What Is Phishing and How to Avoid It: A Practical Guide
Phishing is the most common way accounts get compromised -- and it doesn't require any technical skill from the attacker. This guide explains exactly how phishing attacks work, how to recognize them across email, SMS, and phone calls, and the specific habits and tools that will keep you from becoming a victim.
What Phishing Actually Is (and Why It Works)
Phishing is a social engineering attack in which an attacker impersonates a trusted entity -- your bank, Amazon, Apple, your employer, a government agency -- to trick you into giving up credentials, payment information, or access to your accounts.
It works because it exploits psychology, not technology. The attacker doesn't need to break encryption or guess your password. They just need you to type it into the wrong website. And they're very good at creating the right sense of urgency, fear, or authority to make that happen.
According to the FBI's Internet Crime Complaint Center, phishing is consistently the most reported cybercrime category year over year, with hundreds of thousands of victims annually. The financial losses run into the billions. Understanding how these attacks work is the single most practical security skill you can develop.
The Most Common Phishing Attack Patterns
Email phishing: You receive an email appearing to be from PayPal, your bank, Netflix, or Apple. It claims your account has been suspended, there's suspicious activity, or your payment failed. It asks you to click a link and verify your information. The link goes to a convincing fake website that captures your credentials.
Spear phishing: A targeted version where the attacker has researched you specifically. The email might reference your employer, a recent transaction, or your full name. These are harder to spot and more dangerous. Executives and high-net-worth individuals are frequent targets.
Smishing (SMS phishing): The same concept delivered via text message. Common examples include fake package delivery notifications, bank fraud alerts, and toll payment notices. These are increasingly effective because people are less suspicious of text messages than emails.
Vishing (voice phishing): An attacker calls you impersonating tech support, the IRS, Social Security Administration, or your bank's fraud department. They create urgency and guide you toward giving up information, installing software, or transferring money.
Clone phishing: The attacker intercepts or copies a legitimate email you've previously received, replaces links or attachments with malicious versions, and resends it. This is particularly insidious because the email content is genuine.
How to Recognize a Phishing Attempt
Red flags that should immediately raise suspicion:
Urgency and threats: Phrases like "your account will be suspended in 24 hours" or "immediate action is required" are manipulation tactics. Legitimate companies don't communicate this way.
Suspicious sender address: The display name says PayPal but the actual email address is something like support@paypal-billing-update.com. Always check the real address, not just the display name.
Mismatched URLs: Hover over any link before clicking (on mobile, press and hold). The real URL should match the company's actual domain. Watch for subtle typos: paypa1.com, amazon-support.net, apple-id-verify.com.
Generic greetings: "Dear Customer" or "Dear User" instead of your actual name suggests a mass phishing campaign rather than a real communication from a service you use.
Requests for credentials via link: Your bank will never email you a link and ask you to enter your password. If you need to check your account, navigate there directly by typing the URL yourself.
Unexpected attachments: Don't open attachments you weren't expecting, even from known contacts -- their account may have been compromised.
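The red flags above can be turned into a mechanical check. The following Python script is an added example, not part of this guide: it parses two constructed sample messages, compares the sender's and every link's registrable domain against a small brand allow-list, and flags urgency language and generic greetings. The allow-list, the phrase lists and the sample messages are all assumptions made up for the example, and the domain extraction simply takes the last two labels of a host name (it ignores the Public Suffix List), which is enough to show how a display name that says PayPal, a sender at paypal-billing-update.com and a link to paypa1.com are caught.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Constructed allow-list for the example: registrable domains a brand
# legitimately sends from and links to. Not an authoritative source.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
    "apple": {"apple.com", "icloud.com"},
}

# Pressure phrases from the red-flag list (constructed, not exhaustive).
URGENCY_PHRASES = (
    "within 24 hours", "immediately", "account will be suspended",
    "suspicious activity", "verify your information", "action required",
)
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued member")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels of the host name. A production
    check would consult the Public Suffix List (co.uk, com.au, ...)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def claimed_brand(display_name: str, subject: str) -> Optional[str]:
    """Which brand the message *claims* to come from, judged from the
    display name and subject. None if no known brand is mentioned."""
    text = f"{display_name} {subject}".lower()
    return next((b for b in BRAND_DOMAINS if b in text), None)


def analyze(raw_message: str) -> List[str]:
    """Return human-readable red flags for one single-part RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload()  # plain text for these samples
    flags: List[str] = []
    brand = claimed_brand(display_name, subject)

    # Display name says PayPal, but the real address lives elsewhere.
    sender_domain = registrable_domain(address.rsplit("@", 1)[-1]) if "@" in address else ""
    if brand and sender_domain not in BRAND_DOMAINS[brand]:
        flags.append(f"sender domain {sender_domain!r} does not belong to {brand}")

    # Link hosts outside the brand's registrable domain: catches paypa1.com
    # as well as paypal.com.evil.net (whose registrable domain is evil.net).
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if brand and registrable_domain(host) not in BRAND_DOMAINS[brand]:
            flags.append(f"link host {host!r} does not belong to {brand}")

    # Urgency and threats, in subject or body.
    text = f"{subject}\n{body}".lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))

    # Generic greeting instead of the recipient's name.
    if any(body.lower().lstrip().startswith(g) for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    return flags


# Constructed sample messages (not real mail).
PHISH = """From: PayPal Service <support@paypal-billing-update.com>
Subject: Action required: your PayPal account will be suspended

Dear Customer,

We detected suspicious activity on your account. Verify your information
within 24 hours at https://paypa1.com/signin to avoid suspension.
"""

LEGIT = """From: PayPal <service@paypal.com>
Subject: Receipt for your payment to Example Store

Hello Jane Doe,

You sent a payment of $12.00 to Example Store. See the details at
https://www.paypal.com/activity
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze(sample) or ["no red flags"])
```

The check is deliberately conservative: a message that names no known brand produces no domain findings, and a sender or link that matches the allow-list is not flagged even if the wording is pushy. In practice the urgency and greeting hits are weak signals on their own; the domain mismatches are the ones worth acting on.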
Habits and Tools That Actually Protect You
Use a password manager: This is your strongest defense against phishing. A password manager like Bitwarden autofills credentials only on the exact domain the password was saved for. If you land on paypa1.com instead of paypal.com, your password manager won't fill in your credentials -- giving you a critical moment to realize something is wrong. Use our free password generator to create unique passwords for every account, then save them in a manager.
Enable phishing-resistant 2FA: Hardware security keys (like YubiKey) and passkeys are phishing-resistant -- they cryptographically verify the domain before authenticating, so they won't work on fake sites. TOTP apps (Google Authenticator, Authy) are better than nothing, but the code can still be captured and relayed in real time by an adversary-in-the-middle attack, because nothing ties the code to the site you typed it into. SMS codes are the weakest form of 2FA and should be replaced where possible.
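The reason a passkey or security key "won't work on fake sites" is that the browser, not the web page, records which origin asked for the login, and the server refuses anything signed for a different origin. The Python below is an added example, not code from this guide or from any passkey vendor: it simulates the two halves of that check for an assumed relying party (RP ID paypal.com and its allowed origins are assumptions for the example), builds the clientDataJSON and authenticatorData a browser would return, and shows why a relay proxy on paypa1.com cannot obtain a usable assertion. The authenticator's signature over the data is described in a comment rather than computed, because verifying it needs an asymmetric-crypto library; everything else follows the WebAuthn ceremony.

```python
import base64
import hashlib
import json
import secrets
from typing import Tuple

# Assumed relying party for the example; not a real PayPal configuration.
RP_ID = "paypal.com"
ALLOWED_ORIGINS = {"https://paypal.com", "https://www.paypal.com"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_allows_rp_id(origin: str, rp_id: str) -> bool:
    """Client-side rule: the requested RP ID must equal the page's host or be a
    suffix of it. Real browsers also reject public suffixes such as 'co.uk'."""
    host = origin.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
    return host == rp_id or host.endswith("." + rp_id)


def make_assertion(origin: str, challenge: bytes, rp_id: str) -> dict:
    """Simulate what browser plus authenticator hand back to the page.
    The browser fills in `origin` itself; page script cannot choose it."""
    if not browser_allows_rp_id(origin, rp_id):
        raise ValueError(f"browser refuses rpId {rp_id!r} for origin {origin!r}")
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    # authenticatorData = rpIdHash (32 bytes) | flags (UP bit set) | signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (0).to_bytes(4, "big")
    return {"clientDataJSON": json.dumps(client_data).encode(), "authenticatorData": auth_data}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> Tuple[bool, str]:
    """Server-side checks a relying party performs before trusting a login."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client.get('origin')!r} is not this site"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # A real deployment now verifies the authenticator's signature over
    # authenticatorData || SHA-256(clientDataJSON) with the stored public key.
    # That signature is what stops a relay from editing the origin field.
    return True, "ok"


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    print(verify_assertion(make_assertion("https://www.paypal.com", challenge, RP_ID), challenge))
    # A phishing proxy on paypa1.com relaying the same challenge: the browser
    # only lets it use its own rpId, and the server then sees the wrong origin.
    relayed = make_assertion("https://paypa1.com", challenge, "paypa1.com")
    print(verify_assertion(relayed, challenge))
```

Contrast this with a TOTP code: the six digits are the same wherever they are typed, so a proxy that forwards them to the real site within the 30-second window is indistinguishable from the user. Here the proxy's only options are to ask for an RP ID the browser will refuse, or to obtain an assertion bound to paypa1.com that the real server rejects.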
Navigate directly, don't click links: When you receive an email about your bank account, don't click the link. Open a new browser tab and type your bank's URL manually. This simple habit defeats most phishing attacks.
Verify unexpected requests by phone: If your IT department emails asking you to install software, or someone calls claiming to be from your bank's fraud team, hang up and call back using the number on the official website or the back of your card.
Enable email filtering and use browser protection: Modern email providers (Gmail, Outlook) have strong built-in phishing filters. Keep them enabled. Browser protections such as Google Safe Browsing (built into Chrome and Firefox) and content-blocking extensions like uBlock Origin warn you before visiting known phishing sites.
What to Do If You've Been Phished
If you suspect you've entered credentials on a phishing site, act immediately:
1. Change your password on the real site right now -- use a strong, unique password generated at strongpasswordgenerator.dev.
2. If you reused that password anywhere else, change it on every site.
3. Enable two-factor authentication if you haven't already.
4. Check for any unauthorized activity -- logins from new devices or locations, changed recovery email or phone number.
5. Report the phishing site to Google Safe Browsing and the company being impersonated.
6. If financial accounts were involved, contact your bank or card issuer immediately.
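Step 4 is the one people skip because it is vague. As an added example, not part of this guide, the Python below runs that check mechanically over a constructed account-activity log in the shape most providers expose as "recent security activity": every login after the suspected phishing time from a device or country you don't recognise, and every change to recovery contacts or password, is listed with its timestamp. The log lines, device names, addresses and the known-device baseline are all made up for the example.

```python
import re
from datetime import datetime, timezone
from typing import Iterable, List, Set

# Constructed activity log (not real data): ISO timestamp, event name, key=value fields.
ACTIVITY_LOG = [
    "2024-05-02T09:10:00Z login ok device=jane-laptop country=US ip=203.0.113.10",
    "2024-05-03T14:02:00Z login ok device=jane-phone country=US ip=203.0.113.11",
    "2024-05-03T14:05:00Z login ok device=unknown-windows country=NL ip=198.51.100.7",
    "2024-05-03T14:06:00Z recovery_email_changed old=jane@example.com new=mail@example.net",
    "2024-05-03T14:07:00Z login ok device=unknown-windows country=NL ip=198.51.100.7",
]

ACCOUNT_CHANGE_EVENTS = {"recovery_email_changed", "recovery_phone_changed", "password_changed"}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+)(?P<rest>.*)$")


def parse_time(text: str) -> datetime:
    """Parse the 'Z'-suffixed UTC timestamps used in the sample log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with 'ts', 'event' and its key=value fields."""
    match = LINE_RE.match(line)
    if not match:
        raise ValueError(f"unrecognised log line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in match["rest"].split() if "=" in kv)
    fields["ts"] = parse_time(match["ts"])
    fields["event"] = match["event"]
    return fields


def audit(log: Iterable[str], phish_time: str,
          known_devices: Set[str], known_countries: Set[str]) -> List[str]:
    """List suspicious events at or after `phish_time` (ISO UTC string):
    logins from unknown devices/countries and any account-recovery changes."""
    since = parse_time(phish_time)
    findings: List[str] = []
    for line in log:
        event = parse_line(line)
        if event["ts"] < since:
            continue  # activity before the phish is the baseline, not a finding
        when = event["ts"].strftime("%Y-%m-%d %H:%M")
        if event["event"] == "login":
            reasons = []
            if event.get("device") not in known_devices:
                reasons.append(f"unknown device {event.get('device')}")
            if event.get("country") not in known_countries:
                reasons.append(f"unexpected country {event.get('country')}")
            if reasons:
                findings.append(f"{when} login from {event.get('ip')}: " + "; ".join(reasons))
        elif event["event"] in ACCOUNT_CHANGE_EVENTS:
            findings.append(f"{when} {event['event']}: {event.get('old')} -> {event.get('new')}")
    return findings


if __name__ == "__main__":
    for finding in audit(ACTIVITY_LOG, "2024-05-03T14:00:00Z",
                         known_devices={"jane-laptop", "jane-phone"}, known_countries={"US"}):
        print(finding)
```

A changed recovery email is the finding to act on first: until it is reverted, the attacker can reset the new password you set in step 1. Sign out all other sessions from the account's security page at the same time, since an existing session often survives a password change.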
The best time to protect yourself from phishing is before it happens. Strong unique passwords and a reliable password manager close off the most common path attackers use to turn a phishing click into a full account takeover.