Phishing Explained: How to Spot Scams Before They Catch You

Phishing is one of the most widespread and dangerous forms of cybercrime. It targets individuals and organisations by tricking them into revealing sensitive information. In this article, we will explore what phishing is, how it works, the different types of phishing attacks, and most importantly, how to protect yourself.

What It Is #

Phishing is a type of social engineering attack where criminals impersonate trustworthy entities to deceive victims. The aim is usually to steal personal data such as login credentials or credit card numbers, or even to install malware on the victim’s device.

These attacks often come in the form of emails, text messages, or phone calls that appear legitimate. A phishing message may direct a user to a fake website that closely resembles a real one, where they are asked to enter confidential information.

How It Works #

Phishing attacks typically follow this pattern:

  1. Bait: The attacker sends a message that looks like it comes from a legitimate source, such as a bank, an online store, or even a colleague.
  2. Hook: The message contains a link or attachment that seems relevant or urgent. For example, it might say “Your account has been compromised” or “You’ve received a secure message.”
  3. Capture: The victim clicks the link or opens the attachment, often leading to a fake website or malware installation.
  4. Exploit: The attacker collects the entered data or uses installed malware to gain unauthorised access.

Anyone Can Be a Victim #

Do not assume it won’t happen to you. Phishing attackers are highly skilled at crafting convincing messages, and even the most tech-savvy people fall for them.

Example: Troy Hunt, the creator of Have I Been Pwned, a trusted website that checks if your passwords have been exposed, publicly shared that he was tricked by a sophisticated phishing attempt. If someone as experienced as Troy can be a target, so can anyone else. Awareness and vigilance are essential for everyone.

Common Attack Types #

| Type | Description |
|---|---|
| Email Phishing | The most common type. Fraudulent emails that mimic trusted senders. |
| Spear Phishing | Targeted phishing aimed at specific individuals or organisations. |
| Whaling | A form of spear phishing targeting high-profile executives. |
| Smishing | Phishing via SMS messages. |
| Vishing | Voice phishing via phone calls, often posing as customer service or IT. |
| Clone Phishing | A legitimate message is duplicated with malicious links or attachments. |

Real-World Scenarios #

Understanding common phishing scenarios can make threats more tangible and help you spot them in your own inbox. Below are some of the most frequently seen phishing scams.

1. Account Suspension Notices #

Description: A message claiming to be from your bank or service provider, stating your account has been locked due to suspicious activity.

What it looks like:

```text
Subject: Urgent: Account Access Suspended
Body: "We've detected unauthorised login attempts on your account. Please verify your identity within 24 hours or your account will be permanently locked."
Link: https://secure-login-banking.online
```

Reality: The link leads to a fake login page that captures your credentials.

How to avoid it: Go to the official website directly in your browser. Never click email links if the message feels threatening or rushed.

2. Fake Invoices or Payment Requests #

Description: You receive an email that looks like it’s from a vendor or contractor asking for payment via a link or attached invoice.

What it looks like:

```text
Subject: Invoice for Services Rendered
Attachment: invoice_April2025.docx
Body: "Please see the attached invoice and complete the payment within 3 days to avoid late fees."
```

Reality: The attachment may contain malware, or the payment link may redirect to a fake payment processor.

How to avoid it: Always verify unexpected invoices with the sender through a known, official contact channel.

3. Cloud File Share Scams #

Description: An email claims someone has shared a document with you, but the link leads to a phishing login page.

What it looks like:

```text
Subject: [Colleague’s name] has shared a file with you
Link: https://drive-access-verification.net/login
Body: "Please click here to view the shared document."
```

Reality: You’re asked to log into a fake Google or Microsoft account page.

How to avoid it: Verify with the sender via chat or phone. Real sharing links come from domain-verified sources like drive.google.com.

4. Tax Refund or Grant Scams #

Description: Claiming you’re owed a refund or eligible for financial aid.

What it looks like:

```text
Subject: Claim Your HMRC Tax Refund Now
Body: "Our records show that you're eligible for a £248.30 refund. Submit your banking details to receive your funds."
```

Reality: Government agencies never ask for financial info via email.

How to avoid it: Always access government services via official websites.

5. Two-Factor Authentication Bypass #

Description: You receive a legitimate-looking 2FA prompt or code, even though you didn’t request one.

What it looks like:

```text
Message: "Your 2FA code is 493217. If you did not request this, contact support."
```

Reality: An attacker is trying to log into your account and hoping you'll forward or enter the code.

How to avoid it: Never share 2FA codes. Always investigate unsolicited 2FA notifications immediately.

6. Prize or Lottery Scams #

Description: Claiming you’ve won a prize, lottery, or contest you never entered.

What it looks like:

```text
Subject: Congratulations! You’re a Lucky Winner
Body: "Click here to claim your 500 EUR Amazon gift card. Limited time only!"
Link: https://claim-reward-prize-gift.com
```

Reality: These often lead to malware or data harvesting sites.

How to avoid it: If it seems too good to be true, it probably is.

Detection Techniques #

Phishing attempts are becoming increasingly sophisticated, making them harder to spot. With the rise of AI, attackers can now craft convincing messages with little to no obvious signs of fraud. However, by staying vigilant and looking out for key warning signs, you can still protect yourself.

1. Lookalike Domains #

Attackers subtly modify email addresses to resemble legitimate ones, often by changing a single character:

Example:

| Legitimate Address | Spoofed Address | Trick Used |
|---|---|---|
| [email protected] | [email protected] | Capital "I" instead of lowercase "l" |
| [email protected] | [email protected] | Zero instead of "o" |
| [email protected] | [email protected] | Double "l" |

2. Urgent Language and Pressure Tactics #

Phishing emails often try to scare or rush you into clicking.

Example:
"Your account will be suspended in 12 hours. Click here to verify immediately!"

3. Mismatched Links #

Hovering over links can reveal mismatched or suspicious URLs.

Example:

  • Text: https://www.bank.com/login
  • Actual link: https://www.banlk-secure-login.com
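A small detector that applies both of the checks above (the character-swap tricks from the lookalike-domain table and the mismatch between displayed link text and the real destination) to an HTML email body. This is an added example written for this article, not code from the original; the trusted domain list and the sample message are constructed.

```python
import re
from urllib.parse import urlparse

# Domains this organisation trusts (a constructed list for the example).
TRUSTED_DOMAINS = ["bank.com", "paypal.com", "microsoft.com", "drive.google.com"]
# Character swaps attackers use; the table above shows three of these tricks.
CONFUSABLES = [("I", "l"), ("0", "o"), ("1", "l"), ("|", "l"), ("rn", "m"), ("vv", "w")]
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # demo-only

def normalise(domain: str) -> str:
    """Canonical form of a domain so that look-alikes collide with the real one."""
    d = domain
    for fake, real in CONFUSABLES:       # capital I -> l must run before lowercasing
        d = d.replace(fake, real)
    return re.sub(r"(.)\1", r"\1", d.lower())   # collapse doubles: "paypall" -> "paypal"

def lookalike_of(host: str):
    """Return the trusted domain `host` imitates, or None if it is genuine or unrelated."""
    h = host[4:] if host.lower().startswith("www.") else host
    low = h.lower()
    if any(low == t or low.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None                       # the real domain or one of its subdomains
    for trusted in TRUSTED_DOMAINS:
        if normalise(h) == normalise(trusted):
            return trusted
    return None

def host_of(url: str) -> str:
    """Host part of a URL, keeping case so a capital I is not silently lowercased."""
    netloc = urlparse(url if "://" in url else "http://" + url).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0]   # drop user@ prefix and :port

def scan_links(html: str):
    """Return (href, reason) findings for mismatched or look-alike links in an email."""
    findings = []
    for href, text in ANCHOR.findall(html):
        actual = host_of(href)
        text = re.sub(r"<[^>]+>", "", text).strip()   # strip tags nested in the anchor
        shown = host_of(text) if re.match(r"^(https?://|www\.)", text) else ""
        if shown and shown.lower() != actual.lower():
            findings.append((href, f"text shows {shown} but link goes to {actual}"))
        imitated = lookalike_of(actual)
        if imitated:
            findings.append((href, f"{actual} looks like {imitated}"))
    return findings

# Constructed sample message mirroring the examples in this article.
SAMPLE_EMAIL = """<p>Your account will be suspended in 12 hours.</p>
<a href="https://www.banlk-secure-login.com/verify">https://www.bank.com/login</a>
<a href="https://paypa1.com/update">Update your details</a>
<a href="https://drive.google.com/file/d/x">View the shared document</a>"""
```

Running `scan_links(SAMPLE_EMAIL)` flags the first link for the text/destination mismatch and the second for imitating paypal.com, while the genuine Google Drive link passes.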

4. Unexpected Attachments #

Phishing emails may contain attachments that install malware or steal data.

Example:

  • Subject: "Your invoice is attached"
  • Attachment: Invoice-April2025.docm (macro-enabled Word file)

5. Requests for Sensitive Information #

Legitimate companies don’t ask for sensitive information by email.

Example:
"Please reply with your full name, account number, and sort code to confirm your identity."

Prevention and Mitigation #

The best defence is awareness. Stay vigilant, think critically, and always verify before trusting. If it can happen to cybersecurity experts, it can happen to you.

Technical Defences #

  • Enable multi-factor authentication (MFA)
    Requires at least two forms of verification, such as a password and a code sent to your device. Even if your password is stolen, MFA makes unauthorised access far harder; phishing-resistant methods such as hardware security keys or passkeys also defeat the code-forwarding trick described in the 2FA scenario above.
  • Use a password manager
    Stores and generates strong, unique passwords. Password managers can help detect phishing sites by not autofilling credentials on illegitimate websites.
  • Keep all software and browsers up to date
    Apply updates promptly to patch known vulnerabilities. Outdated systems are easier targets for phishing campaigns and malware.
  • Check for HTTPS
    Ensure the site uses encrypted connections before entering sensitive data. However, treat HTTPS as a minimum requirement, not a guarantee of legitimacy. Phishing sites can still use valid HTTPS certificates.

Safe Online Behaviour #

  • Never act on unsolicited requests
    Treat unexpected messages asking for credentials or money with suspicion. Phishing often uses social engineering tactics like urgency or authority to trick you.
  • Go straight to the official website
    Avoid clicking links in emails or texts. Instead, manually type the URL into your browser to ensure you're visiting the authentic site.
  • Avoid public Wi-Fi for sensitive logins
    Public networks are insecure. Use a VPN to encrypt traffic or delay sensitive actions until you're on a trusted network.
  • Educate colleagues and family members
    Regularly share knowledge about phishing techniques and red flags. A well-informed group is far less likely to fall victim.

Reporting Phishing Attempts #

Reporting phishing attempts can help protect others and reduce their spread:

  • Email clients
    Use built-in tools such as “Report phishing” to notify the provider and help filter similar attacks.
  • Organisations
    Report attempts to your IT or security team immediately. Quick action can prevent others from falling for the same attack and allows technical teams to block malicious sources.