What Is Phishing? How to Recognize and Avoid It
Phishing is a scam that tricks you into giving up passwords or personal information by impersonating a trusted source. Here is how it works and how to spot it.
Mango Oasis Editorial
2026-03-31
Phishing is a type of scam where an attacker impersonates a trusted person or organization — a bank, a tech company, a government agency — to trick you into handing over sensitive information like passwords, credit card numbers, or personal details. The name is a deliberate misspelling of "fishing": attackers cast a wide net hoping someone bites.
It is consistently one of the most effective attack methods because it targets human judgment, not software vulnerabilities.
How a Phishing Attack Works
The basic structure is always the same:
- You receive a message that appears to come from a legitimate source
- The message creates urgency — your account is suspended, a payment failed, unusual activity was detected
- You are directed to click a link
- The link leads to a fake website that looks real
- You enter your credentials or personal information
- The attacker captures it
The fake website may look pixel-perfect. The email address may look almost correct. That is the point.
Types of Phishing
Email phishing is the most common form — mass emails sent to thousands of addresses hoping a percentage will fall for it.
Spear phishing is targeted. The attacker researches a specific person and crafts a convincing message using real details about them — their name, employer, recent activity. Much harder to detect.
Smishing uses SMS text messages instead of email. Common examples: fake package delivery notifications, fake bank alerts.
Vishing uses phone calls. An attacker calls pretending to be tech support, a bank representative, or a government official.
Clone phishing takes a legitimate email you actually received and replaces links or attachments with malicious ones, sending it as if it were a follow-up.
How to Spot a Phishing Attempt
Check the sender address carefully. The display name can say anything. Look at the actual email address. support@paypa1.com is not PayPal.
Look for urgency designed to bypass thinking. "Your account will be closed in 24 hours" is a pressure tactic.
Hover over links before clicking. The URL shown at the bottom of your browser window may not match the displayed text.
Look for generic greetings. "Dear Customer" instead of your actual name suggests a mass phishing attempt.
Check for poor grammar or unusual phrasing. Not all phishing is poorly written, but many attempts are.
When in doubt, go directly to the site. Instead of clicking a link in an email from your bank, open a browser and type your bank's address manually.
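As an added illustration (not part of the original article), here is a small Python checker that applies the first and third tips above: it reads the real address behind a display name, flags a sender domain that differs from a trusted one only by digit-for-letter swaps such as paypa1.com, and reports a link whose visible text names one domain while its target is another. The trusted-domain list and the sample addresses are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for this example: the real domains of the brands a
# message may claim to be from. A deployment would maintain its own.
TRUSTED_DOMAINS = {"paypal.com", "examplebank.com"}

# Digit-for-letter swaps seen in lookalike domains; normalising with this
# table lets "paypa1.com" be recognised as an imitation of "paypal.com".
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def sender_address(from_header):
    """Return the bare address from a From: header, ignoring the display name."""
    m = re.search(r"<([^>]+)>", from_header)
    return (m.group(1) if m else from_header).strip().lower()

def domain_of(address_or_url):
    """Extract the host from an e-mail address or a URL (scheme optional)."""
    if "@" in address_or_url:
        return address_or_url.rsplit("@", 1)[1].lower()
    if "://" not in address_or_url:
        address_or_url = "http://" + address_or_url
    return (urlparse(address_or_url).hostname or "").lower()

def registrable(host):
    """Keep the last two labels: 'secure.login.paypal.com' -> 'paypal.com'."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def check_sender(from_header):
    """Flag an untrusted sender domain, noting when it mimics a trusted one."""
    dom = registrable(domain_of(sender_address(from_header)))
    if dom in TRUSTED_DOMAINS:
        return []
    lookalike = dom.translate(CONFUSABLES)
    if lookalike in TRUSTED_DOMAINS:
        return [f"sender domain {dom} imitates {lookalike}"]
    return [f"sender domain {dom} is not trusted"]

def check_link(anchor_text, href):
    """Flag a link whose visible text names one domain but targets another."""
    findings = []
    url_like = re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", anchor_text.strip(), re.I)
    shown = registrable(domain_of(anchor_text.strip())) if url_like else None
    actual = registrable(domain_of(href))
    if shown and shown != actual:
        findings.append(f"link text shows {shown} but points to {actual}")
    if actual not in TRUSTED_DOMAINS:
        findings.append(f"link target {actual} is not trusted")
    return findings
```

The registrable() helper is deliberately naive about two-part public suffixes such as co.uk; a real tool would use a public-suffix list.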
What to Do If You Clicked
If you entered credentials on a phishing site: change your password immediately on the real site, then on any other site where you used the same password. Enable two-factor authentication if you have not already — it limits the damage even when a password is stolen.
If you only clicked but did not enter anything: run a malware scan to be safe.
Summary
Phishing impersonates trusted sources to steal your credentials or personal information. It works by creating urgency and directing you to convincing fake websites. The best defenses are skepticism toward unexpected messages, checking sender addresses carefully, and never clicking links to log in — go directly to the site instead. See also what malware is and what two-factor authentication does.