Phishing is a cyber-attack that uses disguised email as a weapon. The goal is to trick the email recipient into believing that the message is something they want or need. For example: a request from their bank, an email from their boss asking for a wire transfer or gift card purchase, or a note from someone in their company. Often, the email comes with an attachment or an embedded link. When the user downloads the attachment or clicks on the link, the attacker can install malicious software or capture usernames and passwords to online accounts.
What really distinguishes phishing is the form the message takes: the attackers masquerade as a trusted entity of some kind, often a real or plausibly real person, or a company the victim might do business with. It's one of the oldest types of cyber-attacks, dating back to the 1990s, and it's still one of the most widespread types of attack. Phishing messages and techniques are becoming increasingly sophisticated and continually evolve.
"Phish" is pronounced just like it's spelled, which is to say like the word "fish" — the analogy is of an angler throwing a baited hook into the water (the phishing email) and hoping you bite. The term dates back to the mid-1990s among hackers aiming to trick AOL users into giving up their login information. The "ph" is part of a tradition of whimsical hacker spelling, and was probably influenced by the term "phreaking," short for "phone phreaking," an early form of hacking that involved playing sound tones into telephone handsets to get free phone calls.
It is estimated that nearly a third of all system/password compromises involve some type of phishing attack, according to the 2019 Verizon Data Breach Investigations Report. For cyber-espionage attacks, that number jumps to 78%.