
Phishing
The "you've won a prize" email is old news — today's version knows your boss's name and writes in perfect corporate tone.
Cheat Sheet
- Phishing is a scam that impersonates a trusted sender (a bank, a coworker, a delivery company) to trick you into clicking a link or handing over information.
- Urgency is the classic tell — "your account will be suspended," "act within 24 hours" — designed to make you act before you think.
- Hovering over a link (without clicking) usually reveals the real destination URL, which often doesn't match the sender it's impersonating.
- "Spear phishing" is a targeted version aimed at a specific person, often using real details about them to seem more convincing.
- Two-factor authentication (2FA) is one of the most effective defenses — even a stolen password isn't enough to get in.
- Legitimate organizations essentially never ask for passwords or full card numbers over email.
The 60-Second Version
Phishing is a scam where someone impersonates a trusted source — a bank, a delivery service, a coworker, even a company's IT department — to get you to click a malicious link, download something harmful, or hand over information like a password. The classic tell is manufactured urgency: a message designed to make you act fast, before you stop to question it. More targeted versions, called spear phishing, use real personal details (your name, employer, or a recent purchase) to seem far more convincing than a generic scam email. The best defenses are simple but effective: hover over links before clicking to see the real destination, never enter credentials from a link in an unsolicited message, and use two-factor authentication so a stolen password alone isn't enough to get into an account.
The Long Version
Variants Beyond the Generic Email
Phishing has several specialized variants beyond the generic "you've won a prize" email: "whaling" specifically targets executives or other high-value individuals, "business email compromise" impersonates a company executive or vendor to trick employees into wiring money or sending sensitive files, and "smishing" and "vishing" carry out the same manipulation tactics over text message and phone calls respectively. Each variant exploits the same underlying psychology — trust in a familiar identity, plus manufactured urgency — just delivered through a different channel depending on where the attacker thinks the target is most likely to let their guard down.
The Tricks Behind the Links
Technically, attackers often rely on a handful of recurring tricks to make a fake link look real: "typosquatting" registers a domain that's a near-identical misspelling of a legitimate one (like swapping two letters), while "homograph attacks" use look-alike characters from other alphabets to fake a familiar-looking URL that appears correct at a glance but points somewhere entirely different. These tricks work specifically because most people scan a URL quickly rather than reading every character, which is exactly the habit attackers are counting on.
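A defender-side checker for the two tricks described above, added here as an example (not code from the original page): it flags non-ASCII and mixed-script hostnames (homograph risk), punycode `xn--` labels, and ASCII domains within a couple of edits of a known-good domain (typosquatting). The known-domain list and the "last two labels" domain rule are assumptions made for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of domains the checker protects (an assumption for this example).
KNOWN_DOMAINS = frozenset({"paypal.com", "examplebank.com"})
MAX_TYPO_DISTANCE = 2  # one or two edits away from a known domain is suspicious


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character insert/delete/substitute edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: no public-suffix list is consulted)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_url(url: str, known=KNOWN_DOMAINS) -> list:
    """Return human-readable findings for look-alike tricks in the URL's host."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    findings = []

    # Homograph check: letters outside ASCII, or letters drawn from more than one script.
    scripts = {unicodedata.name(ch, "?").split()[0] for ch in host if ch.isalpha()}
    if not host.isascii():
        findings.append(f"non-ASCII characters in host {host!r}")
    if len(scripts) > 1:
        findings.append("mixed scripts in host: " + ", ".join(sorted(scripts)))
    # Browsers often display IDN hosts in their encoded (punycode) form; flag it explicitly.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (xn--) label: host is an internationalized domain")

    # Typosquat check: an ASCII domain a few edits away from a known one, but not equal to it.
    if host.isascii():
        domain = registrable_domain(host)
        for legit in sorted(known):
            d = edit_distance(domain, legit)
            if 0 < d <= MAX_TYPO_DISTANCE:
                findings.append(f"{domain} is {d} edit(s) from {legit}")
    return findings
```

Running `check_url` over links extracted from a quarantined message gives a quick triage signal; an empty list means none of these specific tricks was seen, not that the link is safe.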
Defenses, Personal and Organizational
Organizations typically layer several defenses together rather than relying on any single one: automated email filtering that flags suspicious senders and links before they ever reach an inbox, regular security-awareness training so employees recognize the warning signs themselves, and technical controls like requiring multi-factor authentication on every account so a stolen password alone isn't enough to get in. If you do fall for a phishing attempt, quick action matters most: change the affected password immediately (and anywhere else you reused it), enable or verify two-factor authentication, and notify your bank or IT department so they can watch for follow-on fraud before it escalates.
AI Has Changed the Game
The rise of generative AI has made phishing messages notably harder to spot, since attackers can now produce grammatically perfect, highly personalized messages at scale using the same kind of tools that power legitimate writing assistants. That removes what used to be one of the more reliable tells — awkward phrasing, spelling errors, or an oddly generic tone — meaning technical defenses and healthy skepticism toward unsolicited requests matter more than ever, rather than less.
Glossary
- Phishing: A scam impersonating a trusted sender to trick someone into revealing information or clicking a malicious link.
- Spear phishing: A targeted phishing attack aimed at a specific individual, using personal details for credibility.
- Spoofing: Faking a sender's identity (email address, phone number, website) to appear legitimate.