What Is Phishing? How to Spot and Avoid Scams (2026)
Learn what phishing is, the most common types of phishing attacks in 2026, how to spot fake emails and websites, and how to protect yourself.

More than 90% of cyberattacks still start with a phishing email. Not malware. Not zero-days. A convincingly written message that tricks a real person into typing their password into a fake page. In 2026, AI has made these messages dramatically harder to spot — which is exactly why understanding phishing matters more than ever.
What Is Phishing?
Phishing is a cyberattack where criminals impersonate trusted entities — banks, Google, PayPal, your employer — to trick you into revealing passwords, card numbers or personal data. The name comes from 'fishing': attackers cast a wide net using bait that looks legitimate.

How Phishing Works (Real Example)
- You receive an email that looks like it's from PayPal: 'Unusual login detected on your account.'
- There's a 'Secure your account' button.
- It links to paypa1-security.com — a near-perfect clone of the real PayPal login page.
- You enter your email and password. The fake page captures both.
- It then redirects you to the real PayPal site so nothing seems wrong — but the attacker now has your credentials.
Types of Phishing Attacks in 2026
- Email phishing — still the most common.
- Spear phishing — targeted, personalised, often impersonating your boss or a vendor.
- Smishing — phishing via SMS.
- Vishing — phishing over voice calls, sometimes using AI-cloned voices.
- Clone phishing — a real email you've already received, copied with a malicious link swapped in.
- AI-generated phishing — Microsoft's 2025 Digital Defense Report found AI phishing reaches a 54% click-through rate vs 12% for traditional attempts.
How to Spot a Phishing Email (8 Warning Signs)
- Urgency — 'Your account will be closed in 24 hours.'
- Mismatched sender address that looks 'almost' right.
- Links whose real destination (shown when you hover over them) doesn't match the claimed site.
- Generic greetings: 'Dear Customer'.
- Unexpected attachments, especially .zip or .html files.
- Poor grammar — still common in low-effort attacks.
- Requests for your password by email. Legitimate companies never do this.
- Too-good-to-be-true offers, refunds or prizes.
How to Check If a Website Is Fake
- Look for HTTPS and the padlock — but remember, HTTPS alone doesn't mean safe.
- Read the URL slowly. paypa1.com is not paypal.com.
- Check the certificate issuer and expiry.
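As an added example (not code from the original article), a small Python check that applies the "read the URL slowly" advice above: it extracts the link's host, compares the registrable domain against a constructed list of trusted brands, and flags look-alike substitutions such as paypa1 for paypal or a brand name buried in an unrelated domain. The trusted list, the homoglyph table and the two-label domain rule are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed list: the real sites the article says attackers imitate.
TRUSTED_DOMAINS = {"paypal.com", "google.com", "microsoft.com"}

# Assumed look-alike substitutions seen in spoofed domains (article example: paypa1.com).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(label: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-part public suffixes
    such as co.uk; production code should consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_link(url: str, trusted: set = TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a link target."""
    if "://" not in url:          # allow bare hosts such as paypal.com
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "unknown"
    if registrable_domain(host) in trusted:
        return "trusted"          # same registrable domain as the real brand
    brands = {t.split(".")[0] for t in trusted}
    for label in host.split("."):
        # A brand name appearing in any label of an untrusted domain
        # (paypa1-security, paypal.com.evil.example) is a look-alike.
        if any(brand in normalise(label) for brand in brands):
            return "lookalike"
    return "unknown"
```

A password manager performs a stricter version of the same comparison, which is why it refuses to autofill on paypa1-security.com.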
What to Do If You Clicked a Phishing Link
- Do not enter any credentials.
- Disconnect from Wi-Fi immediately if you suspect a file was downloaded.
- Run a full antivirus scan.
- Change passwords on the affected account and anywhere you reused that password.
- Enable two-factor authentication.
- Report the incident to your IT team or bank.
How to Protect Yourself From Phishing (2026 Best Practices)
- Use a password manager — it refuses to autofill on the wrong domain.
- Turn on 2FA everywhere it's offered.
- Use built-in email filters and report suspicious messages.
- Verify unexpected requests by calling the company directly.
- Keep your browser and OS updated.
Frequently Asked Questions
What is the most common type of phishing?
Email phishing is by far the most common type, accounting for the majority of attacks. Attackers impersonate well-known brands like Google, Microsoft, PayPal and major banks.
Can phishing happen through text messages?
Yes. SMS phishing is called smishing. Attackers send fake delivery notifications, bank alerts and prize messages with malicious links.
Does HTTPS mean a website is safe?
No. HTTPS only means the connection is encrypted — it does not mean the website is legitimate. Phishing sites routinely use HTTPS to appear trustworthy.
What should I do if I gave my password to a phishing site?
Change your password immediately on the affected account and any account where you reused that password. Enable two-factor authentication and contact your bank if financial details were shared.
How can I report a phishing email?
In Gmail, click the three-dot menu and select 'Report phishing'. In Outlook, use 'Report' → 'Report Phishing'. You can also forward phishing emails to reportphishing@apwg.org.