
Phishing attacks

The Internet is a network of computers filled with valuable data, so there are many security mechanisms in place to protect that data.
But there is always a weakest link: the human. If a user freely hands over their personal data or access to their computer, there is little those security mechanisms can do to protect them.
A phishing attack is an attempt to trick a user into divulging private information, such as passwords or card numbers.
A phisher puts out some tempting bait (a persuasive email or website). If the user bites, the phisher reels in some tasty private information.

An example attack

A phishing attack typically starts with an email that claims to be from a legitimate website, such as a bank or an online store:
An email that claims to be from PayPal
The goal of the email is to obtain private data from the user, so it either asks the recipient to reply with personal information or it links to a website that looks remarkably like the real site:
A website that claims to be a PayPal login screen
If the user is convinced and enters private details on that site, the data is now in the hands of the attacker. Login details let the attacker sign in to the real website as the user; credit card details let them make purchases anywhere the card is accepted.

Signs of a phishing attack

Fortunately, there are some tell-tale signs of phishing scams.

Suspicious email address

Phishing emails often come from addresses at domains that don't belong to the legitimate company.
Email looks like it's from PayPal but is actually from mailbox.com.
However, a legitimate-looking sender address is no guarantee that an email is safe. The "From" address is just a header the sender fills in, so attackers can forge it (mail providers use sender-authentication checks such as SPF, DKIM and DMARC to catch this, but not every domain deploys them), or they may have broken into the real mailbox and be sending from it directly.

Suspicious URL

Phishing emails will often link to a website with a URL that looks legitimate but is actually a website controlled by the attacker.
URL has "paypal" in it, but isn't PayPal's actual domain.
Attackers use a variety of strategies to make convincing URLs:
  • Misspellings of the original URL or company name. For example, "goggle.com" instead of "google.com".
  • A spelling that uses similar-looking characters from other alphabets. For example, "wikipediа.org" versus "wikipedia.org". The "a" in the first is actually a Cyrillic letter, not the Latin one, so the two domains are different even though they look identical on screen.
  • Subdomains that look like the domain name. For example, "paypal.accounts.com" instead of "accounts.paypal.com". PayPal owns the second; the first belongs to whoever registered accounts.com, since the owner of a domain controls all of its subdomains.
  • A different top-level domain (TLD). For example, "paypal.io" versus "paypal.com". Popular companies try to register their name under the most common TLDs, such as ".net", ".com" and ".org", but there are well over a thousand TLDs out there.
Even if an attacker hasn't found a similar-looking URL to host their malicious webpage, they can still disguise the URL in the HTML.
Consider this very legitimate-looking text:
Visit www.paypal.com to change your password.
On the original page that text is a link, and clicking it does not take you to PayPal. That's because the text of a link isn't the same as the destination of the link.
Here's what the HTML looks like:
Visit <a href="https://www.khanacademy.org/computer-programming/this-isnt-the-right-page/5778954880073728">www.paypal.com</a> to change your password.
An attacker can disguise links the same way in an email message or a webpage. Before clicking a dubious link, hover over it (or long-press it on a phone) to reveal the real destination, and after clicking, check the URL in the browser's address bar to see where you actually landed.
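All of the URL tricks listed above, and the disguised-link trick just shown, can be checked mechanically. The script below is an added example written for this article, not code from Khan Academy or from any mail product; it assumes a hypothetical allow-list PROTECTED of brand names and their real domains and a small, deliberately incomplete table CONFUSABLES of Cyrillic letters that look like Latin ones, and uses only the Python standard library. It flags misspellings, mixed-script (homoglyph) host names and their punycode form, brand names that appear only as a subdomain, brand names under a different TLD, and links whose visible text names one site while the href goes to another.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: brand keyword -> registrable domain of the real site.
# A real filter would carry the organisation's own list.
PROTECTED = {"paypal": "paypal.com", "google": "google.com", "wikipedia": "wikipedia.org"}

# A few Cyrillic letters that render like Latin ones (Unicode's confusables
# table has many more); enough for the article's "wikipediа.org" example.
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y", "і": "i"})


def registrable_domain(host):
    """Last two labels (khanacademy.org); real code should use the Public Suffix List for .co.uk etc."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch misspellings like goggle/google."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scripts_in(label):
    """Unicode scripts (LATIN, CYRILLIC, ...) of the letters in one DNS label."""
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in label if ch.isalpha()}


def check_host(host):
    """Return one warning per URL trick from the article that the host name exhibits."""
    host = host.lower()
    warnings = []
    try:
        ascii_host = host.encode("idna").decode("ascii")  # what DNS actually resolves (xn--...)
    except UnicodeError:
        return [f"{host!r} is not a valid host name"]
    for label in host.split("."):
        if len(scripts_in(label)) > 1:
            warnings.append(f"mixed-script label {label!r}: possible homoglyph attack")
    if ascii_host != host:
        warnings.append(f"non-ASCII host name; the browser will resolve {ascii_host}")
    reg = registrable_domain(ascii_host)
    skeleton = registrable_domain(host.translate(CONFUSABLES))
    if skeleton != reg and skeleton in PROTECTED.values():
        warnings.append(f"looks like {skeleton} once look-alike letters are replaced")
    sld = reg.split(".")[0]  # second-level label, e.g. "paypal" in paypal.io
    for brand, real in PROTECTED.items():
        if reg == real:
            continue  # the brand's own domain; any subdomain of it is fine
        if brand in ascii_host and brand not in reg:
            warnings.append(f"'{brand}' is only a subdomain; the site belongs to whoever owns {reg}")
        elif sld == brand:
            warnings.append(f"'{brand}' under a different TLD: {reg} instead of {real}")
        elif 0 < edit_distance(sld, brand) <= 2:
            warnings.append(f"{reg} looks like a misspelling of {real}")
    return warnings


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in a fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_html(html):
    """Host checks on every href, plus the 'text names one site, href goes to another' trick."""
    parser = LinkCollector()
    parser.feed(html)
    warnings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        warnings += [f"{href}: {w}" for w in check_host(host)]
        # If the visible text itself looks like a URL, its domain must match the real target.
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if ("." in shown and " " not in text and shown.rsplit(".", 1)[-1].isalpha()
                and registrable_domain(shown) != registrable_domain(host)):
            warnings.append(f"link text shows {shown} but the href goes to {host}")
    return warnings


if __name__ == "__main__":
    # Constructed sample input: the article's own disguised link, plus the hosts from its list.
    print(check_html('Visit <a href="https://www.khanacademy.org/computer-programming/'
                     'this-isnt-the-right-page/5778954880073728">www.paypal.com</a> to change your password.'))
    for h in ["goggle.com", "wikipediа.org", "paypal.accounts.com", "paypal.io", "accounts.paypal.com"]:
        print(h, check_host(h))
```

The registrable-domain helper keeps only the last two labels, which is wrong for suffixes such as .co.uk; a production filter would consult the Public Suffix List instead. Browsers apply the same kind of mixed-script reasoning when deciding whether to display a Unicode host name or its xn-- form in the address bar, which is why the Cyrillic "wikipediа.org" is often shown as punycode.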

Non-secured HTTP connections

Any website that asks you for sensitive information should be using HTTPS, so that the data is encrypted while it travels over the Internet.
Phishing websites don't always go to the extra effort of using HTTPS.
URL isn't secured over HTTPS, so browser displays "Not secure".
However, more than two-thirds of phishing websites already used HTTPS in 2019, according to one industry report. 1 Certificates for any domain an attacker owns are cheap or free, so the padlock only tells you that the connection to that domain is encrypted, not that the domain belongs to the company it imitates.

Requests for sensitive information

Phishing emails will often ask you to either reply with personal information or fill out a form on a website. Legitimate companies rarely need you to re-verify personal information after the original account creation, and they never ask you to send a password, full card number or one-time code by email.

Urgency and scare tactics

Phishing emails use psychological manipulation to lower our guard and get us to respond quickly without thinking through the consequences.

Handling a phishing attack

Phishing scams vary in sophistication: some emails are obviously fake, while others can be incredibly convincing.
If you ever suspect an email is a phishing attack, do not click on any links or download any attached files.
Find another way to contact the supposed sender to see if the email is legitimate, and don't use the phone number or links in the suspicious email itself, since the attacker chose those. If the email is from a company, look up their phone number or website yourself. If it's from a friend or colleague, message them or give them a call.

Spear phishing

There's a more targeted, and more dangerous, form of phishing: spear phishing. Instead of sending the same email to many users, a spear phisher researches a specific user and crafts an email just for them.
Spear phishing attacks often target people within an organization, with the goal of gaining access to the organization's data.
One of my colleagues received this spear phishing email that claimed to be from Sal Khan himself:
Fortunately, the sender's email address made it obvious that it was a spear phishing attempt.
But not all spear phishing attempts are so obvious, and not all targets are so vigilant. If just one person in an organization reveals their credentials or downloads malware onto their work computer, an attacker can potentially breach the entire company database. That's not just one person's data, that's thousands or millions of people's data. 😬
🔍 Can you spot a phishing scam? Test your skills with this Phishing Quiz from Google.

Want to join the conversation?

  • Khoa Nguyen
    At the bottom of the article it says

    "🔍 Can you spot a phishing scam? Test your skills with this Phishing Quiz from Google."

    the link takes me to


    Is this a trick question? Does google actually own "withgoogle.com"?
    (31 votes)
  • Vikram Javali
    I must be blind because I cannot see a difference. Please help.
    In parentheses

    (A spelling that uses similar looking characters from other alphabets. For example, "wikipediа.org" versus "wikipedia.org". The "e" and the "a" are actually different characters in those two domains.)
    (14 votes)
    • KLaudano
      In the first "wikipedia.org", all the letters, except the "a" are Latin small letters. The "a" is a Cyrillic small letter. You can't really tell this just by looking at the characters (which is why it is so hard to catch).
      (18 votes)
  • Grace
    Why do phishing attacks start with emails and not texts? Is it easier to get emails than phone numbers?
    (3 votes)
  • EnochiMushawoom
    the website is definitely not a scam
    (5 votes)
  • Cluttered Mind
    Do some websites/companies take measures against phishing attacks?

    There used to be a scam call claiming to be from the IRS, but people knew it was fake because the IRS doesn't make calls. What are some other ways to prevent phishing?
    (3 votes)
    • bmunoz127025
      There is almost nothing a website/company can do to prevent a phishing attack. A professional attacker will design their own login pages that look similar to those of the actual website. When you enter your information, that information will be sent to two places, the actual website and the man in the middle (the attacker). You will then be redirected to the actual website and you won't be able to know if you were phished until the hacker has gained access to your account.

      To prevent a phishing attack I recommend that if you receive an email from Instagram, FaceBook, or any other website go to the actual website and check. Do not click on any link or enter your information directly from the email unless you are 100% sure that the email sent is not a phishing attack.
      (2 votes)
  • o———|:::::::::::::::::::::::::::>
    How did you make the fake link? It says it is PayPal but it didn't bring me there. 🤔
    (3 votes)
    • ZennF
      You can make something called an "anchor tag" in code which makes text blue and gives it a link; however, you can make the text itself say anything you want.
      So you could have some text that says "accounts.google.com/login" but the link in the anchor tag will actually bring you to "info-snatcher.net" which could be a website that looks identical to the google account login.
      (4 votes)
  • Ria the Wizard
    When I went to the Phishing Quiz from Google, it said that I could put in a fake email and username if I wanted to, and while it let me do a fake username, it wouldn't take me to the quiz until I put in a real email. Should I be worried about that?
    (3 votes)
  • colton.horrell
    Why should children be worried about this?
    (3 votes)
    • nadinepatchin
      Well, if we don't learn as kids we might never learn what not to fall for. It's safer to watch out than it is to not care about your health and safety. You should learn more about it so people can't phish you out of your safety with your passwords. Even if you told someone you trust your password, you don't know if they would betray you at any cost. It's better being safe than sorry.
      (3 votes)
  • dylbre7038
    How do we know if a website is a scam?
    (3 votes)
    • MUYOUMUDENG
      Determining if a website is a scam requires careful evaluation and consideration of several factors. Here are some steps you can take to assess the legitimacy of a website:

      Check the URL: Look at the website's URL (web address) carefully. Scam websites may use misspelled or slightly altered versions of well-known domains to deceive users. Ensure that the domain name matches the legitimate website you intend to visit.

      Look for Secure Connections: Legitimate websites typically use HTTPS encryption to protect users' personal information. Check for a padlock symbol or "https://" in the website's URL, especially on pages where you are required to enter sensitive information such as passwords or credit card details.

      Review Website Design and Content: Scam websites may have poor design, low-quality graphics, or grammatical errors in their content. Look for inconsistencies or signs of unprofessionalism that could indicate a fraudulent website.

      Check Contact Information: Legitimate websites usually provide clear contact information, including a physical address, phone number, and email address. Verify this information and be cautious if the website only offers a contact form or lacks any contact details.

      Research the Company or Organization: Search for reviews, testimonials, or references about the website or the company behind it. Look for feedback from other users or online forums that can provide insights into the website's reputation and credibility.

      Beware of Unrealistic Offers or Promotions: Be skeptical of websites that offer extremely low prices, unrealistic discounts, or promises of easy money. If an offer seems too good to be true, it likely is.

      Check for Trust Seals and Certifications: Legitimate websites may display trust seals or certifications from reputable organizations, such as Norton Secured, McAfee Secure, or the Better Business Bureau. Click on these seals to verify their authenticity.

      Be Wary of Phishing Attempts: Scam websites may use phishing techniques to trick users into providing personal information or login credentials. Avoid clicking on suspicious links or pop-up ads, and never provide sensitive information unless you are certain of the website's legitimacy.

      Use Antivirus and Security Software: Install antivirus software and browser extensions that can help detect and block malicious websites or phishing attempts.

      Trust Your Instincts: If something feels off or too good to be true, trust your instincts and proceed with caution. It's better to err on the side of caution and avoid potential scams.
      (3 votes)
  • chandler.ellis
    Why is this something for people to worry about at a young age?
    (1 vote)
    • William Wang
      If you can understand what to avoid early on, you'll be more aware and can prevent being a victim of phishing or other online attacks in the future.

      For instance, if you learn how to identify a secure website early on, you can avoid accidentally providing information on a site that isn't secure or unsafe.
      (2 votes)