Phishing
Deceptive emails, texts and sites that trick you into revealing passwords, codes or card details.
Last reviewed: 1 June 2026
What this scam is
Phishing is the use of deceptive messages — most commonly emails, but also text messages (smishing), voice calls (vishing), or messages on social and workplace platforms — to impersonate a trusted organisation and trick you into revealing sensitive information. This information typically includes passwords, one-time security codes, credit or debit card numbers, or other personal details that enable financial fraud or account takeover.
Phishing has three main delivery formats. Email phishing is the most familiar: a message impersonating a bank, online retailer, government body, or workplace service directs you to a fake website where your credentials are harvested. Smishing uses SMS messages with similar lures. Vishing involves a caller who impersonates support, your bank, or a government agency and verbally requests sensitive details.
A more targeted form — spear phishing — tailors the message to the specific recipient, using their name, employer, or known relationships to appear more credible. This is common in workplace attacks where someone may receive a convincing email appearing to come from a colleague or manager.
Phishing is one of the most common entry points for fraud globally because the marginal cost per attempt is extremely low for attackers, and even a small success rate across millions of messages yields significant returns.
How it works
A phishing message is designed to create a plausible reason for you to take an action — clicking a link, opening an attachment, or calling a number. Common pretexts include a suspicious login on your account, a failed payment, a package delivery requiring action, an invoice attached for your records, or an account about to be suspended.
The message generates urgency: there are only hours to respond, your account will be locked, or your parcel will be returned. This urgency is designed to suppress the pause that might otherwise lead you to question the message.
The link in the message leads to a website that is visually identical to the real organisation's site, down to logos, colour schemes, and layout. The domain, however, will be subtly wrong — an extra word, a replaced letter, or a completely different domain with a convincing subdomain. You enter your login details, which are captured by the attacker. The page may then redirect you to the real site to prevent suspicion.
In more sophisticated attacks, the fake page captures your password and immediately uses it on the real site, passing you a second prompt for your one-time code, which is then also captured in real time — bypassing two-factor authentication.
Attachments in phishing emails can contain malicious macros or executables that install malware when opened.
Why this scam works
Phishing succeeds because it hijacks the trust you already have in organisations you deal with every day. When a message looks like it came from your bank, your employer, or a service you use, your first instinct is to take it at face value.
Urgency plays a critical role. When you believe your account is about to be locked or your parcel returned, the pressure to act immediately reduces the likelihood that you will pause, verify the sender, or navigate to the site independently.
The visual quality of fake login pages has improved considerably over time. When a page looks identical to the real thing, the design provides no warning signal — only the URL can betray it, and many people do not habitually check URLs before entering credentials.
A typical pattern
A person receives an email that appears to come from their bank, warning of a suspicious login from an unrecognised device. The email uses the bank's logo and standard formatting. A link labelled 'Secure your account now' leads to a page that looks identical to the bank's real login screen. The person enters their username and password. The fake page immediately prompts for their one-time code, which it uses in real time on the genuine site. Moments after submitting the code, the person receives a genuine notification from their bank that a new payee has been added and a transfer is pending.
Common red flags
- Urgent requests to verify or log in via a link in a message
- Sender address or domain that differs slightly from the real organisation
- Generic greeting ('Dear Customer') from a service that should know your name
- Requests for your password, full card details, or one-time security codes
- Unexpected attachments, especially Office files asking to enable macros
- Links that don't match the displayed text when you hover over them
- Pressure — act now, account will be suspended, your data is at risk
- Official-looking message asking you to call a number to 'verify' your identity
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Security alert: a new device has logged into your account. If this wasn't you, verify your identity here: [fake link].
Your payment failed. Update your billing information within 24 hours to avoid account suspension: [fake link].
You have a parcel held for delivery. Confirm your address and pay a small delivery fee: [fake link].
HMRC / IRS: You are owed a tax refund. Claim it by entering your details at [fake link] before the deadline.
Action required: unusual login detected on your account. Confirm your identity or access will be restricted: [fake link].
