Microsoft Security

What is phishing?

Learn about phishing, what to look for in an attack, and how to protect yourself with tools and tips to stay safe online.

Phishing defined

Phishing attacks aim to steal or damage sensitive data by deceiving people into revealing personal information like passwords and credit card numbers.

Key takeaways

  • Phishing is a type of cyberattack where attackers masquerade as trusted sources to steal sensitive information.
  • These attacks work by deceiving individuals into providing information through fake messages designed to look authentic.
  • Phishing attacks can be spotted by their suspicious email addresses, generic greetings, urgent or threatening language, and requests to click on unfamiliar links.
  • The best way to prevent phishing attacks is to use phishing-resistant multifactor authentication (PR-MFA), be cautious with message links and attachments, and stay informed of the latest phishing tactics.

Common types of phishing attacks

Phishing attacks come from scammers disguised as trustworthy sources trying to gain access to all types of sensitive data. While this pervasive type of cyberattack continues to evolve along with emerging technologies, the tactics remain consistent:

Cunning communication
Attackers are skilled at manipulating their victims into giving up sensitive data by concealing malicious messages and attachments in places where people are not very discerning, such as in their email inboxes. It’s easy to assume the messages arriving in your inbox are legitimate, but be wary—phishing emails often look safe and unassuming. To avoid being fooled, slow down and examine hyperlinks and senders’ email addresses before clicking.

Perception of need
People fall for phishing because they think they need to act. For example, victims may download malware disguised as a resume because they’re urgently hiring, or enter their bank credentials on a suspicious website to salvage an account they were told would soon expire. Creating a false perception of need is a common trick because it works. To keep your data safe, scrutinize every message carefully, or install email protection technology that will do the hard work for you.

False trust
Bad actors fool people by creating a false sense of trust—and even the most perceptive fall for their scams. By impersonating trustworthy sources like Google, Wells Fargo, or UPS, phishers can trick you into taking action before you realize you’ve been duped. Many phishing messages go undetected without advanced cybersecurity measures in place. Protect your private information with email security technology designed to identify suspicious content and dispose of it before it ever reaches your inbox.

Emotional manipulation
Bad actors use psychological tactics to convince their targets to act before they think. After building trust by impersonating a familiar source and creating a false sense of urgency, attackers exploit emotions like fear and anxiety to get what they want. People tend to make snap decisions when they’re being told they will lose money, end up in legal trouble, or no longer have access to a much-needed resource. Be cautious of any message that requires you to “act now”—it may be fraudulent.

The most common types of phishing attacks include:

Email phishing
The most common form of phishing, this type of attack uses tactics like phony hyperlinks to lure email recipients into sharing their personal information. Attackers often masquerade as a large account provider like Microsoft or Google, or even a coworker.

Malware phishing
Another prevalent phishing approach, this type of attack involves planting malware disguised as a trustworthy attachment (such as a resume or bank statement) in an email. In some cases, opening a malware attachment can paralyze entire IT systems.

Spear phishing
Where most phishing attacks cast a wide net, spear phishing targets specific individuals by exploiting information gathered through research into their jobs and social lives. These attacks are highly customized, making them particularly effective at bypassing basic cybersecurity.

Whaling
When bad actors target a “big fish” like a business executive or celebrity, it’s called whaling. These scammers often conduct considerable research into their targets to find an opportune moment to steal login credentials or other sensitive information. If you have a lot to lose, whaling attackers have a lot to gain.

Smishing
A combination of the words “SMS” and “phishing,” smishing involves sending text messages disguised as trustworthy communications from businesses like Amazon or FedEx. People are particularly vulnerable to SMS scams, as text messages are delivered in plain text and come across as more personal.

Vishing
In vishing campaigns, attackers in fraudulent call centers attempt to trick people into providing sensitive information over the phone. In many cases, these scams use social engineering to dupe victims into installing malware onto their devices in the form of an app.

The dangers of phishing

A successful phishing attack can have serious consequences. This might look like stolen money, fraudulent charges on credit cards, lost access to photos, videos, and files—even cybercriminals impersonating you and putting others at risk.

Risks to an employer could include loss of corporate funds, exposure of customers’ and coworkers’ personal information, or sensitive files being stolen or made inaccessible. A data breach could also have a lasting negative impact on a company’s reputation. In some cases, the damage can be irreparable.

Some real-world examples tracked by Microsoft Threat Intelligence include:
 
  • Russian threat actor Star Blizzard was observed deploying spear-phishing messages to journalists, think tanks, and non-governmental organizations, in an effort to steal sensitive information.
  • North Korea-based Sapphire Sleet has been reported to have stolen over $10 million in cryptocurrency, primarily by masquerading as a venture capitalist, and secondarily as professional recruiters.
  • The threat actor known as Storm-2372 was discovered to have conducted a device code phishing campaign, in which they exploited messaging app experiences to capture authentication tokens.

How to recognize phishing attacks

Threat actors can target a wide range of individuals, especially those with access to sensitive information. Many of these individuals hold strategic roles, such as IT, finance, and executive positions. However, threat actors may also pretend to be a supervisor “requesting” credentials from their employees—which is why everyone must be on the lookout for suspicious messages.

The primary goal of any phishing scam is to steal sensitive information and credentials. Be wary of any message (by phone, email, or text) that asks for sensitive data or asks you to prove your identity.

Attackers work hard to imitate familiar entities and will use the same logos, designs, and interfaces as brands or individuals you are already familiar with. Stay vigilant and don’t click a link or open an attachment unless you are certain the message is legitimate.

Here are some tips for recognizing a phishing email:
 
  • Urgent threats or calls to action, such as “open immediately.”
  • New or infrequent senders—anyone emailing you for the first time.
  • Poor spelling and grammar, often due to awkward foreign translations.
  • Suspicious links or attachments—hyperlinked text revealing links from a different IP address or domain.
  • Subtle misspellings, such as micros0ft.com or rnicrosoft.com.

Preventing phishing attacks

Here are some practical steps you can take to safeguard yourself against phishing attacks:
 
  1. Recognize the signs. Examples include unfamiliar greetings, unsolicited messages, grammar and spelling errors, a sense of urgency, suspicious links or attachments, and requests for personal information.
  2. Report anything suspicious. Report suspicious messages to your organization’s IT department or flag them through designated reporting tools.
  3. Install security software. Deploy software designed to detect and block phishing attempts, such as antivirus programs or firewalls.
  4. Require multifactor authentication (MFA). This step adds an extra layer of security. Go even further with phishing-resistant MFA (PR-MFA), which protects against social engineering.
  5. Stay informed through education and training. Regular training sessions can help you and your coworkers identify and report phishing attempts through the proper channels. Attack methods are constantly evolving, so it’s best to stay on top of current trends in cybersecurity and updates to threat intelligence.

Responding to a phishing attack

When you encounter a phishing attempt, it's crucial to act quickly to minimize potential damage:
 
  1. Do not respond. Even a simple reply can confirm to an attacker that your email address is active, which could embolden them to keep trying.
  2. Change your passwords. If you suspect that your credentials have been compromised, change your passwords immediately. Implement MFA if you’re not currently using it.
  3. Alert your IT team. Letting them know about the phishing attempt can prompt an incident response to help mitigate damage across your organization’s network.
  4. Report the phishing attempt. Use designated reporting tools or follow any instructions given by your IT team.
  5. Monitor your accounts. Regularly check any account with sensitive data, such as a financial account, for any suspicious activity.
  6. Educate your coworkers. Let your team know about the phishing attempt and what to look out for. This simple step can collectively strengthen defenses.

By applying these steps and taking immediate action, you can significantly reduce the risk of further damage and protect both personal and organizational data.

Phishing trends

Threat actors use a variety of malware to conduct their phishing schemes. The most common include:
 
  • Ransomware is one of the most common types of malware. It restricts access to data by encrypting files or locking computer screens, then attempts to extort money from victims by asking for a ransom in exchange for access to the data.
  • Spyware infects a device, then monitors activity on the device and online, collecting any sensitive information used, such as login credentials and personal data.
  • Bots allow attackers to infect and take control of devices. Botnets are networks of bots that make use of command and control (C&C) servers to spread an even wider net to conduct malicious activities.
  • Viruses are one of the oldest forms of malware. They attach themselves to clean files and spread to other files and programs. 
  • Trojans disguise themselves as regular software. Once installed, they spread malicious code that can take control of a device and create a backdoor for other malware.

Attackers have also embraced AI-generated malware, which is more sophisticated and harder to detect, as it can mimic legitimate software behavior and regenerate its code to evade security.

This rapid evolution of malware has prompted security professionals to develop similar techniques to take advantage of AI for cybersecurity:

  • Extended detection and response (XDR) solutions unite tools like endpoint detection and response (EDR), AI and machine learning (ML), and other tools into a single, cloud-based platform.
  • Managed detection and response (MDR) combines technology with human expertise to strengthen cybersecurity.
  • Security information and event management (SIEM) solutions enhance threat detection and incident response by analyzing data from various sources.

By combining these solutions, organizations gain comprehensive cyber threat hunting, AI-powered detection and analysis, and automated response capabilities across their entire digital estate.

Protect yourself against phishing attacks

Protecting yourself and your company from phishing attacks requires a combination of vigilance, education, and robust security measures. Regular training and awareness programs can help you and your coworkers recognize and respond to phishing attempts. Make sure to use strong, unique passwords, implement MFA, and report suspicious messages to your IT department.

Organizations can protect their apps and devices from phishing and other cyberthreats with Microsoft Defender for Office 365. It helps secure email and collaboration tools, providing advanced protection and enhancing the company’s overall security posture. Defender for Office 365 also provides AI-powered threat detection and response capabilities, automated remediation, and cyberattack simulation training to help organizations stay ahead of evolving threats.

Quick tips to avoid phishing

Don’t trust display names
Check the sender’s email address before opening a message—the display name might be a fake.

Check for typos
Spelling mistakes and poor grammar are typical in phishing emails. If something looks off, flag it.

Look before clicking
Hover over hyperlinks in genuine-sounding content to inspect the link address.

Read the salutation
If the email is addressed to “Valued Customer” instead of to you, be wary. It’s likely fraudulent.

Review the signature
Check for contact information in the email footer. Legitimate senders always include it.

Beware of threats
Fear-based phrases like “Your account has been suspended” are prevalent in phishing emails.
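The recognition tips above (“How to recognize phishing attacks” and the quick tips in this section) can be turned into simple heuristics that a mail gateway or a triage script applies to each message. The following is an added example written for this page, not Microsoft’s code or any product’s logic. It assumes a per-organization list of trusted domains (TRUSTED_DOMAINS is a constructed placeholder), a small table of common homoglyph substitutions such as 0 for o and rn for m, and a message represented as a plain dictionary; the two sample messages are constructed for the demonstration. It flags the indicators the page lists: a display name that claims a brand the sender domain does not match, a lookalike sender or link domain, link text pointing at a different domain than the real href, a generic salutation, and urgency or threat language.

```python
"""Heuristic phishing indicators over a constructed sample message.
Added example for this page; not Microsoft's code. The trusted-domain list,
homoglyph table and sample messages are assumptions/constructed data."""
import re
from urllib.parse import urlparse

# Assumption: domains the recipient legitimately corresponds with.
TRUSTED_DOMAINS = {"microsoft.com", "contoso.com"}

# Common substitutions used to build lookalike domains (e.g. micros0ft, rnicrosoft).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

URGENCY_PHRASES = ("act now", "open immediately", "account has been suspended",
                   "within 24 hours", "verify your identity")
GENERIC_SALUTATIONS = ("dear valued customer", "dear customer", "dear user")


def normalize_lookalike(domain: str) -> str:
    """Map homoglyph substitutions back to the letters they imitate."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_domain(address: str) -> str:
    """Registrable domain of the part after '@' in a bare email address."""
    return registrable_domain(address.rsplit("@", 1)[-1])


def check_message(msg: dict) -> list[str]:
    """Return a list of human-readable indicators found in the message."""
    findings = []
    from_dom = sender_domain(msg["from_address"])

    # 1. Display name names a brand whose domain does not match the sender.
    name = msg.get("display_name", "").lower()
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name and from_dom != trusted:
            findings.append(f"display name mentions {brand} but sender domain is {from_dom}")

    # 2. Sender domain is a homoglyph lookalike of a trusted domain.
    if from_dom not in TRUSTED_DOMAINS and normalize_lookalike(from_dom) in TRUSTED_DOMAINS:
        findings.append(f"lookalike sender domain {from_dom}")

    # 3. Link text shows one domain while the real href goes somewhere else.
    for text, href in msg.get("links", []):
        href_dom = registrable_domain(urlparse(href).hostname or "")
        m = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if m and registrable_domain(m.group(0)) != href_dom:
            findings.append(f"link text {m.group(0)} but href goes to {href_dom}")
        elif href_dom not in TRUSTED_DOMAINS and normalize_lookalike(href_dom) in TRUSTED_DOMAINS:
            findings.append(f"lookalike link domain {href_dom}")

    # 4. Generic salutation instead of the recipient's name.
    body = msg.get("body", "").lower()
    if any(body.startswith(s) for s in GENERIC_SALUTATIONS):
        findings.append("generic salutation")

    # 5. Urgency or threat language in subject or body.
    text = f"{msg.get('subject', '')} {body}".lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = {
    "display_name": "Microsoft Account Team",
    "from_address": "security@rnicrosoft.com",
    "subject": "Your account has been suspended",
    "body": "Dear Valued Customer, verify your identity within 24 hours.",
    "links": [("https://login.microsoft.com/verify", "http://micros0ft.com/verify")],
}
SAMPLE_LEGIT = {
    "display_name": "Alice (Contoso IT)",
    "from_address": "alice@contoso.com",
    "subject": "Lunch menu for Friday",
    "body": "Hi Bob, the menu is attached.",
    "links": [("intranet", "https://intranet.contoso.com/menu")],
}

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(sample))
```

The homoglyph table only triggers when the normalized name lands on a trusted domain, which keeps false positives low; the “last two labels” domain approximation is deliberately simple and would need a public-suffix list for domains such as co.uk. None of these heuristics replaces phishing-resistant MFA or gateway-level filtering; they show what the human checks in the tips look like when automated.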

Frequently asked questions

What is phishing?
Phishing is a type of cyberattack where attackers attempt to deceive individuals into providing sensitive information, such as usernames, passwords, credit card numbers, or other personal details. This is typically done by masquerading as a trustworthy entity in electronic communications, such as emails, text messages, or websites.

How does phishing work?
In most cases, the attacker sends a message to the recipient via email, SMS (text message), phone, or a website. The message is tailored and appears to be from a legitimate source, urgently requesting the recipient to send them sensitive information or to click a link that will take them to a fake website designed to steal credentials.

How can I protect myself against phishing?
The best way to protect yourself against phishing attacks is to ensure your devices are configured for phishing-resistant multifactor authentication (PR-MFA). You should also report any suspicious-looking content to your organization’s security team. You can also keep yourself informed by participating in training and awareness programs so you know how to recognize and respond to phishing attempts.

What are the most common types of phishing attacks?
Common phishing attacks include:

  • Email phishing (most common): attackers send emails that appear to be legitimate, urging recipients to act quickly to avoid losing access to company resources.
  • Smishing: phishing via SMS, urging recipients to click on a link or provide information.
  • Spear phishing: a targeted method where attackers impersonate a trusted source, like the target’s boss, to steal information.
  • Vishing: phishing via phone calls to collect sensitive information.

Why is phishing dangerous?
Phishing is one of the most effective ways to steal information and can have severe consequences for both individuals and organizations. Successful phishing attacks can expose personal and professional information, and can lead to unauthorized access to sensitive data, financial loss, and reputational damage.
