Phishing
Adapted from Wikipedia
Phishing is a type of trickery where bad people try to get important information from others or make them install harmful software. These attacks can look very real, often copying the look of real websites, which makes it hard to tell they are not real. Because of new technology, these attacks have become even more clever and are now a big problem around the world.
The word "phishing" was first used in 1995 and comes from the idea of "fishing" for information, where attackers use lures to catch what they want. To stay safe from phishing, people need to learn how to spot these tricks, use special safety tools, and be careful online.
Phishing can happen in many ways, like through emails, phone calls, text messages, or even QR codes. As these attacks keep changing and getting more advanced, it is very important for everyone, both at home and work, to know how to protect themselves.
Types
Email phishing
Phishing attacks often come through email. They try to trick people into sharing important information or passwords. Many of these attacks are sent to large groups of people at once. The goal can be to steal money, put harmful software on a computer, or target specific groups. Sometimes, these emails look like they are from places you trust, like a bank or a government office. They might tell you to click a link to sign in, but the link leads to a fake website instead.
Spear phishing
Spear phishing is a more focused type of attack. These messages are made to look like they are from someone you know or a place you trust, and they often use details that make them seem real. They might target people who have access to important information. These attacks can use many ways to contact you, like email, text messages, or phone calls, to make you feel you need to act fast.
Voice phishing (Vishing)
Main article: Voice phishing
Vishing, or voice phishing, uses phone calls to trick people. Attackers might call many people at once, pretending to be from a bank or another trusted group. They might ask for important information or connect you to someone who tries to get your details. This type of attack works because people often trust phone calls more than emails.
SMS phishing (smishing)
Smishing uses text messages to try to trick people. The messages might ask you to click a link, call a number, or email someone. They might pretend to be from a government office, a company you use, or even someone you know. It’s important to be careful with unexpected messages, especially if they ask for personal details.
Page hijacking
Page hijacking tricks people by tampering with real websites so that they behave harmfully. Attackers might add harmful code to a website you visit, which then sends you to a fake page that tries to steal your information.
QR code phishing (quishing)
Quishing uses QR codes to trick people. Attackers might put a harmful link inside a QR code, which can look like a normal code you might scan for information. When you scan it, you might be taken to a fake website that tries to steal your details. As QR codes become more common, it’s important to only scan codes from places you trust.
Man-in-the-Middle phishing
Some phishing attacks use special tools to catch information while you’re using a website. These tools act like a middleman, letting attackers use your account even if you have extra security like a second code to sign in. This makes it harder for security systems to spot the attack.
Techniques
Phishing attacks often use tricky links that look like they come from real companies but actually lead to fake websites. These links might spell words wrong or use special web addresses to fool people. When you hold your mouse over a link, some tools can show where it really goes, but clever attackers can sometimes hide this.
Phishing also uses tricks to make people do things they shouldn’t, like clicking a bad link or sharing private details. Attackers often pretend to be someone you trust, like a bank, and create a feeling of rush, such as saying your account might be closed. Sometimes, they use fake news stories to get people to click harmful links. These links can lead to websites that look real but are actually used by attackers to try to put harmful software on your device or show you fake warnings.
Today, new technology can make these tricks even better, helping attackers target people more effectively.
History
Main article: List of phishing incidents
Early phishing tricks started in the 1990s when some people used online chat services to try to get others to share private information. The word "phishing" comes from a tool made in 1994 that let people pretend to be support staff and ask for passwords.
In the 2000s, these tricks became more common and focused. They tried to take money from online payment systems and banks. Many people lost money because of these tricks, especially in the United States and the United Kingdom.
In the 2010s, phishing grew a lot. Some big companies and governments were targeted. For example, in 2020, some hackers tricked employees at a big social media site into sharing their passwords, and then took over famous people's accounts to ask for money.
Today, phishing continues to change, with hackers using clever tricks to look like trusted websites or services.
Anti-phishing
Anti-phishing websites, such as FraudWatch International, show examples of phishing messages that have been spreading online recently and give details about them.
Until 2007, not many businesses used ways to stop phishing. There are different methods to fight phishing, like laws and technology. People and groups can both take steps to protect information. Phishing through phone, websites, or email can be reported to the police.
User training
Learning about phishing is important for any group trying to stop it. Even though we don’t know much about how well training works, there is a lot of information online about the danger.
Some groups test their workers by sending fake phishing emails to see if the training is working. One study showed that out of almost 860,000 emails sent in a month, about 2% were seen as possible threats. This is one way groups work to fight phishing.
Training helps people spot common signs of phishing, such as:
- Asking for personal information
- Email addresses and website addresses that don’t match
- Unusual greetings
- Misspelled words or mistakes
- Requests that seem urgent
- Unusual attachments
- Low-quality pictures
Almost all real emails from companies have something special that scammers can’t easily copy. For example, PayPal talks to customers by their username, so an email that says “Dear PayPal customer” is probably not real. However, just having personal information doesn’t always mean the email is safe.
Some studies show that games can help teach people about phishing and make them more careful.
The Anti-Phishing Working Group reports on trends in phishing attacks.
Technical approaches
Filtering out phishing mail
Special spam filters can stop many phishing emails from reaching people’s inboxes. These filters use methods like machine learning and natural language processing to find and block emails with fake addresses.
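As an added example (not from the article), here is a very small version of the machine-learning side of such a filter: a naive Bayes classifier that learns which words are typical of phishing messages from a handful of constructed, labelled emails and then scores a new message. A real filter trains on a far larger set and also checks the sender's address and domain, which this text-only model does not.

```python
import math
import re
from collections import Counter

# Constructed training set of (label, text). Real filters train on many thousands of messages.
TRAINING = [
    ("phish", "Urgent: your account will be suspended. Verify your password at the link now"),
    ("phish", "Security alert: unusual sign-in. Confirm your details immediately to avoid suspension"),
    ("phish", "Your payment failed. Update your card details now or lose access"),
    ("phish", "Dear customer, click here to verify your account within 24 hours"),
    ("ham", "Hi team, the meeting notes from Tuesday are attached. Let me know if I missed anything"),
    ("ham", "Reminder: the quarterly report is due Friday. Thanks for your help"),
    ("ham", "Lunch on Thursday? The new place on Main Street got good reviews"),
    ("ham", "Attached is the invoice for March as discussed. Have a nice weekend"),
]


def tokens(text):
    """Lower-case words and numbers; punctuation is dropped."""
    return re.findall(r"[a-z0-9']+", text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing so unseen words do not zero out a class."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.doc_counts = Counter()   # how many training messages per label
        self.word_counts = {}         # label -> Counter of word occurrences
        self.vocab = set()

    def train(self, examples):
        for label, text in examples:
            self.doc_counts[label] += 1
            counts = self.word_counts.setdefault(label, Counter())
            for word in tokens(text):
                counts[word] += 1
                self.vocab.add(word)

    def log_prob(self, label, text):
        """log P(label) + sum of log P(word | label), computed in log space to avoid underflow."""
        total_docs = sum(self.doc_counts.values())
        score = math.log(self.doc_counts[label] / total_docs)
        counts = self.word_counts[label]
        denominator = sum(counts.values()) + self.alpha * len(self.vocab)
        for word in tokens(text):
            score += math.log((counts[word] + self.alpha) / denominator)
        return score

    def classify(self, text):
        scores = {label: self.log_prob(label, text) for label in self.doc_counts}
        return max(scores, key=scores.get)


def build_filter():
    model = NaiveBayes()
    model.train(TRAINING)
    return model


if __name__ == "__main__":
    model = build_filter()
    for sample in ("Urgent: verify your password now or your account will be suspended",
                   "Notes from the meeting are attached, thanks"):
        print(model.classify(sample), "<-", sample)
```

The model scores a message by adding up how much each word leans toward "phish" or "ham" in the training data; words like "verify", "urgent" and "suspended" push a message toward the phishing class. Smoothing matters in practice because attackers deliberately use words the filter has never seen.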
Browsers alerting users to fraudulent websites
Some web browsers have lists of known bad websites and check addresses against these lists. Browsers like Google Chrome, Microsoft Edge, Mozilla Firefox, Safari, and Opera include these checks. Some browsers get help from trusted partners or special tools. According to a 2026 study, Avast Secure Browser and Norton Security Browser were best at spotting bad sites, blocking 94% of phishing addresses, while Google Chrome blocked 72%.
One way to fight phishing is to use a special DNS service that blocks known phishing addresses.
Augmenting password logins
Some websites ask users to pick a personal picture that shows when they log in. Users are told to only enter their password when they see their picture. However, few users actually refuse to enter their password when the picture is missing. This method, like other visual extra steps at login, can sometimes be bypassed.
Other methods include showing a colored word in a box or a changing grid of pictures that users must identify before entering their password.
Monitoring and takedown
Some companies help find and remove bad websites and accounts that copy real organizations. While early tools needed a lot of human help, newer tools work faster to fight phishing. People can help by reporting phishing to groups like cyscon or PhishTank. Phishing websites and emails can also be reported to Google.
Multi-factor authentication
Groups can ask for more than just a password when logging in, like a smart card and a password. This helps protect information even if a password is stolen. Some newer methods, like WebAuthn, are designed to be harder to bypass.
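As an added example (not from the article), the simulation below shows why a relayed one-time code does not stop the man-in-the-middle phishing described earlier, while an origin-bound login in the style of WebAuthn does. The site names, user name and the look-alike page are constructed; the "authenticator" uses an HMAC with a secret shared at registration as a stand-in for a real security key's private-key signature, so the example needs no extra library. The point it demonstrates is the origin check: the browser, not the page, writes the origin into the signed data.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins for the example (not from the article).
REAL_ORIGIN = "https://bank.example"                   # the genuine site
PROXY_ORIGIN = "https://bank-example.login.example"    # a look-alike page that relays traffic


class Authenticator:
    """Stand-in for a security key. A real one signs with a private key it never reveals; here a
    secret shared at registration plus HMAC plays that role. The argument is the same: only the
    key holder can produce a valid signature over the client data."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def registration_key(self):
        return self._secret  # what the site stores for this user

    def sign(self, client_data):
        return hmac.new(self._secret, client_data, hashlib.sha256).digest()


class Browser:
    """The browser fills in the origin of the page it is really showing; the page cannot change it."""

    def __init__(self, page_origin, authenticator):
        self.page_origin = page_origin
        self.authenticator = authenticator

    def respond(self, challenge):
        client_data = json.dumps({"challenge": challenge, "origin": self.page_origin},
                                 sort_keys=True).encode()
        return client_data, self.authenticator.sign(client_data)


class Site:
    def __init__(self, origin):
        self.origin = origin
        self.keys = {}
        self.codes = {}
        self.challenges = set()

    def register(self, user, key):
        self.keys[user] = key

    # One-time code sent to the user, for example by text message.
    def send_code(self, user):
        self.codes[user] = f"{secrets.randbelow(10**6):06d}"
        return self.codes[user]

    def verify_code(self, user, code):
        return "ok" if hmac.compare_digest(self.codes.pop(user, ""), code) else "bad code"

    # Origin-bound login: a fresh challenge plus a signature over client data naming the origin.
    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def verify_assertion(self, user, client_data, signature):
        expected = hmac.new(self.keys[user], client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return "bad signature"
        data = json.loads(client_data)
        if data["challenge"] not in self.challenges:
            return "unknown challenge"
        self.challenges.discard(data["challenge"])
        if data["origin"] != self.origin:
            return f"origin mismatch: {data['origin']}"
        return "ok"


def demo():
    site = Site(REAL_ORIGIN)
    key = Authenticator()
    site.register("alice", key.registration_key())

    # 1. A one-time code typed into the look-alike page and passed straight through:
    #    the site only sees a correct code, so it accepts.
    code = site.send_code("alice")
    relayed_code = site.verify_code("alice", code)

    # 2. Origin-bound login on the genuine page.
    challenge = site.new_challenge()
    client_data, sig = Browser(REAL_ORIGIN, key).respond(challenge)
    direct = site.verify_assertion("alice", client_data, sig)

    # 3. The same login through the look-alike page: the browser records the page it is really on.
    challenge = site.new_challenge()
    client_data, sig = Browser(PROXY_ORIGIN, key).respond(challenge)
    relayed_assertion = site.verify_assertion("alice", client_data, sig)

    # 4. Rewriting the origin field after signing only breaks the signature.
    tampered = client_data.replace(PROXY_ORIGIN.encode(), REAL_ORIGIN.encode())
    rewritten = site.verify_assertion("alice", tampered, sig)

    return relayed_code, direct, relayed_assertion, rewritten


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `("ok", "ok", "origin mismatch: https://bank-example.login.example", "bad signature")`: the relayed code is accepted, the genuine origin-bound login is accepted, the relayed origin-bound login is refused because the signed data names the wrong page, and editing that field afterwards invalidates the signature.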
Legal responses
In 2004, the U.S. Federal Trade Commission filed the first lawsuit against someone for creating a fake America Online page and taking credit card information. Other countries have also arrested people for phishing. In Brazil, one person was arrested for stealing between $18 million and $37 million over two years. In the UK, two men were jailed in 2005 for a phishing scam connected to a U.S. operation. In 2006, Japanese police arrested eight people for making fake Yahoo Japan websites, making about $870,000. The FBI also detained a group in the U.S. and Europe.
In 2005, a U.S. senator introduced a bill to fine or jail people who use fake websites and emails to trick people. In the UK, a law from 2006 can put people in prison for up to ten years for fraud and for having tools to commit fraud.
Companies have also taken action. In 2005, Microsoft filed many lawsuits in the U.S. against people accused of taking passwords and secret information. In the same year, Microsoft and the Australian government worked together to teach police how to fight cyber crimes, including phishing. Microsoft planned more lawsuits outside the U.S. In 2006, AOL filed lawsuits seeking $18 million, and Earthlink helped charge six men in Connecticut.
In 2007, a man in California was the first to be found guilty under a law about unwanted emails. He was sending thousands of emails pretending to be AOL to get people to give personal information. He was sentenced to 70 months in prison.
Notable incidents
2016–2021 literary phishing thefts
Sector-specific impact
Healthcare
Phishing is a big problem in healthcare, especially in the United States. Many times, hackers use emails to trick people into giving away important health information. This is the most common way hackers start attacks in healthcare.
New rules were suggested in December 2024 to help stop these attacks. These rules want to make it harder for hackers to succeed by requiring extra steps to log in, special training for workers, and better tools to catch bad emails. These ideas came about because of big attacks, like one in 2024 that affected about 100 million people's health records.
This article is a child-friendly adaptation of the Wikipedia article on Phishing, available under CC BY-SA 4.0.