Phishing
A fraudulent message — usually email — designed to trick you into handing over passwords, card numbers, or other sensitive data by impersonating a trusted organisation.
Also known as: credential phishing, email phishing
Last reviewed: 1 June 2026
Phishing is one of the oldest and most common forms of online fraud. An attacker sends a message that appears to come from a bank, government agency, courier, or well-known brand. The message creates urgency ('your account will be suspended') and directs you to a fake website that mimics the real one, where your credentials or payment details are harvested.
Modern phishing campaigns are increasingly convincing: they use real logos, HTML copied from legitimate sites, and valid HTTPS certificates that give a false sense of security (the padlock only shows that the connection is encrypted, not that the site is genuine). Some include your real name or partial account number — obtained from previous data breaches — to seem more authentic.
The term is a deliberate misspelling of 'fishing', reflecting the idea of casting a wide net hoping someone takes the bait. Related variants include smishing (SMS), vishing (voice calls), spear-phishing (targeted), and whaling (targeting executives).
Examples
- An email claiming to be from your bank says 'unusual activity detected — verify your details now' with a link to a cloned login page.
- A message purporting to be from a parcel courier asks you to pay a small customs fee via a fake payment portal.