Phishing is an attempt to trick people into sharing important personal information — banking information, logins, passwords, credit card numbers.

Phishing is an Internet derivation of the word fishing. Fishing is the ideal metaphor for the techniques scammers use. The goal of phishing is to lure people into providing information which the perpetrators sell or use to defraud victims.

“Smishing” is similar to phishing but is perpetrated SMS (text messaging) or messaging apps like WhatApp where phishing uses email.


Phishing is a numbers game. A phishing attempt will typically start with an email sent in bulk to a massive email list (i.e. spam). Scammers are always finding new and inventive ways to get past the spam filters email service providers have in place. Of the messages that are delivered, most will be ignored or reported. The possibility of landing even one victim makes the effort worthwhile for scammers.


Perpetrators of phishing scams will often go to great lengths to make their phishing email appear as a legitimate communication from a trusted and recognized brand or institution. Banks, payment sites (PayPal, Venmo etc.), big retailers (Amazon, WalMart, eBay) and even government bodies (IRA, CRA) are common targets.

Scammers will spoof email addresses to appear legitimate (e.g. fraud@recognizablebrand.com) and in more sophisticated attempts, will use brand elements and language to great effect in an attempt to get the recipient’s guard down.


The bait in a phishing scam can be anything that gets people to click. Some common tactics used in phishing scams are asking users to login to their account to reset a password, deny a transaction or to claim a refund or reward. The bait can be positive — as with a reward or refund — or negative — to avoid monetary loss, to reclaim a compromised account or even to avoid criminal charges.


Clicking on a link in a phishing email will typically take victims to a page that can be a very convincing spoof of a trusted brand or organization. Phishing sites, like the message that brought them there, can be convincing fakes in more sophisticated attempts. The page may appear legitimate. It may even trick browsers into believing it’s “secure” with an https:// prefix and a lock icon. Scammers will also use lookalike characters e.g. I, |, or 1 for l or use non-English alphabets (e.g. Cryrllic) to create a convincing web address.

If the user completes the action and attempts to login with their username and password, enter credit card information etc. this information is now in the hands of scammers and a whole bunch of bad things can start to happen including theft, fraud and identity theft. If the victim used the same username and password for multiple sites, the problem can quickly snowball.


It is important to take action immediately:

  • If you input a credit card number, cancel the card before scammers can use or sell it.
  • If you’ve input a login / password, change that login and password by going directly to the source before scammers can use or sell it.
  • Change your username and password on any site or service where you’ve used the phished username and password.
  • It’s too late to say “don’t use the same username and password on more than one site” but, well, don’t.
  • Reach out to the organization or service that the scammers spoofed in their phishing attempt to tell them your information has been compromised.
  • Create a NetBeacon report to provide the information a registrar, host or other industry partner needs to take action against the phishing site.

Take Action


If you suspect or have witnessed online abuse, sharing a NetBeacon report is the single most impactful action you can take. A NetBeacon report ensures that the information gets into the right hands.


Sign In

Sign up or login to the NetBeacon abuse reporting tool with your email or SSO.



Identify the type of abuse and share any details that might help investigators.



Your report will be reviewed and shared with the appropriate bodies for action.