Phishing explained: how fake emails and texts steal your passwords and money

A person in a hoodie using a laptop, symbolizing cyber security threats and hacking. Image Source: pexels.com - Nikita Belokhonov

Phishing is one of the simplest, and most effective, forms of cybercrime: an attacker pretends to be someone you trust, then persuades you to click, type or download your way into trouble. At its core, it is a social‑engineering scam that uses fake emails, texts, calls or websites to trick people into handing over passwords, bank details or other sensitive data, or into installing malware on their own devices.

What phishing is, and why it works

Security companies and standards bodies broadly agree on the definition. Microsoft calls phishing “a type of cyberattack where attackers masquerade as trusted sources to steal sensitive information,” often through messages that “look authentic.” IBM describes it as a cyberattack that uses fraudulent emails, texts, phone calls or websites “to trick people into sharing sensitive data, downloading malware or providing access to a network.”

NIST, the U.S. government’s cybersecurity standards agency, defines phishing as “a technique for attempting to acquire sensitive data… through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.” Cloudflare sums it up more bluntly: it is an attempt to steal usernames, passwords, credit card numbers or bank details by “masquerading as a reputable source with an enticing request,” much like a fisherman uses bait.

Phishing works not because of sophisticated code but because it targets human psychology: curiosity, fear, urgency, trust in brands, or simple inattention when clearing a busy inbox. It is a form of social engineering rather than a virus in itself, although it is often the doorway through which malware, ransomware or account takeovers begin.

Common types of phishing attacks

Over two decades, phishing has evolved from crude mass emails to a family of targeted scams. Security firms group them into several main types:

  • Email phishing

This is the classic form: bulk emails sent from addresses that imitate banks, delivery firms, government agencies or tech platforms, urging recipients to click a link or open an attachment. Cisco notes that such messages “appear to come from a legitimate and reputable source,” but the links lead to attacker‑controlled sites.

  • Spear phishing

Spear‑phishing emails are tailored to a specific person or organization, often using details from social media or previous breaches to appear convincing. Trend Micro explains that these campaigns target particular individuals—say, a company’s finance lead—rather than casting a wide net, but the goal remains the same: steal credentials or execute fraudulent payments.

  • Whaling

A subset of spear phishing, “whaling” goes after very high‑profile targets such as CEOs or senior officials, often with messages tailored to their role (for example, fake legal threats or board communications).

  • Smishing and vishing (SMS and voice phishing)

Fortinet and UC Berkeley’s security office stress that phishing is not limited to email. Attackers send SMS or messaging‑app texts (“smishing”) or make phone calls (“vishing”) pretending to be banks, tax authorities or tech support, pressuring victims to read out one‑time passwords or install remote‑access tools.

  • Clone phishing and brand impersonation

Attackers copy a legitimate email, such as a shipping notice or a password‑reset alert, and resend it with a malicious link or attachment swapped in. Check Point notes that cloned pages can be pixel‑perfect imitations of real login screens, making URL scrutiny critical.

Despite the variety, Trend Micro points out that “all have the same purpose – to steal your personal details,” whether they come by email, text, or phone.

How phishing attacks actually work

Phishing campaigns typically follow a simple chain:

1. Bait

The attacker crafts a message that looks like it comes from a trusted entity: a bank, PayPal, a cloud service, a parcel company or even a colleague. SecurityMetrics notes that these emails often ask you to “confirm personal data” or “update account information” via a link that appears legitimate.

2. Hook

The message creates urgency or fear (claims of suspicious activity, missed deliveries, account suspension, or limited‑time offers) to push the recipient to act quickly without thinking. CrowdStrike adds that phishing can also be the initial vector for ransomware or account takeover, with a single click leading to major compromise.

3. Capture

The link leads to a fake website designed to capture credentials, payment details or personal information, or it triggers a download of malware. Imperva explains that the victim may be tricked into installing malware, locking their system as part of a ransomware attack, or exposing data via web forms.

4. Exploit

Once the attacker has what they need, they may log into real accounts, move money, open new lines of credit, pivot deeper into corporate networks, or sell the data on criminal markets.

Cloudflare notes that attackers then “utilize or sell the stolen information,” with stolen credentials enabling quiet, long‑term access to email, cloud storage or enterprise systems.

How to recognize a phishing message

Recognizing phishing is part pattern recognition, part healthy skepticism. Security firms and university security offices recommend watching for recurring red flags:

  • Unexpected requests for sensitive information

CrowdStrike and SecurityMetrics both say one of the clearest signs is any unsolicited message asking you to provide passwords, full credit‑card numbers, bank details or Social Security numbers, especially via email or a link. Legitimate organizations rarely ask for such details in this way.

  • Suspicious sender address or domain

Many scams use addresses that look similar to real ones but contain extra characters, misspellings or odd domains. Adaptive Security’s 2026 checklist flags this as the first thing to check.

  • Links that don’t match the display text

A link that appears to point to your bank but, when hovered over, shows a different domain is a classic sign. CrowdStrike emphasizes checking where a link actually leads before clicking.

  • Urgent or threatening language

“Act now or your account will be closed” is a standard tactic. Adaptive Security and Imperva note that urgency short‑circuits deliberation, making people more likely to click without verifying.

  • Generic greetings and poor writing

Messages that begin with “Dear Customer,” contain unusual phrasing, or mix languages and logos may indicate a mass phishing campaign rather than a genuine communication.

  • Unexpected attachments

Attachments from unknown senders, or from known contacts but without context, can carry malware. SecurityMetrics warns that backdoors and trojans are often delivered this way.

UC Berkeley’s Information Security Office sums it up succinctly: if something seems off (unexpected contact, pressure to act fast, requests for money or data), slow down and verify through a separate channel before responding.
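As an added example, not code from the article or from any of the vendors it cites, here is a small Python checker that applies three of the red flags above to a constructed sample message: a sender domain that is a near miss of a trusted one, link display text that disagrees with the href, and urgent wording. The trusted-domain list, the urgency phrase list and the 0.8 similarity threshold are assumptions chosen for the demo.

```python
import difflib
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample, not a real campaign: lookalike sender (digit 1 for l), link text naming the bank while the href goes elsewhere, urgent wording.
SAMPLE_EML = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Subject: Urgent: verify your account now
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p><p>Act now or your account will be closed. Confirm here:
<a href="http://login-verify.example.net/auth">https://www.example-bank.com/login</a></p>
"""
TRUSTED_DOMAINS = {"example-bank.com"}  # assumption: the brand's genuine domain
URGENCY_PHRASES = ("act now", "account will be closed", "verify your account")

class _Links(HTMLParser):  # (href, visible text) per <a>; keeps the link's first text node
    def __init__(self):
        super().__init__()
        self.pairs, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.pairs.append((self._href, data.strip()))
            self._href = None

def _domain(value):  # host of a URL or bare domain, lowercased, without a leading "www."
    host = (urlparse(value if "://" in value else "//" + value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def phishing_flags(raw_eml):
    """Return the checklist red flags this message trips (empty list = none)."""
    msg = email.message_from_string(raw_eml)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    links = _Links()
    links.feed(body)
    flags, sender = [], _domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    for good in TRUSTED_DOMAINS:  # near miss of a trusted domain that is not the domain itself
        if sender != good and difflib.SequenceMatcher(None, sender, good).ratio() >= 0.8:
            flags.append(f"sender domain {sender} looks like {good}")
    for href, text in links.pairs:  # display text names one site, href leads to another
        if "." in text and _domain(text) and _domain(text) != _domain(href):
            flags.append(f"link text shows {_domain(text)} but href goes to {_domain(href)}")
    plain = f"{msg['Subject']} {body}".lower()
    if any(p in plain for p in URGENCY_PHRASES):
        flags.append("urgent or threatening language")
    return flags
```

A message that trips none of these checks is not necessarily safe; the script only automates the hover-and-compare habits the list above describes.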

Why phishing is so dangerous for businesses

While individuals often experience phishing as a stolen card or compromised inbox, for organizations it is one of the main routes into serious breaches.

Cloudflare notes that phishing is frequently used to gain initial access to corporate accounts that protect “usernames, passwords, credit card numbers, bank account information, or other important data.” Once inside, attackers can escalate privileges, move laterally and exfiltrate data.

Check Point describes phishing as a “cybersecurity attack during which malicious actors send messages pretending to be a trusted person or entity” to make users install malicious files or divulge credentials, actions that can “cause data breaches, downtime, and significant financial loss.”

CrowdStrike warns that “a single click on a malicious phishing link” can lead to ransomware deployment, fraudulent account creation or full endpoint compromise. That is why many high‑profile hacks and ransomware incidents begin with a single employee being fooled by a crafted email.

How to protect yourself against phishing

No defense is perfect, but security experts recommend a layered approach combining technology, process, and user behavior:

  • Be skeptical by default

Treat unsolicited emails, texts or calls that ask for money, credentials, or urgent action as suspicious until independently verified.

  • Check senders and URLs carefully

Look closely at email addresses and web addresses; type important URLs manually or use bookmarks rather than clicking links in messages.

  • Enable multi‑factor authentication (MFA)

Microsoft emphasizes that MFA adds a strong layer of defense, because even if an attacker steals a password, they may not have the second factor (such as an app prompt or hardware key).

  • Keep software and filters up to date

Email security filters, browser protections and endpoint security tools can automatically block many phishing attempts and known malicious domains.

  • Use training and simulations

Organizations increasingly run phishing‑simulation campaigns to teach employees how to spot suspicious messages and reward reporting instead of shaming mistakes.

  • Report, don’t just delete

UC Berkeley advises forwarding phishing messages to your organization’s security team or designated address so they can update filters and warn others. Many email providers also offer a “Report phishing” button.

As Simplilearn’s explainer video puts it, phishing is not a virus you catch at random; it is a conversation you can refuse to have. Each time you pause before clicking, verify a sender or ignore an unsolicited demand for data, you reduce the odds that a scammer’s bait will find its mark.

In an online environment where nearly every service you use, from banking to shopping to healthcare, sits behind a login page, the inbox has become a front door for attackers as well as for legitimate communication. Understanding what phishing is, how it works and how to recognize it is no longer niche security advice; it is basic digital literacy.
