
Phishing is a scam in which attackers impersonate a trusted person or organisation to trick you into revealing sensitive information — passwords, card numbers, codes — or into clicking a malicious link or attachment. It’s the most common cyberattack in the world and the starting point for everything from drained bank accounts to corporate ransomware. The good news: once you know the patterns, phishing is one of the most avoidable threats out there.
Reviewed and kept current by the Coppers.io editorial team — see how we research .
How phishing works
The name is a play on “fishing” — attackers cast out bait (a convincing message) and wait for someone to bite. A typical phish:
- Impersonates someone you trust — your bank, a delivery company, an employer, a popular service.
- Creates a reason to act now — a “locked account,” a “failed payment,” a “package on hold.”
- Directs you to act — click a link to a fake login page, open an attachment, or reply with details.
- Harvests what you give — your credentials, card details, or a one-time code go straight to the attacker.
Phishing is the most common form of social engineering — manipulating people rather than breaking technology.
Types of phishing
| Type | How it works |
|---|---|
| Email phishing | Mass deceptive emails impersonating trusted brands |
| Spear phishing | Targeted, personalised attacks on a specific person |
| Whaling | Spear phishing aimed at executives or “big fish” |
| Smishing | Phishing via SMS text messages |
| Vishing | Voice/phone phishing, increasingly with AI voice cloning |
| Clone phishing | A copy of a real message with links swapped for malicious ones |
| Angler phishing | Fake customer-support accounts on social media |
| Pharming | Redirecting you to a fake site even with the right address |
Spear phishing deserves special attention: instead of a generic blast, the attacker researches you and references real details — your name, employer, or recent activity — to be far more convincing. AI has made this kind of personalisation cheap and scalable, as covered in AI phishing scams .
Real warning signs
Even polished, AI-written phishing tends to share tells:
- Urgency or threats — “act within 24 hours or your account closes.”
- Requests for sensitive data — passwords, codes, or card numbers (legitimate firms don’t ask this way).
- Mismatched links — hover to see the real destination; watch for look-alike domains like
paypa1.com. - Generic or odd greetings — “Dear Customer,” or a tone that’s slightly off.
- Unexpected attachments — especially
.zip,.exe, or documents urging you to “enable content.” - A channel switch — pushing you from email to WhatsApp or phone to “resolve” it.
When grammar used to be a giveaway, that’s now unreliable — modern phishing reads perfectly, so judge the intent, not the spelling.
A quick example
From: Netflix Support [email protected] Subject: Your account is on hold “We couldn’t process your payment. Update your billing details within 24 hours to avoid cancellation: [Update Now]”
The tells: a look-alike domain (netf1ix), manufactured urgency, and a link to a fake login page designed to capture your password and card.
How to prevent phishing
- Slow down. Urgency is the universal red flag — verify before you act.
- Never click links in unexpected messages. Go to the site directly by typing the address or using your bookmark.
- Verify through a trusted channel. Call the company on a number from its official site, not the message.
- Use passkeys and 2FA. Phishing-resistant logins mean a stolen password often isn’t enough — see what 2FA is .
- Keep software updated and use anti-malware, since phishing often delivers malware or ransomware .
- Report suspicious messages — to your email provider, your IT team, and authorities like the FTC and CISA . The Anti-Phishing Working Group (forward to [email protected] ) tracks campaigns.
For the wider picture, our cybersecurity basics for beginners puts phishing in context with other everyday threats.
What to do if you’ve been phished
- Change the password immediately on the affected account and anywhere you reused it.
- Enable or strengthen 2FA, ideally a passkey or authenticator app.
- Contact your bank if you shared financial details, and watch for fraud.
- Scan for malware if you opened an attachment.
- Report it so the campaign can be shut down faster.
The bottom line
Phishing tricks you into handing over information by impersonating someone you trust and pressing you to act fast. It comes in many forms — email, spear phishing, smishing, vishing — but they share the same DNA: urgency, impersonation, and a request for data or money. Slow down, verify independently, never click unexpected links, and use passkeys and 2FA. Those habits defuse the world’s most common cyberattack.
FAQs
- Phishing is a scam where attackers pretend to be a trusted person or company to trick you into giving up sensitive information — like passwords or card details — or clicking a malicious link. It usually arrives by email, text, or phone and relies on urgency and impersonation.
- Email phishing is the most common, followed by spear phishing (targeted at a specific person), whaling (aimed at executives), smishing (via SMS), and vishing (via phone calls). They differ in delivery but all rely on impersonation and manipulation.
- Look for urgency or threats, requests for passwords or codes, mismatched or look-alike links, unexpected attachments, and attempts to move you to another channel. Hover over links to check the real destination, and verify directly with the company through a trusted number or website.
- Change the password on the affected account and anywhere you reused it, turn on strong 2FA or a passkey, contact your bank if you shared financial details, scan for malware if you opened an attachment, and report the phishing attempt. Acting quickly usually limits the damage.
- It helps a lot. Standard 2FA means a stolen password alone isn't enough, though some phishing kits try to capture codes in real time. Phishing-resistant methods like passkeys and hardware keys are the strongest defense because they won't authenticate on a fake site.
