What Is Phishing? Types, Red Flags, and How to Protect Yourself
The median time it takes someone to fall for a phishing email is under 60 seconds. That is barely enough time to make tea. Here is how to make sure you are not the one who clicks.

Key Takeaways
- Phishing is a social engineering attack that tricks you into clicking a link, sharing credentials, or sending money by impersonating someone you trust
- The median time it takes someone to fall for a phishing email is under 60 seconds, according to the Verizon 2024 DBIR
- Five types dominate: email phishing, spear phishing, smishing (SMS), vishing (voice calls), and clone phishing
- Multi-factor authentication, a password manager, and the habit of verifying through a separate channel stop the vast majority of phishing attacks
If you have ever stared at an email from “your bank” wondering whether that “urgent account verification” link is real or about to drain your savings, congratulations. You have already met phishing. You just did not click. Hopefully.
Phishing is the cybercrime equivalent of a con artist in a uniform. The attacker dresses up an email, text, or phone call to look like it is coming from someone you trust, such as your bank, your boss, Microsoft, or the tax authority. Then they ask you to do something that, on a normal day, you would never do. Click a link. Reset a password. Wire money. Read out a code.
It is the oldest trick on the modern internet, and it still works. According to the Verizon 2024 Data Breach Investigations Report, phishing was the initial step in 15% of all breaches that year. This guide walks you through what phishing actually is, the five types you are most likely to encounter, a real-world example that cost a company $100 million, the red flags that give phishers away, and the free tools that help you fight back.
What is phishing, really?
Phishing is a type of social engineering attack, meaning the target is your brain, not your computer. The attacker is not usually exploiting a software vulnerability. They are exploiting trust, urgency, fear, or curiosity to get you to hand over the keys yourself.
The name is a play on “fishing.” Throw out enough lures and someone bites. The first recorded phishing attacks date back to the mid-1990s on AOL, where attackers impersonated staff to steal passwords and credit card numbers. The technology has changed dramatically since then. The psychology has not.
Modern phishing attacks typically aim for one of three outcomes:
- Credential theft: getting you to type your username and password into a fake login page
- Malware delivery: getting you to open an attachment or click a link that installs ransomware, a keylogger, or a remote access tool
- Direct financial fraud: getting you or a finance team member to wire money or change banking details based on a fake email from “the CEO” or “a vendor”
The 5 types of phishing you will actually see
1. Email phishing (the classic)
Mass-distributed emails pretending to be from a familiar brand like Microsoft, your bank, Netflix, DHL, or the tax authority. They get sent to thousands or millions of inboxes, hoping a fraction will click. The pitch is usually “your account is locked” or “a payment failed” or “a package could not be delivered” with a link to “fix it.”
2. Spear phishing (the targeted version)
Same idea, but personalized. The attacker has done homework. They know your name, job title, who your manager is, and what project you are working on, usually scraped from LinkedIn. The email is crafted just for you. These are dramatically more effective because they do not trip the “this feels generic” instinct.
3. Smishing (SMS phishing)
Phishing via text message. “Your USPS package has a delivery issue, click here.” “Your bank card has been blocked, verify identity here.” Smishing has exploded because text messages bypass most corporate email filters and people tend to trust their phones more than their inboxes.
4. Vishing (voice phishing)
Phishing over the phone. Someone calls claiming to be from Microsoft support, your IT department, or the IRS. Increasingly, attackers use AI-generated voice cloning of someone you actually know. They walk you through “fixing” something while they are really stealing access.
5. Clone phishing
The attacker takes a real email you or a colleague previously received from a legitimate sender, copies it almost exactly, swaps the link or attachment for a malicious one, and resends it. Because you have seen the original before, your brain pattern-matches it as safe.
A real-world example: the MGM Resorts hack
In September 2023, a group called Scattered Spider took down MGM Resorts, the hospitality giant behind the Bellagio, Aria, and dozens of other Las Vegas properties. The damage was roughly 10 days of operational chaos and an estimated $100 million in losses. Slot machines went dark. Digital room keys stopped working. Guests checked in with pen and paper.
The attack did not start with a zero-day exploit or a brilliant piece of malware. It started with a phone call.
The attackers found an MGM employee on LinkedIn, looked up their job details, and called MGM’s IT help desk pretending to be that person locked out of their account. The conversation lasted about ten minutes. By the end of it, the attackers had administrator-level access to MGM’s identity systems.
That is vishing. A $34 billion company brought to its knees because a help-desk agent did not have a strong enough way to verify who was on the other end of the phone.
How to spot a phishing attempt
Phishing messages have tells. Train yourself to slow down for two seconds and look for these red flags.
- Urgency or fear. “Your account will be closed in 24 hours.” “Unauthorized login detected.” Real companies rarely create artificial panic.
- A request to click, log in, or download. Especially when paired with urgency. This combination is the classic phishing formula.
- A mismatched sender address. The display name says “Microsoft” but the actual email is from microsft-security@outlook-help.ru. Always hover before you click.
- Generic greeting. “Dear customer” or “Dear user” instead of your name. Less common in spear phishing but still a flag in mass campaigns.
- Hover-mismatch on links. The visible link says paypal.com but hovering shows paypal.com.account-verify.xyz. The real domain is whatever comes right before the final .com or .net.
- Unusual sender plus unusual ask. Your CEO has never emailed you directly, and now they want you to buy gift cards “for a client.” That is not a CEO. That is an attacker.
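The two mechanical red flags above (display name versus real sender domain, and visible link text versus where the link actually goes) can be checked by a script rather than by eye. The following is an added example, not code from the original article; it assumes single-label suffixes such as .com and .net (a .co.uk-style domain would need a Public Suffix List lookup), and the message samples are constructed from the lookalike addresses quoted in the list.

```python
import email.utils
from urllib.parse import urlparse

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: the 'real domain right before the final
    .com or .net' the article describes. Assumption: single-label public
    suffixes only; .co.uk-style suffixes need a Public Suffix List lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def host_of(text: str) -> str:
    """Hostname from a full URL or a bare domain ('paypal.com', 'https://x.com/y')."""
    return (urlparse(text if "//" in text else "//" + text).hostname or "").lower()

def sender_mismatch(from_header: str, expected_domain: str) -> bool:
    """True when the mailbox domain is not the domain the display-name brand owns."""
    _name, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return True  # unparsable sender: treat as suspicious
    return registrable_domain(addr.rsplit("@", 1)[1]) != expected_domain.lower()

def link_mismatch(visible_text: str, href: str) -> bool:
    """True when the link text names one domain but the target is another
    (paypal.com shown, paypal.com.account-verify.xyz actually visited)."""
    return registrable_domain(host_of(href)) != registrable_domain(host_of(visible_text))

def red_flags(msg: dict, expected_domain: str) -> list:
    """Collect both flags for one message. msg is a constructed dict of the
    form {'from': From header, 'links': [(visible_text, href), ...]}."""
    flags = []
    if sender_mismatch(msg["from"], expected_domain):
        flags.append("sender domain does not match the claimed brand")
    for text, href in msg["links"]:
        if link_mismatch(text, href):
            flags.append(f"link text {text!r} really points to {host_of(href)}")
    return flags

# Constructed samples: PHISH combines the article's two lookalike examples,
# LEGIT is a made-up message whose sender and link are on the brand's own domain.
PHISH = {"from": '"Microsoft" <microsft-security@outlook-help.ru>',
         "links": [("paypal.com", "https://paypal.com.account-verify.xyz/login")]}
LEGIT = {"from": "Microsoft <no-reply@mail.microsoft.com>",
         "links": [("https://account.microsoft.com", "https://account.microsoft.com/security")]}

if __name__ == "__main__":
    print(red_flags(PHISH, "microsoft.com"))  # two flags
    print(red_flags(LEGIT, "microsoft.com"))  # []
```

The check only looks at the sender header and link targets, so a message that passes it can still be a phish; it removes the two tells that are hardest to eyeball, not the need to verify through a separate channel.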
How to protect yourself from phishing
For individuals
- Turn on multi-factor authentication everywhere. Even if a phishing attack steals your password, MFA stops the attacker at the second factor. Use an authenticator app over SMS where possible. Our 2FA guide walks you through setting it up in five minutes.
- Use a password manager. Beyond storing passwords, a good manager will not auto-fill credentials on a fake domain, which is itself a phishing detector. Check our free security tools guide for recommendations.
- When in doubt, go direct. If “your bank” emails you, do not click. Open a new tab, type the bank’s URL yourself, and log in there. Same for any service.
- Report, do not just delete. Most email providers have a “Report phishing” button. Use it. Your report helps train the filters that protect everyone.
For organizations
- Email security gateway. Microsoft Defender for Office 365, Google Workspace’s built-in protections, Proofpoint, or Mimecast all catch a large share of phishing before it reaches inboxes.
- Phishing-resistant MFA. Hardware security keys using FIDO2/WebAuthn are immune to credential-replay phishing in a way that SMS and TOTP codes are not.
- Security awareness training with simulated phishing. Organizations that run regular phishing simulations see significantly higher reporting rates from employees.
- Help-desk verification protocols. The MGM lesson: do not let anyone reset credentials based on a phone call alone. Require a callback to the registered number, manager confirmation, or a verified video call.
Phishing tips for small businesses
You do not need an enterprise security budget to make phishing dramatically harder against your business. Three high-leverage moves on a tight budget:
- Make MFA mandatory on email, accounting, and admin tools. This single change blocks the majority of credential-theft phishing. If you have not set this up yet, read our password policy guide as a companion piece.
- Set up a “verify before you send money” rule. Any change of bank details from a vendor, or any request to wire funds, requires a phone call to a known number. Never a number from the email itself.
- Use free phishing simulation. Tools like Gophish (open source) let you safely send your own team test phishing emails so they get used to spotting them in a low-stakes setting.
Free tools to fight phishing
- VirusTotal: paste a suspicious URL or upload a suspicious attachment and it scans against 70+ security engines, showing you reputation history
- urlscan.io: visits a URL in a sandbox and shows you exactly what loads, where it redirects, and what domains it contacts. Great for verifying a link without clicking it on your real machine.
- Have I Been Pwned: checks whether your email or password has shown up in known data breaches, which often fuel targeted phishing campaigns
- CISA phishing guidance: free, regularly updated, written for non-experts
The bottom line
Phishing is not a technology problem you can solve once and forget. It is an ongoing low-grade hum of attempts on your inbox, your phone, and your help desk. The defense is half technical (MFA, email filters, password managers) and half behavioral. The behavioral half is mostly a single habit: when something feels urgent, slow down for ten seconds and verify through a different channel.
That is the trick. The MGM help-desk agent who answered the phone in September 2023 did not lack training. They lacked a moment of “wait, can I verify this another way?” Build that habit, give yourself permission to be a little cautious about it, and you will dodge the vast majority of what is coming for you.
Frequently Asked Questions
What is the difference between phishing and spam?
Spam is unwanted commercial email that is annoying but not actively trying to harm you. Phishing is a deliberate attack designed to steal credentials, money, or data. All phishing is unwanted, but not all spam is phishing.
What should I do if I clicked a phishing link?
Do not panic, but move quickly. If you entered any credentials, change that password immediately on every site where you reuse it. Turn on MFA if you have not already. If it was a work account, tell your IT or security team right away. Run a malware scan on your device and watch your accounts for unusual activity over the next few weeks.
Is AI making phishing worse?
Yes. Generative AI removes two of the classic phishing tells: bad grammar and limited personalization. Attackers can now produce fluent, customized messages at scale, and clone voices for vishing with just seconds of sample audio. This is why behavioral defenses like verification protocols, MFA, and the “go direct” habit matter more than ever.
Why do attackers use phishing instead of hacking software?
Because it works and it is cheap. Finding a software vulnerability is hard, expensive, and often gets patched quickly. Convincing one person in a company of 10,000 to click a link will work most weeks of the year and costs the attacker almost nothing.

