What Is Phishing?
What is phishing? It is a scam where someone pretends to be a trusted company, agency, coworker, or person you know so you will click a link, share private information, send money, or download malware. The message may arrive by email, text, phone call, direct message, or QR code.
Phishing works because it feels familiar and urgent. The message may say your account is locked, a package is waiting, a payment failed, or someone needs help. The scammer’s goal is to move you quickly before you verify the source.
The safest response is simple: pause, do not click the link, and contact the organization through a channel you already trust. If a suspicious message includes a phone number, a reverse phone lookup can help you check the caller before you respond.
How Does Phishing Work?
Most phishing attacks follow a predictable path. First, the scammer chooses a trusted identity to imitate. That might be a bank, delivery company, government office, social network, employer, online store, or customer support team.
Next, the message creates pressure. It may warn that your account will close, your payment failed, your package cannot be delivered, your device is infected, or a legal problem is waiting. The pressure is designed to make the link or phone number feel like the fastest solution.
Then the scammer sends you to a fake page, asks you to reply with information, or tries to keep you on a call. If you enter a password, card number, one-time code, or Social Security number, the scammer may use it directly or sell it to someone else.
| Phishing Channel | What It Looks Like | What the Scammer Wants | Safer Response |
|---|---|---|---|
| Email phishing | A fake alert, invoice, account notice, or document link | Login details, payment data, malware install | Go to the site directly instead of using the link |
| Smishing | A text about a package, toll, bank alert, or prize | A tap, reply, card number, or code | Do not tap; verify through the official app or website |
| Vishing | A phone call claiming urgency or authority | Money, codes, passwords, remote access | Hang up and call a verified number |
| Quishing | A QR code on a sign, flyer, email, or parking notice | A visit to a spoofed payment or login page | Check the URL before entering information |
| Spear phishing | A message tailored to your job, family, or account | Trust, access, files, or wire transfers | Verify through another channel before acting |
What Is a Phishing Scam?
A phishing scam is the full deception, not just the link. It includes the fake identity, the urgent story, the delivery method, and the request. The message may be short and polished, or it may be messy and full of errors.
Many people picture phishing as a badly written email, but modern scams can look professional. Some use copied logos, clean templates, real company names, and sender names that look close to legitimate addresses. Others use text messages because people react faster on phones.
The FTC’s consumer scam hub at consumer.ftc.gov/scams is a practical starting point for recognizing common scam patterns and learning how to report them. If a message asks you to move money, share a code, or bypass normal verification, treat it as suspicious until proven otherwise.
What Is a Phishing Attack?
A phishing attack is an attempt to get access, money, or information through deception. It can target one person, thousands of consumers, or a specific employee with access to company systems. The attack may last seconds or unfold over several messages.
Some attacks are broad and generic. You may receive a fake delivery text even if you are not expecting a package. Other attacks are targeted and personal. A scammer may use your job title, a real vendor name, or details from social media to make the message feel credible.
Security Magazine reported that researchers found more than 1.76 billion phishing emails sent worldwide in 2023, a reminder that this is a high-volume threat, not a rare edge case. That figure came from its coverage at securitymagazine.com.

What Is a Phishing Link?
A phishing link is a URL that sends you somewhere unsafe while pretending to be legitimate. It may lead to a fake login page, a fake payment page, a malware download, or a form that asks for sensitive personal information.
Some links are obviously strange. Others hide behind shortened URLs, buttons, QR codes, or display text that says one thing while the actual destination is different. On a phone, the screen may be too small to show the full address clearly.
Before you click, ask whether the message expected you to act quickly, whether the link matches the real organization, and whether you can complete the same task by opening the official app or typing the website yourself. If you can verify independently, you do not need the message link.
Examples of Risky Link Clues
A fake link may swap letters, add extra words, use an unfamiliar domain ending, or place the real brand name in the wrong part of the address. A link can also be hidden behind a button that says “view invoice” or “track package,” so the visible words are not enough.
On mobile, press-and-hold previews can help, but they are not perfect and can still be confusing. When the message involves money, passwords, account recovery, or identity documents, skip the embedded link and navigate from a clean browser tab instead.
Common Types of Phishing
Email phishing is the classic version. It may imitate a bank, streaming service, cloud storage provider, tax agency, school, online store, or workplace tool. The message often asks you to review a document, fix a payment, confirm a password, or open an attachment.
Smishing is phishing by text message. These messages often claim a package is stuck, a toll is unpaid, a bank transaction needs review, or a prize is waiting. Because texts feel personal and quick, people may tap before thinking.
Vishing is voice phishing. A caller may claim to be from fraud prevention, tech support, a government agency, or a company you use. They may ask for one-time passcodes, remote access to your device, or payment through gift cards, wire transfers, crypto, or payment apps.
Quishing uses QR codes. A fake QR code can appear on a parking meter, restaurant table, flyer, email, or poster. The code may send you to a spoofed payment page or login screen that looks close enough to fool a rushed user.
Spear phishing is targeted. Whaling is a targeted attack aimed at executives or high-value employees. Clone phishing copies a real message and swaps in a malicious link. A watering hole attack compromises or imitates a site that the intended victims are likely to visit.
