Glossary

Phishing

An attempt to trick you into revealing credentials or installing malware, usually by impersonation.

Definition

Phishing exploits trust, not technology. The attacker sends a message that looks like it's from a familiar sender — your bank, a coworker, an IT helpdesk — and pushes you to act fast: click a link, open an attachment, transfer money. Modern phishing is well-written, well-branded, and increasingly AI-assisted.

Spear-phishing targets a specific person with research-driven personalization. Smishing uses SMS; vishing uses voice calls. The defenses are: slow down, verify out-of-band, never type your password into a link from a message, and use phishing-resistant 2FA.

Example

An email appears to be from Microsoft asking you to re-verify your password before tomorrow. The link goes to login-microsoftt.example (note the double t). Type your password there and the attacker has your account.

Frequently asked questions

How do I recognise a phishing email?

Check the sender domain, hover over links before clicking, and verify any urgent request through a known channel.
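The sender-domain and link checks described above can be partly automated. The following is an added example, not part of this glossary: a small Python classifier that takes a link from a message and reports whether its host is a trusted domain, a lookalike (a trusted brand embedded in someone else's domain, or a label within two typing errors of the brand, as in the double-t example above), or simply unknown. The trusted-domain list and the sample links are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed allowlist for this example (an assumption, not from the page).
TRUSTED_DOMAINS = ("microsoft.com", "microsoftonline.com", "example-bank.com")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Deliberately naive: production code should
    consult the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> tuple[str, str]:
    """Return (verdict, detail); verdict is 'trusted', 'lookalike' or 'unknown'."""
    if "://" not in url:
        url = "http://" + url  # bare hosts pasted straight from a message
    host = urlparse(url).hostname or ""  # hostname is already lowercased
    if not host:
        return "unknown", "no hostname in link"

    # Exact match, or a genuine subdomain of a trusted registrable domain.
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted", host

    reg = registrable_domain(host)
    for trusted in TRUSTED_DOMAINS:
        # Brand used as a subdomain of someone else's domain,
        # e.g. login.microsoft.com.evil.example (registrable part: evil.example).
        if trusted in host:
            return "lookalike", f"{host}: '{trusted}' sits left of registrable domain {reg}"
        # Typosquat of the brand label, e.g. login-microsoftt.example, micros0ft.com.
        # Hyphenated labels are split so 'login-microsoftt' still exposes 'microsoftt'.
        brand = trusted.split(".")[0]
        label = reg.split(".")[0]
        for token in {label, *label.split("-")}:
            if edit_distance(brand, token) <= 2:
                return "lookalike", f"{host}: '{token}' is within 2 edits of '{brand}'"

    return "unknown", host


if __name__ == "__main__":
    # Constructed sample links, including the glossary's double-t example.
    for link in (
        "https://login.microsoft.com/",
        "https://login-microsoftt.example/verify",
        "https://login.microsoft.com.evil.example/",
        "https://micros0ft.com/",
        "https://example.org/",
    ):
        verdict, detail = classify_link(link)
        print(f"{verdict:9} {detail}")
```

The "trusted" branch matters as much as the "lookalike" one: a genuine subdomain such as login.microsoft.com must pass, while the same brand name appearing anywhere to the left of a different registrable domain must not. Very short brand labels would need a stricter edit threshold than the two used here.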

Is hardware-key 2FA phishing-resistant?

Yes. A FIDO2 hardware key signs a challenge that is bound to the real site's origin, so a credential registered for the genuine domain is never used on a lookalike domain; a phishing site cannot relay or replay it.
