Skip to content
SupportedSecurityLast updated: July 10, 2026

Phishing emails

Phishing remains one of the most common and effective cybercrime techniques, using fraudulent emails that impersonate trusted organizations to trick recipients into revealing credentials or installing malware, and it continues to be a leading cause of data breaches and financial fraud worldwide.

What we know

Phishing refers to fraudulent messages, most often emails but increasingly text messages and social media messages as well, designed to trick recipients into clicking malicious links, downloading malware, or providing sensitive information such as passwords, banking details, or one-time verification codes. The technique has persisted and grown for decades because it exploits human trust and urgency rather than technical vulnerabilities, making it difficult to eliminate through software alone.

According to the FBI's Internet Crime Complaint Center 2023 report, phishing and spoofing were the most frequently reported cybercrime category, with over 298,000 complaints in the United States that year alone, though the associated financial losses from business email compromise, a related and often more costly variant, ranked among the highest of any cybercrime category tracked by the agency, exceeding 2.9 billion dollars in reported losses in 2023. Verizon's annual Data Breach Investigations Report has consistently found that phishing is involved in a large share of confirmed data breaches analyzed each year, frequently serving as the initial access point that leads to larger network intrusions or ransomware deployment.

Modern phishing campaigns have grown more sophisticated, often impersonating specific trusted organizations such as banks, delivery companies, government tax agencies, or even a target's own employer or colleagues, a more targeted variant known as spear phishing. Attackers frequently create urgency, such as warning of a suspended account, an unpaid invoice, or a security alert requiring immediate action, to short-circuit careful evaluation of the message's legitimacy. Techniques such as spoofed sender addresses, lookalike domains that closely resemble a legitimate company's actual web address, and cloned website login pages designed to capture entered credentials are common components of a phishing attack.

The rise of generative artificial intelligence has lowered the barrier to crafting convincing phishing content, enabling attackers with limited English proficiency or writing skill to generate grammatically correct, contextually appropriate messages, and security researchers including those at Google's Threat Analysis Group and Microsoft's threat intelligence teams have documented AI-assisted phishing campaigns increasing in both volume and sophistication since around 2023.

Defense against phishing combines technical and behavioral measures. Email filtering systems using domain authentication protocols such as SPF, DKIM, and DMARC help reduce the volume of spoofed messages reaching inboxes, and organizations including the Cybersecurity and Infrastructure Security Agency (CISA) recommend multi-factor authentication as a critical backstop, since even a successfully stolen password becomes less useful to an attacker without the second authentication factor. User-focused defenses include verifying sender addresses carefully, avoiding clicking links in unsolicited messages, navigating directly to a company's known website rather than following an emailed link, and confirming unusual requests through a separate communication channel before acting.

Because phishing exploits psychological pressure rather than a fixable software flaw, security agencies including CDC, CISA, and the UK's National Cyber Security Centre emphasize that ongoing user education and consistent verification habits remain essential complements to technical filtering, since no email security system catches every fraudulent message before it reaches a recipient's inbox.

Common claims

  • I can spot phishing emails by looking for bad grammarNo longer reliable - AI-generated phishing is increasingly polished
  • Clicking a link can infect my computer even without downloading anythingTrue - drive-by downloads and browser exploits can install malware from malicious pages
  • Multi-factor authentication prevents phishing from workingMostly true - MFA stops credential theft from enabling account takeover in most cases