What Is Phishing? How to Spot and Avoid Attacks (2026)

How phishing works

A phishing attack typically follows this pattern:

• ◆You receive an email, text, or social media message from what appears to be a trusted source (your bank, Netflix, PayPal, a colleague, Amazon)
• ◆The message creates urgency: 'Your account will be suspended,' 'Unusual activity detected,' 'Your payment failed'
• ◆You click a link that leads to a convincing but fake website
• ◆You enter your credentials or payment details — which are captured by the attacker
• ◆The attacker logs into your real account and changes the password, steals funds, or sells your credentials

Types of phishing

• ◆Email phishing: Mass emails impersonating banks, streaming services, shipping companies, or government agencies
• ◆Spear phishing: Targeted emails using personal information (your name, company, recent purchases) to appear more convincing
• ◆Smishing (SMS phishing): Text messages claiming to be from FedEx, USPS, banks, or Apple/Google with suspicious links
• ◆Vishing (voice phishing): Phone calls from 'Microsoft Support,' 'IRS,' or 'bank fraud department' requesting remote access or payments
• ◆Clone phishing: A legitimate email is cloned and re-sent with a malicious link replacing the legitimate one

How to spot a phishing email

• ◆Check the sender address: 'paypal-security@paypa1.com' not 'security@paypal.com' — look for character substitutions
• ◆Hover over links (don't click): The URL in the status bar should match the real domain
• ◆Look for urgency and threats: Legitimate companies don't threaten immediate account closure
• ◆Check for generic greetings: 'Dear Customer' instead of your name
• ◆Verify unexpected attachments: Don't open attachments from unexpected senders — even if it looks like a PDF
• ◆Look for poor grammar and spelling: Though AI-generated phishing has improved this significantly in 2025-2026

Technical defenses

• ◆Enable 2FA on all accounts: Even if your password is stolen, the attacker can't log in without the second factor
• ◆Use a password manager: It won't autofill credentials on fake domains — a built-in phishing detector
• ◆Use email filtering: Gmail and Outlook have strong built-in spam/phishing filters. Consider additional services like Proofpoint for work email.
• ◆Enable suspicious login alerts: Most major services (Google, Microsoft, Apple) send alerts for new logins
• ◆Use uBlock Origin browser extension: Blocks known phishing sites proactively

What to do if you fell for a phishing attack

• ◆Change the compromised password immediately — from a different device if possible
• ◆Change the same password on any other site where you used it
• ◆Enable 2FA on the compromised account
• ◆Check recent account activity for unauthorized transactions or changes
• ◆Contact your bank if payment details were entered — they can freeze the card
• ◆File a report: US → reportphishing@apwg.org or the FBI's IC3. UK → report@phishing.gov.uk