Trace Id is missing
Skip to main content
Microsoft Security

What is phishing?

Phishing attacks aim to steal or damage sensitive data by deceiving people into revealing personal information like passwords and credit card numbers.

Different types of phishing attacks

Phishing attacks come from scammers disguised as trustworthy sources and can facilitate access to all types of sensitive data. As technologies evolve, so do cyberattacks. Learn about the most pervasive types of phishing.

Email phishing
The most common form of phishing, this type of attack uses tactics like phony hyperlinks to lure email recipients into sharing their personal information. Attackers often masquerade as a large account provider like Microsoft or Google, or even a coworker.

Malware phishing
Another prevalent phishing approach, this type of attack involves planting malware disguised as a trustworthy attachment (such as a resume or bank statement) in an email. In some cases, opening a malware attachment can paralyze entire IT systems.

Spear phishing
Where most phishing attacks cast a wide net, spear phishing targets specific individuals by exploiting information gathered through research into their jobs and social lives. These attacks are highly customized, making them particularly effective at bypassing basic cybersecurity.

Whaling
When bad actors target a “big fish” like a business executive or celebrity, it’s called whaling. These scammers often conduct considerable research into their targets to find an opportune moment to steal login credentials or other sensitive information. If you have a lot to lose, whaling attackers have a lot to gain.

Smishing
A combination of the words “SMS” and “phishing,” smishing involves sending text messages disguised as trustworthy communications from businesses like Amazon or FedEx. People are particularly vulnerable to SMS scams, as text messages are delivered in plain text and come across as more personal.

Vishing
In vishing campaigns, attackers in fraudulent call centers attempt to trick people into providing sensitive information over the phone. In many cases, these scams use social engineering to dupe victims into installing malware onto their devices in the form of an app.

Common phishing tactics

Cunning communication
Attackers are skilled at manipulating their victims into giving up sensitive data by concealing malicious messages and attachments in places where people are not very discerning (for example, in their email inboxes). It’s easy to assume the messages arriving in your inbox are legitimate, but be wary—phishing emails often look safe and unassuming. To avoid being fooled, slow down and examine hyperlinks and senders’ email addresses before clicking.

Perception of need
People fall for phishing because they think they need to act. For example, victims may download malware disguised as a resume because they’re urgently hiring or enter their bank credentials on a suspicious website to salvage an account they were told would soon expire. Creating a false perception of need is a common trick because it works. To keep your data safe, operate with intense scrutiny or install email protection technology that will do the hard work for you.

False trust
Bad actors fool people by creating a false sense of trust—and even the most perceptive fall for their scams. By impersonating trustworthy sources like Google, Wells Fargo, or UPS, phishers can trick you into taking action before you realize you’ve been duped. Many phishing messages go undetected without advanced cybersecurity measures in place. Protect your private information with email security technology designed to identify suspicious content and dispose of it before it ever reaches your inbox.

Emotional manipulation
Bad actors use psychological tactics to convince their targets to act before they think. After building trust by impersonating a familiar source, then creating a false sense of urgency, attackers exploit emotions like fear and anxiety to get what they want. People tend to make snap decisions when they’re being told they will lose money, end up in legal trouble, or no longer have access to a much-needed resource. Be cautious of any message that requires you to “act now”—it may be fraudulent.

The dangers of phishing emails

A successful phishing attack can have serious consequences. This might look like stolen money, fraudulent charges on credit cards, lost access to photos, videos, and files—even cybercriminals impersonating you and putting others at risk.

At work, risks to your employer could include loss of corporate funds, exposure of customers’ and coworkers’ personal information, sensitive files being stolen or being made inaccessible, not to mention damage to your company’s reputation. In many cases, the damage can be irreparable.

Fortunately, there are many solutions for protecting against phishing—both at home and at work.

Quick tips for avoiding phishing

Don’t trust display names

Check the sender’s email address before opening a message—the display name might be a fake.

Check for typos

Spelling mistakes and poor grammar are typical in phishing emails. If something looks off, flag it.

Look before clicking

Hover over hyperlinks in genuine-sounding content to inspect the link address.

Read the salutation

If the email is addressed to “Valued Customer” instead of to you, be wary. It’s likely fraudulent.

Review the signature

Check for contact information in the email footer. Legitimate senders always include them.

Beware of threats

Fear-based phrases like “Your account has been suspended” are prevalent in phishing emails.

Protect against cyberthreats

While phishing scams and other cyberthreats are constantly evolving, there are many actions you can take to protect yourself.

A person working in a server room.

Uphold Zero Trust principles

Zero Trust principles like multifactor authentication, just-enough-access, and end-to-end encryption protect you from evolving cyberthreats.

Protect your apps and devices

Prevent, detect, and respond to phishing and other cyberattacks with Microsoft Defender for Office 365.

Secure access

Protect users from sophisticated attacks while safeguarding your organization from identity-based threats.

Frequently asked questions

  • The primary goal of any phishing scam is to steal sensitive information and credentials. Be wary of any message (by phone, email, or text) that asks for sensitive data or asks you to prove your identity.

    Attackers work hard to imitate familiar entities and will use the same logos, designs, and interfaces as brands or individuals you are already familiar with. Stay vigilant and don’t click a link or open an attachment unless you are certain the message is legitimate.

    Here are some tips for recognizing a phishing email:

    • Urgent threats or calls to action (for example: “Open immediately”).
    • New or infrequent senders—anyone emailing you for the first time.
    • Poor spelling and grammar (often due to awkward foreign translations).
    • Suspicious links or attachments—hyperlinked text revealing links from a different IP address or domain.

    Subtle misspellings (for example, “micros0ft.com” or “rnicrosoft.com”)

    1. Write down as many details of the attack as you can recall. Note any information you may have shared, such as usernames, account numbers, or passwords.
    2. Immediately change the passwords on your affected accounts and anywhere else you might use the same password.
    3. Confirm that you’re using multifactor (or two-step) authentication for every account you use.
    4. Notify all relevant parties that your information has been compromised.
    5. If you’ve lost money or been the victim of identity theft, report it to local law enforcement and to the Federal Trade Commission. Provide the details you captured in step 1.

    If you believe you may have inadvertently fallen for a phishing attack, there are a few things you should do:

    Keep in mind that once you’ve sent your information to an attacker it is likely to be quickly disclosed to other bad actors. Expect new phishing emails, texts, and phone calls to come your way.

  • If you receive a suspicious message in your Microsoft Outlook inbox, choose Report message from the ribbon, and then select Phishing. This is the fastest way to remove the message from your inbox. In Outlook.com, select the check box next to the suspicious message in your inbox, select the arrow next to Junk, and then select Phishing.

    If you’ve lost money or been the victim of identity theft, report it to local law enforcement and get in touch with the Federal Trade Commission. They have an entire website dedicated to resolving issues of this nature.

  • No. While phishing is most common over email, phishers also use phone calls, text messages, and even web searches to obtain sensitive information.

  • Spam emails are unsolicited junk messages with irrelevant or commercial content. They may advertise quick money schemes, illegal offers, or fake discounts.

    Phishing is a more targeted (and usually better disguised) attempt to obtain sensitive data by duping victims into voluntarily giving up account information and credentials.

Follow Microsoft Security