LAST SCAN: May 5, 2026
247plan_net

Phishing

A social-engineering attack where a fake login page, email, or message tricks the victim into entering credentials that the attacker captures.

Why it matters

Phishing is the most common entry point for account takeovers and ransomware. Modern phishing pages are pixel-perfect copies of real bank, email, and crypto exchange logins. The fastest defense is a password manager that auto-fills only on the real domain: if the URL is fake, the password manager will not auto-fill, and you'll notice.

The second-fastest defense is a hardware security key (YubiKey) for high-value accounts: even if you fall for the phishing page, the key must be physically present and only responds to the real domain.

Best practices

Treat any unexpected message asking you to log in as suspect. Type the URL yourself or use a bookmark instead of clicking the link. Enable two-factor authentication (preferably a hardware key, then app-based, then SMS as a last resort) on every account that supports it.

Report phishing emails to reportphishing@apwg.org and to the impersonated brand. Most phishing sites are taken down within hours of being reported.

Frequently asked

How do I tell if a login page is phishing?

Check the URL bar. The domain should match exactly: paypal.com not paypa1.com or paypal-secure.com. Look for the lock icon (HTTPS) but don't trust it alone — phishing sites use HTTPS too. The single most reliable signal is your password manager: if it does not auto-fill, the page is not the real one.
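
The exact-match rule above, as an added example that is not part of the original page: a simplified model of the hostname comparison a password manager makes before auto-filling, which also labels the paypa1.com and paypal-secure.com style of lookalike. SAVED_DOMAINS, classifyLoginUrl, editDistance and all test URLs are assumptions made for illustration.

```javascript
// Added example; SAVED_DOMAINS and every URL used with it are constructed.
const SAVED_DOMAINS = ["paypal.com"];

// Levenshtein edit distance, used to catch one-character swaps.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = row;
  }
  return prev[b.length];
}

// Returns "autofill", "lookalike" or "no-match" for a login page URL.
function classifyLoginUrl(rawUrl, saved = SAVED_DOMAINS) {
  let host;
  try {
    // Parse first: in https://paypal.com@evil.example/ the host is evil.example.
    host = new URL(rawUrl).hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return "no-match";
  }
  const labels = host.split(".");
  let verdict = "no-match";
  for (const domain of saved) {
    // Exact domain or a true subdomain of it: the only case that fills.
    if (host === domain || host.endsWith("." + domain)) return "autofill";
    // Simplification: treat the first label of the saved domain as the brand.
    const brand = domain.split(".")[0];
    const embeds = labels.some((l) => l.includes(brand)); // paypal-secure.com
    const nearMiss = labels.some((l) => editDistance(l, brand) === 1); // paypa1.com
    if (embeds || nearMiss) verdict = "lookalike";
  }
  return verdict;
}
```

Both "lookalike" and "no-match" mean the saved password stays put; the lookalike label only adds a reason to report the page.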