How does a phishing email scam work?
Phishing emails impersonate trusted organisations to trick recipients into clicking a malicious link, entering credentials on a fake site, or downloading malware — all to steal accounts or data.
Last reviewed: 10 June 2026
Explanation
A phishing email is engineered to look identical to legitimate correspondence from a bank, delivery company, government agency, or technology platform. The sender address is spoofed or uses a lookalike domain, and the email body copies the real organisation's fonts, logos, and tone exactly. The call to action creates urgency: your account is suspended, a package is held, a refund is pending, or unauthorised access has been detected.
The link in the email leads to a cloned website that can be indistinguishable from the real one. The URL may differ by a single character or use a subdomain like 'secure.bank-name.verification-login.com'. Victims who enter their credentials hand them directly to the attacker. Some phishing pages also harvest two-factor authentication codes in real time by proxying the login to the real site, defeating SMS-based MFA.
Attachment-based phishing installs malware when a victim opens a document or zip file. The malware may log keystrokes, take screenshots, or provide a backdoor for ongoing access. These campaigns are often mass-sent but increasingly tailored ('spear phishing') using personal details harvested from LinkedIn or previous breaches.
After credentials are stolen, attackers typically move quickly: changing the account's email and phone number to prevent recovery, harvesting saved payment methods, forwarding email to monitor for other account details, and testing the same credentials on other sites ('credential stuffing').
Common red flags
- An email creates urgency about your account, a delivery, a tax refund, or a security alert
- The sender domain does not exactly match the real organisation's official domain
- When you hover over a link, the actual URL differs from the displayed text or contains extra words
- You are asked to confirm credentials or payment details via an email link
- The email contains grammar or formatting inconsistencies despite otherwise official branding
- You did not initiate any action that would prompt the email
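The two domain-related red flags above (a sender domain that is not the organisation's own, and a hovered link that does not go where its text suggests) can be checked mechanically. The Python below is an added example written for this page, not code from the original; it assumes a constructed official domain 'bank-name.com' and a tiny stand-in for the Public Suffix List, and it treats the page's 'secure.bank-name.verification-login.com' subdomain trick as the core case.

```python
from urllib.parse import urlparse

# Constructed example of an organisation's official domain (an assumption for this demo).
OFFICIAL_DOMAIN = "bank-name.com"

# Minimal set of two-label public suffixes so eTLD+1 extraction handles common
# cases; a real deployment would consult the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname the registrant actually controls (eTLD+1).

    'secure.bank-name.verification-login.com' -> 'verification-login.com'
    'login.bank-name.co.uk'                   -> 'bank-name.co.uk'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_sender(sender_address: str, official_domain: str = OFFICIAL_DOMAIN) -> list:
    """Flag a From: address whose registrable domain is not the official one."""
    domain = sender_address.rsplit("@", 1)[-1]
    if registrable_domain(domain) != official_domain.lower():
        return [f"sender domain '{domain}' is not '{official_domain}'"]
    return []


def check_link(display_text: str, href: str, official_domain: str = OFFICIAL_DOMAIN) -> list:
    """Flag a link whose real destination differs from what is shown or from the official domain."""
    findings = []
    host = urlparse(href).hostname or ""
    # Only compare hostnames when the visible link text itself looks like a URL.
    text = display_text.strip()
    if "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable_domain(shown) != registrable_domain(host):
            findings.append(f"text shows '{shown}' but link goes to '{host}'")
    # The official name appearing only as a subdomain does not make the host official.
    if registrable_domain(host) != official_domain.lower():
        findings.append(f"link host '{host}' is not under '{official_domain}'")
    return findings
```

Run `check_link` on each anchor's visible text and href, and `check_sender` on the From: address; an empty list means neither red flag fired.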
What to do now
- Do not click the link — go to the organisation's site by typing its address directly
- If you already entered credentials, change your password immediately from a known-safe device
- Enable multi-factor authentication, using an authenticator app rather than SMS where possible
- Report the phishing email to the impersonated organisation and your national cybercrime agency
- Run a malware scan if you opened an attachment
- Check account activity for any changes to email, phone, or saved payment methods
Frequently asked questions
Can I tell a phishing email by checking for poor spelling?
Not reliably anymore. Modern phishing emails are often grammatically perfect and visually identical to real communications. Check the sender domain and hover over links instead.
What is spear phishing?
Spear phishing is a targeted version where the attacker personalises the email using your name, employer, or recent activity to increase believability. It is used against specific high-value individuals.
Does clicking a link (without entering anything) put me at risk?
Sometimes. Malicious sites can attempt drive-by download exploits through browser vulnerabilities. Keep your browser and OS updated, and use a security product that blocks known malicious URLs.