CS Fundamentals
Learn what phishing is, how it works, the different types of phishing attacks, and how to protect yourself from these common cybersecurity threats.
Introduction
You receive an email that looks exactly like it came from your bank: same logo, same colors, same professional formatting. It says there is suspicious activity on your account and you need to verify your identity immediately by clicking a link and entering your password. The link leads to a website that looks identical to your bank's website. You enter your credentials, thinking you are securing your account — but you just handed your username and password to a cybercriminal. This is phishing, and it is the most common cyber attack in the world.
Phishing attacks are responsible for over 80% of reported security incidents. They succeed not because of sophisticated technology but because they exploit human psychology — our trust, fear, curiosity, and sense of urgency. Understanding how phishing works is your best defense against it, because once you can recognize the tactics, they lose their power over you.
What Is Phishing?
Phishing is a type of social engineering attack where criminals impersonate trustworthy entities (banks, companies, government agencies, colleagues, or friends) to trick victims into revealing sensitive information or taking harmful actions. The term comes from "fishing" — the attacker casts out bait (fake messages) hoping someone will bite.
The information phishers target includes login credentials (usernames and passwords), financial information (credit card numbers, bank account details), personal information (Aadhaar numbers, addresses, date of birth), and corporate information (company secrets, employee data). With this information, attackers can steal money, commit identity theft, access corporate systems, or sell the data to other criminals.
How Phishing Works — Step by Step
A typical phishing attack follows a predictable pattern. First, the attacker creates convincing bait — a fake email, text message, or website that closely mimics a legitimate organization. They copy logos, formatting, writing style, and even domain names (using tricks like substituting letters — "paypa1.com" instead of "paypal.com").
Second, the bait is distributed to potential victims — mass emails to thousands of addresses, targeted messages to specific individuals, or fake advertisements on social media. The message contains a hook — a reason to act immediately, such as account suspension, security alert, prize notification, or job offer.
Third, the victim takes the desired action — clicking a link, opening an attachment, or replying with information. If they click a link, they land on a fake website designed to capture credentials. If they open an attachment, malware may install on their device.
Fourth, the attacker uses the captured information — logging into the victim's real accounts, making financial transactions, stealing data, or using the compromised account to attack others.
Types of Phishing Attacks
Email phishing is the most common type — mass emails sent to many recipients hoping some will fall for it. These emails often claim to be from popular services (banks, Amazon, Netflix, PayPal) and warn about account problems requiring immediate action.
Spear phishing targets specific individuals with personalized messages. The attacker researches the victim (through social media, company websites, or previous data breaches) and crafts a convincing message that references real details from their life or work. Because it is personalized, it is much harder to detect and much more effective.
Whaling targets high-value individuals — CEOs, CFOs, and senior executives — with sophisticated attacks designed to extract large financial transfers or sensitive corporate information.
Smishing (SMS phishing) uses text messages instead of email — "Your package delivery failed. Click here to reschedule." Vishing (voice phishing) uses phone calls — someone claiming to be from your bank's fraud department asking you to verify your account details.
Clone phishing creates a copy of a legitimate email you previously received, but replaces links or attachments with malicious ones. Since you recognize the original email, you are more likely to trust the clone.
Red Flags — How to Recognize Phishing
Learn to spot these warning signs that indicate a phishing attempt.
Urgency and threats create panic that overrides careful thinking: "Your account will be closed in 24 hours unless you verify now!" Legitimate organizations rarely demand immediate action under threat.
Generic greetings like "Dear Customer" or "Dear User" instead of your actual name suggest a mass message. Your bank knows your name. Spelling and grammar errors in messages claiming to be from major organizations are suspicious — real companies have editorial teams.
Mismatched URLs are a major indicator. Hover over links (without clicking!) to see the actual URL. The display text might say "www.yourbank.com" but the actual link points to "www.yourbank-verify.maliciousite.com." Check the domain carefully — the real domain is what comes immediately before the .com/.org/.in.
Unexpected attachments, especially from unknown senders, should always be treated with suspicion. Requests for sensitive information via email are almost always illegitimate — no real bank, government agency, or company asks for passwords, PINs, or full account numbers through email.
The sender's email address often reveals the fraud. The display name might show "Amazon Support" but the actual email address is something like "support@amaz0n-security-dept.xyz" — clearly not from Amazon.
How to Protect Yourself
Never click links in emails asking you to verify accounts or confirm information. Instead, open a new browser tab and type the organization's website address directly. If there really is a problem with your account, you will see a notification after logging in legitimately.
Enable two-factor authentication on all important accounts. Even if a phisher captures your password, they cannot access your account without the second factor.
Use a password manager — it will not auto-fill credentials on a fake website because it recognizes the actual domain, even when visually similar domains fool human eyes.
Report phishing attempts — forward suspicious emails to the organization being impersonated and to your email provider's spam reporting. This helps protect others.
Keep software updated — some phishing links exploit software vulnerabilities that patches have already fixed. Updated software reduces the damage even if you accidentally click.
What to Do If You Fell for Phishing
If you entered credentials on a phishing site, immediately change that password (and any other accounts using the same password). Enable two-factor authentication if not already active. Monitor your accounts for unauthorized activity. Contact the real organization to alert them. If financial information was compromised, contact your bank immediately to freeze accounts or cards.
Key Takeaways
- Phishing exploits human psychology, not technical vulnerabilities — awareness is your best defense
- Always verify the sender's actual email address and hover over links before clicking
- Legitimate organizations never ask for passwords or sensitive information via email
- Urgency, threats, and too-good-to-be-true offers are classic phishing indicators
- Type website addresses directly instead of clicking email links for sensitive actions
- Two-factor authentication and password managers provide strong protection even if passwords are compromised
- If you fall victim, act immediately — change passwords, enable 2FA, contact your bank, and monitor accounts
- Phishing is the most common cyber attack — staying vigilant protects you and those around you
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Phishing Attacks.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Computer Fundamentals topic.
Search Terms
computer-fundamentals, computer fundamentals, computer, fundamentals, cybersecurity, basics, phishing, phishing attacks
Related Computer Fundamentals Topics