Also found in: Dictionary, Thesaurus, Medical, Legal, Financial, Idioms, Wikipedia.


("brand spoofing", "carding", after "fishing") /fishing/ Sending e-mail that claims to be from some well-known organisation, e.g. a bank, to trick the recipient into revealing information for use in identity theft. The user is told to visit a web site where they are asked to enter information such as passwords, credit card details, social security or bank account numbers. The web site usually looks like it belongs to the organisation in question and may silently redirect the user to the real web site after collecting their data.

For example, a scam started in 2003 claimed that the user's eBay account would be suspended unless he updated his credit card information on a given web site.


Pronounced "fishing," phishing is a scam to steal valuable information such as credit card and social security numbers, user IDs and passwords. Also known as "brand spoofing," an official-looking email is sent to potential victims pretending to be from their bank or retail establishment. Emails can be sent to people on any list, expecting that some percentage of recipients will actually have an account with the organization.

Email Is the "Bait"
The email states that due to internal accounting errors or some other pretext, certain information must be updated to continue service. A link in the message directs the user to a Web page that asks for financial information. The page looks genuine, because it is easy to fake a valid website. Any HTML page on the Web can be copied and modified to suit the phishing scheme. Rather than go to a Web page, another option asks the user to call an 800 number and speak with a live person, who makes the scam seem even more genuine.

Anyone Can Phish
A "phishing kit" is a set of software tools that help the novice phisher copy a target website and make mass mailings. The kit may even include lists of email addresses. See pharming, vishing, smishing, twishing and social engineering.

"Spear" Phishing and Longlining
Spear phishing is more targeted and personal because the message supposedly comes from someone in the organization everyone knows, such as the head of human resources. It could also come from a made-up name with an authoritative title such as LAN administrator. If even one employee falls for the scheme and divulges sensitive information, it can be used to gain access to more company resources.

The "longline" variant of spear phishing sends thousands of messages to the same person, expecting that the individual will eventually click a link. The longlining term comes from using a large number of hooks and bait on a long fishing line, and mobile phones are major targets for this approach.

Report a Suspected Scheme
Any suspected phishing scheme can be reported to the Anti-Phishing Working Group at
References in periodicals archive ?
In Q2 2019, Vade's AI engine detected 20,217 unique Microsoft phishing URLs, for an average of more than 222 per day.
NormShield found that potential phishing domains increased by 14% in the first half of 2019 vs.
Commenting that phishing attacks play a part in 90% of all data breaches, she continued: "Phishing is a go-to for attackers, but there's confusion over where it sits in the attack chain.
"Vigilance is key to protecting yourself from phishing," Paz said.
Payment Services and Financial Institution phishing continued to suffer a high number of phishing attacks.
"Current products often rely on legacy systems that use rules to identify phishing emails - a method that is largely ineffective, and is the opposite of Retruster's Deep Learning, tech-forward approach," added Snape.
We will be promoting Cofense's full suite of phishing defense solutions, and jointly help SMBs in the region combat advanced security threats and become cyber-resilient."
The financial sector was hit especially hard: Over 44% of all phishing attacks detected by Kaspersky Lab technologies were aimed at banks, payment systems and online shops.
Over 44 per cent of all phishing attacks detected by Kaspersky Lab technologies were aimed at banks, payment systems and online shops.
In its phishing benchmarking study, KnowBe4 found a radical drop of careless clicking from 27 percent Phish-prone percentage to just 13 percent 90 days after initial training and simulated phishing, and a steeper drop to two percent after 12 months of combined phishing and computer-based training.
As-a-service and pay-as-you go solutions permeate most online service technologies, and phishing is no different - with a range of services increasingly available to attackers.
The combination of Cofenses Triage technology and ADTs managed services skillset brings to market a unique solution focused on thwarting phishing attacks before they cause damage, by moving the detection of such attacks up the kill chain.