
What is phishing?

Phishing is a common way that security is compromised. Learn how to recognize phishing so you can protect against it.

Features are subject to availability. The steps may look different depending on your device.

  • What is phishing?

    Phishing is one of the most prominent online security threats; it is an attempt to trick you into revealing critical personal or financial information, like a password or bank details. Bad actors use phished information to sign in to and hijack your account.

  • Understanding phishing

    Phishing messages typically try to trick you by suggesting some kind of urgency. They may also fake the identity of someone you know or a trusted third party to appear legitimate.

    Imagine you are at work and get a phone call from a stranger claiming to be your neighbor. They tell you there’s a fire in your yard, and ask for your gate code so they can go put it out right away. Like a phishing attempt, the caller claimed to be a trusted party (neighbor), and used an urgent threat (the fire) to solicit sensitive information (your gate code).

  • How phishing works

    There are two main styles of phishing:

    • Visual confusion: Hijackers create genuine-looking fraudulent websites or fake emails to collect your passwords.
    • Social engineering: Someone fakes the identity of someone trusted so their request for information doesn’t seem suspicious. These scammers may pose as representatives from a company you trust, or as a colleague or friend, so you feel safe sharing your details.
  • Prevent a phishing attack

    Phishing messages or emails can look strange, and often have some indicators that they are being sent from a hijacker. Check the following to evaluate if you’re being phished:

    • The sender’s email: Hover over the sender’s name to make sure the email address domain (the information after the @ symbol) is a real and trusted source.
    • Spelling: Messages from phishers will often have spelling errors.
    • Urgency: Messages may contain an urgent request to give sensitive information in exchange for a benefit, such as winning a prize or keeping an account open. The hijacker preys on your emotions to get you to drop your standard protections.
    • Link accuracy: Check the link in an email to confirm that the URL is one you recognize. Google will never link directly to a sign-in page for the account you are currently using.

    Important: To protect your account from bad actors, never forward one-time passwords, verification codes or any other sensitive information over text message or email.

    Learn more about how to verify whether an email, website, or more is safe.

  • How Google protects you

    One of the best ways to protect your account from hijackers is enabling 2-Step Verification, which prevents 99% of mass phishing attacks. When 2-Step Verification is active, if Google detects a suspicious sign-in attempt (like from a new location or device), you’ll need to prove that it’s really you.

    2-Step Verification helps keep out anyone who shouldn’t have access to your account by requiring you to verify your access to a trusted device or security key after you enter your password.

    Targeted attacks on individuals, called ‘spear-phishing’, can be more sophisticated, but are rare. They try to intercept second factors like verification codes in real time. Be aware that you will never be sent to a re-authentication page directly from an email or text message, and you will never be required to share a code over phone or email.

  • Additional tools

    In addition to using 2-Step Verification, other strong ways to protect yourself from phishing are using unique passwords, a password manager and/or a security key.

    Password managers take the guesswork out of creating and remembering strong, unique passwords. They generate passwords for different websites and services, store them, and automatically enter them when you reach a login page. Learn more about how to set up Google’s Password Manager.

    Security keys can be used as a second authentication factor. You can purchase a physical key, or use your phone’s built-in key. Learn more about how to set up a Security Key.

    These tools, along with safe habits, can protect you from bad actors. It’s like keeping your front door secure with a strong lock and not using only one key for many doors.
