Phishing is a scam that tricks you into handing over sensitive information, such as a password, a verification code, or payment details, by pretending to be a person or company you trust. It usually arrives as an email, text message, phone call, or a fake login page that looks almost identical to the real one. The attacker leans on urgency and fear, hoping you act before you think. The reassuring part is that a couple of habits stop the large majority of attempts. This guide explains how phishing works, the red flags to watch for, and how to protect your accounts.
How phishing works
A phishing message impersonates something familiar: your bank, a delivery service, your employer, or a popular app. It presents a reason to act now, like a locked account, a failed payment, or a package that needs confirmation, and gives you a link or attachment. The link leads to a counterfeit page that captures whatever you type, or the attachment installs something harmful. Modern attacks are harder to spot because AI tools produce clean, personalized messages without the obvious spelling mistakes of years past. That makes the underlying request, not the grammar, the thing to scrutinize.
Common phishing tactics
| Tactic | How it looks |
| --- | --- |
| Urgent threat | Your account will be closed unless you act now |
| Fake login page | A look-alike site that captures your password |
| Smishing | A scam text about a package or payment |
| Spoofed sender | A display name that hides a strange real address |
| Prize or refund bait | You won something or are owed money, just confirm details |
The common thread is pressure to act quickly through a link the sender provided. Many phishing payloads also carry harmful software, which is why our explainer on what malware is in 2026 is a natural companion to this guide.
Red flags to watch for
Several signals should make you pause. An unexpected message that demands urgent action is the biggest one. Look closely at the sender address rather than the display name, and hover over links to see where they really go before clicking. Be wary of generic greetings, requests for passwords or codes that no legitimate company asks for, and slight misspellings in domains. Attachments you did not expect are risky even from known contacts, since accounts get compromised. When something feels off, the safest move is to ignore the message and reach the company through its official app or website on your own.
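As an added illustration of the red flags above (this is example code, not part of the original guide), the following Python checker runs the same checks a careful reader performs by hand over a constructed sample email: a display name that hides a different sender domain, a link whose visible text names one domain while its real destination is another, urgent-action wording, and a request for a password or code. Every name, address and domain in the sample is invented.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for illustration; every name, address and domain here is invented.
SAMPLE = """From: "Northwind Bank" <alerts@northw1ndbank-secure.example>
To: you@example.com
Subject: Urgent: your account will be closed
Content-Type: text/html

<p>Dear customer, act now or your account will be closed today.</p>
<p>Confirm here: <a href="http://northw1ndbank-secure.example/login">https://northwindbank.example/login</a></p>
<p>Or reply with your password and one-time code to keep access.</p>
"""

URGENCY = ("act now", "urgent", "immediately", "will be closed", "suspended")
CREDENTIAL_ASKS = ("password", "one-time code", "verification code")

def display_name_mismatch(from_header):
    """Red flag: the display name claims a brand that the real sender domain does not contain (heuristic)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    brand = name.split()[0].lower() if name else ""
    return bool(brand) and brand not in domain

def link_mismatches(html):
    """Red flag: visible link text names one host while the real href points somewhere else."""
    pairs = re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S)
    out = []
    for href, text in pairs:
        real = (urlparse(href).hostname or "").lower()
        shown = (urlparse(text.strip()).hostname or "").lower()
        if shown and shown != real:
            out.append((shown, real))
    return out

def phishing_signals(raw):
    """Collect the guide's red flags from one raw (non-multipart) message; returns a list of strings."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    signals = []
    if display_name_mismatch(msg.get("From", "")):
        signals.append("display name does not match sender domain")
    for shown, real in link_mismatches(body):
        signals.append(f"link shows {shown} but goes to {real}")
    if any(w in text for w in URGENCY):
        signals.append("urgent-action language")
    if any(w in text for w in CREDENTIAL_ASKS):
        signals.append("asks for a password or code")
    return signals

if __name__ == "__main__":
    for s in phishing_signals(SAMPLE):
        print("-", s)
```

The brand check is deliberately crude (it only tests whether the first word of the display name appears in the sender domain), so treat its output as a prompt to look closer rather than a verdict.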
How to protect yourself
- Never click login links in messages; open the site or app yourself and sign in directly.
- Verify the sender and the real URL before trusting any request for information.
- Turn on extra verification so a stolen password alone cannot unlock your account.
- Slow down when a message creates urgency; that pressure is the scam working.
- Report and delete suspicious messages rather than replying or engaging with them.
What to skip
- Clicking links in unexpected security or delivery alerts; navigate to the source yourself instead.
- Sharing one-time codes with anyone; no legitimate support agent will ask for them.
- Trusting a message because it looks polished; AI now writes convincing scam text.
- Replying to confirm details; legitimate companies do not collect passwords by email or text.
FAQ
What is the difference between phishing and spam?
Spam is unwanted bulk messaging. Phishing is targeted deception designed to steal information or money by impersonating someone you trust.
How can I tell if an email is phishing?
Look for unexpected urgency, a sender address that does not match the display name, links that point to odd domains, and requests for passwords or codes.
Is phishing only an email problem?
No. It also comes by text, phone call, and fake websites. Text-based phishing is often called smishing and follows the same playbook.
What should I do if I clicked a phishing link?
Change the affected password immediately, turn on extra verification, watch your accounts, and run a security scan if you entered anything or downloaded a file.
Where to go next
Learn what scams often deliver in What Is Malware in 2026, add a second lock with What Is Two-Factor Authentication in 2026, and keep junk out of your inbox with How to Block Spam Emails in 2026.