What is Phishing?

Learn more about phishing scams and how to avoid them

What is phishing?

Have you ever received an email, text, or some other form of electronic communication seemingly coming from a bank that requested you to “confirm” confidential information, such as your credit card PIN? If so, then you already know what a common phishing attack looks like. This method of social engineering is used to obtain valuable user data that can be sold or misused by the attackers for nefarious purposes, such as extortion, monetary theft, or identity theft.


The concept was first described in a 1987 conference paper by Jerry Felix and Chris Hauck called “System Security: A Hacker’s Perspective” (1987 Interex Proceedings 1:6). It discussed the technique of an attacker imitating a reputable entity or service. The word itself is a homophone of “fishing” for targets – as it uses the same “bait-catch” logic. The “ph-” at the beginning is a reference to “phreaks”, a group of hackers who experimented with, and illegally explored the borders of, telecommunication systems in the 1990s.

How does it work?

Phishing has been around for decades, and over time, cyber attackers have developed more sophisticated methods of targeting victims.

The most common phishing technique is to impersonate a bank or financial institution via email, to lure the victim into divulging their account details or login credentials.

In the past, misspelled or misleading domain names were often used for this purpose. Today, cyber attackers resort to more creative methods that include realistic links and web pages that closely resemble their legitimate counterparts. One example is a popular Canada Revenue Agency scam.


Information stolen from the victims is usually misused to empty their bank accounts or is sold online.

Similar attacks can also be performed via phone calls (vishing) as well as SMS messages (smishing).


Spearphishing is a more advanced phishing method whereby seemingly authentic phishing messages land in the inboxes of specific groups, organizations or even individuals. Authors of spearphishing emails perform detailed research on their target(s) in advance, making it difficult to identify the content as fraudulent.

Attacks focused on specific, mostly high-profile business individuals – such as top managers or owners – are labeled as “whaling”, due to the size of the potential pay-off (the bad guys going after “the big fish”).

Recognize a phishing attempt

An email or electronic message can contain official logos or other signs of a reputable organization and can still come from phishers. Read on for a few tips that can help you spot a phish.


  1. Generic or informal greetings – If a message lacks personalization (e.g. "Dear Customer") and formality, then there is probably something amiss.
  2. A request for personal information – Usually avoided by banks, financial institutions and most online services, but frequently used by phishers.
  3. Poor grammar – Spelling mistakes, typos and unusual phrasing often indicate a fake (but the absence of any of these is not proof of legitimacy).
  4. Unexpected correspondence – Unsolicited contact from a bank or online service provider is highly unusual and thus suspicious.
  5. An offer you cannot refuse – If the message sounds too good to be true, it almost certainly is.
  6. Suspicious domain – Would a Canadian bank really send an email from a foreign domain?
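
Three of the indicators above (1, 2 and 6) can be checked mechanically. The following is an added example, not ESET code: the brand "Example Bank", its domain `examplebank.ca`, the keyword lists and both messages are constructed assumptions, and an empty result is not proof of legitimacy.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the genuine domains of each impersonated brand are known up front.
KNOWN_DOMAINS = {"Example Bank": {"examplebank.ca"}}

GENERIC_GREETING = re.compile(
    r"^\s*(dear|hello|hi)\s+(customer|user|client|member|sir|madam)\b", re.I | re.M)
PERSONAL_INFO = re.compile(r"\b(pin|password|card number|login credentials)\b", re.I)
ASK = re.compile(r"\b(confirm|verify|update|provide|enter)\b", re.I)

# Constructed sample messages (not real mail).
SAMPLE = """From: Example Bank <security@examplebank.ca.account-check.example>
Subject: Action required

Dear Customer,
Please confirm your credit card PIN within 24 hours.
"""
LEGIT = """From: Example Bank <notices@mail.examplebank.ca>
Subject: Statement available

Hello Alex Tremblay,
Your monthly statement is ready in online banking.
"""

def sender_domain_ok(display_name, address):
    """Indicator 6: does the sending domain belong to the brand it claims?"""
    domain = address.rpartition("@")[2].lower()
    for brand, domains in KNOWN_DOMAINS.items():
        if brand.lower() in display_name.lower():
            # Exact match or a true subdomain; a known name used as a prefix fails.
            return any(domain == d or domain.endswith("." + d) for d in domains)
    return True  # no known brand claimed, so nothing to compare against

def phishing_indicators(raw):
    """Return the indicators from the list above that this message triggers."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    found = []
    if GENERIC_GREETING.search(body):                       # indicator 1
        found.append("generic greeting")
    sentences = re.split(r"(?<=[.!?])\s+", body)
    if any(ASK.search(s) and PERSONAL_INFO.search(s) for s in sentences):
        found.append("request for personal information")    # indicator 2
    if not sender_domain_ok(name, addr):                    # indicator 6
        found.append("suspicious domain")
    return found
```
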

Protect yourself

To avoid a phishing bait, be aware of the above indicators where phishing messages commonly give themselves away.

Follow these simple steps

  1. Be aware of new phishing techniques: Follow the media for phishing attack reports, because bad actors are always evolving their techniques to lure victims into a phishing trap.
  2. Don’t give away your details: Always be alert if an electronic message from a seemingly trustworthy entity asks for your credentials or other sensitive details. If necessary, verify the contents of the message with the sender or the organization they seemingly represent (using contact details known to be genuine rather than the details provided in the message).
  3. Think twice before you click: If a suspicious message provides a link or attachment, don’t click or download. Doing so might lead you to a malicious website or infect your device with malware.
  4. Check your online accounts regularly: Even if you don’t suspect that someone is trying to steal your credentials, check your banking and other online accounts for suspicious activity. Just in case…
  5. Use a reliable anti-phishing solution: Apply these techniques and “Enjoy Safer Technology”.
