CRITICAL THREAT | Updated May 2026 | 18 min read

3.4 billion phishing emails are sent every single day. Here's how they work.

Most phishing guides tell you to "look for typos." That advice is five years out of date. Today's phishing emails are AI-generated, grammatically flawless, and personalized to you. Tutela Digitalis shows you how they actually work — from the scammer's perspective.

$25B: Global losses annually
36%: Of breaches start with phishing
82.6%: Phishing emails now use AI
442%: Surge in voice phishing

The short answer

Phishing is a scam where attackers send fake emails, texts, or messages that impersonate a trusted company or person to trick you into revealing passwords, financial details, or clicking malicious links. Modern phishing is often AI-generated and grammatically perfect, so the old advice to "look for typos" no longer works. If you've already clicked something or shared details, skip ahead to our scam recovery guide.

This isn't what you think it is

When most people hear "phishing," they imagine a poorly spelled email from a Nigerian prince. That image is dangerously outdated. Phishing in 2026 is a professional, AI-augmented industry with specialized roles: access brokers who sell compromised credentials, campaign operators who design attacks, and money mules who launder proceeds.

Every second, 39,000 phishing emails are sent. That's enough to fill a 70,000-seat stadium in under two seconds. A 2025 report documented a 400% rise in successful phishing scams attributed to AI tools that generate grammatically perfect, contextually relevant, personalized messages at scale. If a specific message has you uncertain right now, you can run it through our free scam checker for an instant risk assessment.

Sources: APWG Phishing Activity Trends Report; Keepnet 2025 Phishing Statistics; StationX Phishing Statistics 2026

FROM THE FIELD

I've reviewed hundreds of phishing emails from victim cases. The ones that succeed aren't the obvious ones. They succeed because they arrive at the exact moment someone is distracted — a Monday morning, a Friday afternoon, during a busy quarter-end. The scammer doesn't need a perfect email. They need a perfect moment.

The 8 types of phishing you'll actually encounter

"Phishing" is an umbrella term. The attack that hits you depends on the channel and the target. Here are the eight variants worth knowing — each with the single tell that gives it away.

Email phishing

The classic: a mass email impersonating a bank, delivery service, or login page, hoping a small percentage click. Volume is the strategy.

The tell: The sender's real address (not the display name) doesn't match the company's true domain.

Spear phishing

A targeted email crafted for one person, referencing your real name, employer, or a recent event to feel legitimate.

The tell: It knows just enough about you to feel personal — but still pushes you toward a link or payment.

Whaling

Spear phishing aimed at executives and finance staff, usually impersonating a CEO or a key vendor to authorize a transfer.

The tell: Urgency plus authority: a 'CEO' asking for a wire or gift cards, often while 'travelling' and unreachable by phone.

Smishing (SMS)

Phishing by text message — fake delivery notices, bank alerts, or toll/road-fee notices with a short link.

The tell: A link in an unexpected text. Real companies rarely send login or payment links by SMS.

Vishing (voice)

A phone call impersonating your bank's fraud department, a government agency, or tech support, pressuring you to act 'to protect your account.'

The tell: They called you, create panic, and ask you to move money, share a code, or install software.

Quishing (QR code)

A QR code — on a flyer, parking meter, email, or fake invoice — that opens a credential-stealing page when scanned.

The tell: A QR code is asking you to log in or pay. You can't read a QR's destination before scanning, which is the point.

Business Email Compromise (BEC)

A compromised or spoofed business account sends a real-looking invoice or payment-detail change to redirect funds.

The tell: A last-minute change to bank details, or a new invoice that breaks the normal process.

Clone phishing

A copy of a genuine email you already received, resent with the links or attachments swapped for malicious ones.

The tell: A 'resend' or 'updated version' of a message you recognise — but the links now point somewhere new.

The channel changes, but the goal never does: get you to act quickly, on their link, before you think. Voice and QR variants in particular have surged because they sidestep the email filters people have learned to trust. Several of these — especially vishing and deepfake calls — now overlap with AI-powered scams. The same unsolicited-message playbook also kicks off task scams — the fake "easy online job" that arrives by text, WhatsApp, or Telegram out of nowhere.

Sources: APWG Phishing Activity Trends Report; VikingCloud Phishing Statistics

Why "look for typos" is dead advice

For two decades, the standard guidance was simple: spelling mistakes, broken grammar, and clumsy formatting gave scams away. Generative AI erased that overnight. Today the majority of phishing emails are written or refined by AI — the language is clean, the tone matches the brand, and the message can be tailored to you specifically.

Here's what AI actually changed about the attacker's playbook:

What to check instead

Stop judging the writing. Judge the request and the route: Does it create urgency? Does it ask you to log in, pay, or share a code via a link? Would the real organisation ever contact you this way? When unsure, ignore every link and go directly to the official site or app yourself.
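
The sender-address tell and the request-and-route checks above, expressed as a small mail triage function. This is an added example, not part of the original guide; the BRANDS map, the finding labels, and the sample message (reserved .example/.test names) are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the defender keeps a map of brand names to their true domains.
BRANDS = {"examplebank": "examplebank.example"}
URGENCY = re.compile(r"act now|immediately|within 24 hours|will be locked", re.I)
DOMAIN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
# Constructed sample message, not real mail.
PHISH = ("From: Example Bank Security <alerts@examplebank-secure.test>\n"
         "Content-Type: text/html\n\n"
         "<p>Your account will be locked within 24 hours.</p>"
         '<a href="https://examplebank.example.verify-login.test/">examplebank.example/login</a>')

def same_site(host, domain):  # host is the domain itself or one of its subdomains
    return bool(host) and (host == domain or host.endswith("." + domain))

class Links(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href:
            self.found.append((self.href, self.text.lower()))
            self.href = None

def check_email(raw):
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender, claimed = addr.rpartition("@")[2].lower(), display.lower().replace(" ", "")
    spoofed = any(b in claimed and not same_site(sender, d) for b, d in BRANDS.items())
    findings = ["sender-domain-mismatch"] if spoofed else []  # display name vs. real address
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    links = Links()
    links.feed(body)
    # The link text shows one domain while the href goes to another.
    findings += ["link-text-mismatch" for href, text in links.found
                 if (m := DOMAIN.search(text)) and not same_site(urlparse(href).hostname, m.group())]
    if URGENCY.search(body):  # pressure to act before thinking
        findings.append("urgency")
    return findings
```

Note that the href in the sample starts with the bank's name but ends in a different registered domain, which is why the comparison is made on the end of the hostname rather than on a substring.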

Sources: Zensec Phishing Statistics 2026; CrowdStrike 2025 Global Threat Report; DeepStrike Phishing Statistics 2026

You clicked a phishing link — what to do right now

Clicking happens — to careful people on bad days. What matters is the next few minutes. Work through these in order:

  1. Don't enter anything else: if a login or payment page opened, close it. Do not type credentials, codes, or card details into it.

  2. Disconnect if you downloaded a file: if the link triggered a download, disconnect that device from the internet to limit anything that may be running.

  3. Change passwords from a different device: start with email and banking. Use a phone or another computer you trust, not the possibly-compromised one.

  4. Turn on two-factor authentication: add 2FA to email and financial accounts so a stolen password alone isn't enough.

  5. Run a malware scan: use your device's built-in security tools or a reputable scanner before re-connecting.

  6. Alert your bank: if you entered card or account details, tell your bank immediately and ask them to watch for or block fraudulent activity.

If money already moved, or you shared sensitive personal details, speed matters even more — follow the full playbook in our scam recovery guide, and if your personal data may be exposed, see identity theft.

How to report a phishing email

Reporting takes a minute and helps providers and investigators shut down the campaign for everyone else. Send it to as many of these as apply:

For a full country-by-country directory of where to report different kinds of fraud, see our reporting guide.

Sources: APWG Phishing Activity Trends Report; FBI IC3 2024 Internet Crime Report

Written by Peter
Founder, Tutela Digitalis • Updated May 2026

Written from real-world experience helping scam victims recover. All statistics are sourced from verified organizations including the FBI, FTC, Verizon, CrowdStrike, and APWG. This guide is updated regularly as new threats emerge.

Frequently Asked Questions

What is phishing and how does it work?
Phishing is a type of cyberattack where scammers send fake messages (email, text, or phone calls) pretending to be trusted organizations to steal your login credentials, financial information, or personal data. In 2026, 82.6% of phishing emails use AI to generate convincing, personalized messages.

How can I tell if an email is a phishing attempt?
Check the sender's actual email address (not just the display name), look for urgency language ('act now or your account will be locked'), hover over links before clicking to check the real URL, and be suspicious of unexpected attachments. Never click links in unexpected emails — go directly to the official website instead.

What should I do if I clicked a phishing link?
Disconnect from the internet immediately, do not enter any credentials on the page, change your passwords from a different device (starting with email and banking), enable two-factor authentication, run a malware scan, and alert your bank if financial accounts may be connected.

What is the difference between phishing, smishing, and vishing?
Phishing uses email, smishing uses SMS/text messages, and vishing uses voice phone calls. All three aim to trick you into revealing sensitive information. Vishing surged 442% in 2024, and smishing now accounts for 35% of all phishing attacks.

How do I report a phishing email?
Forward it to reportphishing@apwg.org, report to your country's authority (FTC in the US, Report Fraud in the UK, Scamwatch in Australia), and forward to your email provider's abuse address (abuse@gmail.com or abuse@outlook.com).

Sources & References

Every statistic in this guide is sourced from verified organizations.

FBI IC3 2024 Internet Crime Report
Verizon 2025 Data Breach Investigations Report
CrowdStrike 2025 Global Threat Report
APWG Phishing Activity Trends Report
Keepnet 2025 Phishing Statistics
StationX Phishing Statistics 2026
Zensec Phishing Statistics 2026
McAfee: AI Voice Cloning Scams
VikingCloud Phishing Statistics
DeepStrike Phishing Statistics 2026
