What is phishing, and how do I recognise it?

Quick answer

Phishing is when someone sends you a fake message — usually email, SMS or chat — that looks like it comes from your bank, your boss, a delivery service or a friend, hoping you click a link, enter a password or transfer money before you notice the small details that give it away.

What it's NOT

Phishing is NOT only about spelling mistakes and ugly websites — in 2026 attackers buy domain names, copy real branding, use AI to write fluent text in your language, and even reuse real email threads. A clean, well-written message can absolutely be phishing. And phishing is NOT only by email; SMS (smishing), phone calls (vishing), QR codes (quishing) and chat apps are now equally common.

More context

Phishing is the broad name for any scam that arrives as a message and tries to trick you into doing something you would not have done if you had known who was really asking — clicking a poisoned link, entering a password on a fake page, paying an invoice that looks like one but isn’t, approving a 2FA prompt, or simply giving information (“can you confirm your date of birth?”) that fuels the next step.

The classic example is the bank email — “we detected suspicious activity, click here to verify”. Modern phishing is far broader and far better:

  • Delivery notices. “Your DHL/La Poste/Chronopost parcel could not be delivered — pay €1.99 for redelivery.” The fee is a decoy; the goal is your card number.
  • Boss fraud. A message in your boss’s name, often by SMS or WhatsApp, asking you to buy gift cards or make an urgent wire transfer “before tomorrow’s meeting”.
  • Romance scams. Long conversations on dating apps that move to WhatsApp and end on a crypto-investment platform that is entirely fake.
  • MFA-prompt phishing. You receive a real 2FA push from your real account because the attacker just entered your real password — they want you to approve it.
  • OAuth phishing. “Sign in with Google” buttons that grant a malicious app permission to read your mail or files — the page is real Google, but the app behind the button is not.
  • QR-code phishing (quishing). A sticker on a parking meter, on a charging station, on a flyer — the QR points to a fake payment page that captures your card.

The signals that still work in 2026, even against AI-fluent attackers:

  1. Were you expecting this? A delivery you did not order, a refund you did not request, a login alert for a service you do not use — those are suspicious by context, regardless of how well-written the message is.
  2. The real sender, not the display name. Email apps show “Amazon” or “La Poste” because that is the friendly label the sender chose. Tap it open and read the full address. Mismatches like amazon@billing-secure-update.com give it away.
  3. The real destination of the link. Hover on desktop, long-press on mobile. The only part that matters is the domain immediately before the first single slash (the one after https://), and it is read from the right: paypal.com.secure-login.io is a subdomain of secure-login.io, so it is not PayPal.
  4. The request itself. Real banks do not ask for your password by email. Real bosses do not request gift cards by SMS. Real tax authorities do not threaten arrest by phone. Real Apple support does not call you.
  5. The pressure to act now. Phishing thrives on urgency: “in the next 24 hours”, “your account will be suspended”, “this is your final notice”. Real institutions can wait an hour while you call them on a number you found yourself.

If you do click, the second-best defence is two-factor authentication: even a stolen password fails to log in without your phone. If you do enter a password, change it immediately on the real site, change it anywhere you reused it, and assume the attacker has it for the next few weeks.

People also ask

What does a modern phishing message look like?

Often, indistinguishable from a real one. A delivery notice with the right logo and tracking number format. A 'your Apple ID was used to sign in from Russia' email with a perfectly normal blue button. A boss asking for a quick gift-card purchase or wire transfer 'while I'm in a meeting'. The right reflex is not 'does this look professional?' — it is 'am I expecting this, and does the sender domain match exactly?'

What should I check before clicking a link in an email or SMS?

Three things, in this order. (1) The full sender address, not just the display name: 'Amazon' can hide 'noreply@amazon-billing-secure.com'. (2) The actual destination URL — hover on a computer, long-press on a phone — and check the domain, especially the part right before the first single slash. (3) Whether you were expecting this. If you did not just order anything, a delivery notice is suspicious by definition.
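The sender and link checks described in signals 2 and 3 above and in this answer, written out as an added example (not code from the original page): it ignores the display name, takes the hostname before the first single slash, and reduces it to the registered domain, so that paypal.com.secure-login.io is reported as secure-login.io. The short suffix set is a constructed stand-in for the Public Suffix List.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: suffixes under which the
# registered name is three labels long instead of two. A real checker would
# load the full list; this small set is an assumption for the example.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that somebody actually registered.

    For 'paypal.com.secure-login.io' that is 'secure-login.io'; everything to
    the left is a subdomain the owner of secure-login.io chose freely.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_host(url: str) -> str:
    """Hostname of a link: the text between the scheme and the first single slash."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname
    return host or ""


def link_is_brand(url: str, brand_domain: str) -> bool:
    """True only if the link's registered domain is the brand's real domain."""
    return registrable_domain(link_host(url)) == registrable_domain(brand_domain)


def sender_is_brand(from_header: str, brand_domain: str) -> bool:
    """Ignore the display name; compare only the domain after '@' in the real address."""
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return False
    return registrable_domain(address.rsplit("@", 1)[1]) == registrable_domain(brand_domain)


if __name__ == "__main__":
    # Constructed samples mirroring the lookalikes quoted in the text above.
    for url in ("https://www.paypal.com/signin", "https://paypal.com.secure-login.io/login"):
        print(url, "->", link_is_brand(url, "paypal.com"))
    for hdr in ("Amazon <ship-confirm@amazon.com>", "Amazon <amazon@billing-secure-update.com>"):
        print(hdr, "->", sender_is_brand(hdr, "amazon.com"))
```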

What is the difference between phishing, smishing, vishing and quishing?

Same trick, different channel. Phishing = email. Smishing = SMS. Vishing = voice call ('your bank is calling about a suspicious transfer'). Quishing = QR code (the sticker on a parking meter, the menu QR in a restaurant, the 'pay here' code on a leaflet) that points to a fake page. The defences are the same: check who is actually contacting you, never enter credentials from a link or QR you did not seek out, and call the real institution back on a number you find yourself.

What do I do if I clicked on a phishing link?

Stay calm. If you only clicked and closed the page without entering anything, the practical risk is low — close the tab, run an antivirus scan if you want belt-and-braces. If you entered a password, change it immediately on the real site and turn on 2FA. If you entered credit-card details, freeze the card. If you transferred money, contact your bank within minutes — fast reporting is the difference between getting it back and not. Then check the account's recent activity over the next week.

Are AI-generated phishing emails harder to spot?

Yes. The 'classic' tells — broken French/English, weird grammar, unprofessional formatting — are gone. Attackers run text through ChatGPT-like tools and produce fluent messages in any language, often referencing real context they scraped from your social media. The signals that still work are technical: the actual sender domain, the actual URL behind the link, and whether the request fits your real workflow. Beautiful writing is no longer evidence of legitimacy.

Also explained

How do I tell a scam call or text from a real one?

If a call or message creates urgency, asks for a code or password, requests a transfer or gift cards, or threatens you with arrest, fines or account closure, treat it as a scam regardless of who it claims to be — and call the real institution back on a number you find yourself, never on the number the caller gave you.

What is two-factor authentication (2FA), and which kind should I use?

Two-factor authentication adds a second step after your password — a code from an app, a tap on your phone, or a passkey — so that a stolen password alone is no longer enough to log in; in 2026 the best option for most people is a passkey, then an authenticator app, then SMS only as a last resort.

What is a data breach, and what do I do if my information is in one?

A data breach is when an organisation that holds your personal information loses control of it — your email, password, phone number, address, sometimes your credit-card or ID details end up in a leaked file that attackers download and reuse; the practical response is to change the password on that account, change it anywhere else you reused it, and turn on two-factor authentication.

What is a password manager, and is it safe to use one?

A password manager is an app that generates a unique strong password for every account and remembers them for you behind one master password — yes, it is much safer than reusing the same password, even though all your passwords sit in one place.