Phishing is a scam where attackers send fake emails, texts, or messages that impersonate a trusted company or person to trick you into revealing passwords, financial details, or clicking malicious links. Modern phishing is often AI-generated and grammatically perfect, so the old advice to "look for typos" no longer works. If you've already clicked something or shared details, skip ahead to our scam recovery guide.
This isn't what you think it is
When most people hear "phishing," they imagine a poorly spelled email from a Nigerian prince. That image is dangerously outdated. Phishing in 2026 is a professional, AI-augmented industry with specialized roles: access brokers who sell compromised credentials, campaign operators who design attacks, and money mules who launder proceeds.
Every second, 39,000 phishing emails are sent. That's enough to fill a 70,000-seat stadium in under two seconds. A 2025 report documented a 400% rise in successful phishing scams attributed to AI tools that generate grammatically perfect, contextually relevant, personalized messages at scale. If a specific message has you uncertain right now, you can run it through our free scam checker for an instant risk assessment.
I've reviewed hundreds of phishing emails from victim cases. The ones that succeed aren't the obvious ones. They succeed because they arrive at the exact moment someone is distracted — a Monday morning, a Friday afternoon, during a busy quarter-end. The scammer doesn't need a perfect email. They need a perfect moment.
The 8 types of phishing you'll actually encounter
"Phishing" is an umbrella term. The attack that hits you depends on the channel and the target. Here are the eight variants worth knowing — each with the single tell that gives it away.
1. Email phishing. The classic: a mass email impersonating a bank, delivery service, or login page, hoping a small percentage click. Volume is the strategy.
The tell: The sender's real address (not the display name) doesn't match the company's true domain.
2. Spear phishing. A targeted email crafted for one person, referencing your real name, employer, or a recent event to feel legitimate.
The tell: It knows just enough about you to feel personal, but still pushes you toward a link or payment.
3. Whaling (CEO fraud). Spear phishing aimed at executives and finance staff, usually impersonating a CEO or a key vendor to authorize a transfer.
The tell: Urgency plus authority. A 'CEO' asking for a wire or gift cards, often while 'travelling' and unreachable by phone.
4. Smishing (SMS phishing). Phishing by text message: fake delivery notices, bank alerts, or toll/road-fee notices with a short link.
The tell: A link in an unexpected text. Real companies rarely send login or payment links by SMS.
5. Vishing (voice phishing). A phone call impersonating your bank's fraud department, a government agency, or tech support, pressuring you to act 'to protect your account.'
The tell: They called you, create panic, and ask you to move money, share a code, or install software.
6. Quishing (QR-code phishing). A QR code, on a flyer, parking meter, email, or fake invoice, that opens a credential-stealing page when scanned.
The tell: A QR code is asking you to log in or pay. You can't read a QR code's destination before scanning, which is the point.
7. Business email compromise (invoice fraud). A compromised or spoofed business account sends a real-looking invoice or payment-detail change to redirect funds.
The tell: A last-minute change to bank details, or a new invoice that breaks the normal process.
8. Clone phishing. A copy of a genuine email you already received, resent with the links or attachments swapped for malicious ones.
The tell: A 'resend' or 'updated version' of a message you recognise, but the links now point somewhere new.
The channel changes, but the goal never does: get you to act quickly, on their link, before you think. Voice and QR variants in particular have surged because they sidestep the email filters people have learned to trust. Several of these — especially vishing and deepfake calls — now overlap with AI-powered scams. The same unsolicited-message playbook also kicks off task scams — the fake "easy online job" that arrives by text, WhatsApp, or Telegram out of nowhere.
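Two of the tells above can be checked mechanically rather than by eye: the email-phishing tell (the real address behind the display name) and the clone-phishing tell (links that now point somewhere new). The following is an added example, not code from the original article; the KNOWN_BRANDS table, the brand names, domains, headers and URLs are constructed placeholders.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lookup of brand names to the domains they genuinely send from
# (hypothetical values for illustration, not a real allow-list).
KNOWN_BRANDS = {
    "examplebank": ["examplebank.com"],
    "parcelco": ["parcelco.com", "notify.parcelco.com"],
}


def _host_matches(host, domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _claimed_brand(display_name):
    """Return the known brand the display name appears to claim, if any."""
    joined = "".join(re.findall(r"[a-z]+", display_name.lower()))
    return next((b for b in KNOWN_BRANDS if b in joined), None)


def assess_sender_and_links(from_header, links):
    """Apply the 'real address vs display name' tell plus a link-route check.

    Returns a list of findings; an empty list means nothing contradicted the
    claimed brand (or no known brand was claimed, so the tell cannot fire).
    """
    findings = []
    display_name, address = parseaddr(from_header)
    brand = _claimed_brand(display_name)
    if brand is None:
        return findings
    addr_domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    if not _host_matches(addr_domain, KNOWN_BRANDS[brand]):
        findings.append(f"display name claims {brand} but real address domain is {addr_domain!r}")
    for url in links:
        host = urlparse(url).hostname
        if not _host_matches(host, KNOWN_BRANDS[brand]):
            findings.append(f"link {url} leaves {brand}'s domains (host {host!r})")
    return findings


def changed_link_hosts(original_links, resent_links):
    """Clone-phishing tell: link hosts in the 'resend' that the original never had."""
    original_hosts = {urlparse(u).hostname for u in original_links}
    return sorted({urlparse(u).hostname for u in resent_links} - original_hosts - {None})
```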
Why "look for typos" is dead advice
For two decades, the standard guidance was simple: spelling mistakes, broken grammar, and clumsy formatting gave scams away. Generative AI erased that overnight. Today the majority of phishing emails are written or refined by AI — the language is clean, the tone matches the brand, and the message can be tailored to you specifically.
Here's what AI actually changed about the attacker's playbook:
- Flawless language — grammar and spelling are no longer reliable signals; a perfect email is now the norm, not a reassurance.
- Personalisation at scale — AI scrapes your public LinkedIn, social posts, and company site to reference your real role, colleagues, and recent activity.
- Polymorphic variants — every email is subtly unique, which defeats the pattern-matching that older spam filters relied on.
- Conversational follow-up — AI chatbots can hold a convincing back-and-forth, so a reply doesn't prove a human, or a legitimate one, is on the other end.
Stop judging the writing. Judge the request and the route: Does it create urgency? Does it ask you to log in, pay, or share a code via a link? Would the real organisation ever contact you this way? When unsure, ignore every link and go directly to the official site or app yourself.
You clicked a phishing link — what to do right now
Clicking happens — to careful people on bad days. What matters is the next few minutes. Work through these in order:
1. Don't enter anything else — if a login or payment page opened, close it. Do not type credentials, codes, or card details into it.
2. Disconnect if you downloaded a file — if the link triggered a download, disconnect that device from the internet to limit anything that may be running.
3. Change passwords from a different device — start with email and banking. Use a phone or another computer you trust, not the possibly-compromised one.
4. Turn on two-factor authentication — add 2FA to email and financial accounts so a stolen password alone isn't enough.
5. Run a malware scan — use your device's built-in security tools or a reputable scanner before reconnecting.
6. Alert your bank — if you entered card or account details, tell your bank immediately and ask them to watch for or block fraudulent activity.
If money already moved, or you shared sensitive personal details, speed matters even more — follow the full playbook in our scam recovery guide, and if your personal data may be exposed, see identity theft.
How to report a phishing email
Reporting takes a minute and helps providers and investigators shut down the campaign for everyone else. Send it to as many of these as apply:
- Anti-Phishing Working Group — forward the email to reportphishing@apwg.org, which feeds an industry-wide database of active campaigns.
- Your email provider — use the built-in "Report phishing" or "Report spam" button; it trains the filter and forwards to abuse teams.
- Your country's authority — FTC (reportfraud.ftc.gov) in the US, Report Fraud in the UK, Scamwatch in Australia, and equivalents elsewhere.
- The impersonated company — most banks and big brands have a phishing or abuse address (often abuse@ or security@) so they can warn other customers.
For a full country-by-country directory of where to report different kinds of fraud, see our reporting guide.
Written from real-world experience helping scam victims recover. All statistics are sourced from verified organizations including the FBI, FTC, Verizon, CrowdStrike, and APWG. This guide is updated regularly as new threats emerge.