What Is Phishing?

Phishing is a type of cyberattack where someone sends a fraudulent message — usually an email — designed to trick you into revealing sensitive information like passwords, credit card numbers, or personal details. The word is a play on "fishing," because attackers are casting a wide net hoping someone will take the bait.

Phishing emails often impersonate trusted organizations: your bank, a delivery company, a government agency, or even a colleague. The messages are increasingly convincing, but they almost always contain detectable clues.

Warning Sign #1: The Sender's Email Address Doesn't Match

Always check the actual email address — not just the display name. An email might show the name "PayPal Support" but come from an address like support@paypa1-secure.com. Look for:

  • Misspelled domain names (paypa1.com instead of paypal.com)
  • Extra words added to a real domain (amazon-security.net)
  • Random strings of characters before the @ symbol

Warning Sign #2: Generic Greetings

Legitimate companies typically address you by name. Phishing emails often use vague openers like "Dear Customer," "Dear User," or "Hello Account Holder." This is because attackers send the same email to thousands of people at once and don't know your name.

Warning Sign #3: Urgent or Threatening Language

Phishing emails frequently create a false sense of urgency to pressure you into acting quickly without thinking. Common phrases include:

  • "Your account will be suspended in 24 hours"
  • "Immediate action required"
  • "Unauthorized access detected — verify now"

Legitimate organizations rarely demand immediate action through email. When in doubt, go directly to the organization's website by typing the address yourself.

Warning Sign #4: Suspicious Links

Before clicking any link, hover over it (on desktop) to see where it actually leads. The visible text might say "Click here to verify your account" while the actual URL points somewhere entirely different. Watch for:

  • URLs that don't match the organization's official domain
  • Very long URLs with odd strings of characters
  • URLs that use HTTP instead of HTTPS
  • URL shorteners (bit.ly, tinyurl) used to hide destinations
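The checks in warning signs #1 to #4 can be mechanised for a helpdesk or mail-gateway triage queue. The following Python script is an added example, not code from the original article: it parses one raw message with the standard library, compares the display name against the sending domain, undoes common character substitutions (1 for l, 0 for o) to spot look-alike domains, and inspects every link for mismatched text, plain http and URL shorteners. The brand allow-list, the shortener list, the pressure phrases and the sample message are all constructed for this example.

```python
from __future__ import annotations
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list for this example: brand names that may appear in a
# display name, mapped to the domains that brand genuinely sends from.
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "amazon": {"amazon.com", "amazon.co.uk"}}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENT_PHRASES = ("immediate action required", "will be suspended", "verify now")
GENERIC_GREETINGS = ("dear customer", "dear user", "hello account holder")


def _normalise(label: str) -> str:
    """Undo common look-alike substitutions (1 for l, 0 for o, rn for m)."""
    return label.lower().replace("1", "l").replace("0", "o").replace("rn", "m")


def _registrable(host: str) -> str:
    """Last two labels of a host; a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().split(".")[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(from_header: str) -> list[str]:
    """Warning sign #1: the display name claims a brand the address domain does not belong to."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reg = _registrable(domain)
    findings = []
    for brand, real_domains in BRAND_DOMAINS.items():
        claimed = brand in name.lower() or brand in _normalise(domain)
        if claimed and reg not in real_domains:
            findings.append(f"sender claims '{brand}' but address domain is {domain}")
            if _normalise(reg) in {_normalise(d) for d in real_domains}:
                findings.append(f"{reg} is a character-substitution look-alike of a real {brand} domain")
    return findings


def check_links(html_body: str) -> list[str]:
    """Warning sign #4: link text vs. real destination, plain http, URL shorteners."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme == "http":
            findings.append(f"link to {host} uses http rather than https")
        if _registrable(host) in SHORTENERS:
            findings.append(f"link to {host} goes through a URL shortener")
        # If the visible text itself looks like a URL, its domain must match the href's.
        shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
        if shown and _registrable(shown.group(1)) != _registrable(host):
            findings.append(f"link text shows {shown.group(1)} but points to {host}")
    return findings


def check_language(subject: str, body: str) -> list[str]:
    """Warning signs #2 and #3: generic greeting and pressure phrases."""
    haystack = f"{subject}\n{body}".lower()
    findings = [f"pressure phrase: '{p}'" for p in URGENT_PHRASES if p in haystack]
    return findings + [f"generic greeting: '{g}'" for g in GENERIC_GREETINGS if g in haystack]


def triage(raw_email: str) -> dict[str, list[str]]:
    """Run every check over one raw message (single-part HTML body assumed here)."""
    msg = message_from_string(raw_email)
    body = "" if msg.is_multipart() else msg.get_payload()
    return {
        "sender": check_sender(msg.get("From", "")),
        "links": check_links(body),
        "language": check_language(msg.get("Subject", ""), body),
    }


# Constructed sample message: the domains and the shortener token are invented.
SAMPLE_EMAIL = """\
From: "PayPal Support" <support@paypa1-secure.com>
To: customer@example.org
Subject: Immediate action required: unusual sign-in
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p>
<p>Unauthorized access detected. Your account will be suspended in 24 hours.</p>
<p><a href="http://bit.ly/example-token">Click here to verify your account</a></p>
<p>Or sign in at <a href="https://paypa1-secure.com/login">https://www.paypal.com/signin</a></p>
"""

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_EMAIL).items():
        for hit in hits:
            print(f"[{category}] {hit}")
```

Run against the sample, the script reports one sender finding (the display name claims PayPal but the address domain is paypa1-secure.com), three link findings (plain http, a shortener, and link text showing www.paypal.com while pointing at paypa1-secure.com) and three language findings. Heuristics like these produce false positives on legitimate mail, so they belong in a triage score that prompts a human review rather than an automatic block; the two-label domain shortcut in `_registrable` should be replaced by a public-suffix list before real use.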

Warning Sign #5: Unexpected Attachments

Be extremely cautious with unexpected email attachments, particularly files with extensions like .exe, .zip, .docm, or .pdf. Malicious attachments can install malware on your device simply by being opened. If you weren't expecting a file, verify with the sender through a separate channel before opening it.

Warning Sign #6: Requests for Sensitive Information

No legitimate bank, government body, or reputable company will ask you to provide your password, full credit card number, PIN, or Social Security/National Insurance number via email. Full stop. If an email asks for this information, treat it as fraudulent.

Warning Sign #7: Poor Spelling and Grammar

While not always present — attackers have improved over time — many phishing emails still contain obvious grammatical errors, awkward phrasing, or inconsistent formatting. These can be signs that the message was generated carelessly or translated poorly.

Warning Sign #8: The Offer Seems Too Good to Be True

Emails promising unexpected refunds, prize winnings, inheritance funds, or exclusive deals that require you to act now are almost always scams. Treat any unsolicited offer involving money with immediate skepticism.

What to Do If You Receive a Suspicious Email

  1. Don't click any links or open attachments.
  2. Report it as phishing using your email client's built-in reporting tool.
  3. If it claims to be from a known organization, contact that organization directly through their official website or phone number.
  4. Delete the email from your inbox and trash folder.

Staying alert to these signs takes practice, but it quickly becomes second nature. When something feels off about an email, trust that instinct and verify before you act.