What exactly is a phishing attack and how does it work against me?
Phishing is a deceptive communication — usually an email, text, or fake website — designed to trick you into revealing credentials, financial details, or installing malware by impersonating a trusted entity.
Last reviewed: 10 June 2026
Explanation
Phishing is one of the most successful attack vectors in fraud because it exploits human psychology rather than technical vulnerabilities. A convincing email appearing to come from your bank, a well-known retailer, or a government agency can be almost indistinguishable from the real thing at a glance. The message typically creates urgency — your account will be suspended, a parcel is waiting, a refund is ready — and provides a link to 'resolve' the issue.
That link leads to a fake website built to look like the real one, where you are prompted to enter your login credentials or payment details. Once submitted, those details go to the attacker's server, not the legitimate company. Some phishing pages are sophisticated enough to pass your credentials through to the real site in real time (real-time phishing proxies), so you don't notice anything wrong — you just log in successfully, while the attacker captures your session.
Spear phishing is a targeted variant that uses your name, job title, organisation, or other personal details gathered from social media to seem highly personalised. Vishing (voice phishing) and smishing (SMS phishing) follow the same playbook via phone calls and texts instead of email.
The most reliable defence is to never click links in unsolicited messages to log in. Instead, open a new browser tab and navigate to the site directly from a bookmark or by typing the address yourself. No legitimate company will penalise you for doing this.
Common red flags
- Unsolicited message creates urgency — 'act now or your account will be closed'
- Sender address looks almost right but has a small spelling variation or uses a free email domain
- The link's real destination, shown when you hover over it, is a different address from the legitimate site's
- Generic greeting ('Dear Customer') instead of your actual name
- The page that loads looks like the real site but the URL in the address bar is different
- You are asked to provide login details, OTPs, or payment information to 'verify' your account
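The first four red flags above can be checked mechanically. The following is an added example written for this page, not code from the original FAQ: it runs those checks over a constructed sample email (lookalike sender domain, urgent wording, generic greeting, and link text that shows one host while the href points at another). The trusted-domain list and the sample messages are assumptions for the demonstration.

```python
"""Flag common phishing red flags in an email (added example; sample data is constructed)."""
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}          # assumption: sites the recipient really uses
URGENCY = re.compile(r"\b(act now|suspended|verify your account|within 24 hours)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (customer|user|member|client)\b", re.I)
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)  # link text that looks like a URL

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(s):
    """Lowercased host of a URL or bare domain string."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def red_flags(sender, subject, html):
    """Return a list of human-readable red flags found in the message."""
    flags, sender_domain = [], sender.split("@")[-1].lower()
    for trusted in TRUSTED_DOMAINS:   # near-miss of a trusted domain, e.g. a swapped character
        if sender_domain != trusted and SequenceMatcher(None, sender_domain, trusted).ratio() > 0.8:
            flags.append(f"sender domain '{sender_domain}' resembles '{trusted}'")
    if URGENCY.search(subject) or URGENCY.search(html):
        flags.append("urgent language")
    if GENERIC_GREETING.search(html):
        flags.append("generic greeting")
    parser = LinkCollector()
    parser.feed(html)
    for text, href in parser.links:   # visible URL text vs. real destination host
        if DOMAIN_LIKE.match(text) and host_of(text) != host_of(href):
            flags.append(f"link text shows '{host_of(text)}' but points to '{host_of(href)}'")
    return flags

# Constructed sample messages: one phishing lure, one legitimate notice.
PHISH = ("security@examp1ebank.com", "Act now: your account will be suspended",
         '<p>Dear Customer,</p><p>Please visit <a href="https://examp1ebank.com/login">'
         'https://examplebank.com/login</a> to verify your account.</p>')
LEGIT = ("alerts@examplebank.com", "Your monthly statement is ready",
         '<p>Hello Alex,</p><p>View it at <a href="https://examplebank.com/statements">'
         'https://examplebank.com/statements</a>.</p>')
```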
What to do now
- Never click login links in unsolicited emails or texts — navigate to the site directly
- If you already entered credentials, change that account's password immediately
- Enable two-factor authentication so stolen passwords alone are not enough
- Report phishing emails to your email provider (use the 'report phishing' button)
- Forward suspicious texts to 7726 (SPAM) to report to your carrier
- If financial details were entered, contact your bank immediately
Frequently asked questions
Can my email spam filter catch all phishing emails?
Spam filters catch most phishing but not all — sophisticated campaigns specifically craft messages to evade filters. Treat unexpected urgency or login requests with scepticism regardless of which folder they arrive in.
What is the difference between phishing and spear phishing?
Phishing is a mass campaign sent to many people with generic content. Spear phishing is targeted — the attacker researches you first and personalises the message, making it much more convincing.