Warning Signs of a Phishing Message
The strongest warning sign is pressure. A message that demands immediate action, threatens account closure, claims legal trouble, or says you must keep the matter secret is trying to control your reaction.
Sender details matter too. Look for misspelled domains, extra characters, odd punctuation, unfamiliar email addresses, and links that do not match the organization. A message can use the right logo and still come from the wrong sender.
Requests for private information are another red flag. Be suspicious of any unexpected message asking for passwords, one-time codes, card numbers, bank logins, Social Security numbers, remote access, or payment in gift cards or crypto.
Poor grammar is sometimes a clue, but do not rely on it. Many phishing messages are clean, especially when scammers copy real brand emails or use automated writing tools. The better test is whether the request makes sense through an official channel.
How to Check a Suspicious Message
Start by slowing down. Do not reply, click, call the number in the message, scan the QR code, or open the attachment while you are deciding. Take a screenshot if you need to preserve it.
Open the company’s app or website yourself. If the message claims to be from your bank, use the number on your card or the app you already use. If it claims to be from a government agency, start from an official government site, not the link in the message.
If the message came from a person, verify through a second channel. Call them using a saved number, ask in person, or use a known work channel. If the message involved a new phone number, a people search may help you compare public clues before trusting the sender.
Save evidence before deleting anything. Keep the sender address, phone number, full message text, screenshots, and the time it arrived. If you are reporting to a bank, employer, carrier, or law enforcement agency, those details help them understand what happened and whether other people may be receiving the same lure.

What to Do If You Clicked
Clicking once does not always mean damage was done, but you should act quickly. If you entered a password, change it from a clean browser or device. If you reused that password elsewhere, change it on every account where it appears.
If you shared a one-time code, contact the account provider immediately. If you entered card or bank information, call the financial institution using a verified number. Watch for new transactions, new devices, password reset emails, and account recovery messages.
If you downloaded a file or gave remote access, disconnect from the internet and run security software. For serious cases, get help from a trusted technician. Do not keep following instructions from the same caller or message thread.
If money was stolen or the scam crossed state or national lines, you can file a report with the FBI’s Internet Crime Complaint Center at IC3.gov. The report may not instantly recover money, but it creates an official record and helps investigators track patterns.
If the message involved a work account, tell your manager or IT team quickly, even if you feel embarrassed. Fast reporting can help them reset access, block the domain, warn other employees, and check whether the attacker reached shared files or payment systems.
How to Report Phishing
Use the reporting path that fits what happened. Your email provider may have a report phishing button. Your bank, card issuer, phone carrier, or workplace IT team may have a dedicated fraud or security channel.
You can also report scams and suspicious businesses through BBB Scam Tracker at bbb.org/scamtracker. This is especially useful when the message impersonates a company, marketplace seller, contractor, or customer support team.
If you need to forward phishing email to APWG, check the current Anti-Phishing Working Group instructions before sending because reporting addresses and processes can change. Include full headers when your email tool allows it, but do not forward attachments if your security team tells you not to.
How to Protect Yourself Going Forward
Use multi-factor authentication, but understand that scammers may try to steal your codes too. Never read a one-time code to someone who called you. A real support agent should not need your password or a code that logs into your account.
Use a password manager when possible. It can help create unique passwords and may refuse to autofill on a fake domain. That is not a perfect defense, but it is a useful warning sign when a page looks familiar but the password field does not behave normally.
Keep software updated, especially your browser, phone operating system, and security tools. Turn on account alerts for banks, email, cloud storage, and social accounts. The faster you learn about a suspicious login or transaction, the faster you can limit damage.
Protect your main email account especially well because it is often the reset key for everything else. Use a unique password, recovery options you recognize, and alerts for new sign-ins. If a scammer controls your inbox, they may be able to reset banking, shopping, cloud, and social accounts.
Finally, build a habit of independent verification. Search for the official site, use saved contacts, and be skeptical of messages that ask you to act before you think. Phishing relies on speed; your advantage is slowing the moment down.
Talk about common lures with family members who share devices, phone plans, or financial accounts with you. A warning that seems obvious to one person may be new to someone else, especially when the message uses a familiar brand or a local-looking number.
Frequently Asked Questions
What is phishing?
Phishing is a scam where someone pretends to be a trusted source so you will click a link, share information, send money, or install malware. It can happen through email, text, phone calls, direct messages, websites, or QR codes, and it often starts with urgency.
What is a phishing scam?
A phishing scam is the full setup that tricks you into trusting a fake request. It usually includes a familiar name, urgent message, link or phone number, and a demand for information, money, account access, or a one-time security code.
What is a phishing attack?
A phishing attack is the actual attempt to steal access, data, or money through impersonation. Some attacks are sent to many people at once, while others are targeted using personal, workplace, or account details to make the message more believable.
What is a phishing link?
A phishing link is a URL that appears legitimate but sends you to a fake or unsafe page. It may ask for passwords, payment details, account numbers, or identity information. Instead of clicking, open the official site or app yourself.
How does phishing work?
Phishing works by creating trust and urgency. The scammer imitates a real person or organization, claims there is a problem or opportunity, and pushes you to act before verifying. The action may expose your account, device, money, or personal information.




