Phishing is a cyberattack where someone sends you a fake message — email, text, phone call, or social media DM — that impersonates a trusted source to trick you into handing over passwords, financial details, or personal information. The word is a play on ‘fishing’ — attackers cast bait and wait for victims to bite.
In 2024, the Anti-Phishing Working Group (APWG) recorded 4.8 million phishing attacks — the highest since the organisation was founded in 2003. In 2025, that figure is projected to exceed 5 million. And the attacks have fundamentally changed: AI-generated phishing emails are now indistinguishable from legitimate messages. The old advice to ‘look for typos and bad grammar’ is, as of 2026, officially dead.
Here is everything you need to know: what phishing is, every major type, real examples from 2025-2026, how to spot attacks that even experts miss, and exactly what to do if you click something you should not have.
What Is Phishing? Definition
Phishing is a type of social engineering attack. Rather than hacking through technical vulnerabilities, attackers exploit human psychology — urgency, fear, authority, and trust — to get victims to take an action that benefits the attacker. That action might be clicking a link, downloading an attachment, entering credentials on a fake website, transferring money, or giving out personal information.
The defining features of phishing:
- Impersonation — the attacker pretends to be a trusted entity: your bank, Microsoft, your employer, Amazon, the IRS, or a colleague
- Deception — the message contains false information designed to create a sense of urgency or legitimacy
- A harmful action — the goal is to make you click, download, enter data, call a number, or transfer money
Every Type of Phishing Attack Explained
| Type | Channel | How It Works |
|---|---|---|
| Email phishing | Email | Mass fake emails impersonating banks, Microsoft, Amazon, USPS |
| Spear phishing | Email | Targeted attack on a specific person using personal details |
| Whaling | Email | Spear phishing aimed at C-suite executives (CEO, CFO) |
| Smishing | SMS / text | Fake package delivery texts; ‘unusual activity’ bank alerts |
| Vishing | Phone call | Fake IRS, tech support, or bank calls asking for information |
| Quishing | QR code | QR code in email or physical location leads to credential harvester |
| Business Email Compromise (BEC) | Email | Compromised or spoofed business email; requests wire transfer or payroll change |
| Clone phishing | Email | Exact copy of a real previous email with malicious links replaced |
| Social media phishing | LinkedIn, DMs | Fake investment offers, job scams, account takeover via DM |
| Search engine phishing | Google Ads | Fake sponsored results above legitimate sites (e.g. fake PayPal login) |
Email Phishing: Still the Most Common Attack
Standard email phishing involves mass-sending fake emails impersonating well-known brands. The most impersonated brands in phishing attacks are Microsoft, Google, Amazon, PayPal, and Apple — all companies with massive user bases where a generic ‘your account has been compromised’ message reaches enough real users to be effective.
Common email phishing templates in 2026:
- ‘Your Microsoft 365 account will be suspended — verify now’ (links to a fake Microsoft login page)
- ‘Your Amazon order could not be delivered — update your payment details’
- ‘Unusual sign-in activity detected on your Google account’
- ‘Your USPS package is on hold — confirm your address’
- ‘Invoice #INV-2026-04812 is attached — please process by end of day’
Financial services account for 23.5% of phishing targets; SaaS and webmail (Microsoft 365, Google Workspace) account for 19.4%; e-commerce (Amazon, PayPal) 14.2%; and social media 12.8% — according to APWG data for 2024-2025.
Spear Phishing: Targeted Attacks
Spear phishing is email phishing with a personal touch. Instead of a generic message, attackers research the target first — using LinkedIn, company websites, social media, and data from previous breaches — and craft a message that uses real names, job titles, current projects, or relationships.
A real spear phishing campaign from May 2025: attackers targeted CFOs and finance executives at US banks, utilities, insurers, and investment firms. Posing as recruiters from Rothschild & Co., they used encrypted CAPTCHAs that delivered a script in a ZIP file. That script installed NetBird, a legitimate remote-access tool, giving the attackers persistent access for wire transfers and data theft.
Another 2025 example: Illinois’s Office of the Special Deputy Receiver lost $6.85 million to BEC spear phishing. The attacker accessed the CFO’s Outlook account, then sent emails to staff requesting wire transfers. Eight transfers went out before detection. A federal court ruled the loss was not covered under their cyber insurance contract exclusions.
Smishing: Phishing via Text Message
Smishing (SMS phishing) has grown significantly as email filters have improved. Text messages have no equivalent of email spam filtering, and people are generally less suspicious of texts than emails. Common smishing scenarios:
- Fake USPS, FedEx, or UPS delivery notifications: ‘Your package is held — pay £1.50 to release it’ (link to a fake delivery site)
- Fake bank alerts: ‘Suspicious activity on your account — verify your identity now’
- Government impersonation: ‘IRS: You have a pending refund of $847 — claim within 48 hours’
- Fake two-factor authentication: ‘Your security code is expiring — click here to reset’
If you receive an unexpected text with a link, do not click it. Go directly to the company’s website by typing the address yourself.
Quishing: QR Code Phishing — The Fastest Growing Vector
Quishing (QR phishing) has exploded since 2024. Attackers embed malicious QR codes in emails, physical posters, parking meters, restaurant menus, and printed documents. When you scan the QR code with your phone, it bypasses corporate email filters entirely — the attack moves to your personal device, which has far fewer security controls than a work computer.
Common quishing scenarios: ‘Scan to listen to your voicemail,’ ‘Scan to re-enroll in MFA,’ ‘Scan to view your invoice.’ Treat any unexpected QR code asking you to authenticate as suspicious. Re-enroll MFA from your normal login flow on a device you trust, not from a QR code in an email.
Business Email Compromise (BEC): The Highest-Cost Attack
BEC is the most expensive phishing variant. The FBI’s IC3 2025 report shows BEC fraud cost US complainants more than $3 billion across 12 months — more than ransomware. BEC attacks work by:
- Compromising a legitimate business email account (usually by phishing its credentials first)
- Using the compromised account to send emails requesting wire transfers, payroll account changes, or vendor payment redirects
- Relying on the fact that the emails come from a real account, so they pass email authentication checks and often include genuine thread history
BEC attacks are particularly effective because the email comes from a real address in your contacts. The solution: verify any money-movement or payroll-change request through a second channel — phone call, in-person confirmation, or a separate Slack message — every single time, regardless of how legitimate the email looks.
How AI Changed Phishing in 2025-2026
Generative AI fundamentally changed phishing in 2024-2025. AI-written phishing emails:
- Have no typos or grammar errors — AI writes fluently in any language
- Are personalised at scale — attackers feed LinkedIn data into AI to generate personalised spear phishing for thousands of targets simultaneously
- Mimic writing style — AI can be trained on a target’s email history to impersonate their communication style precisely
- Bypass content filters — AI can generate novel phrasing that does not match known phishing signatures
The practical implication: you can no longer use ‘bad writing’ as a reliable phishing signal. The email will read perfectly. You must check sender domain, URL destination, and verify through a second channel instead.
7 Red Flags That Still Catch Phishing in 2026
| Red Flag | What to Check |
|---|---|
| Mismatched sender domain | Display name says ‘Microsoft’ but email is from microsoft-alerts@outlook-support.net — not @microsoft.com |
| Urgency + secrecy | ‘Act within 24 hours or your account will be closed’ / ‘Do not tell anyone about this request’ |
| Unexpected MFA prompt | MFA push notification you did not initiate — do not approve; call the sender directly |
| Link mismatch | Hover over the link — visible text says paypal.com but actual URL goes elsewhere |
| QR code asking to authenticate | Any QR code requesting login or MFA re-enrolment should be treated as suspicious |
| Unexpected attachment | PDF, ZIP, or Office file you were not expecting from any sender — even known contacts |
| Request to change payment details | Any email asking you to update bank details or wire transfer instructions — always verify by phone |
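Three of the seven red flags above (sender-domain mismatch, urgency and secrecy phrasing, and link text that disagrees with the href) can be checked mechanically. The Python script below is an added example, not part of the original article; it runs those checks over a constructed sample message, and the brand-to-domain map, the sample sender address and the link hosts are assumptions for the demo.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real phishing message): the display name claims
# Microsoft, but neither the sender domain nor the link target is microsoft.com.
RAW_EMAIL = """\
From: Microsoft Account Team <alerts@outlook-support.net>
Subject: Your Microsoft 365 account will be suspended - verify now
Content-Type: text/html

<p>Unusual sign-in activity detected. Act within 24 hours or your account
will be closed. Do not tell anyone about this request.</p>
<a href="https://login.microsoft-verify.example/auth">https://login.microsoft.com</a>
"""
# Brand -> domain it really sends from (@microsoft.com is on the page; the others
# are assumed). The urgency phrases are the ones the table quotes.
BRAND_DOMAINS = {"microsoft": "microsoft.com", "paypal": "paypal.com", "amazon": "amazon.com"}
URGENCY = ["within 24 hours", "verify now", "suspended", "will be closed", "do not tell anyone"]

def registrable(host):
    """Crude eTLD+1 (last two labels); enough for the brands above."""
    return ".".join(host.lower().split(".")[-2:])

def check_headers(msg):
    """Red flag 1: display name claims a brand the address domain does not match."""
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    return [f"display name '{name}' but sender domain {domain}"
            for brand, real in BRAND_DOMAINS.items()
            if brand in name.lower() and registrable(domain) != real]

def check_links(html):
    """Red flag 4: visible link text shows one host, href points somewhere else."""
    flags = []
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S):
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text)   # a host-like token in the text
        real = urlparse(href).hostname or ""
        if shown and registrable(shown.group()) != registrable(real):
            flags.append(f"link text '{shown.group()}' but href host {real}")
    return flags

def check_urgency(text):
    """Red flag 2: urgency or secrecy phrasing."""
    return [f"urgency phrase: '{p}'" for p in URGENCY if p in text.lower()]

def triage(raw):
    """Run the three automatable red flags over one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    return check_headers(msg) + check_links(body) + check_urgency(msg["Subject"] + " " + body)
```

On the sample it reports one sender-domain flag, one link-mismatch flag and five urgency phrases; a message with none of these still deserves the manual checks in the table (MFA prompts, attachments, payment changes).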
Roughly one in three phishing attacks detected in 2025 were delivered outside email — via LinkedIn DMs, Google search sponsored results, text messages, and phone calls. Your email security tools cannot protect you from these vectors.
What to Do If You Clicked a Phishing Link
If you click a phishing link, act quickly — the window for limiting damage is short:
- Disconnect — immediately disconnect the device from Wi-Fi and mobile data to stop any malware from communicating with the attacker’s server
- Change your password — reset the password for any account that may be compromised, on a different clean device
- Revoke sessions — log out of all active sessions for the affected account (most email providers have a ‘sign out everywhere’ option)
- Check inbox rules — attackers often set up email forwarding rules after compromise; check your inbox rules and delete anything unfamiliar
- Run a security scan — run updated antivirus/EDR software on the affected device
- Report the phishing email — forward to reportphishing@apwg.org (Anti-Phishing Working Group) and report to your IT team if it is a work device
- Report to the FTC — report identity theft and phishing at IdentityTheft.gov if personal information was compromised
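The inbox-rule step is the one an incident responder can script. This Python audit is an added example, not from the article; it takes a constructed rule list in the shape of Exchange Online's Get-InboxRule output (the field names are real cmdlet properties, the rules and org domain are made up) and, going beyond the forwarding case the article names, also flags rules that delete or hide finance-related mail and rules with near-empty names, both well-documented post-compromise tradecraft.

```python
# Constructed inbox-rule export shaped like Exchange Online's Get-InboxRule output
# (the field names are real cmdlet properties; the rules and domain are made up).
RULES = [
    {"Name": "Team newsletter", "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": "Newsletters", "SubjectContainsWords": ["digest"]},
    {"Name": ".", "Enabled": True, "ForwardTo": ["collector@mail-drop.test"], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": None, "SubjectContainsWords": []},
    {"Name": "RSS Feeds", "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": True, "MoveToFolder": None,
     "SubjectContainsWords": ["invoice", "wire", "payment", "phish"]},
]
ORG_DOMAIN = "example.com"
# Words an intruder filters on to keep the victim from seeing replies or warnings.
FINANCE_WORDS = {"invoice", "wire", "payment", "payroll", "bank", "phish", "fraud", "hacked"}
# Folders rules commonly move mail into so the owner never notices it.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email", "conversation history"}

def audit_rules(rules, org_domain):
    """Return (rule name, reason) pairs for enabled rules that look like persistence."""
    findings = []
    for r in rules:
        if not r.get("Enabled", False):
            continue
        name = r.get("Name", "")
        targets = r.get("ForwardTo", []) + r.get("RedirectTo", [])
        external = [t for t in targets if not t.lower().endswith("@" + org_domain)]
        if external:   # the article's case: copies of mail leave the organisation
            findings.append((name, "forwards or redirects outside the org: " + ", ".join(external)))
        hits = {w.lower() for w in r.get("SubjectContainsWords", [])} & FINANCE_WORDS
        hidden = r.get("DeleteMessage") or (r.get("MoveToFolder") or "").lower() in HIDE_FOLDERS
        if hits and hidden:
            findings.append((name, "deletes or hides mail matching: " + ", ".join(sorted(hits))))
        if not name.strip(" .,-_"):
            findings.append((name, "near-empty rule name, easy to overlook in the rules list"))
    return findings
```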
How to Report Phishing
| Type | How to Report |
|---|---|
| Phishing email | Forward to reportphishing@apwg.org (Anti-Phishing Working Group) |
| Phishing text (SMS) | Forward the message to 7726 (SPAM) — works on all major US carriers |
| Phishing impersonating the IRS | Forward to phishing@irs.gov |
| Identity theft resulting from phishing | Report at IdentityTheft.gov (FTC) for a personalised recovery plan |
| Business phishing / BEC | Report to the FBI’s Internet Crime Complaint Center at ic3.gov |
| UK phishing (any type) | Forward to report@phishing.gov.uk (National Cyber Security Centre) |
How to Protect Yourself from Phishing
- Use a password manager — unique passwords per site mean a single phished site cannot unlock your other accounts
- Use FIDO2 hardware security keys (YubiKey) for critical accounts — unlike SMS codes or authenticator apps, hardware keys are domain-bound and refuse to authenticate on fake sites
- Enable multi-factor authentication (MFA) everywhere — even imperfect MFA (SMS codes) stops most credential-stuffing attacks
- Verify payment requests out-of-band — always call the person to confirm any wire transfer, payroll change, or payment detail update before acting
- Hover before clicking — check the actual URL destination before clicking any link
- Type URLs directly — go to your bank, Microsoft, or Amazon by typing the address yourself rather than clicking email links
- Use email security tools — Microsoft Defender, Google Workspace’s built-in phishing detection, or third-party tools like Proofpoint or Mimecast reduce email phishing volume significantly
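Why a FIDO2 key "refuses to authenticate on fake sites" comes down to scoping: the browser derives the relying-party ID from the page's real origin, the key only answers for credentials registered under that ID, and the site checks the origin the browser recorded. The Python model below is an added illustration, not the article's or any FIDO library's code; it stands in an HMAC for the key's ECDSA signature and uses assumed origins (accounts.example.com and a look-alike), so it shows the scoping logic rather than real cryptography.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Toy model of WebAuthn credential scoping (added example, not real FIDO2 code).
# The authenticator's ECDSA signature is stood in for by an HMAC, and the relying
# party keeps that HMAC key as its "verification key" (real FIDO2: public key only).
class Authenticator:
    """Security key: credentials live in a table keyed by relying-party ID (rpId)."""
    def __init__(self):
        self.creds = {}
    def register(self, rp_id):
        self.creds[rp_id] = secrets.token_bytes(32)   # private key never leaves the key
        return self.creds[rp_id]                       # stand-in for the public key
    def get_assertion(self, rp_id, client_data_hash):
        key = self.creds.get(rp_id)
        if key is None:                                # nothing registered for this rpId
            return None
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # the rpIdHash field
        return auth_data, hmac.new(key, auth_data + client_data_hash, "sha256").digest()

def browser_get(auth, page_origin, challenge):
    """The browser, not the page's script, fixes rpId and records the true origin."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    result = auth.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return None if result is None else (client_data, *result)

def rp_verify(verify_key, rp_id, expected_origin, challenge, response):
    """Relying party: accept only if origin, challenge, rpIdHash and signature all match."""
    if response is None:
        return False
    client_data, auth_data, sig = response
    cd = json.loads(client_data)
    if cd["origin"] != expected_origin or cd["challenge"] != challenge:
        return False                                   # assertion came from another origin
    if auth_data != hashlib.sha256(rp_id.encode()).digest():
        return False
    expected = hmac.new(verify_key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(sig, expected)

def login_attempt(page_origin, rp_origin="https://accounts.example.com"):
    """Enrol the key on rp_origin, then try to log in while the user is on page_origin."""
    auth, rp_id = Authenticator(), urlparse(rp_origin).hostname
    verify_key = auth.register(rp_id)
    challenge = secrets.token_hex(16)
    return rp_verify(verify_key, rp_id, rp_origin, challenge,
                     browser_get(auth, page_origin, challenge))
```

A look-alike host never gets an assertion at all, and even an assertion produced on the right host but a different scheme fails the origin check at the relying party; an SMS or app code has no such binding, which is why it can be relayed through a fake page.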
Worried about phishing emails that impersonate TV Licensing in the UK? See our guide, TV Licence scam emails: how to spot and report them, for specific examples and what to do.
Got a suspicious text message asking for payment? The FTC’s official guidance on recognising and avoiding phishing is at consumer.ftc.gov/phishing — including how to report to the right agency depending on the type of attack.
Report phishing emails directly to the Anti-Phishing Working Group at reportphishing@apwg.org or forward SMS phishing by texting the message to 7726.
Bottom Line
| Topic | Summary |
|---|---|
| What is phishing? | Social engineering attack tricking you into handing over credentials, money, or data |
| Volume in 2024 | 4.8 million attacks recorded by APWG — historic high |
| AI impact | Typos and bad grammar no longer reliable signals — AI generates flawless phishing |
| Costliest type | BEC — $3 billion lost in the US in 2025 alone |
| Fastest growing | Quishing (QR code phishing) — bypasses email filters by moving to your phone |
| Best protection | FIDO2 hardware keys + password manager + verify all payment requests by phone |
| If you clicked | Disconnect, change password, revoke sessions, check inbox rules, run scan |
| Report to | reportphishing@apwg.org (email) / text 7726 (SMS) / ic3.gov (BEC/business) |
Frequently Asked Questions
What is phishing in simple terms?
Phishing is when someone sends you a fake message — email, text, phone call, or social media — pretending to be a trusted company or person, with the goal of tricking you into giving up your password, bank details, or personal information. The name comes from ‘fishing’ — attackers cast bait and wait for victims to take it. In 2024, the Anti-Phishing Working Group recorded 4.8 million phishing attacks — a historic high.
What are the most common types of phishing?
The most common types are email phishing (mass fake emails impersonating banks, Microsoft, Amazon), spear phishing (targeted attacks using personal details), smishing (fake texts about deliveries or bank alerts), vishing (fake phone calls from ‘IRS’ or ‘tech support’), quishing (malicious QR codes), and Business Email Compromise (BEC) where attackers impersonate business contacts to request wire transfers. BEC is the most financially damaging type, costing US businesses over $3 billion in 2025.
How do I spot a phishing email in 2026?
You cannot rely on typos or bad grammar in 2026 — AI writes flawless phishing. Instead check: the actual sender email address (not just the display name), hover over links before clicking to see the real URL, be suspicious of any unexpected urgency (‘act within 24 hours’), never approve MFA prompts you did not initiate, and treat any QR code asking you to log in as suspicious. Verify any money movement request through a separate phone call.
What should I do if I clicked a phishing link?
Act immediately: disconnect the device from the internet (Wi-Fi and mobile data), change the password for any account that may be affected on a clean device, revoke all active sessions, check your email inbox rules for any new forwarding rules set by the attacker, run updated security software, and report the phishing attempt to reportphishing@apwg.org or, if identity theft occurred, at IdentityTheft.gov.
What is the difference between phishing and spear phishing?
Phishing is mass-sent and generic — the same email goes to thousands of recipients with minimal personalisation. Spear phishing is targeted — attackers research a specific individual or organisation and craft a message using real names, job titles, current projects, or relationships to make it highly convincing. Spear phishing has a much higher success rate and is used for high-value targets like executives and finance teams.