Phishing is a social engineering technique where an attacker uses messages and fake destinations (emails, texts, DMs, fake login pages, fake support) to trick you into giving them access.
The goal is usually credentials, one-time codes, session tokens, or payment changes.
Why it matters for account recovery
Phishing matters for recovery because it often compromises the control plane first: email inboxes, phone numbers, and identity accounts that can reset everything else.
Good defenses are procedural: the attacker wins when they get to choose how you verify, instead of you verifying through a channel you already know.
Common failure modes and misconceptions
- Signing in from message links: This is the most common entry point. If you navigate directly, most lures fail.
- Code and prompt abuse: Attackers can trick you into sharing one-time codes or approving prompts. Strong authentication helps, but it does not remove the need for verification discipline (see 2FA).
- Assuming personalization means legitimacy: Breaches and public data make personalized messages cheap.
Safe best practices
- Do not sign in from links in messages. Open the site or app yourself.
- Use a password manager so wrong domains become obvious.
- Treat app permission (OAuth consent) prompts as a phishing surface, and review which apps have access to your account.
- If you clicked or entered credentials, respond as if sessions are exposed: change passwords, end sessions, and review recovery methods.
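As an added illustration of the password-manager point above (example code written for this entry, not taken from the original page; the vault entries and `.test` hosts are constructed), the check below models how a manager decides whether to autofill. It fills only when the page's scheme and host exactly match the saved origin, so a lookalike address that reads right to a human gets no credentials, and the refusal reason shows what the human would have missed.

```python
"""Added example (not from the original glossary page): why a password
manager makes wrong domains obvious.  A manager autofills only when the
page's origin exactly matches the origin it saved the credential for."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample vault entries: label -> saved origin (scheme + host).
VAULT: Dict[str, str] = {
    "example-bank": "https://login.example-bank.test",
    "webmail": "https://mail.example-provider.test",
}


def origin_of(url: str) -> Optional[str]:
    """Return scheme://host for a URL, or None if it has no http(s) host.
    urlsplit lowercases scheme and host and ignores userinfo, port,
    path and query, which is also what the browser treats as the origin."""
    parts = urlsplit(url)
    if not parts.hostname or parts.scheme not in ("http", "https"):
        return None
    return f"{parts.scheme}://{parts.hostname}"


def autofill_decision(url: str, vault: Dict[str, str] = VAULT) -> Tuple[str, str]:
    """Decide whether a manager would fill credentials on this page.
    Returns ("fill", label) on an exact origin match, otherwise
    ("refuse", reason) explaining the mismatch a person might overlook."""
    origin = origin_of(url)
    if origin is None:
        return ("refuse", "no http(s) host")
    for label, saved in vault.items():
        if origin == saved:
            return ("fill", label)
    # No exact match: explain why, so the refusal itself is a useful signal.
    host = origin.split("://", 1)[1]
    for label, saved in vault.items():
        saved_scheme, saved_host = saved.split("://", 1)
        if host == saved_host:
            return ("refuse", f"scheme mismatch for {label} ({saved_scheme} expected)")
        if saved_host in host:
            # The real host is longer; the saved name is just a label inside it.
            return ("refuse", f"host merely contains {saved_host} ({label})")
    return ("refuse", "unknown origin")


if __name__ == "__main__":
    # Constructed sample links as they might appear in messages.
    for link in (
        "https://login.example-bank.test/signin?session=abc",
        "https://login.example-bank.test.evil-host.test/signin",
        "http://login.example-bank.test/signin",
        "https://login.examp1e-bank.test/signin",
        "https://login.example-bank.test@evil-host.test/signin",
    ):
        print(f"{link}\n  -> {autofill_decision(link)}")
```

The last sample shows why the manager is a better judge than the eye: the text before `@` is userinfo, not the host, so `urlsplit` reports the real host and the manager refuses. The same exact-origin rule is why a saved login silently fails to appear on a lookalike page, which is the cue to stop and navigate to the site yourself.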
Phishing becomes manageable when verification is normalized. When the default is "verify via a known channel", attackers lose the time pressure they depend on.
