Phishing is a form of social engineering and a scam where attackers deceive people into revealing sensitive information or installing malware such as viruses, worms, adware, or ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim navigates the site, and transverses any additional security boundaries with the victim. As of 2020, it is the most common type of cybercrime, with the Federal Bureau of Investigation's Internet Crime Complaint Center reporting more incidents of phishing than any other type of cybercrime.

Modern phishing campaigns increasingly target multi-factor authentication (MFA) systems, not just passwords. Attackers use spoofed login pages and real-time relay tools to capture both credentials and one-time passcodes. In some cases, phishing kits are designed to bypass 2FA by immediately forwarding stolen credentials to the attacker’s server, enabling instant access. A 2024 blog post by Microsoft Entra highlighted the rise of adversary-in-the-middle (AiTM) phishing attacks, which intercept session tokens and allow attackers to authenticate as the victim.

The term "phishing" was first recorded in 1995 in the cracking toolkit AOHell, but may have been used earlier in the hacker magazine 2600. It is a variation of fishing and refers to the use of lures to "fish" for sensitive information.

Measures to prevent or reduce the impact of phishing attacks include legislation, user education, public awareness, and technical security measures. The importance of phishing awareness has increased in both personal and professional settings, with phishing attacks among businesses rising from 72% in 2017 to 86% in 2020, already rising to 94% in 2023.