What is Phishing? How to Spot Fake Emails

3.4 billion phishing emails are sent every single day.

That’s not a typo. Every. Single. Day. And yet, most people still can’t reliably spot one before it’s too late — before they’ve clicked the link, entered their credentials, and handed a cybercriminal the keys to their digital life.

I’ve seen it happen to smart, experienced professionals. People who know better. The truth is, modern phishing attacks aren’t the clumsy, spelling-mistake-riddled scams of the early 2000s. They’re sophisticated, targeted, and alarmingly convincing — designed by people who have studied exactly how you think and what makes you click.

So let’s fix that.

In this article, I’ll break down exactly what phishing is, how to identify a fake email before it does any damage, and the specific red flags you need to train yourself to spot — starting today.

Quick Answer

Phishing is a type of cyberattack where criminals impersonate trusted organisations via email, text, or fake websites to steal sensitive information like passwords or payment details. Phishing attacks rely on urgency and deception. You can spot them by checking sender addresses, looking for suspicious links, and verifying unexpected requests directly with the source.

What is Phishing?

Phishing is a form of social engineering — a cyberattack that targets people, not systems. Instead of hacking software, attackers hack human behaviour. They send fraudulent communications that appear to come from legitimate sources: your bank, your employer, a government agency, or even a colleague.

The goal is almost always the same. Get you to click a malicious link, download a dangerous file, or hand over personal data. The name itself comes from “fishing” — attackers cast a wide net and wait for someone to take the bait.

It’s one of the most common and costly cyber threats in existence. According to the FBI’s Internet Crime Report, phishing was the most frequently reported cybercrime in recent years, with losses running into the billions. No industry is safe. No organisation is too small to be targeted.

How Does a Phishing Attack Work?

Understanding the mechanics of a phishing attack is the first step to not falling for one. Here’s how the process typically unfolds:

  • The attacker selects a target — either a broad group or a specific individual
  • They craft a message designed to look legitimate, using real logos, spoofed email addresses, and convincing language
  • The message creates a sense of urgency: “Your account has been compromised,” or “Action required within 24 hours”
  • The victim clicks a link leading to a fake login page or downloads an attachment containing malware
  • Credentials or data are captured and used for fraud, identity theft, or further attacks

The whole process can take minutes. That’s what makes phishing so dangerous — it doesn’t require complex hacking skills. It just requires one moment of inattention from you.

Types of Phishing Attacks You Need to Know

Email Phishing

The most common form. Mass phishing emails are sent to thousands of addresses at once, often pretending to be banks, delivery services, or government bodies. The messages are generic but effective — especially when they land at the right moment.

What is Spear Phishing?

Spear phishing is a targeted version of a phishing attack. Instead of a generic message, attackers research their victim — pulling information from LinkedIn, company websites, or social media — and craft a highly personalised email. These are far more convincing and far more dangerous.

A spear phishing email might reference your real job title, your manager’s name, or a recent company project. It feels completely legitimate. That’s the point.

Smishing and Vishing

Phishing isn’t limited to email. Smishing uses SMS text messages. Vishing uses voice calls. Both follow the same principle: impersonate a trusted source, create urgency, and extract information. A text claiming your parcel couldn’t be delivered — and asking you to click a link to reschedule — is a classic smishing attack.

What is a Phishing Link?

A phishing link is a URL designed to look legitimate but which redirects you to a malicious site. These links often use slight misspellings (“paypa1.com” instead of “paypal.com”), subdomains that appear credible (“paypal.com.secure-login.net”), or URL shorteners that disguise the real destination.

Always hover over a link before clicking. The actual URL will appear in the bottom corner of your browser. If something looks off — even slightly — don’t click it.

How to Spot a Phishing Email: 8 Red Flags

Most phishing emails share common warning signs. Train yourself to look for these every time something feels even slightly unusual:

Red Flag                    | What to Look For
----------------------------|--------------------------------------------------------------
Sender address              | Check if the domain matches the real company exactly
Generic greetings           | “Dear Customer” instead of your actual name
Urgency or threats          | “Act now or your account will be closed”
Suspicious links            | Hover before clicking; check for misspellings or odd domains
Unexpected attachments      | Never open attachments you weren’t expecting
Requests for sensitive data | Legitimate organisations never ask for passwords by email
Poor grammar or formatting  | Typos, awkward phrasing, or inconsistent branding
Mismatched branding         | Logos that look slightly off, wrong colours, blurry images
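The “hover before clicking” and “does the domain match exactly” checks above, and the lookalike patterns from the phishing-link section (misspelled domains, the brand name used only as a subdomain, URL shorteners), can be applied mechanically. The checker below is an added example written for this article, not code from the original; the shortener list, the digit-for-letter map and the sample URLs are constructed, and the naive registrable-domain helper assumes two-label suffixes such as .com (a real tool would use the Public Suffix List so that .co.uk and similar are handled).

```python
"""Added example: apply the article's link red flags to a URL."""
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}          # constructed subset
# Digits attackers swap for look-alike letters, e.g. "paypa1" for "paypal".
DIGIT_TO_LETTER = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Last two labels of the host, i.e. the part someone registered.
    Assumption: a two-label suffix like .com; not correct for .co.uk."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def check_link(url: str, expected_domain: str) -> list[str]:
    """Return human-readable reasons the URL does not belong to the brand.
    An empty list means it resolves to the brand's own registrable domain."""
    host = (urlparse(url).hostname or "").lower()
    actual = registrable_domain(host)
    if actual == expected_domain:
        return []
    if actual in SHORTENERS:
        return [f"shortener {actual} hides the real destination"]
    if actual.translate(DIGIT_TO_LETTER) == expected_domain:
        return [f"{actual} is a misspelling of {expected_domain}"]
    if host.startswith(expected_domain + "."):
        # The brand is only a subdomain; whoever owns `actual` controls it.
        return [f"{expected_domain} is only a subdomain; "
                f"the real owner is {actual}"]
    return [f"{actual} is not {expected_domain}"]


def check_anchor(visible_text: str, href: str, expected_domain: str) -> list[str]:
    """The hover test: compare the URL shown in the link text (when the text
    is itself a URL) with where the link really goes, then check that target."""
    reasons = check_link(href, expected_domain)
    shown = urlparse(visible_text).hostname
    real = urlparse(href).hostname
    if shown and real and shown.lower() != real.lower():
        reasons.insert(0, f"text shows {shown} but link goes to {real}")
    return reasons


if __name__ == "__main__":
    # Constructed sample URLs following the article's lookalike patterns.
    for url in ["https://www.paypal.com/signin",
                "https://paypa1.com/signin",
                "https://paypal.com.secure-login.net/signin",
                "https://bit.ly/constructed"]:
        print(url, "->", check_link(url, "paypal.com") or ["looks consistent"])
```

The same registrable-domain comparison is what the “Sender address” row asks you to do by eye on the From: address.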

What is a Phishing Scam — And Why Are They So Effective?

A phishing scam exploits trust, not technology. That’s what makes it so persistently effective. Attackers study psychology. They know that fear, urgency, and authority bypass rational thinking — and they design their messages accordingly.

A message that claims your bank account has been frozen triggers an emotional response. You’re not thinking analytically — you’re reacting. And that’s exactly when mistakes happen.

The best defence isn’t just technical awareness. It’s training yourself to pause. One second of deliberate checking — verifying the sender, hovering over a link, calling the organisation directly — can stop an attack in its tracks.

How to Prevent Phishing: Practical Steps That Actually Work

Prevention isn’t complicated. It’s consistent. Here’s what you should be doing right now:

  • Enable multi-factor authentication (MFA) on all important accounts — even if your password is compromised, MFA adds a critical second layer
  • Use a password manager so you’re not reusing credentials across accounts
  • Keep your software and browser up to date — security patches close known vulnerabilities
  • Install email filtering tools that flag suspicious messages before they reach your inbox
  • Verify unexpected requests directly — if an email asks you to do something unusual, call the sender using a number you find yourself, not one in the email
  • Train your team — human error is the number one cause of successful phishing attacks

None of these steps are difficult. But they require habit. Make them automatic, and phishing attacks become dramatically less likely to succeed.

How to Report a Phishing Email

Spotted a suspicious email? Don’t just delete it. Reporting it helps protect others and contributes to broader cybersecurity efforts.

  • In the UK, forward it to report@phishing.gov.uk (the NCSC’s reporting service)
  • In the US, forward it to reportphishing@apwg.org or use the Anti-Phishing Working Group’s tools
  • If it impersonates a specific company, report it directly to that organisation’s security team
  • Report a scam email to your email provider using the built-in “Report phishing” or “Report spam” function
  • If you’ve already clicked a link or provided information, contact your bank immediately and change your passwords

Reporting phishing emails is one of the simplest things you can do to contribute to collective online safety. It takes thirty seconds and it matters.

Define Phishing: Key Terms You Should Know

A quick reference to the language used around phishing — because understanding the terminology helps you stay alert:

Term               | Definition
-------------------|------------------------------------------------------------------------
Phishing           | A cyberattack using deceptive messages to steal sensitive information
Spear phishing     | A targeted phishing attack personalised to a specific individual
Whaling            | Spear phishing aimed at senior executives or high-value targets
Smishing           | Phishing conducted via SMS text messages
Vishing            | Phishing conducted via voice calls
Phishing link      | A fraudulent URL designed to steal credentials or install malware
Phishing scam      | A broader term for any deceptive scheme using phishing tactics
Social engineering | Manipulating people psychologically rather than exploiting technical flaws

Related Topics Worth Reading

If this article was useful, you’ll also want to explore:

  • “What is Malware? How to Detect and Remove It” — understand what happens after a successful phishing attack
  • “Cybersecurity Best Practices for Small Businesses” — a full guide to protecting your organisation
  • “How to Create a Strong Password” — the foundation of account security
  • “Two-Factor Authentication Explained” — why MFA is non-negotiable in 2026

Frequently Asked Questions About Phishing

Q: What is phishing in simple terms?

A: Phishing is a type of online scam where criminals pretend to be a trusted person or organisation — like your bank or employer — to trick you into revealing passwords, financial details, or other sensitive information. It most commonly happens via email, but also through text messages and phone calls.

Q: What is the difference between phishing and spear phishing?

A: Regular phishing is a broad, untargeted attack sent to many people at once. Spear phishing is a highly personalised attack aimed at a specific individual, often using real details about their job, company, or colleagues to appear more convincing.

Q: What should I do if I clicked a phishing link?

A: Don’t panic — but act fast. Disconnect your device from the internet, change the passwords of any accounts you accessed, contact your bank if financial details were involved, and report the incident to your IT team or local cybercrime authority. Run a malware scan on your device as soon as possible.

Q: How do I report a phishing email?

A: In the UK, forward it to report@phishing.gov.uk. In the US, send it to reportphishing@apwg.org. You can also use the built-in “Report phishing” feature in most email clients including Gmail and Outlook. If the email impersonates a specific company, notify that company’s security team as well.

Q: Can phishing attacks target businesses, not just individuals?

A: Absolutely — and businesses are often the primary target. Business Email Compromise (BEC) is a form of spear phishing that specifically targets employees with access to finances or sensitive systems. A single successful attack on a business can result in hundreds of thousands of dollars in losses.

Final Thoughts

Phishing isn’t going away. If anything, it’s getting more sophisticated — more targeted, more convincing, and harder to detect without the right knowledge.

But here’s the thing: awareness is your single most powerful defence. The people who fall for phishing attacks aren’t foolish — they’re simply caught off guard. Now that you know what a phishing attack looks like, how to spot a fake email, and what to do if you encounter one, you’re significantly better protected.

Share this article with your team, your family, or anyone else who spends time online. The more people understand what phishing is — and how to spot it — the harder it becomes for attackers to succeed.

And if you’re looking to take your organisation’s cybersecurity further, explore our full library of guides on email security, data protection, and cyber threat prevention.