The old advice of "check for spelling errors" is no longer enough.
How to Spot a Phishing Attempt
1. Check the Sender's Email Address
The display name might say "PayPal Support," but the actual address might be support@paypa1-help.net (note the digit 1 standing in for the letter l, and a domain that is not paypal.com at all). Always click or hover over the sender name to reveal the real address. Legitimate companies send from their own domains.
2. Watch for Urgency and Fear Tactics
Phrases like "Your account will be suspended in 24 hours" or "Unusual login detected — act now" are designed to bypass your rational thinking. Slow down. Real companies give you time to respond through official channels.
3. Hover Over Links Before Clicking
On desktop, hovering over a link reveals its true destination in the browser's status bar. If a button says "Verify your account" but points to a random IP address or misspelled domain, don't click it.
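Checks 1 and 3 can be automated. The following is an added example (not code from the original article) that parses a constructed sample email, compares the display name against the real sender domain, and inspects where each link actually points; the brand-to-domain mapping and the two-label domain approximation are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not a real message): PayPal display name, look-alike sender domain, link to a raw IP.
SAMPLE_EMAIL = """From: "PayPal Support" <support@paypa1-help.net>
Content-Type: text/html

<html><body><p>Your account will be suspended in 24 hours.</p>
<a href="http://203.0.113.5/login">Verify your account</a>
<a href="https://www.paypal.com/help">https://www.paypal.com/help</a>
</body></html>
"""
class _LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> in an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def registrable_domain(host):  # assumption: last two labels approximate the registrable domain (no public-suffix list)
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(raw_email, brand_domains):
    """Return red flags per checks 1 and 3 above; brand_domains maps a brand keyword to its real domain."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    flags = []
    for brand, legit in brand_domains.items():  # check 1: display name vs. the real address
        if brand in display.lower() and registrable_domain(sender_domain) != legit:
            flags.append(f"display name mentions {brand!r} but address is @{sender_domain}")
    parser = _LinkCollector()  # check 3: where does each link really go?
    parser.feed(msg.get_payload(decode=True).decode(errors="replace"))
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            flags.append(f"link {text!r} points at raw IP address {host}")
        shown = urlparse(text).hostname if "://" in text else None  # link text that looks like a URL
        if shown and registrable_domain(shown) != registrable_domain(host):
            flags.append(f"link text shows {shown} but goes to {host}")
    return flags
```

Running `phishing_indicators(SAMPLE_EMAIL, {"paypal": "paypal.com"})` reports the look-alike sender and the raw-IP link, while the genuine paypal.com link passes.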
4. Be Suspicious of Unexpected Attachments
Attachments ending in .exe, .zip, .docm, or .xlsm from unknown senders are high-risk. Even PDFs can contain malicious links. Don't open them unless you were specifically expecting the file.
How to Protect Yourself
Enable Multi-Factor Authentication (MFA)
MFA is your best defense. Even if an attacker steals your password, they still can't log in without your second factor (an app code, hardware key, or biometric). Enable it everywhere — especially email, banking, and social media.
Use a Password Manager
Password managers like Bitwarden (free) or 1Password only autofill credentials on the exact domain they were saved for. If you land on a spoofed site, your password manager won't fill in your details — a clear red flag that something is wrong.
Keep Software Updated
Browser updates regularly patch vulnerabilities that phishing sites exploit. Enable automatic updates for your browser and operating system.
Use a DNS-Level Blocker
Free services like Cloudflare 1.1.1.1 or NextDNS can block known malicious domains before your browser even loads them.
Verify Through Official Channels
If you receive a suspicious email from your bank, don't click any links. Instead, open a new browser tab and navigate directly to your bank's website, or call the number on the back of your card.
What to Do If You've Been Phished
- Change your password immediately on the affected account and any accounts using the same password.
- Enable MFA if it wasn't already on.
- Check for unauthorized activity — sent emails, account changes, linked apps.
- Notify your bank if financial information was exposed.
- Report the phishing attempt to the impersonated organization and your email provider.
Stay Skeptical, Stay Safe
The most powerful anti-phishing tool you have is a healthy skepticism. Before clicking any link or entering any credentials, ask yourself: Was I expecting this? Does the sender make sense? Can I verify this through another channel? A few extra seconds of thought can prevent months of headaches.