If you're seeing this message, it means we're having trouble loading external resources on our website.

If you're behind a web filter, please make sure that the domains *.kastatic.org and *.kasandbox.org are unblocked.

Main content

Phishing attacks

AP.CSP:
IOC‑2.C (LO)
,
IOC‑2.C.1 (EK)
,
IOC‑2.C.5 (EK)
,
IOC‑2.C.6 (EK)
The Internet is a network of computers filled with valuable data, so there are many security mechanisms in place to protect that data.
But there's a weakest link: the human. If the user freely gives away their personal data or access to their computer, it's much harder for security mechanisms to protect their data and devices.
A phishing attack is an attempt to trick a user into divulging their private information.
Illustration of a phishing attack. An attacker has a fishing line with a hook through a web browser. The web browser has a password field with "UsersR3alP@ssword" filled in.
A phisher puts out some tempting bait, a persuasive website. If the user bites, then the phisher can reel in some tasty private information.

An example attack

A phishing attack typically starts with an email that claims to be from a legitimate website, like a banking website or online store:
Screenshot of a phishing email. Subject line says "Your PayPal Access Blocked !". Email is from "PayPal paypalaccounts@mailbox.com". Email body has heading "Your PayPal Account is Limited, Solve in 24 Hours!" and body "Dear PayPal Customer, We're sorry to say you cannot access all the paypal account features like payment and money transfer. Click here to fix your account now. Why is it blocked? Because we think your account is in danger of theft and unauthorized uses. How can I fix the problem? Confirm all your details on our server. Just click below and follow all of the steps. Confirm Account Details Now." There are two hyperlinked parts of the text.
An email that claims to be from PayPal
The goal of the email is to obtain private data from the user, so it either asks the recipient to reply with personal information or it links to a website that looks remarkably like the original site:
Screenshot of a phishing website. Web browser shows web page title "Log in to your PayPal account". Address bar shows "paypal--accounts.com". Main area of screen contains login box with PayPal logo: an input field for email or mobile number, a password input field, and a "Log in" button.
A website that claims to be a PayPal login screen
If the user is convinced and enters private details on the site, that data is now in the hands of the attacker! If the user filled in login details, they can then use those credentials to log in to the real website, or if the user provided credit card details, they can use the credit card to make purchases anywhere.

Signs of a phishing attack

Fortunately, there are some tell-tale signs of phishing scams.

Suspicious email address

Phishing emails will often come from addresses at domains that don't belong to the legitimate company.
Screenshot of phishing email, cropped to show just the from line. Email is from "PayPal paypalaccounts@mailbox.com". The email address is highlighted with a circle.
Email looks like it's from PayPal but is actually from mailbox.com.
Conversely, a legitimate email address is not a guarantee that an email is 100% safe. Attackers might have figured out a way to spoof the legitimate email address or hacked their way into control over the actual email.

Suspicious URL

Phishing emails will often link to a website with a URL that looks legitimate but is actually a website controlled by the attacker.
Screenshot of a phishing website, cropped to show just the address bar. Web browser shows web page title "Log in to your PayPal account". Address bar shows "paypal--accounts.com". The address is highlighted with a circle.
URL has "paypal" in it, but isn't PayPal's actual domain.
Attackers use a variety of strategies to make tempting URLs:
  • Misspellings of the original URL or company name. For example, "goggle.com" instead of "google.com".
  • A spelling that uses similar looking characters from other alphabets. For example, "wikipediа.org" versus "wikipedia.org". The "e" and the "a" are actually different characters in those two domains.
  • Subdomains that look like the domain name. For example, "paypal.accounts.com" instead of "accounts.paypal.com". PayPal owns the second domain, but they have no control over the first.
  • A different top level domain (TLD). For example, "paypal.io" versus "paypal.com". Popular companies try to buy their domain with the most common TLDs, such as ".net", ".com", and ".org", but there are hundreds of TLDs out there.
Even if an attacker hasn't found a similar looking URL to host their malicious webpage, they can still try to disguise the URL in the HTML.
Consider this very legitimate looking text:
Visit www.paypal.com to change your password.
Now try clicking the link. You didn't land on PayPal, did you? That's because the text of a link isn't the same as the destination of the link.
Here's what the HTML looks like:
Visit <a href="http://malicious-link.com">www.paypal.com</a> to change your password.
An attacker might disguise links in that way in an email message or a webpage. Whenever you click a dubious link, it's important to check the URL in the browser bar to see where your browser actually landed.

Non-secured HTTP connections

Any website that is asking you for sensitive information should be using HTTPS to encrypt the data sent over the Internet.
Phishing websites don't always go through the extra effort to use HTTPS.
Screenshot of a phishing website, cropped to show just the address bar. Web browser shows web page title "Log in to your PayPal account". Address bar shows "Not Secure" and URL "paypal--accounts.com". The "Not Secure" warning is highlighted with a circle.
URL isn't secured over HTTPS, so browser displays "Not secure".
However, according to a report, more than two-thirds of all phishing websites used HTTPS in 2019, so a secured URL does not necessarily equate to a legitimate URL. start superscript, 1, end superscript

Requests for sensitive information

Phishing emails will often ask you to either reply with personal information or fill out a form on a website. Most legitimate companies do not need you to verify personal information after the original account creation.
Screenshot of a phishing website, cropped to show just the login form. Login form has PayPal logo: an input field for email or mobile number, a password input field, and a "Log in" button. The email and password fields are highlighted with circles.

Urgency and scare tactics

Phishing emails use psychological manipulation to lower our guard and get us to respond quickly without thinking through the consequences.
Screenshot of phishing email, cropped to show part of the body. Email body has heading "Your PayPal Account is Limited, Solve in 24 Hours!" and body "Dear PayPal Customer, We're sorry to say you cannot access all the paypal account features like payment and money transfer. Click here to fix your account now. Why is it blocked? Because we think your account is in danger of theft and unauthorized uses." The heading and final line are highlighted with circles.

