
Phishing: definition, examples and how to protect yourself
According to the latest FBI Internet Crime Complaint Center annual report, phishing remains the number one cyber threat worldwide, with more than 300,000 reported incidents per year in the United States alone. In France, the Cybermalveillance.gouv.fr platform confirms the trend: phishing accounts for 38% of assistance requests in 2025, far ahead of ransomware and tech support scams. And the most revealing statistic is this: 91% of successful cyberattacks start with a single phishing email.
This should concern anyone who manages a website, an online store or a WordPress admin panel. Phishing does not only target individuals. It also targets web professionals, site administrators and marketing teams, often through fake hosting provider emails, fraudulent WordPress notifications or bogus security alerts.
This guide covers everything you need to know about phishing: its precise definition, the different types of attacks that exist, how to recognize a phishing email before falling into the trap, concrete examples of phishing attempts, and above all the phishing protection measures you should put in place to secure your accounts, your data and your WordPress site.
How to protect yourself from phishing attacks (7 steps)
1. Learn to spot phishing red flags: check sender address, urgency cues, and suspicious links carefully.
2. Verify URLs before clicking: hover over links to confirm the domain matches the claimed sender.
3. Enable two-factor authentication: activate 2FA on all critical accounts to block stolen credentials.
4. Use a password manager: generate unique passwords per site so one breach stays contained.
5. Keep software and plugins updated: patch WordPress, themes, and plugins to close known vulnerabilities.
6. Configure email authentication: set up SPF, DKIM, and DMARC records to prevent email spoofing.
7. Report and delete phishing attempts: forward suspicious emails to your provider and delete them.
What is phishing? A complete definition
Phishing is an online fraud technique that relies on social engineering. The concept is straightforward: an attacker impersonates a trusted entity (bank, government agency, service provider, web host) to deceive the victim and trick them into revealing sensitive information.
The term "phishing" is a wordplay derived from "fishing." The attacker casts bait (an email, an SMS, a fake website) and waits for the victim to "take the hook." The spelling with "ph" is a nod to the hacker culture of the 1990s, where "phreaking" (phone system hacking) already used this convention.
The objectives of a phishing attack
Cybercriminals who engage in phishing pursue several objectives:
- Stealing login credentials: email passwords, online banking accounts, WordPress admin access, hosting dashboards
- Stealing financial data: credit card numbers, CVV codes, bank account details (routing and account numbers)
- Identity theft: harvesting personal information (name, address, Social Security number) to open accounts or take out loans
- Deploying malware: the phishing email contains an infected attachment or a link to a site that downloads malicious software. To learn more about malware that specifically targets WordPress, see our guide on the most common WordPress malware in 2026
- Direct financial fraud: convincing the victim to make a bank transfer to a fraudulent account
Why phishing works so well
Phishing does not rely on a technical vulnerability. It exploits a human one. Attackers use proven psychological levers:
- Urgency: "Your account will be suspended within 24 hours if you do not confirm your information"
- Fear: "We have detected suspicious activity on your account"
- Curiosity: "You have received a shared document"
- Authority: the message appears to come from a supervisor, a government agency or a well-known vendor
- Greed: "You have won a $500 gift card"
It is this psychological dimension that makes phishing so effective. Even tech-savvy users can fall for it when they are rushed, tired or distracted.
The 8 most common types of phishing attacks
Phishing is not limited to emails. Many variants exist, each tailored to a specific context and target. Here are the 8 most widespread types of attacks.
1. Bulk phishing (mass phishing)
This is the most common and oldest form. The attacker sends the same phishing email to hundreds of thousands of recipients. The message typically imitates a well-known brand (bank, delivery service, streaming platform) and contains a link to a fake website.
The success rate is low (less than 1%), but volume compensates: out of 500,000 emails sent, even 0.1% of victims represents 500 compromised accounts.
2. Spear phishing (targeted phishing)
Unlike bulk phishing, spear phishing targets a specific individual or organization. The attacker conducts prior research on their target (LinkedIn profiles, company website, social media posts) to personalize the message.
A spear phishing email might, for example, mention the name of a real colleague, an ongoing project or a recent company event. This level of personalization makes the attack far more convincing and difficult to detect.
3. Whaling
Whaling is a variant of spear phishing that specifically targets corporate executives: CEOs, CFOs, board members. The messages are extremely polished and often reference strategic topics (mergers and acquisitions, legal disputes, tax audits).
The goal is typically to obtain a large bank transfer or access to confidential company data.
4. Smishing (SMS phishing)
Smishing combines "SMS" and "phishing." The attacker sends a fraudulent text message containing a link to a fake site. The most common scenarios:
- "Your package is awaiting delivery, click here to confirm"
- "Alert from your health insurance: your card is about to expire"
- "Traffic violation: pay your fine online"
Smishing is particularly dangerous because text messages have an open rate of over 95%, compared to 20-30% for emails.
5. Vishing (voice phishing)
Vishing (voice phishing) uses the telephone as an attack vector. The attacker calls the victim while impersonating a bank advisor, a tech support agent or a government official. They use voice manipulation techniques to obtain confidential information or convince the victim to perform compromising actions (installing remote access software, sharing a bank verification code).
6. Clone phishing
Clone phishing is a particularly insidious technique. The attacker intercepts or copies a legitimate email the victim has already received (an invoice, a service notification, a download link) and creates an almost identical copy. The only difference: the link or attachment has been replaced with a malicious version.
This technique is devastating because the victim has already seen the original email and naturally trusts this "second version."
7. Pharming
Pharming does not require any click from the victim. The attacker modifies the DNS settings of a server or infects the hosts file on the target machine to redirect traffic from a legitimate website to a fake one. The user types the correct address in their browser, but lands on a fraudulent site without knowing it.
8. BEC (Business Email Compromise)
BEC, also known as CEO fraud, is the most costly form of phishing. The attacker impersonates a company executive (often by email, sometimes by phone) and asks an employee in the accounting department to make an urgent and confidential wire transfer.
According to the FBI, BEC scams caused more than $2.9 billion in losses in 2023, making it the most costly category of cybercrime.
How to recognize a phishing email: the 7 warning signs
The ability to identify a phishing email before clicking is your first line of defense. Here are the 7 warning signs that should immediately raise your suspicion.
1. The sender's address is suspicious
This is the first reflex to adopt. Before even reading the message content, check the sender's email address. Attackers use addresses that resemble those of well-known brands, but with subtle differences:
- service@paypa1-security.com instead of service@paypal.com (the "l" is replaced by a "1")
- no-reply@ovh-hosting.net instead of @ovh.com
- contact@wordpress-security-alert.com instead of @wordpress.org
Tip: click on the sender's name to display the full email address. On mobile, long-press the name.
2. The message creates a sense of urgency or threat
Phishing emails systematically play on urgency to short-circuit your critical thinking:
- "Action required within 24 hours"
- "Your account will be permanently deleted"
- "Payment declined, update your information immediately"
- "Suspicious activity detected on your WordPress site"
No legitimate company will threaten to delete your account if you do not respond within hours. When in doubt, log in directly to the service in question by typing the URL in your browser, without using the link in the email.
3. Links and buttons point to dubious URLs
Before clicking on a link in an email, hover over it with your mouse (without clicking) to see the destination URL. Warning signs include:
- The URL does not match the sender's official domain
- The URL uses a domain with unusual extensions (.xyz, .info, .click)
- The URL contains suspicious characters or deceptive subdomains like ovh.com.fake-domain.xyz
- The URL is shortened (bit.ly, tinyurl) in a professional context
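Warning signs 1 and 3 are both about the same question: is the domain behind a sender address or a link the one it pretends to be? The following added example (written for this article, not code from the page's author) turns the examples above into a small checker. It assumes a hand-built allow-list of trusted domains, a small table of digit-for-letter substitutions, and a two-label approximation of the registrable domain; all three are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed allow-list: the domains this reader actually has accounts with (an assumption).
TRUSTED_DOMAINS = {"paypal.com", "ovh.com", "wordpress.org", "usps.com", "microsoft.com"}

# Digits commonly substituted for look-alike letters ("paypa1" for "paypal"); a hand-built table.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t"})

# Extensions and shorteners the article calls out as warning signs.
SUSPICIOUS_TLDS = {"xyz", "info", "click", "top"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def registrable_domain(host):
    """Last two labels of a hostname: 'ovh.com.fake-domain.xyz' -> 'fake-domain.xyz'.
    Assumption: two-label registrable names; production code would consult the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def brand_tokens(host):
    """Split a name on dots and hyphens after undoing digit-for-letter swaps."""
    return set(host.translate(HOMOGLYPHS).replace("-", ".").split("."))


def check_domain(host):
    """Return the list of warning signs for a hostname; an empty list means nothing suspicious."""
    host = host.lower().strip().rstrip(".")
    if host in TRUSTED_DOMAINS or any(host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return []  # the real domain, or one of its own subdomains such as mail.paypal.com
    reasons = []
    reg = registrable_domain(host)
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        # Sign 1: the brand name embedded in an unrelated registrable domain (paypa1-security.com)
        if brand in brand_tokens(reg):
            reasons.append(f"looks like {trusted} but the registrable domain is {reg}")
        # Sign 3: the real domain used as a deceptive subdomain (ovh.com.fake-domain.xyz)
        if host.startswith(trusted + "."):
            reasons.append(f"{trusted} is only a subdomain of {reg}")
    tld = reg.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"unusual extension .{tld}")
    if reg in SHORTENERS:
        reasons.append("shortened link hides the real destination")
    return reasons


def check_sender(address):
    """Warning signs for the domain part of an e-mail address."""
    return check_domain(address.rsplit("@", 1)[-1])


def check_url(url):
    """Warning signs for the host of a link; bare hosts without a scheme are accepted too."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return check_domain(host)


if __name__ == "__main__":
    for sample in ["service@paypa1-security.com", "no-reply@ovh-hosting.net", "service@paypal.com"]:
        print(sample, "->", check_sender(sample) or "no warning signs")
    for link in ["https://ovh.com.fake-domain.xyz/login", "https://bit.ly/3abcd", "https://www.ovh.com/manager"]:
        print(link, "->", check_url(link) or "no warning signs")
```

The allow-list is what makes the check useful: a brand name appearing anywhere except in its own registrable domain is the signal, which is exactly how a password manager decides not to auto-fill on a look-alike site.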
4. The message contains syntax or grammar errors
Historically, phishing emails were riddled with spelling mistakes. With the rise of generative AI tools, messages are increasingly polished. However, certain clues persist:
- Awkward phrasing or unusual wording
- Inconsistent tone (mixing formal and informal register)
- Special characters displayed incorrectly (encoding issues)
- Approximate translations that "sound off"
Do not rely solely on this criterion anymore. Attackers now use tools like ChatGPT to produce grammatically flawless emails.
5. The greeting is generic
An email from your bank, your hosting provider or your SaaS vendor should use your name. Be wary if the message starts with:
- "Dear customer"
- "Dear user"
- "Dear Sir or Madam"
- "Dear member"
Companies with which you have an account know your name and use it in their communications.
6. The message requests confidential information
No bank, no web hosting provider, no government agency will ever ask you by email for:
- Your password
- Your PIN or credit card code
- Your full Social Security number
- Your WordPress dashboard login credentials
If an email asks you to "confirm" or "update" this type of information via a link, it is phishing. No exceptions.
7. The attachments are unexpected
Malicious attachments remain a major infection vector. Be particularly vigilant with the following file formats:
- .zip and .rar: archives that can contain any type of malicious file
- .exe, .bat, .cmd: Windows executable files
- .docm, .xlsm: Office documents with macros
- .html: local web pages that redirect to a phishing site
- .pdf: increasingly used to host malicious links
If you were not expecting an attachment from this sender, do not open it. Contact the sender directly through another channel to confirm the transmission.
3 real-world phishing attempts dissected
Theory matters, but nothing beats real-world examples to develop the detection reflex. Here are three phishing scenarios frequently encountered in the wild.
Scenario 1: the fake delivery notification for a pending package
You receive a text message or an email informing you that a package is awaiting delivery. The message asks you to pay "customs fees" or "re-shipping fees" of a few dollars to release the delivery.
The clues that reveal the trap:
- The sender uses an address like noreply@usps-delivery.info instead of @usps.com
- The amount requested is trivial ($1.99 or $2.50) to avoid raising suspicion
- The link leads to a payment form that collects your full credit card information
- Legitimate delivery services never request payment via email or text message for a package in transit
What happens if you take the bait: the attackers capture your banking details and make fraudulent purchases within hours, often in small amounts to delay detection.
Scenario 2: the Microsoft 365 password renewal email
In a professional context, this scenario is extremely widespread. You receive an email that appears to come from Microsoft, informing you that your password is expiring and that you need to renew it via a link.
The clues that reveal the trap:
- The sender's address contains "microsoft" but with an incorrect domain: security@microsoft-365-update.com
- The "Renew my password" link points to a site that perfectly mimics the Microsoft login page, but with a different URL
- Microsoft never asks you to renew a password via an email containing a direct link
- The email does not mention your username or your organization
What happens if you take the bait: the attacker obtains your Microsoft 365 credentials and gains access to your emails, your OneDrive files, your Teams conversations and potentially your entire company's information system.
Scenario 3: the fake security alert from your WordPress hosting provider
This scenario directly targets WordPress site owners and administrators. You receive an email that appears to come from your hosting provider (SiteGround, Bluehost, WP Engine) or from WordPress itself, alerting you to a "critical security vulnerability" detected on your site.
The clues that reveal the trap:
- The email asks you to click a link to "install a security patch" or "verify your installation"
- The link leads to a fake wp-admin login page that captures your credentials
- The message creates extreme urgency: "Your site will be deactivated within 12 hours if you do not act"
- WordPress.org never sends individual security alert emails to site administrators
What happens if you take the bait: the attacker gains administrator access to your WordPress site. They can then inject malicious code, install backdoors, redirect your visitors to fraudulent sites or use your server to send spam. If your site has been compromised, consult our WordPress cleanup guide after hacking and the telltale signs of a hacked WordPress site.
Complete guide: how to set up effective phishing protection
Phishing protection rests on three pillars: technology, training and procedures. Here are the measures to implement based on your profile.
Protection for individuals
Individuals are the most frequent targets of bulk phishing and smishing. Here are the essential measures:
Enable multi-factor authentication (MFA) on all your accounts
MFA (or 2FA, two-factor authentication) is the single most effective security measure against phishing. Even if an attacker obtains your password, they will not be able to access your account without the second factor (SMS code, authenticator app, physical security key).
Prefer authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) over SMS codes, which can be intercepted through SIM swapping attacks.
Use a password manager
A password manager like Bitwarden, 1Password or KeePass has an often overlooked advantage against phishing: it will not auto-fill your credentials on a fake site. If you visit paypa1-security.com instead of paypal.com, the manager does not recognize the domain and does not offer to fill the form. This is an immediate red flag.
Apply the zero-click rule in emails
Adopt this simple habit: never click on a link in an email to access an important service (bank, email, hosting provider). Instead, open your browser and type the site address directly. This practice alone eliminates the majority of email phishing risks.
Keep your software and browser up to date
Modern browsers include phishing site detection mechanisms (Google Safe Browsing, Microsoft SmartScreen). These protections only work correctly if your browser is up to date.
Protection for businesses
Businesses face more sophisticated attacks (spear phishing, BEC, whaling) and must implement proportionate defenses.
Deploy advanced email filtering solutions
Traditional anti-spam filters are no longer sufficient against AI-generated spear phishing emails. Modern solutions like Microsoft Defender for Office 365, Proofpoint or Barracuda analyze links in real time (sandboxing), detect address spoofing (SPF, DKIM, DMARC) and identify abnormal behavior through machine learning.
Configure email authentication protocols
Three protocols are essential to prevent spoofing of your domain name:
- SPF (Sender Policy Framework): declares which servers are authorized to send emails from your domain
- DKIM (DomainKeys Identified Mail): adds a cryptographic signature to your emails to guarantee their integrity
- DMARC (Domain-based Message Authentication, Reporting and Conformance): defines the policy to apply when an email fails SPF or DKIM checks, and where to send reports about those failures
Without these three protocols properly configured, an attacker can send emails that appear to come from your domain to your customers, partners or employees.
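The three records are plain DNS TXT entries, and the common mistake is not their absence but weak settings (an SPF record ending in `~all`, a DMARC policy of `p=none`) that look configured while still letting spoofed mail through. The added example below (written for this article, not the page's own code) audits a set of records offline. The zone data for `example.com`, the mailer hostname and the DKIM selector `mail` are all constructed placeholders; a real audit would fetch the TXT records for your domain and feed them to the same functions.

```python
# Constructed TXT records for a placeholder domain; nothing here is real DNS data.
# WEAK_ZONE is what many domains ship with; HARDENED_ZONE is the target state.
WEAK_ZONE = {
    "example.com": ["v=spf1 include:_spf.example-mailer.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
}
HARDENED_ZONE = {
    "example.com": ["v=spf1 include:_spf.example-mailer.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"],
    "mail._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"],
}

# SPF mechanisms that cost a DNS lookup; RFC 7208 caps a record at 10 of them.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """'v=DMARC1; p=none' -> {'v': 'DMARC1', 'p': 'none'} (DKIM records use the same syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(txts):
    findings = []
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record, so any server may send mail as this domain"]
    if len(spf) > 1:
        findings.append("SPF: more than one record, which receivers treat as a permanent error")
    terms = spf[0].split()[1:]
    # Count lookup-costing mechanisms; strip qualifier (+-~?), argument and CIDR suffix first.
    lookups = sum(1 for term in terms
                  if term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower() in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10, so the record fails to evaluate")
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorizes every server on the internet")
    elif last in ("~all", "?all"):
        findings.append(f"SPF: '{last}' is a soft result; spoofed mail may still be delivered, use '-all'")
    elif last != "-all":
        findings.append("SPF: no terminal 'all' mechanism, so unlisted servers get a neutral result")
    return findings


def audit_dkim(zone, domain, selector):
    txts = zone.get(f"{selector}._domainkey.{domain}", [])
    dkim = [parse_tags(t) for t in txts if t.lower().startswith("v=dkim1")]
    if not dkim:
        return [f"DKIM: no public key published for selector '{selector}', so outgoing mail cannot be verified"]
    if not dkim[0].get("p"):
        return [f"DKIM: selector '{selector}' publishes an empty key, which means it was revoked"]
    return []


def audit_dmarc(zone, domain):
    txts = zone.get(f"_dmarc.{domain}", [])
    dmarc = [parse_tags(t) for t in txts if t.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record, so SPF/DKIM failures carry no consequence"]
    tags, findings = dmarc[0], []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered, move to quarantine then reject")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unknown or missing policy '{policy}'")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


def audit_email_auth(zone, domain, dkim_selector="mail"):
    """Audit a domain's SPF, DKIM and DMARC records; an empty list means all three are sound."""
    return (audit_spf(zone.get(domain, []))
            + audit_dkim(zone, domain, dkim_selector)
            + audit_dmarc(zone, domain))


if __name__ == "__main__":
    for name, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(name, "->", audit_email_auth(zone, "example.com") or "no findings")
```

Move from `p=none` to `p=quarantine` and finally `p=reject` only after the aggregate reports show that every legitimate sender (newsletter tool, CRM, ticketing system) passes SPF or DKIM, otherwise your own mail is the first thing to be blocked.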
Train and test teams regularly
One-time training is not enough. Companies that achieve the best results combine:
- Quarterly awareness sessions with concrete examples
- Regular phishing simulations (sending fake phishing emails to measure click rates)
- A simple reporting process: a "Report as phishing" button integrated directly into the email client
- Individual feedback after each simulation
Establish procedures for sensitive operations
To prevent BEC scams and fraudulent wire transfers:
- Any transfer above a defined threshold must be validated by two people
- Any change to a vendor's bank details must be confirmed by phone at a known number
- Urgent and confidential requests from management must be systematically verified by a direct phone call
WordPress-specific: protecting your site from the consequences of phishing
A WordPress admin account stolen through phishing gives the attacker full access to your site. Here are the specific measures to put in place. For a comprehensive hardening guide, see our WordPress security guide.
Enable two-factor authentication on wp-admin
Enabling 2FA on the WordPress login page is the highest-impact security measure. Plugins like Wordfence, iThemes Security or WP 2FA allow you to implement it in minutes. Even if an attacker obtains your credentials through a phishing email, they will not be able to log in.
Deploy a WAF (Web Application Firewall)
A WAF (Web Application Firewall) acts as a shield between your site and threats. It automatically blocks brute-force login attempts, SQL injection attacks and malicious requests before they reach your server.
Cloud solutions like Cloudflare WAF or Sucuri provide effective protection with minimal impact on your site's performance.
Limit login attempts
Configure a login attempt limit (for example, 5 attempts before a temporary 30-minute lockout). This measure prevents attackers from mass-testing stolen credentials on your wp-login.php page.
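The "5 attempts, then a 30-minute lockout" rule is a small piece of state per client: recent failure timestamps plus a lockout expiry. The added example below (written for this article, not code from any of the plugins named on the page) implements it as a standalone class with injectable timestamps so the behaviour can be reasoned about without waiting 30 minutes. The key to throttle on is the caller's choice; the IP address `203.0.113.5` in the usage is a constructed sample from a documentation range.

```python
import time
from collections import defaultdict, deque


class LoginLimiter:
    """Per-key failed-login limiter: `max_attempts` failures within `window` seconds
    lock the key out for `lockout` seconds. A key is whatever you throttle on
    (client IP, username, or both); an in-memory store is an assumption of this demo."""

    def __init__(self, max_attempts=5, window=900, lockout=1800):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lockout expires

    def _prune(self, key, now):
        """Drop failures older than the window so stale attempts do not count."""
        window_start = now - self.window
        recent = self.failures[key]
        while recent and recent[0] < window_start:
            recent.popleft()

    def is_locked(self, key, now=None):
        """True while the key is locked out; an expired lockout is cleared on the way."""
        now = time.time() if now is None else now
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[key]
            self.failures.pop(key, None)    # start the next window with a clean slate
            return False
        return True

    def seconds_remaining(self, key, now=None):
        """How long the caller must wait; 0 when not locked."""
        now = time.time() if now is None else now
        return max(0, int(self.locked_until.get(key, now) - now)) if self.is_locked(key, now) else 0

    def record_failure(self, key, now=None):
        """Register a failed attempt. Returns True if this failure triggered a lockout."""
        now = time.time() if now is None else now
        if self.is_locked(key, now):
            return False                    # already locked; nothing more to do
        self._prune(key, now)
        self.failures[key].append(now)
        if len(self.failures[key]) >= self.max_attempts:
            self.locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        """A successful login clears the failure history for that key."""
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


if __name__ == "__main__":
    limiter = LoginLimiter()
    client = "203.0.113.5"                  # constructed sample address
    t0 = time.time()
    for attempt in range(5):
        print("attempt", attempt + 1, "locked:", limiter.record_failure(client, t0 + attempt))
    print("wait", limiter.seconds_remaining(client, t0 + 5), "seconds")
```

Check `is_locked()` before even verifying the password, and return the same generic error for locked, wrong-password and unknown-user cases so the response does not tell a caller which usernames exist.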
Apply the principle of least privilege
Each user on your WordPress site should only have the permissions strictly necessary for their role:
- Editors do not need to be administrators
- Contributors do not need the ability to publish directly
- Remove inactive or unused accounts
- Regularly review the user list in the dashboard
Monitor file integrity
A security plugin like Wordfence or Sucuri Security can monitor file changes on your WordPress installation. If an attacker manages to access your site through stolen credentials, any file modification will be detected and flagged. To learn more about commonly targeted files, see our article on infected WordPress files.
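File integrity monitoring comes down to a baseline of hashes taken while the site is known-clean and a later comparison that reports added, removed and modified files. The added example below (written for this article, not code from Wordfence or Sucuri) shows the core of that logic and runs it against a miniature WordPress-like tree built in a temporary directory; the file contents, the "injected" lines and the skipped cache and uploads folders are all constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not land in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root, skip_dirs=("wp-content/cache", "wp-content/uploads")):
    """Map every file under `root` (relative POSIX path) to its SHA-256.
    Cache and upload directories change legitimately, so they are skipped by default."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in skip_dirs):
            continue
        result[rel] = hash_file(path)
    return result


def diff_snapshots(baseline, current):
    """Compare two snapshots; returns sorted lists of added, removed and modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo():
    """Constructed miniature site in a temp dir; returns the diff after simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-content/themes/demo").mkdir(parents=True)
        (site / "wp-content/cache").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-content/themes/demo/functions.php").write_text("<?php // theme functions\n")
        (site / ".htaccess").write_text("RewriteEngine On\n")
        (site / "wp-content/cache/page.html").write_text("cached\n")
        baseline = snapshot(site)   # taken while the site is known-clean

        # Simulated post-compromise changes (constructed, harmless placeholders): a theme file
        # edited, a rule appended to .htaccess, an unknown file dropped, and a legitimate cache change.
        (site / "wp-content/themes/demo/functions.php").write_text("<?php // theme functions\n// added line\n")
        (site / ".htaccess").write_text("RewriteEngine On\n# extra rule\n")
        (site / "wp-content/themes/demo/unknown.php").write_text("<?php // unexpected file\n")
        (site / "wp-content/cache/page.html").write_text("new cache\n")
        return diff_snapshots(baseline, snapshot(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the baseline outside the web root (or off the server entirely), since an attacker with write access to the site can otherwise rewrite the baseline along with the files; for core files, comparing against the hashes of a clean WordPress download of the same version is the stronger check.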
Emergency procedure: what to do if you took the bait
You clicked on a phishing link, entered your credentials on a fake site or opened a suspicious attachment? Do not panic. Here is the procedure to follow, step by step.
Step 1: isolate and contain
If you entered credentials on a fake site:
- Immediately change the password for the affected account. If you can no longer access the account, use the service's recovery procedure
- Change the password on all other accounts that use the same password (yes, this is the time to admit you reuse passwords)
- Enable MFA on the affected account and on all your important accounts
- Check the account's recent activity: unusual logins, messages sent on your behalf, settings changes
If you opened a suspicious attachment:
- Immediately disconnect your device from the internet (disable Wi-Fi, unplug the Ethernet cable)
- Run a full scan with your antivirus software
- If you are in a business environment, immediately contact your IT department
Step 2: report the attack
Several reporting channels exist:
- IC3 (ic3.gov): the FBI's Internet Crime Complaint Center for reporting phishing in the United States
- Anti-Phishing Working Group (reportphishing@apwg.org): forward phishing emails for analysis
- Google Safe Browsing (safebrowsing.google.com): report a phishing website for blocking
- FTC (reportfraud.ftc.gov): report fraud to the Federal Trade Commission
If banking information has been compromised, immediately contact your bank to block your card and monitor suspicious transactions.
Step 3: clean up and secure (WordPress case)
If your WordPress credentials have been compromised, the attacker has potentially:
- Modified your theme or plugin files to inject malicious code
- Created new administrator accounts
- Installed backdoors to maintain access even after a password change
- Modified the .htaccess file to redirect your visitors
The cleanup procedure is detailed in our guide on securing WordPress after a hack. The key steps:
- Change all passwords: WordPress, database, FTP, hosting provider
- Regenerate the security keys in wp-config.php
- Delete any unknown user accounts
- Analyze recently modified files
- Restore WordPress core files from a clean source
- Check that your site has not been placed on the Google blacklist
Step 4: document and learn
After the incident is resolved:
- Document what happened: which email, which link, which information was compromised
- Identify how the attack succeeded: lack of MFA, password reuse, insufficient training
- Implement corrective measures to prevent recurrence
- In a business setting, share the incident (anonymously if necessary) with the team to raise awareness among colleagues
The real impact of phishing: statistics and costs for businesses
To understand why phishing protection deserves serious investment, just look at the numbers.
Key phishing statistics for 2025-2026
- 91% of successful cyberattacks start with a phishing email (source: Deloitte)
- 3.4 billion phishing emails are sent every day worldwide (source: Radicati Group)
- 36% of data breaches involve phishing (source: Verizon DBIR 2025)
- 74% of organizations experienced a successful phishing attack in 2024 (source: Proofpoint State of the Phish)
- The average time between clicking a phishing link and full account compromise is 60 seconds
The financial cost of phishing for businesses
According to the IBM Cost of a Data Breach 2025 report, the average cost of a data breach initiated by phishing is $4.76 million. This amount includes:
- Technical costs: forensic investigation, system cleanup, data restoration
- Legal costs: notification of affected individuals (mandatory under GDPR), potential regulatory fines
- Commercial costs: customer loss, reputation damage, revenue decline
- Operational costs: business interruption, IT team overtime
For SMBs, the consequences can be even more devastating proportionally. According to a Hiscox study, 60% of SMBs that fall victim to a cyberattack go out of business within 6 months of the incident. To measure the specific impact on a WordPress site, see our analysis of the cost of WordPress hacking for a business.
Phishing and GDPR: a major legal risk
In Europe, the GDPR (General Data Protection Regulation) adds a legal dimension to the problem. If a phishing attack leads to a leak of your customers' personal data:
- You must notify the relevant supervisory authority within 72 hours of discovering the breach
- You must inform the affected individuals if the risk is high
- You face fines of up to 4% of your annual global turnover or 20 million euros
- Your liability can be engaged if the security measures in place were insufficient
Phishing is therefore not just a technical or financial problem. It is also a legal risk that any organization processing personal data must take seriously.
Phishing in the age of artificial intelligence: new threats
The emergence of generative AI tools has significantly changed the phishing landscape. Attackers now have powerful tools to make their attacks more convincing and harder to detect.
Flawless phishing emails
Until recently, spelling mistakes and awkward phrasing were reliable indicators of a phishing email. With language models like GPT-4, attackers can generate perfectly written emails in any language, including with a tone adapted to the target's professional context.
Deepfakes in the service of vishing
Voice synthesis technologies can now clone a voice from just a few seconds of recording. An attacker can therefore make a phone call imitating the voice of an executive to request an urgent wire transfer. Several cases of CEO fraud using voice deepfakes have been documented since 2023, with amounts sometimes exceeding one million dollars.
Large-scale automated phishing campaigns
AI also enables the automation of attack personalization at scale. Rather than sending the same generic email to 500,000 people, an attacker can use AI to:
- Automatically scrape public information on each target (LinkedIn, website, social media)
- Generate a personalized email for each recipient
- Adapt the pretext based on the target's industry, job title and interests
This "industrialization of spear phishing" makes mass attacks as convincing as targeted ones.
How to defend against AI-enhanced phishing
Faced with these new threats, traditional defenses (error detection, manual verification) are no longer sufficient. Technical measures must be reinforced:
- Multi-factor authentication remains the best defense: even a perfectly AI-crafted email cannot bypass a physical security key (FIDO2/WebAuthn)
- AI-powered detection solutions: modern email filters also use AI to detect behavioral anomalies and phishing patterns
- Zero trust policy: trust no communication by default, systematically verify through an independent channel
- Continuous team training: phishing simulations must evolve to include AI-generated scenarios
Conclusion: vigilance is your best weapon against phishing
Phishing is fundamentally an attack against the human, not the machine. No technical solution can provide 100% protection if users are not trained and vigilant. The very definition of phishing reminds us of this reality: it is a trap that only works if the target takes the bait.
The most effective phishing protection measures always combine technology and human behavior:
- MFA enabled everywhere: this is the highest-impact measure, with a 99% risk reduction
- Systematic verification: never click on a link in an email to access a critical service
- Continuous training: one-time awareness is not enough; regular reminders and simulations are needed
- Documented procedures: every organization must have a clear response plan in case of an incident
For WordPress site owners, security starts with the fundamentals: strong passwords, two-factor authentication on wp-admin, a properly configured WAF, regular updates and file monitoring. A WordPress site compromised through phishing targeting the administrator can cause considerable damage: data loss, Google blacklisting, organic traffic decline and reputational harm to the business.
Cybersecurity is not a destination; it is an ongoing process. Attackers evolve, their techniques improve, and your defenses must evolve accordingly. The best approach remains one of daily vigilance, supported by solid technical tools and clear procedures.
