โ† All guides

What is phishing? How scam messages work and how to spot them

Phishing is the most common form of online fraud. Here is what it is, how the different types work, and the signals that give a phishing attempt away.

Phishing is when someone pretends to be a person or organisation you trust in order to steal your details. The word comes from "fishing" - the scammer casts a line and waits for someone to take the bait.

It is the most common form of cybercrime worldwide, and the vast majority of online scams - fake banking alerts, parcel delivery texts, HMRC refund emails - are variations of the same basic attack.


What is phishing?

Phishing is a social engineering attack in which a scammer impersonates a trusted organisation - a bank, a government service, a delivery company, a retailer - to trick you into handing over your login credentials, payment details, or personal information.

The scammer typically sends a message that creates urgency ("your account will be suspended"), fear ("suspicious activity detected"), or excitement ("you have a parcel waiting"). The message contains a link to a fake website that looks convincing enough for you to enter your details before you realise something is wrong.

Once you've entered your information, the scammer has what they need. Credentials are used to access your accounts directly, or sold. Payment details are used to make fraudulent purchases. Personal information is used in identity fraud.


How a phishing attack works

A typical phishing attack follows the same pattern:

  1. Contact - You receive an email, text, or call from someone impersonating a trusted organisation
  2. Hook - The message creates urgency, fear, or curiosity ("Click here to verify your account before it's closed")
  3. Fake page - The link takes you to a convincing-looking website, often at a domain designed to look like the real one at a glance
  4. Credential harvest - You enter your login, card number, or personal details, believing the site to be legitimate
  5. Exploitation - The scammer uses your details immediately, or sells them

The whole cycle can take minutes. You may not realise anything happened until your bank contacts you, or you try to log into an account and find your password has been changed.


Types of phishing

Email phishing

The classic and still the most common. A scammer sends an email claiming to be from your bank, HMRC, Royal Mail, Netflix, Amazon, or any other organisation you're likely to have an account with. The email usually contains a link to a fake login page, or asks you to open an attachment containing malware.

Mass phishing campaigns send millions of emails at once. Even a tiny response rate is enough to make them worthwhile for the scammer.

Smishing (SMS phishing)

Phishing via text message. Common examples include fake parcel delivery notifications, HMRC refund alerts, and bank fraud warnings. Smishing messages often include shortened URLs to hide the destination, or QR codes.

Because people tend to trust text messages more than emails, smishing often has a higher click-through rate than email phishing.

Vishing (voice phishing)

Phishing via phone call. A scammer calls claiming to be from your bank, HMRC, or a tech support company. They use urgency ("fraudulent activity on your account") to pressure you into giving account details, authorising a payment, or allowing remote access to your device.

Banks will never ask you to transfer money to a "safe account" over the phone. That is always a scam.

Spear phishing

Targeted phishing aimed at a specific individual or organisation. Unlike mass-campaign phishing, spear phishing uses personal details gathered from LinkedIn, social media, or data breaches to make the message convincing - using your name, your employer, your colleague's name.

Spear phishing is far more dangerous than generic campaigns because the messages are tailored, and the target is usually someone with access to something valuable: corporate accounts, payroll systems, sensitive data.

Quishing (QR code phishing)

Phishing delivered via QR code rather than a clickable link. A QR code hides its destination completely until you scan it - which means you can't read the URL before interacting with it, and most email security tools can't detect it.

Read more about quishing →


How to spot a phishing message

No single tell is definitive, but these signals - especially in combination - are strong warning signs:

  • Urgency or threats - "Act within 24 hours or your account will be closed." Scammers want you to react before you think.
  • Unsolicited contact - You weren't expecting this message, especially about an account or delivery
  • Mismatched sender details - The email looks like it's from HMRC but the address is refund-support@gov-hmrc.net
  • Suspicious links - Hover over any link (without clicking) to see the real destination. Does the domain match the organisation?
  • Generic greeting - "Dear Customer" instead of your name is a common sign of a mass campaign
  • Requests for sensitive information - Legitimate banks and government services will never ask for your full password, PIN, or payment card details over email or text
  • Pressure to bypass normal process - "Don't call the number on the back of your card, call us directly"

What to do if you receive a phishing message

Don't click the link. If you want to check whether the message is genuine, go directly to the organisation's official website - type the address yourself or use a saved bookmark - and log in there.

Check the link without visiting it. If you want to check where a link actually goes, copy it (without clicking) and paste it into SniffTest. It runs 17 safety checks and returns a plain-English verdict before you've opened anything.

Report it. In the UK, forward phishing emails to report@phishing.gov.uk and phishing texts to 7726 (spells SPAM). In the US, report phishing attempts to the FTC at reportfraud.ftc.gov.

Don't engage with the sender. Replying, even to say "wrong number", confirms your address is active and may lead to more targeting.


What to do if you fell for a phishing attack

Speed matters. The sooner you act, the better your chances of limiting the damage.

If you entered your password:

  1. Change it immediately on every account where you use the same credentials
  2. Enable two-factor authentication if you haven't already
  3. Check account activity for anything you didn't authorise

If you entered payment details:

  1. Contact your bank immediately - ask them to freeze your card and monitor for fraud
  2. Your bank may be able to reverse transactions made in the last 24 hours

If you opened an attachment:

  1. Disconnect the device from the internet
  2. Run a full antivirus scan
  3. Contact your IT department if it was a work device

Report the phishing attempt to the NCSC at report.ncsc.gov.uk (UK) or the FTC at reportfraud.ftc.gov (US). Your report helps protect other people.


Frequently asked questions

Q: What is phishing in simple terms?

A: Phishing is when a scammer pretends to be a trusted organisation - your bank, HMRC, a delivery company - to trick you into handing over your password, payment details, or personal information. The name comes from fishing: the scammer casts a message and waits for someone to take the bait.

Q: What is the most common type of phishing?

A: Email phishing is the most widespread, but smishing (phishing via text message) is increasingly common and often has higher click rates because people tend to trust texts more than emails. Parcel delivery notifications, bank fraud alerts, and HMRC refund texts are among the most frequently used lures.

Q: How can I tell if an email is phishing?

A: Check the sender's actual email address, not just the display name - it often contains a suspicious domain. Look for urgency, generic greetings, and requests for sensitive information. Hover over any links without clicking to see where they actually lead. When in doubt, go directly to the organisation's official website rather than clicking the link in the message.

Q: What happens if I click a phishing link?

A: Clicking a link alone does not usually cause harm. The risk comes from what happens next: entering your details on the fake site, or - in some cases - a malicious download starting automatically. If you clicked but entered nothing, close the tab and run the URL through SniffTest to confirm. If you entered credentials or payment details, change your passwords and contact your bank immediately.

Q: Can phishing happen over text or phone?

A: Yes. Phishing via text is called smishing; phishing via voice call is called vishing. Both are common. Smishing messages often impersonate parcel companies, banks, or government services. Vishing calls typically claim to be from your bank's fraud team and pressure you to authorise a payment or share account details. Your bank will never ask you to transfer money to a "safe account" by phone - that is always a scam.

Q: How is phishing different from a scam website?

A: Phishing specifically involves an impersonation - a fake message or site pretending to be a legitimate organisation. A scam website is a broader category that includes fake shops and fraudulent services that may not impersonate a specific brand. Both are designed to steal money or information, and both can be checked with SniffTest before you hand anything over.


โ† All guides