Phishing is one of the curses of the internet age. If you’ve ever received an email which outwardly seems legitimate, only to find that it seeks to take you to a completely irrelevant web page, you’ve been phished. And if you’ve been prompted by an email to download an attachment that you didn’t ask for, there’s a good chance that phishing is to blame.

These days, if you fall victim to the various types of phishing, the results can be devastating, both financially and psychologically. So it makes sense to find out what is a phishing email, and how to avoid becoming prey to the online world’s most devious predators.

Where does phishing come from?

The word phishing is a relatively recent creation. In the 1980s and 90s, a vibrant hacking scene developed around something called “phreaking”, which often involved breaking into the communications systems of government departments of companies.

When email took hold and the World Wide Web developed, a group of phreakers started to exploit the potential of email to reach a huge audience of potential victims. They quickly realized that by sending misleading emails, they could persuade ordinary internet users to give away valuable information.

Because their emails were a hit and miss affair, someone in the scene christened the practice “phishing” – a mixture of phreaking and fishing, and the name stuck.

What is phishing all about?

If you’re wondering how does phishing work, you might be surprised by how simple the practice actually is. This isn’t a form of hacking which relies on cutting edge coding skills or specialist equipment. In fact, a successful phishing email resembles a magic trick more than a sophisticated hack.

All types of phishing have key similarities. Most importantly, phishing email examples will be persuasive. Their central aim is to convince the recipient that the sender is a legitimate individual or organization and that their words should be taken seriously.

That’s why you’ll often receive phishing emails from respected companies like Amazon or the Inland Revenue department. People are more likely to open emails from organizations they trust or respect.

At the same time, there’s a technical side to the question what is a phishing email. Phishers can’t just write a persuasive text. They also work hard to make their emails look as much like the “real thing” as possible, incorporating graphics and layouts which mimic legitimate communications.

And they also have to include a way to harvest information from recipients. This could entail clicking a link to a fake website, downloading an attachment with a Trojan horse, or calling a fake customer service hotline which gives hackers the opportunity to control your computer.

When you bring all of these elements together, it’s easy to see why people need to know what is a phishing email. These attackers tend to be very effective at targeting people who aren’t security-conscious, and they prey on vulnerable internet users.

Become familiar with phishing email examples

If you aren’t sure how to detect phishing emails, checking out some phishing email examples is definitely recommended. There’s no single template for these emails, but there are some categories which appear again and again.

Spear fishing

Spear fishing is a very precise form of phishing, where attackers work hard to include personal details such as the names of colleagues, past purchases, and contact information. By doing so, these emails try to establish a personal connection with the recipient. They tend to be associated with social networks like LinkedIn, where users regularly receive unsolicited (but legitimate) emails from recruiters.


Pharming is one of the most devious kinds of phishing attack. In these attacks, phishers actually “poison” the DNS server of a website and redirect users to the site of their choice. So the links in phishing emails can seem totally accurate, but users can still be sent to dangerous sites. This makes it very important to take care when clicking any email links.

Simple deception

The classic answer to the question what is phishing attack, simple phishing emails are just generic appeals to take a particular action. In the past, they may have told stories about long-lost relatives in distant countries, and sudden inheritances. Nowadays, those stories have less power, and other narratives are employed. So always be sceptical about people contacting you out of the blue.


Whaling is a specific form of phishing which plays on the way businesses are structured. In these attacks, phishers target people high up in corporate hierarchies, probably hoping that they don’t have the security savvy of those lower down the food chain. So anyone in a position of authority should tighten up their anti-phishing knowledge.

Cloud phishing

With the rise of cloud-based apps like Google Docs and Dropbox, new forms of phishing email have emerged, expanding the answer to the question how does phishing work. In these scams, users of cloud-based services can be directed to completely fake versions of the apps they rely on. So if you use these apps, 2-step verification is advisable.

These are the most common types of phishing, but there are probably hundreds of sub-varieties. In all cases, they try to make their emails seem as persuasive as possible, but very few phishers are totally successful.

Secure email providers to avoid phishing

One basic line of defense against phishing attempts is to use a secure email provider. These providers can help to deploy basic spam filters to warn you when an email is suspicious and possibly phishing-related.

There are quite a few secure email providers that we’ve tested and that we can recommend. One of our favorites is the Swiss-based ProtonMail, which has rightly gained a reputation for being one of the strongest, most secure email providers available.

Another favorite is FastMail, which is often seen as a veteran in the email industry. Their spam filter is world-class, and they have pretty good options for even free users, with a starting allowance of 2 GB storage.

Economic impact of phishing

Despite this, phishing remains a huge drain on the digital economy. According to the FBI, scams targeting corporate officers (also known as business email compromise phishing) alone have cost $4.5 billion. Forbes reports that phishing in general costs the US economy $500 million every year, while the average US company has to spend $3.7 million per year guarding against phishers.

Given figures like that, it’s no wonder that security experts are so keen to explain what is a phishing email, and how to counteract the various types of phishing.

Nevertheless, individuals remain extremely vulnerable. And that’s not surprising, because phishers continue to innovate.

For instance, clone phishing is becoming ever more sophisticated. In these attacks, phishers monitor a person’s emails and uses their research to create an accurate copy of an email received by the user. When the copy enters their inbox, users can easily be deceived into clicking on it.

And phishing isn’t limited to emails alone. Criminals are happy to combine phone phishing with the phishing email examples we talked about earlier. By posing as IT experts from companies like Microsoft on the phone, and sending emails from the same company, they can create a powerful illusion – at least for certain internet users.

Take action to counteract the threat of phishing

There’s no reason to be caught out by phishers any more. So stop asking yourself how does phishing work, and start changing your behavior to detect the specific strategies that cyber-criminals use.

Anyone has the skills to decide what is phishing attack and what isn’t, but you need to take care. And don’t be afraid to bring in specialist security solutions like VPNs, which can screen email accounts against illicit emails.