Phishing is one of the most common and damaging forms of cybercrime. It's responsible for the majority of data breaches and financial fraud that affects ordinary people. Despite how prevalent it is, many people have a vague or incomplete understanding of how it actually works — which makes them more vulnerable to it.
What phishing is
Phishing is the practice of sending fraudulent emails that appear to come from legitimate organizations — banks, payment services, government agencies, or popular websites — to trick recipients into taking actions that benefit the attacker. The most common goals are stealing login credentials or financial information, or getting the recipient to install malware.
The term comes from "fishing" — casting a wide net and waiting for someone to take the bait. The attacker sends thousands or millions of emails, knowing that only a small percentage need to succeed to be profitable.
How attackers get your email address
Before a phishing email can reach you, the attacker needs your address. The most common sources are data breaches — leaked databases containing millions of email addresses are sold on underground marketplaces. Harvesting bots that crawl the web for publicly visible email addresses provide another major source. List purchasing from unscrupulous data brokers is a third.
More targeted phishing attacks, called spear phishing, use publicly available information about you — your name, employer, role, or recent activities — to craft convincing personalized messages. These are far more dangerous than generic phishing because they don't look like spam.
What a phishing email looks like
Modern phishing emails are often highly convincing. They replicate the visual design of legitimate services — using the correct logo, color scheme, and email layout of the company they're impersonating. They create urgency: "Your account will be suspended," "Unusual activity detected," "Verify your payment details."
The link in a phishing email leads to a fake website that looks identical to the real one. When you enter your credentials on the fake site, they're captured by the attacker.
How to spot phishing emails
Check the sender's actual email address (not just the display name). Look for generic greetings ("Dear Customer" instead of your name). Hover over links before clicking to see the real URL. When in doubt, go directly to the website by typing the address in your browser rather than clicking the link.
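The first three checks above can be automated against a raw message. This is an added Python example, not code from the original article; the sample email is constructed, all domains are placeholders, and the "last two labels" domain comparison is an assumption that stands in for a proper public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (placeholder domains, not a real phishing message): the
# display name claims to be a bank, but neither the sender address nor the
# link target belongs to the bank's domain.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <alerts@mail-examplebank-security.invalid>
To: customer@example.com
Subject: Unusual activity detected
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>Please <a href="http://examplebank.invalid.login-verify.example.net/verify">
log in to examplebank.invalid</a> to verify your payment details.</p>
</body></html>
"""

def registrable_part(host: str) -> str:
    # Last two DNS labels as a rough stand-in for the registrable domain.
    # Assumption: good enough here; real code should consult the public suffix list.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyze(raw: str, claimed_domain: str) -> dict:
    """Run the article's three checks against one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg["From"])
    sender_domain = sender.rsplit("@", 1)[-1]
    body = msg.get_payload(decode=True).decode(errors="replace")
    findings = {
        "display_name": display_name,
        # Check 1: the real address, not the display name, must belong to the brand.
        "sender_matches_claim": registrable_part(sender_domain) == registrable_part(claimed_domain),
        # Check 2: an impersonal greeting is a warning sign.
        "generic_greeting": bool(re.search(r"Dear (Customer|User|Member)", body, re.I)),
        # Check 3: visible link text vs. the host the href really points to.
        "mismatched_links": [],
    }
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.S | re.I):
        real_host = urlparse(href).hostname or ""
        if registrable_part(real_host) != registrable_part(claimed_domain):
            findings["mismatched_links"].append((text.strip(), real_host))
    return findings

if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL, "examplebank.invalid"))
```

The output flags all three warning signs for the sample: the sender's real domain is not the bank's, the greeting is generic, and the link text names the bank while its target host does not.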
How limiting email exposure reduces your phishing risk
The fewer services that have your real email address, the smaller your attack surface for phishing. If you use a disposable address for low-trust signups and that service is later breached, your real address isn't in the exposed data. The phishing list built from that breach doesn't include you.
It also makes suspicious emails easier to evaluate. If your real email address receives a message claiming to be from a service you've only ever signed up for with a disposable address, you know immediately that something is wrong.