The United States Computer Emergency Readiness Team (US-CERT) defines phishing as a form of social engineering that uses email or malicious websites (among other channels) to solicit personal information from an individual or company by posing as a trustworthy organization or entity. Phishing attacks often use email as a vehicle, sending email messages to users that appear to be from an institution or company that the individual conducts business with, such as a banking or financial institution, or a web service through which the individual has an account.
The goal of a phishing attempt is to trick the recipient into taking the attacker’s desired action, such as providing login credentials or other sensitive information. For instance, a phishing email appearing to come from a bank may warn the recipient that their account information has been compromised, directing the individual to a website where their username and/or password can be reset. This website is also fraudulent, designed to look legitimate, but exists solely to collect login information from phishing victims.
These fraudulent websites may also host malicious code that runs in the victim's browser, or delivers malware to the local machine, as soon as the link in the phishing email is opened (a drive-by download). Credential theft is therefore not the only risk of clicking.
Types of Phishing Attacks
According to USA.gov, phishing scams reported by agencies and corporations show that these emails can take many deceptive forms, including:
- Emails from acquaintances claiming to be stranded abroad and requesting money transfers to return home.
- Messages posing as reputable news outlets, leveraging trending stories and urging recipients to click links—leading to malicious websites.
- Emails impersonating organizations like the FTC or FDIC, referencing complaints or asking recipients to verify bank deposit insurance coverage.
- Threatening emails demanding thousands of dollars under the threat of harm.
- Fake complaint confirmations, prompting recipients to click links or open attachments to “review details”—which actually contain malicious code.
This is certainly not an all-inclusive list. Phishing emails can take any form, making it difficult for recipients to filter out spam and phishing emails from legitimate messages.
Phishing vs. Spear Phishing: What’s the Difference?
Phishing and spear phishing share the same goal: tricking victims into revealing sensitive information. The key difference lies in their approach. While traditional phishing attacks cast a wide net, spear phishing is highly targeted and personalized, making it far more convincing.
Attackers often gather publicly available information about their targets before launching a spear phishing campaign. Using these details, they impersonate trusted contacts—such as friends, colleagues, or family members—to increase the likelihood of success.
Information leveraged in spear phishing attacks can include:
- Employment details
- Organizational affiliations
- Hobbies and interests
- Other personal data from social media profiles and online activity
In many cases, spear phishing serves as the initial-access step of an Advanced Persistent Threat (APT) intrusion, paving the way for deeper infiltration into an organization's systems.
How to Identify Phishing Attacks
Phishing attacks are most often delivered via email, but there are clear signs that can help distinguish malicious messages from legitimate ones. Training employees to recognize these indicators is critical, as many data breaches begin simply because staff lack the knowledge to spot a phishing attempt.
Here are common red flags to watch for:
- Generic greetings: Phishing emails often use vague salutations like “Dear Customer” instead of addressing recipients by name. Bulk phishing campaigns rely on this tactic, while spear phishing tends to be more personalized.
- Requests for personal information: Legitimate companies rarely ask customers to provide login credentials or sensitive details via email or embedded links. This is a major warning sign.
- Urgent or threatening language: Many phishing emails create a false sense of urgency—claiming your account will be locked or compromised unless you act immediately.
- Spoofed links: Hover over hyperlinks before clicking to verify the actual destination, and compare the domain in the real URL with the organization the message claims to come from. Look-alike addresses (a brand name placed in a subdomain of an unrelated domain), IP-address hosts, and visible link text that differs from the underlying address are all warning signs. Do not treat HTTPS or a padlock icon as proof of legitimacy: it only means the connection is encrypted, and phishing sites routinely obtain valid certificates. Never click suspicious links to "check" authenticity.
- When in doubt, verify: If an email seems suspicious, contact the company directly using official channels—not the contact information provided in the email. This simple step can prevent costly mistakes.
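The link checks above can be automated for mail-gateway or awareness-training tooling. The following Python script is an added example, not code from the original article: it pulls every anchor out of an HTML email body and flags the red flags described above (the real host not belonging to the claimed sender's domain, IP-address hosts, punycode hosts, user-info tricks, and visible link text that names one site while the href points to another). The sample email body, the claimed domain `examplebank.com`, and the hosts inside it are constructed for illustration; the `registrable_domain` helper is a deliberate last-two-labels approximation used because no public-suffix list is available offline.

```python
"""Added example: flag suspicious links in an HTML email body.

All sample data below is constructed; no real organization is implied.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed assumption: the organization the email claims to be from.
CLAIMED_DOMAIN = "examplebank.com"

# Constructed sample email body modelled on the red flags in the text:
# a brand name buried in an unrelated domain (served over HTTPS), an IP-address
# host, and one genuine link to the claimed organization.
SAMPLE_EMAIL = """
<p>Dear Customer,</p>
<p>Your account will be locked in 24 hours. Please visit
<a href="https://examplebank.com.secure-login-verify.net/reset">https://www.examplebank.com/reset</a>
to confirm your identity.</p>
<p>Or use <a href="http://203.0.113.7/login">our secure portal</a>.</p>
<p>Questions? See the <a href="https://www.examplebank.com/help">Help Center</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Assumption: a real deployment would use a public-suffix list so that
    hosts like 'example.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_red_flags(href, text, claimed_domain=CLAIMED_DOMAIN):
    """Return a list of human-readable warnings for one link (empty if clean)."""
    flags = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("ip-literal host")
    if "xn--" in host:
        flags.append("punycode host")
    if "@" in parts.netloc:
        flags.append("userinfo in URL (text before '@' is not the host)")
    if registrable_domain(host) != claimed_domain.lower():
        flags.append(f"host {host!r} is not under {claimed_domain}")
    # Visible text that looks like a URL but whose domain differs from the href.
    m = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        flags.append(f"displayed {m.group(1)!r} but href goes to {host!r}")
    return flags


def scan_email_html(html, claimed_domain=CLAIMED_DOMAIN):
    """Map each href in the body to its list of red flags."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: link_red_flags(href, text, claimed_domain)
            for href, text in parser.links}


if __name__ == "__main__":
    for href, flags in scan_email_html(SAMPLE_EMAIL).items():
        print(href, "->", flags or "no flags")
```

Note that the first link passes the "starts with HTTPS" test and still fails every meaningful check: the encrypted connection is to `secure-login-verify.net`, not to the bank. That is why the scheme is not used as a signal here.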