Skip to main content
< All Topics
Print

Security Awareness

What is Phishing?

How cybercriminals use fake messages to steal your information — and how to spot them before it’s too late.

The Basics

What is phishing?

Phishing is a type of cyberattack where criminals send fake messages — usually emails — designed to trick you into doing something harmful. That might mean clicking a malicious link, entering your password on a fake website, or opening an attachment that installs malware on your device.

The word comes from “fishing” — attackers cast a wide net with convincing-looking messages and wait for someone to take the bait. It’s one of the most common ways businesses get hacked, and it works because it targets people, not just technology.

Why It Matters

Over 90% of successful cyberattacks start with a phishing email. It’s not about being careless — these messages are carefully crafted to look real. Even experienced IT professionals can be fooled by a well-made phishing attempt.


Types of Phishing

Not all phishing looks the same

Attackers use several different approaches depending on their target:

Email Phishing

Mass emails pretending to be banks, delivery services, or software companies.

Spear Phishing

Targeted attacks using your name, role, or company to feel personal and credible.

Smishing

Phishing via text message — fake delivery alerts, bank warnings, or prize notifications.

Vishing

Voice phishing — a caller pretends to be IT support, your bank, or a coworker.

Business Email Compromise (BEC)

A sophisticated form of spear phishing where attackers impersonate your CEO, manager, or a vendor to request urgent wire transfers or sensitive data. These emails often have no links or attachments — just a convincing request.


Spot the Signs

A real phishing email — annotated

Here’s what a typical phishing email looks like, and the red flags to watch for:

From:
Microsoft Security <[email protected]>
⚠ Red flag
Subject:
⚠️ Urgent: Your account will be disabled in 24 hours
⚠ Red flag

Dear Valued Customer,

We have detected unusual sign-in activity on your Microsoft 365 account. Your account will be permanently disabled unless you verify your identity immediately.

Please click the button below to secure your account now. This link expires in 24 hours.

Verify My Account Now

ⓘ Link leads to a fake login page designed to steal your password

The red flags here: the sender domain is misspelled (micros0ft with a zero), the subject creates artificial urgency, and the greeting is generic rather than using your name.


Warning Signs

How to spot a phishing message

Train yourself to pause and check for these warning signs before clicking anything:

Urgency or threats — “Act now or your account will be closed.” Real companies don’t demand immediate action via email.

Suspicious sender address — Hover over the sender name. The actual email domain may be misspelled or completely unrelated to the company.

Unexpected attachments — An invoice, voicemail, or shipping notice you weren’t expecting — especially as a .zip, .exe, or Office file.

Mismatched or strange links — Hover over any link before clicking. The URL shown may look nothing like the real website.

Requests for sensitive information — Passwords, credit card numbers, Social Security numbers. Legitimate companies will never ask for these via email.

Something just feels off — Trust your gut. If a message seems unusual — even from someone you know — verify by calling them directly before responding.


What To Do

If you think you’ve received a phishing email

1

Don’t click anything. Don’t click links, open attachments, or reply — even to unsubscribe.

2

Report it. Forward the email to your IT team or use the “Report Phishing” button if available in your email client.

3

Delete it. Remove it from your inbox and trash so you don’t accidentally open it later.

4

If you already clicked — tell IT immediately. Don’t wait or try to fix it yourself. Quick action can limit the damage significantly.

Already Entered Your Password?

Change your password immediately on the real site, then contact IT. If you use the same password elsewhere, change those too. Enable multi-factor authentication (MFA) on every account that supports it — it’s your best safety net if a password is ever stolen.


Stay Protected

Habits that make you a harder target

Enable multi-factor authentication (MFA) on your email, banking, and any other critical accounts.

Hover over links before clicking to preview the real destination URL.

When in doubt about a request — even from your boss — verify by calling or messaging through a separate channel.

Use a password manager so every account has a unique password — limiting damage if one is ever compromised.

Never conduct sensitive business — banking, logins, confidential data — over public Wi-Fi without a VPN.


Questions? Contact Megabyte IT Solutions
KB-SEC-002 · Security Awareness
Table of Contents