Phishing is when an attacker sends an email (or other electronic message) to a user, in an attempt to trick them into disclosing sensitive information.

Because sending large volumes of email is relatively cheap, an attacker can bulk-mail a list of potential victims in a phishing attack. Only a small number of recipients need to fall for the scam for it to be successful.

A typical phishing attack spoofs the “From” address so the message appears to come from a trusted third party. It is styled to look like a legitimate communication from that entity, requesting some action from the user (confirming their credentials, for instance) via an embedded link. When the victim clicks the link, it takes them to a malicious clone of the trusted website, which harvests their login credentials or other sensitive data. Often the URL is deliberately obfuscated, using subdomains or JavaScript trickery, to further hide the fact that the site is malicious.

Email service providers and browser vendors put a lot of effort into protecting their users from phishing attacks. Email services will automatically delete malicious emails when they are detected, and browsers will warn users when they are about to visit a malicious site. For this reason, phishers often use open redirects to bounce traffic from trusted sites to their intended, malicious destination. This allows them to circumvent any protections put in place by an email service provider.
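The open-redirect problem described above is, from the defender's side, an input-validation bug: a site takes a `next` (or `url`, `return_to`) parameter and issues a redirect to it without checking where it points. The following added example, which is not part of the original article, shows the vulnerable pattern beside a hardened check. The hostname `accounts.example.com` and the parameter name are constructed for the illustration; the check resolves the candidate against the site's own origin and only accepts it when the final hostname matches exactly, which defeats the common bypasses (protocol-relative `//evil.example`, `user@host` authority tricks, look-alike subdomains such as `accounts.example.com.evil.example`, backslash variants, and scheme-only forms such as `https:/evil.example` that browsers still follow).

```python
from urllib.parse import urlparse, urljoin

# Constructed value: the hostname this application is served from.
TRUSTED_HOST = "accounts.example.com"


def vulnerable_redirect_target(next_param: str) -> str:
    """Classic open redirect: the 'next' parameter is used verbatim as the
    Location header of a 302 response, so any URL is accepted."""
    return next_param


def is_safe_redirect(next_param: str, trusted_host: str = TRUSTED_HOST) -> bool:
    """Return True only when the redirect stays on our own HTTPS origin.

    Rejects: empty values and control characters (header injection),
    non-http(s) schemes (javascript:, data:), scheme-without-authority forms
    (https:/evil.example, which browsers repair into https://evil.example),
    and anything whose resolved hostname is not exactly trusted_host.
    """
    if not next_param or any(ord(c) < 0x20 for c in next_param):
        return False
    # Browsers treat backslashes like forward slashes in the authority part,
    # so normalise them before parsing to avoid "/\evil.example" bypasses.
    candidate = next_param.replace("\\", "/")
    parsed = urlparse(candidate)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False
    if parsed.scheme and not parsed.netloc:
        # "https:/evil.example" parses as a path here but browsers treat it
        # as an absolute URL; refuse rather than guess.
        return False
    # Resolve relative paths against our origin so "/dashboard" becomes
    # "https://accounts.example.com/dashboard"; absolute URLs are kept as-is.
    resolved = urlparse(urljoin(f"https://{trusted_host}/", candidate))
    return resolved.scheme == "https" and resolved.hostname == trusted_host


def safe_redirect_target(next_param: str, fallback: str = "/") -> str:
    """Hardened variant: redirect only to validated same-origin targets,
    otherwise fall back to a known-safe path."""
    return next_param if is_safe_redirect(next_param) else fallback


if __name__ == "__main__":
    for candidate in ["/dashboard", "//evil.example/", "https:/evil.example",
                      "https://accounts.example.com@evil.example/"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

The check is deliberately strict: it requires HTTPS and an exact hostname match rather than a prefix or substring comparison, because substring checks are exactly what look-alike subdomains and `user@host` forms are built to fool. Where an application genuinely needs to redirect to other sites, an allow-list of full hostnames compared the same way is the safe extension.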

Spear phishing describes phishing attacks aimed at specific individuals or communities; such targeted attacks have become more common in recent years.