What is Phishing?

Phishing is a type of cyberattack in which a malicious actor impersonates a trusted entity, such as a bank, a well-known company, or a colleague, to deceive individuals into revealing sensitive information like passwords, credit card numbers, or personal identification details.

The term is a deliberate misspelling of "fishing," reflecting the idea that attackers cast a wide net of deceptive messages hoping that some recipients will take the bait. Phishing is one of the most prevalent forms of social engineering, a category of attacks that exploits human psychology rather than technical vulnerabilities in software or systems.

How Phishing Works

A phishing attack typically begins with a fraudulent communication, most commonly an email, though text messages (a variant known as smishing) and voice calls (vishing) are also widely used. The message is crafted to appear legitimate, often mimicking the visual design, tone, and sender address of a reputable organization. It usually creates a sense of urgency, warning the recipient of a security breach, an unpaid invoice, or a suspended account, and directs them to click a link or open an attachment.

The link typically leads to a spoofed website that closely resembles the legitimate one. When the victim enters their credentials or payment information, that data is captured directly by the attacker. Malicious attachments, on the other hand, may install malware or ransomware on the victim's device upon opening.

Common Variants

Spear phishing is a more targeted form of the attack in which the message is personalized using information gathered about a specific individual or organization, making it significantly harder to detect. When spear phishing is directed at high-profile targets such as executives or public officials, it is often referred to as whaling. Clone phishing involves duplicating a legitimate email that the victim has previously received and replacing its links or attachments with malicious ones.

Phishing in the Context of Web Security and SEO

For website owners and SEO professionals, phishing carries particular relevance. Search engines like Google actively flag and delist websites identified as phishing pages, and a domain associated with phishing activity can suffer severe, lasting damage to its search rankings and reputation. Websites can also become unwitting hosts of phishing content if they are compromised through a security vulnerability, making regular security audits an important part of maintaining a site's standing with both users and search engines.

Protecting against phishing requires a combination of technical measures, such as enabling multi-factor authentication and deploying email authentication protocols like SPF, DKIM, and DMARC, alongside ongoing user education to help people recognize suspicious communications before acting on them.
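The email authentication protocols mentioned above only help when they are configured to actually fail spoofed mail. The following Python snippet is an added example, not part of the original glossary entry: it audits SPF and DMARC TXT records for settings that still let spoofed messages through. The domains and records are constructed samples; a real check would fetch the TXT records over DNS instead.

```python
"""Audit SPF and DMARC records for settings that leave a domain open to spoofing."""

# Constructed sample records for two made-up domains (not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example",
    },
}


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit(spf: str, dmarc: str) -> list:
    """Return a list of findings; an empty list means no weakness was detected."""
    findings = []

    # SPF: only '-all' (hard fail) tells receivers to reject unlisted senders.
    if not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no valid record published")
    elif not spf.rstrip().endswith("-all"):
        findings.append("SPF: ends with soft/neutral 'all'; unlisted senders are not rejected")

    # DMARC: p=none only monitors, and pct<100 applies the policy to a fraction of mail.
    tags = parse_dmarc(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: no valid record published")
    else:
        policy = tags.get("p", "none")
        if policy != "reject":
            findings.append(f"DMARC: policy p={policy} does not block spoofed mail")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    return findings


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain, audit(**records) or "OK")
```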
