
Phishing

Fraudulent attempt to steal credentials or money by impersonating a trusted entity, usually via email or a fake website.

Phishing is the most common form of online fraud — and the entry point for most major data breaches. Attackers send a message (email, SMS, chat, voice call) that pretends to be from a legitimate organization. The message contains a malicious link, a malicious attachment, or a request to wire money.

The classic phishing email asks the recipient to verify their account, reset their password, or confirm a payment — directing them to a lookalike login page that captures whatever they type.

Modern phishing kits are sold as services (PhaaS) and can be deployed in minutes. Detection requires a combination of URL reputation, brand-impersonation checks, content analysis, and sender authentication (SPF/DKIM/DMARC).

Example
An email from "PayPal Security" telling you your account is suspended, with a link to paypa1-secure-login.tk.
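
A brand-impersonation check of the kind listed above can catch this hostname without any reputation data. The sketch below is an added example, not code from this site or its scanner; the `BRANDS` allowlist, the `CONFUSABLES` table and the function names are assumptions chosen for illustration.

```python
import re

# Assumed allowlist: brand keyword -> domains the brand really uses (illustrative).
BRANDS = {"paypal": {"paypal.com"}, "microsoft": {"microsoft.com"}}

# Digit/symbol-for-letter swaps commonly seen in lookalike hostnames.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})


def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonated_brand(hostname):
    """Return the brand a hostname imitates, or None if official or unrelated."""
    host = hostname.lower().rstrip(".")
    # A host that sits under a brand's own domain is not impersonation.
    for official in BRANDS.values():
        if any(host == d or host.endswith("." + d) for d in official):
            return None
    # Otherwise inspect every label and hyphen-separated word in the name.
    for token in re.split(r"[.\-]", host):
        normalized = token.translate(CONFUSABLES)
        for brand in BRANDS:
            if brand in normalized:          # exact or embedded, after un-swapping
                return brand
            if edit_distance(normalized, brand) == 1:   # one-character typo
                return brand
    return None


if __name__ == "__main__":
    # Constructed sample hostnames; the first is the one from the example above.
    for h in ["paypa1-secure-login.tk", "www.paypal.com",
              "paypal.com.account-check.example", "example.org"]:
        print(f"{h:35} -> {impersonated_brand(h)}")
```

A hit here is one signal to combine with URL reputation, content analysis and SPF/DKIM/DMARC results, not a verdict on its own: substring matching will also flag benign names that happen to contain a brand keyword.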