# Phishing
## What is Phishing
Phishing is a type of social engineering attack that tricks victims into revealing sensitive information such as login credentials and credit card numbers, or into installing malware, by impersonating a trustworthy entity. The word phishing is a play on fishing, with attackers baiting victims into taking an action. Phishing is one of the most common and effective attack methods because it exploits human psychology rather than technical vulnerabilities: the target is the person rather than the computer, so no technical sophistication on the victim's part is needed for the attack to succeed.
## Email Phishing
Email phishing is the most common form. An attacker sends emails impersonating a legitimate organization such as a bank, social media platform, government agency, or employer. The email creates a sense of urgency, such as claiming the account will be suspended unless the user takes immediate action, or offers something valuable like a prize. It contains a link to a fake website that looks identical to the legitimate one. When the victim enters their credentials on the fake site, the attacker captures them. Phishing emails often contain telltale signs such as suspicious sender addresses, generic greetings, spelling errors, and URLs that differ slightly from the legitimate domain.
## Spear Phishing
Spear phishing is a targeted form of phishing aimed at specific individuals or organizations. Attackers research their targets using social media, company websites, and other public sources to craft convincing, personalized messages. A spear phishing email might address the victim by name, reference their employer or colleagues, and appear to come from someone the victim knows. The higher level of personalization makes spear phishing much more convincing and difficult to detect than generic phishing.
## Whaling
Whaling is spear phishing that targets high-value individuals such as executives and senior officials, the big fish in an organization. A whaling attack might impersonate the CEO sending a request to the CFO, or impersonate a regulatory body or law firm contacting a senior executive. The goal is often to authorize large financial transfers, provide access credentials, or reveal sensitive information.
## Smishing and Vishing
Smishing is phishing conducted through SMS text messages. Vishing is phishing conducted through voice calls, where attackers impersonate representatives of banks, government agencies, or technical support. Attackers may use automated systems to make large numbers of vishing calls.
## Defending Against Phishing
User education and awareness training are the most important defense. Users should learn to verify sender addresses, check URLs carefully, be suspicious of urgent requests, and contact organizations through known official channels rather than through links in emails. Multi-factor authentication prevents attackers who hold only stolen credentials from accessing accounts. Email security filters block known phishing emails. Anti-phishing browser extensions warn users about known phishing websites.
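The telltale signs listed under Email Phishing (lookalike sender domains, generic greetings, urgency, links to domains that differ slightly from the legitimate one) are exactly what a simple email filter can score. The following is an added example, not code from the original page: it parses a raw message and reports which of those signs it finds, assuming a small allow-list of legitimate domains (`LEGIT_DOMAINS`, constructed here) and a constructed sample message.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

LEGIT_DOMAINS = ("examplebank.com", "example.com")  # constructed allow-list, an assumption for the demo
URGENCY_PHRASES = ("immediately", "suspended", "verify your account")
# Constructed phishing sample, not a real message, showing the telltale signs listed above.
SAMPLE_PHISH = """\
From: Example Bank Security <alerts@examp1ebank.com>
Subject: Your account will be suspended
Content-Type: text/plain; charset="utf-8"

Dear Customer,
Verify your account immediately at https://login.examp1ebank.com/verify or it will be suspended.
"""

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance; a domain one or two edits from a known one is the classic lookalike.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(host: str):
    # Compare only the last two labels (no public-suffix list; a simplification for the demo).
    domain = ".".join(host.lower().split(".")[-2:])
    for legit in LEGIT_DOMAINS:
        if domain != legit and edit_distance(domain, legit) <= 2:
            return legit  # close but not identical: "differs slightly from the legitimate domain"
    return None

def phishing_signals(raw_message: str) -> list:
    # Returns (signal, detail) pairs; an empty list means none of the listed signs were found.
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    sender = parseaddr(str(msg.get("From", "")))[1]
    signals = []
    if target := lookalike(sender.rpartition("@")[2]):
        signals.append(("sender_lookalike", f"{sender} imitates {target}"))
    if m := re.search(r"^\s*dear\s+(customer|user|member|client)\b", body, re.I | re.M):
        signals.append(("generic_greeting", m.group(0).strip()))
    if hits := [p for p in URGENCY_PHRASES if p in (str(msg["Subject"]) + "\n" + body).lower()]:
        signals.append(("urgency", ", ".join(hits)))
    for host in re.findall(r"https?://([^\s/:]+)", body):
        if target := lookalike(host):
            signals.append(("link_lookalike", f"{host} imitates {target}"))
    return signals
```

Running `phishing_signals(SAMPLE_PHISH)` reports all four signs for the sample, while a message from the genuine domain with a personal greeting and no urgency wording produces none; a real filter would combine such heuristics with authentication checks and reputation data rather than rely on any one of them.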