Your shared document is ready to view. Open it securely here: [fake link] — [attachment name].docx
Common variations
- Smishing — phishing via SMS, often impersonating parcel delivery, banks, or tax authorities
- Vishing — phishing via voice call, impersonating bank fraud teams or government agencies
- Spear phishing — targeted message using the recipient's name, employer, or relationships
- Whaling — spear phishing aimed at senior executives or high-value targets
- Clone phishing — a legitimate email you received is copied with a malicious link substituted
- Man-in-the-middle phishing — a relay proxy captures your credentials and 2FA code in real time
How to verify before you act
The most reliable safeguard is never using links in messages to reach login pages. Instead, type the organisation's web address directly into your browser, or use your saved bookmark or the official app.
Check the sender's email address in full — not just the display name. The display name can be set to anything; the underlying address often reveals an unrelated domain.
Hover over (or long-press on mobile) any link before clicking to preview the destination URL. Look at the actual domain carefully — not the subdomain. A site at 'secure.yourbank.com.phishing-domain.net' is owned by phishing-domain.net, not yourbank.com.
If you receive an unexpected security alert and want to verify it, log into your account directly (not via the link) and check for any notifications there.
Payment methods used
- Credentials and card details harvested for later use
Who is usually targeted
- Everyone — individuals and employees equally
What to do immediately
- Do not click any link or open any attachment in the suspicious message
- Go to the relevant service directly by typing its address and check whether any action is genuinely needed
- If you already entered your credentials, change your password on the real site immediately
- Enable or upgrade two-factor authentication on the affected account
- Contact your bank immediately if you entered payment card details
- Report the phishing message to the impersonated organisation and to your national reporting body
- If a work account was involved, notify your IT security team
How to prevent it
- Never use a link in an unexpected message to reach a login page — type the address yourself
- Check the actual sender email address, not just the display name
- Enable app-based or hardware two-factor authentication on important accounts
- Use a password manager — it will not auto-fill your credentials on a fake domain
- Be sceptical of any message creating urgency about account access, payment, or delivery
- Forward suspicious emails to the real organisation's abuse or report-phishing address
- Keep your email provider's spam filters active and report phishing to train them
- On mobile, be cautious of SMS messages with shortened or unfamiliar URLs
Evidence to preserve
- The full message including sender address
- The link URL (note it down; do not click it again)
- Screenshots of the fake page if you visited it
- Any attachment name and sender details
- Timestamps of the message and any subsequent account activity
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Report phishing to the impersonated organisation — Most banks and platforms have a dedicated report-phishing address
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How can I tell a real login page from a phishing one?
Don't trust links in messages — type the website address yourself or use your saved bookmark or app. Check the domain carefully, and never enter one-time codes or passwords prompted by an inbound message.
I clicked the link but didn't enter anything — am I at risk?
Clicking alone is low risk in most cases. Some sophisticated attacks can exploit browser vulnerabilities just from visiting, but the main risk is entering your details. If you are concerned, run a security scan.
The email used my real name — does that mean it's legitimate?
Not necessarily. Names and email addresses are widely available from data breaches, social media, and mailing lists. A personalised phishing email is called spear phishing and is more convincing, but the same verification steps apply.
Can phishing steal my password if I use two-factor authentication?
Yes — advanced phishing sites relay your login and one-time code to the real site in real time, capturing both. Use a hardware security key or passkey where possible, as these cannot be phished.
How do I report a phishing email?
Forward it to the impersonated organisation's report-phishing address, to your national reporting body (e.g. [email protected] in the UK, the Anti-Phishing Working Group at [email protected]), and to your email provider using their 'Report spam' or 'Report phishing' button.
What is smishing?
Smishing is phishing delivered by SMS rather than email. Common lures include fake parcel delivery fees, bank fraud alerts, and tax refunds. The same rule applies: do not use the link in the message; navigate to the service directly.
Does using a VPN protect me from phishing?
No. A VPN does not prevent you from entering your credentials on a fake page. The protection against phishing is behavioural: not using links in messages and checking URLs before logging in.