Supported | Security | Last updated: June 1, 2026

Phishing emails

Phishing emails impersonate banks, tech companies, government agencies, or colleagues to trick recipients into clicking malicious links, entering credentials on fake sites, or downloading malware. They are the leading initial attack vector for most cybercrime.

What we know

Phishing emails are fraudulent messages designed to appear legitimate by imitating known brands, institutions, or individuals. The attacker's goal is typically to steal login credentials through fake login pages, install malware through malicious attachments or links, initiate wire transfers or gift card payments through urgency-based deception, or harvest personal information for identity theft.

Modern phishing attacks have grown highly sophisticated. Spear phishing targets specific individuals using personal information gathered from social media or data breaches. Business Email Compromise (BEC) involves attackers impersonating executives or vendors to redirect payments. QR code phishing ('quishing') embeds malicious URLs in QR codes to bypass email filters. AI tools now allow attackers to craft grammatically perfect, contextually plausible messages at scale, eliminating the obvious errors that once served as warning signs.

The FBI IC3 2024 Annual Report recorded 193,407 phishing and spoofing complaints, the highest of any crime category, though the $70 million in actual losses was lower per incident than for BEC. Protecting against phishing requires multi-factor authentication (so stolen passwords alone are insufficient), security awareness training, email filtering tools, and a policy of verifying unexpected requests through known contact channels rather than phone numbers or links in the message itself. No legitimate organization asks for passwords, full credit card numbers, or gift card codes via email.

Common claims

  • I can spot phishing emails by looking for bad grammar: No longer reliable - AI-generated phishing is increasingly polished
  • Clicking a link can infect my computer even without downloading anything: True - drive-by downloads and browser exploits can install malware from malicious pages
  • Multi-factor authentication prevents phishing from working: Mostly true - MFA stops credential theft from enabling account takeover in most cases