Handling a phishing attack

Every phishing scam will vary in its sophistication, so some emails may be very obviously fake while other emails can be incredibly convincing.
If you ever suspect an email is a phishing attack, do not click on any links or download any attached files.
Find another way to contact the supposed sender to see if the email is legit. If the email's from a company, you can search online for their phone number. If it's from a friend or colleague, you can message them or give them a call.

Spear phishing

There's a new type of phishing that's even more popular and dangerous: spear-phishing. Instead of sending a similar email to many users, a spear phisher will research a user and send an email specifically targeting them.
Spear phishing attacks often target people within a organization, with the goal of gaining access to the organization's data.
One of my colleagues received this spear phishing email that claimed to be from Sal Khan himself:
Screenshot of an email with subject line "Request" and sender "Sal Khan executivee197@gmail.com" with body text "When you get a minute, could you please drop me an email. Best regards, Sal Khan, CEO"
Fortunately, it was obviously a spear phishing email from the sender's email address.
But not all spear phishing attempts are so obvious and not all targets are so vigilant. If just one person in an organization accidentally reveals their credentials or downloads malware onto their work computer, an attacker can potentially breach their entire company database. That's not just one person's data, that's thousands or millions of people's data. 😬
🔍 Can you spot a phishing scam? Test your skills with this Phishing Quiz from Google.

🙋🏽🙋🏻‍♀️🙋🏿‍♂️Do you have any questions about this topic? We'd love to answer—just ask in the questions area below!

Want to join the conversation?

  • duskpin ultimate style avatar for user Khoa Nguyen
    At the bottom of the article it says

    "🔍 Can you spot a phishing scam? Test your skills with this Phishing Quiz from Google."

    the link takes me to

    "https://phishingquiz.withgoogle.com/"

    Is this a trick question? Does google actually own "withgoogle.com"?
    (12 votes)
    Default Khan Academy avatar avatar for user
  • leafers ultimate style avatar for user Cluttered Mind
    Do some websites/companies take measures against phishing attacks?

    There used to be a scam call claiming to be from the IRS, but people knew it was fake because the IRS doesn't make calls. What are some other ways to prevent phishing?
    (4 votes)
    Default Khan Academy avatar avatar for user
    • aqualine ultimate style avatar for user bmunoz127025
      There is almost nothing a website/company can do to prevent a phishing attack. A professional attacker will design their own login pages that look similar to those of the actual website. When you enter your information that information will be sent to two places, the actual website and the man in the middle (the attacker). You will then be redirected to the actual website and you wont be able to know if you were phished until the hacker has gained access into your account.

      To prevent a phishing attack I recommend that if you receive an email from Instagram, FaceBook, or any other website go to the actual website and check. Do not click on any link or enter your information directly from the email unless you are 100% sure that the email sent is not a phishing attack.
      (1 vote)
  • piceratops ultimate style avatar for user raphael
    that PayPal link was scary 😳🥶
    (2 votes)
    Default Khan Academy avatar avatar for user
  • duskpin seedling style avatar for user Ava Lockwood
    The website asked for my name and phone number, so i didn't do it. Is it legit?
    (1 vote)
    Default Khan Academy avatar avatar for user
    • aqualine ultimate style avatar for user ThunderSon09
      The simple answer is *Probably So.* Because websites nowadays ask for phone numbers to send a verification text message. Unless the website is unsecure, you should be able to enter the information and not likely to get hacked. Have A Good day & Hope this hekped
      (2 votes)
  • leaf red style avatar for user Gamar
    "Subdomains that look like the domain name. For example, "paypal.accounts.com" instead of "accounts.paypal.com". PayPal owns the second domain, but they have no control over the first."

    I have a hard time understanding which of the domains are "first" and "second" in this instance?
    (1 vote)
    Default Khan Academy avatar avatar for user
    • eggleston blue style avatar for user Allison (tAG54)
      Subdomains come before the main domain. In the second instance, 'accounts' is the subdomain and 'paypal' is the domain. The first example, 'accounts' is the main domain (making it not actually owned by PayPal), but 'paypal' is the subdomain, making it look like the legit PayPal website (but don't be fooled!).
      (2 votes)
  • piceratops ultimate style avatar for user Kami_Giyu
    I got a Trojan horse scam once, it was from an anime website I was trying to watch Kimetsu no yaiba (demon slayer) and I'm wondering if threes anyway to avoid it happening again.
    (1 vote)
    Default Khan Academy avatar avatar for user
    • starky ultimate style avatar for user KLaudano
      Avoid untrusted websites, such as those offering "free" games or videos. Do not download files from untrusted websites, and if you do, make sure you scan the files with antivirus software before opening or running them. Enable stricter security features on your browser. Many of the better antivirus software products have some sort of browser protection as well.
      (2 votes)
  • piceratops seedling style avatar for user Cellular blob
    Joe child
    (1 vote)
    Default Khan Academy avatar avatar for user
  • blobby green style avatar for user shekhar.shakti
    are they any gadgets that can help prevent phishing attacks
    (1 vote)
    Default Khan Academy avatar avatar for user
  • aqualine ultimate style avatar for user adam.school
    I failed the phishing email quiz, but I'll be much more careful if this happened to me IRL, actually
    (1 vote)
    Default Khan Academy avatar avatar for user
  • female robot ada style avatar for user TB
    How did u make the fake link? It says it is PayPal but it didn’t bring me there. 🤔
    (1 vote)
    Default Khan Academy avatar avatar for user