Security Awareness
What is Phishing?
How cybercriminals use fake messages to steal your information — and how to spot them before it’s too late.
The Basics
What is phishing?
Phishing is a type of cyberattack where criminals send fake messages — usually emails — designed to trick you into doing something harmful. That might mean clicking a malicious link, entering your password on a fake website, or opening an attachment that installs malware on your device.
The word comes from “fishing” — attackers cast a wide net with convincing-looking messages and wait for someone to take the bait. It’s one of the most common ways businesses get hacked, and it works because it targets people, not just technology.
Why It Matters
Over 90% of successful cyberattacks start with a phishing email. It’s not about being careless — these messages are carefully crafted to look real. Even experienced IT professionals can be fooled by a well-made phishing attempt.
Types of Phishing
Not all phishing looks the same
Attackers use several different approaches depending on their target:
Email Phishing
Mass emails pretending to be banks, delivery services, or software companies.
Spear Phishing
Targeted attacks using your name, role, or company to feel personal and credible.
Smishing
Phishing via text message — fake delivery alerts, bank warnings, or prize notifications.
Vishing
Voice phishing — a caller pretends to be IT support, your bank, or a coworker.
Business Email Compromise (BEC)
A sophisticated form of spear phishing where attackers impersonate your CEO, manager, or a vendor to request urgent wire transfers or sensitive data. These emails often have no links or attachments — just a convincing request.
Spot the Signs
A real phishing email — annotated
Here’s what a typical phishing email looks like, and the red flags to watch for:
The red flags here: the sender domain is misspelled (micros0ft with a zero), the subject creates artificial urgency, and the greeting is generic rather than using your name.
Warning Signs
How to spot a phishing message
Train yourself to pause and check for these warning signs before clicking anything:
Urgency or threats — “Act now or your account will be closed.” Real companies don’t demand immediate action via email.
Suspicious sender address — Hover over the sender name. The actual email domain may be misspelled or completely unrelated to the company.
Unexpected attachments — An invoice, voicemail, or shipping notice you weren’t expecting — especially as a .zip, .exe, or Office file.
Mismatched or strange links — Hover over any link before clicking. The URL shown may look nothing like the real website.
Requests for sensitive information — Passwords, credit card numbers, Social Security numbers. Legitimate companies will never ask for these via email.
Something just feels off — Trust your gut. If a message seems unusual — even from someone you know — verify by calling them directly before responding.
What To Do
If you think you’ve received a phishing email
Don’t click anything. Don’t click links, open attachments, or reply — even to unsubscribe.
Report it. Forward the email to your IT team or use the “Report Phishing” button if available in your email client.
Delete it. Remove it from your inbox and trash so you don’t accidentally open it later.
If you already clicked — tell IT immediately. Don’t wait or try to fix it yourself. Quick action can limit the damage significantly.
Already Entered Your Password?
Change your password immediately on the real site, then contact IT. If you use the same password elsewhere, change those too. Enable multi-factor authentication (MFA) on every account that supports it — it’s your best safety net if a password is ever stolen.
Stay Protected
Habits that make you a harder target
Enable multi-factor authentication (MFA) on your email, banking, and any other critical accounts.
Hover over links before clicking to preview the real destination URL.
When in doubt about a request — even from your boss — verify by calling or messaging through a separate channel.
Use a password manager so every account has a unique password — limiting damage if one is ever compromised.
Never conduct sensitive business — banking, logins, confidential data — over public Wi-Fi without a VPN.
KB-SEC-002 · Security Awareness
