Phishing

An attack that impersonates a trusted sender (brand, coworker, service) to trick the victim into handing over credentials, card data, or access tokens.

What is phishing?

Phishing is a social-engineering attack in which the attacker sends a message that imitates a legitimate sender — a bank, a SaaS provider, an internal IT team, a shipping notice — and drives the recipient to a fake login page, a malware payload, or an urgent action like wiring money. The goal is almost always one of three: steal credentials, steal payment data, or plant malware. Email is the dominant channel, but SMS (smishing), voice calls (vishing), and chat-platform DMs are all common.

How phishing campaigns are run

Most bulk phishing runs follow the same pipeline: harvest target addresses (often via an email harvester or a leaked credential dump), spin up lookalike domains or abuse a compromised inbox, send from rented IP ranges, and land clicks on a credential-capture page hosted on throwaway infrastructure. Targeted variants — spear phishing (a named individual) and whaling (an executive) — use higher-quality pretext and reconnaissance, often pulled from LinkedIn and breach data.

Why IP reputation helps detect phishing

The sender IPs, link-destination IPs, and credential-capture hosts in a phishing kit tend to cluster on known-bad hosting ASNs and appear on multiple abuse feeds within hours of going live. Checking a suspicious sender or URL against an IP abuse report checker will often surface prior reports from other targets. Combining IP reputation with SPF/DKIM/DMARC email authentication and user-side link inspection catches the majority of bulk phishing before a credential is submitted.
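The layered check described above, sketched as an added example (not code from this page or from any product): it reads one message's SPF/DKIM/DMARC verdicts, looks up the relay IP, and compares each link's displayed host with its real destination. The sample message, the `.test` domains, the documentation-range IP, and the `REPORTED_IPS` set standing in for an abuse-feed lookup are all constructed assumptions.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (reserved .test domains, documentation IP range).
SAMPLE = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=examp1e-bank.test;
 dkim=none; dmarc=fail header.from=examp1e-bank.test
Received: from mail.examp1e-bank.test (unknown [203.0.113.45]) by mx.example.net
From: "Example Bank" <alerts@examp1e-bank.test>
Content-Type: text/html

<p>Confirm here: <a href="http://login.examp1e-bank.test/verify">https://www.example-bank.test/login</a></p>
"""

# Hypothetical local set standing in for an IP abuse report lookup.
REPORTED_IPS = {"203.0.113.45"}

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    # Any SPF/DKIM/DMARC verdict other than "pass" is surfaced for review.
    findings = [f"{m}={r}" for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth) if r != "pass"]
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", " ".join(msg.get_all("Received", [])))
    findings += [f"reported-ip:{ip}" for ip in ips if ip in REPORTED_IPS]
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        shown, real = urlparse(text).hostname, urlparse(href).hostname
        if shown and shown != real:  # displayed URL points somewhere else
            findings.append(f"link-mismatch:{shown}->{real}")
    return findings
```

Only trust an `Authentication-Results` header stamped by your own receiving mail server; one that arrived with the message can be forged by the sender.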

Frequently Asked Questions

Look for a sender domain that does not exactly match the brand, urgent pressure to act ("your account will be closed in 24 hours"), generic greetings, links whose displayed text does not match the real destination on hover, and unexpected attachments. Legitimate services rarely ask you to confirm credentials through a link.

Clicking alone usually only loads a page and reveals your IP and browser fingerprint. Harm occurs when you then enter credentials or download a file. If you only clicked, close the tab, run an endpoint scan, and watch for unexpected logins. If you submitted a password, change it immediately everywhere you reused it and enable MFA.

Yes. Phishing is prosecuted under wire fraud, computer-misuse, and identity-theft statutes in most jurisdictions, including the US Computer Fraud and Abuse Act, the UK Fraud Act 2006, and the EU NIS2 framework. Penalties range from fines to multi-year prison sentences.

Phishing is a bulk attack sent to large lists with generic pretext. Spear phishing targets a named individual using reconnaissance — job title, colleagues' names, current projects pulled from LinkedIn or breach data — to make the message far more believable. Whaling is spear phishing aimed at senior executives.

Partly. Email gateways catch known-bad sender IPs, failed SPF/DKIM/DMARC checks, and signatures from previous campaigns. Browser safe-browsing lists block known credential-capture domains. But freshly registered lookalike domains and compromised-inbox attacks routinely bypass these filters in the first few hours of a campaign.