

Have you heard of phishing but aren’t sure what it is? Bankrate explains.

What is phishing?

Phishing is a kind of cyberattack in which the attacker tricks the victim into handing over credentials or other sensitive data. Rather than breaking in technically, for example by guessing passwords, phishing uses social engineering: it persuades users to give up their login information themselves. The name is a play on “fishing”, because attackers cast a wide net over many users in the hope of a “bite”. Phishing costs users billions of dollars worldwide and has been used by state-sponsored groups for both economic and political ends.

Deeper definition

Phishing works by lulling victims into a false sense of security. Often, the targeted user has no idea anything is amiss: the message appears to come from a trusted source, such as a colleague or a friend, or from a company like the user’s bank or email provider. Although email is the primary channel, attackers also use phone calls and text messages (often called vishing and smishing) to target people.

In a phishing attack, the attacker creates a website or email that closely resembles the ones users see every day. In some cases, the email carries an innocuous-looking link or attachment that installs malware on the user’s computer, which can record keystrokes or give the attacker remote access to the victim’s data. More often, the message directs users to a login page indistinguishable from the one they take for granted when they use their email, social media accounts, or online bank. Data entered into that page goes directly to the attacker, who can then log in as the victim and steal information.

Those spoofed websites live on fake URLs that resemble the real ones victims are used to. A typical spoof of the real Gmail URL looks almost identical to the genuine address, with only a slight alteration to the name: a swapped, added, or dropped character, a digit in place of a letter, or the real brand name placed as a subdomain of an unrelated domain. Such a link is often hidden behind text such as “Click here” so that the destination is not visible. Phishers also use look-alike or forged sender addresses, and once they control a victim’s account, they may email the victim’s contacts from the victim’s real address, which makes the next round of messages even more convincing.

Virtually all email systems have some form of phishing protection: they verify the sending domain (using sender-authentication standards such as SPF, DKIM, and DMARC), scan links in the body text against lists of known malicious sites, and move suspicious messages to the spam folder. However, no automated protection is perfect, and it only takes one successful attack to severely damage an organization. The practical habit that defeats most phishing is not to follow a login link in a message at all: type the site’s address yourself or use a saved bookmark, and hover over a link to see its real destination before clicking.
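The checks described above, spotting a link whose real destination differs from what it shows and a domain that is one character off from a trusted one, can be automated. The following Python is an added example and not Bankrate’s code or any mail provider’s filter; the trusted-domain list, the homoglyph map, the “last two labels” domain rule and the sample email body are all constructed for illustration.

```python
"""Heuristic checks for look-alike links in an HTML email body.

Added example, not from the original article. The trusted-domain list, the
homoglyph map and the sample email are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's allow-list of registrable domains that login
# links are expected to point at. A real deployment would use a longer list.
TRUSTED_DOMAINS = {"google.com"}

# A few character substitutions phishers use so a fake domain reads like the
# real one at a glance (heuristic, not exhaustive).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample: one legitimate link and three spoofed ones.
SAMPLE_EMAIL_HTML = """
<p>Someone has your password. Change it now:</p>
<a href="https://accounts.google.com/signin">https://accounts.google.com</a>
<a href="http://googie.com/signin">Click here</a>
<a href="https://mail.google.com.example.net/login">https://mail.google.com</a>
<a href="https://g00gle.com/">Sign in</a>
"""


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    Assumption: no multi-label public suffixes such as co.uk; production code
    should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize_host(host: str) -> str:
    """Undo cheap visual tricks: digit-for-letter swaps and rn/vv pairs."""
    return host.lower().replace("rn", "m").replace("vv", "w").translate(_HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 or 2 from a trusted name is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(text: str, href: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the reasons a link looks like a spoof (empty list = looks fine)."""
    host = (urlparse(href).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in trusted:
        return []
    flags = ["untrusted_domain"]
    norm = normalize_host(reg)
    for t in trusted:
        if norm == t:
            flags.append(f"homoglyph_of:{t}")
        elif levenshtein(norm, t) <= 2:
            flags.append(f"lookalike_of:{t}")
        # e.g. mail.google.com.example.net: the brand appears as a subdomain
        # of an unrelated registrable domain.
        if f".{t}." in f".{host}.":
            flags.append(f"brand_in_subdomain:{t}")
    # Displayed text that is itself a URL pointing somewhere other than the href.
    shown = urlparse(text.strip()).hostname
    if shown and shown.lower() != host:
        flags.append("text_host_mismatch")
    return flags


class _LinkExtractor(HTMLParser):
    """Collect (display_text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html: str) -> list:
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def scan_email(html: str) -> list:
    """Return (text, href, flags) for every link that trips a heuristic."""
    findings = []
    for text, href in extract_links(html):
        flags = assess_link(text, href)
        if flags:
            findings.append((text, href, flags))
    return findings


if __name__ == "__main__":
    for text, href, flags in scan_email(SAMPLE_EMAIL_HTML):
        print(f"{text!r:32} -> {href}\n    {', '.join(flags)}")
```

Run against the constructed sample, the legitimate accounts.google.com link passes and the other three are flagged: googie.com as a one-character look-alike, g00gle.com as a homoglyph, and mail.google.com.example.net both for hiding the brand in a subdomain and for showing a URL in its link text that does not match the real destination. Two limits worth knowing: the last-two-labels rule mis-handles suffixes like co.uk, and internationalized domain names (which start with xn-- in their ASCII form) can use characters from other alphabets that this small homoglyph map does not cover.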

Did your bank account get compromised by hackers? Take your money out and put it into a new one. Bankrate can help you find a more secure account.

Phishing example

One of the most prominent recent phishing attacks targeted the 2016 presidential campaign of Hillary Clinton. Her campaign chairman, John Podesta, who had served as President Bill Clinton’s chief of staff, received an email seemingly from Google warning that his Gmail account had been compromised and that he needed to change his password. It wasn’t true; the hackers had sent the email themselves, and its link led to a fake password-reset page rather than to Google. Still, his existing login information was entered on that page and went to the hackers, who then released roughly 20,000 of Podesta’s personal emails through WikiLeaks; the ensuing fallout was widely seen as a factor in Clinton’s loss in the general election. The phishing attempt was convincing enough that a campaign IT staffer told Podesta’s office it was “a legitimate email” (the staffer later said he had meant to write “illegitimate”). The lesson is the one above: a password-reset warning should be acted on by going to the service directly, never through the link in the message.
