What is phishing?
Phishing is a cyber-fraud technique in which criminals send deceptive messages, usually by email, that impersonate trusted organisations to trick recipients into revealing passwords or financial details, or into installing malware.
Last reviewed: 10 June 2026
Explanation
Phishing messages are designed to look legitimate. They copy the branding, logos, and writing style of banks, government agencies, courier services, or popular online platforms. The email or text typically creates urgency: your account will be suspended, your parcel could not be delivered, your payment failed. A link takes you to a fake site that harvests whatever credentials you enter.
Spear phishing is a targeted variant. Instead of mass emails, criminals research specific individuals — using LinkedIn, company websites, or prior breaches — and craft highly personalised messages. A spear phishing email to a company finance director may reference real colleagues by name, recent projects, or authentic-looking internal formatting.
Smishing (SMS phishing) and vishing (voice phishing) follow the same principle through different channels. Smishing sends a fraudulent text; vishing uses phone calls, sometimes with spoofed caller ID showing a legitimate number.
The most reliable defences are pausing before clicking any unexpected link, independently navigating to the organisation's genuine website rather than using the provided link, and using multi-factor authentication so that a stolen password alone is insufficient to access your account. One caveat: one-time codes sent by SMS or shown in an authenticator app can still be captured by a phishing site that relays your login to the real site in real time, so phishing-resistant methods such as passkeys or FIDO2 security keys, which tie the login to the genuine site's domain, are stronger where they are offered.
Common red flags
- An urgent message about account suspension, failed payment, or parcel delivery
- A sender address that looks similar but not identical to a legitimate organisation
- Links in the email go to a different domain from the claimed sender
- Generic greeting ('Dear Customer') rather than your actual name
- Poor grammar, unusual formatting, or mismatched branding
- A request to enter credentials, payment details, or personal information through a link
What to do now
- Do not click the link — navigate directly to the organisation's website
- If you already entered credentials, change your password and enable MFA immediately
- Report phishing emails to your national cyber authority and to the impersonated organisation
- Forward suspicious texts to 7726 (SPAM) in the UK or report to the FTC in the US
- Run a security scan if you clicked a link and downloaded anything
Frequently asked questions
How can I tell if an email is a phishing attempt?
Check the actual sender email address (not just the display name), hover over links to see the true destination URL, look for urgency language, and ask yourself whether you expected this message. When in doubt, go directly to the organisation's website by typing the address yourself.
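The red flags listed above and the checks in this answer can be automated for triage. The following is an added example, not code from the original page: it parses a raw email with Python's standard library, compares the sender's domain with the brand named in the display name (flagging lookalikes such as a digit 1 in place of a letter l), compares link domains with the sender domain, and scans for urgency language and a generic greeting. The brand name, all domains (using the reserved .example suffix), the keyword lists and both sample messages are constructed for illustration; the domain-reduction helper is a deliberate simplification of what the Public Suffix List would give you.

```python
"""Heuristic phishing triage of a raw email against the red flags on this page.
Added example, not part of the original page; the brand, domains and sample
messages below are constructed for illustration."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Genuine domains of brands you want to protect (constructed, invented brand).
KNOWN_BRANDS = {"northwind parcel": "northwindparcel.example"}
URGENCY_TERMS = ("action required", "suspend", "within 24 hours",
                 "failed payment", "could not be delivered")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample 1: a fake delivery notice. The sender domain swaps the
# final letter 'l' of the brand domain for the digit '1'.
SAMPLE_EML = b"""\
From: "Northwind Parcel" <no-reply@northwindparce1.example>
To: victim@example.org
Subject: Action required: your parcel could not be delivered
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We were unable to deliver your parcel. Your account will be suspended
unless you confirm your details within 24 hours.</p>
<p><a href="http://parcel-reschedule.example/track?id=123">Reschedule delivery</a></p>
</body></html>
"""

# Constructed sample 2: a genuine-looking notice from the brand's own domain.
GENUINE_EML = b"""\
From: "Northwind Parcel" <notifications@northwindparcel.example>
To: victim@example.org
Subject: Your parcel is on its way
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello Alex,</p>
<p>Your parcel will arrive tomorrow. Track it at
<a href="https://www.northwindparcel.example/track?id=123">our site</a>.</p>
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable part: the last two labels, or three
    for 'co.uk'-style suffixes. Crude on purpose; production code should use
    the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "com", "org", "gov", "ac") and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot 'similar but not identical' sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: bytes) -> dict:
    """Return the sender domain, the link domains found and the red flags raised."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, sender_addr = parseaddr(str(msg["From"] or ""))
    sender_domain = registrable_domain(sender_addr.rsplit("@", 1)[-1]) if "@" in sender_addr else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    lowered = (str(msg["Subject"] or "") + "\n" + text).lower()
    link_domains = sorted({registrable_domain(urlparse(u).hostname or "") for u in HREF_RE.findall(text)})

    flags = []
    # Display name claims a known brand, but the address is not the brand's domain.
    for brand, genuine in KNOWN_BRANDS.items():
        if brand in display_name.lower() and sender_domain != genuine:
            if edit_distance(sender_domain, genuine) <= 2:
                flags.append(f"sender domain {sender_domain} is a lookalike of {genuine}")
            else:
                flags.append(f"display name claims {brand} but sender domain is {sender_domain}")
    # Links lead somewhere other than the sender's own domain.
    if any(d != sender_domain for d in link_domains):
        flags.append("link domain differs from sender domain")
    if any(t in lowered for t in URGENCY_TERMS):
        flags.append("urgency language")
    if any(g in lowered for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    return {"sender_domain": sender_domain, "link_domains": link_domains, "flags": flags}


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EML), ("genuine", GENUINE_EML)):
        result = triage(raw)
        print(f"{label}: sender={result['sender_domain']} links={result['link_domains']}")
        for flag in result["flags"]:
            print("  -", flag)
```

Run it as a script and the suspicious sample raises all four flags while the genuine one raises none. The keyword lists are the weakest part of this approach and will produce false positives on legitimate reminders; the sender-domain and link-domain comparisons are the checks worth keeping, and both assume you maintain an accurate list of the genuine domains for each brand.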
What is the difference between phishing and pharming?
Phishing tricks you into clicking a link to a fake site. Pharming hijacks the DNS lookup process (for example through a compromised router, a poisoned resolver, or an altered hosts file) so that even when you type the correct address, you are silently redirected to a fraudulent site. Pharming is harder to spot but less common. HTTPS certificate validation protects against pharming, because the fraudulent server cannot present a valid certificate for the genuine domain name you typed; it does not protect against phishing, where the link leads to a different domain for which the attacker can legitimately obtain a certificate, so a padlock icon on its own says nothing about whether a site is genuine.