---
title: "What Is Phishing? How It Works, Types, and How to Spot It in 2026"
date: 2026-06-15
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2026/06/what-is-phishing.jpg"
categories:
  - name: "Cybersecurity"
    url: "/cybersecurity.md"
tags:
  - name: "Insights"
    url: "/tag/insights.md"
---

# What Is Phishing? How It Works, Types, and How to Spot It in 2026

Phishing was the most-reported internet crime in the United States in 2024, with the FBI’s Internet Crime Complaint Center logging **193,407** phishing and spoofing complaints that year. So what is phishing? Phishing is a form of social engineering in which criminals try to get people to open harmful links, emails, or attachments that request personal information or infect devices, according to the US Cybersecurity and Infrastructure Security Agency.

The mechanics are simple, the volume is enormous, and the window to react is measured in seconds. What follows covers how phishing works, the seven main types, the red flags that give an attack away, and the exact steps to take if you clicked.

## Key Takeaways

- The FBI IC3 received **193,407** phishing and spoofing complaints in 2024, more than any other crime type, with **$70,013,036** in reported losses.
- Phishing appeared in **15%** of breaches analyzed in the Verizon 2025 Data Breach Investigations Report.
- The median time for a user to click a phishing link is just **21 seconds**, and the median time to submit data is **28 seconds**.
- The UK’s NCSC groups phishing red flags into five levers: authority, urgency, emotion, scarcity, and current events.
- Microsoft research found that multi-factor authentication can block more than **99.2%** of account-compromise attacks.
- The NCSC Suspicious Email Reporting Service has taken in more than **55.7 million** reported scams, leading to **250,000** scams removed.

## What Is Phishing?

Phishing is a form of social engineering, and according to the US Cybersecurity and Infrastructure Security Agency, it ranked as the most-reported crime type to the FBI IC3 in 2024 with **193,407** complaints. Phishing messages, the “bait,” usually arrive as an email, text, direct message on social media, or phone call, designed to look like they come from a trusted source, per CISA.

The UK’s National Cyber Security Centre frames it the same way: criminals use scam emails, text messages, or phone calls to trick victims into visiting a malicious website or handing over bank and personal details. The US Federal Trade Commission and [Microsoft](https://sqmagazine.co.uk/microsoft-statistics/) describe the same mechanics from the consumer and account-security angles.

CISA splits the attack into two core tactics. The first is credential theft, where the attacker sends an email with a link to an imposter site that convinces the victim to enter a username and password, sometimes also requesting MFA codes in what is called MFA bypass. The second tactic is malware deployment, where harmful links or attachments are used to infect devices.

> **Why it matters:** CISA classifies phishing as social engineering rather than a purely technical exploit. That framing matters because the target is the person, not the software. A patched, fully updated device still falls if the human at the keyboard is persuaded to type a password into the wrong box.

## How Phishing Works, Step by Step

The Verizon Data Breach Investigations Report found the median time for a user to click a phishing link is just **21 seconds**, with a median time to submit data into the fake form of **28 seconds**. Phishing follows a short, repeatable sequence, and its danger lies in that speed: under a minute separates a delivered email from a stolen credential.

The sequence runs in four beats:

- **Bait.** The attacker sends a message impersonating a brand, colleague, or agency.
- **Trust.** The message is built to look like it comes from a trusted person or organization, prompting a response.
- **Action.** The victim clicks a link, opens an attachment, or replies with information.
- **Harvest.** A credential-theft attack lands the victim on an imposter site that captures the username and password, while a malware attack runs code on the device.

Because the click-to-compromise window is so narrow, awareness training alone cannot carry the load. Speed is the reason layered technical controls matter as much as user education: if a credential can be stolen in 28 seconds, the realistic defense is making the stolen credential useless once it leaves the keyboard. That is the gap multi-factor authentication is built to close, and Microsoft research found MFA can block more than **99.2%** of account-compromise attacks, a pattern the broader [phishing email statistics](https://sqmagazine.co.uk/phishing-email-statistics/) reinforce across organizations.

## The Main Types of Phishing

CISA documents several named offshoot variants beyond ordinary phishing, including spear phishing, whaling, smishing, and vishing, separated mainly by channel and target. Adding clone and angler phishing brings the common total to seven variants worth knowing. Knowing the category helps you recognize an attack even when the wording is convincing.

- Email phishing is the mass-volume baseline, blasting generic lures to large lists.
- Spear phishing is targeted. The attacker researches the victim’s job role and contacts to craft a highly personalized message that is harder to detect.
- Whaling aims at the top. It is a type of spear phishing that targets senior executives, often to facilitate a financial scam such as wire-transfer fraud, and it primarily focuses on financial institutions and payment services.
- Smishing is phishing carried out via SMS text message.
- Vishing is voice phishing carried out over the phone, often using Voice over Internet Protocol so callers can spoof legitimate numbers.
- Clone phishing copies a real email and swaps benign links for malicious ones.
- Angler phishing impersonates customer-support accounts on social media to harvest credentials.

| Type | Channel | Target | Distinctive trait |
|---|---|---|---|
| Email phishing | Email | Mass audience | Generic, high volume |
| Spear phishing | Email | Specific person | Researched, personalized |
| Whaling | Email | Senior executives | Wire-transfer and finance focus |
| Smishing | SMS text | Mobile users | Malicious link in a text |
| Vishing | Phone call | Anyone | VoIP-spoofed caller ID |
| Clone phishing | Email | Prior correspondents | Legitimate email cloned |
| Angler phishing | Social media | Account holders | Fake support agents |

*Source: CISA, UK NCSC*

Voice-based attacks deserve their own attention given how convincing spoofed calls have become; the [voice phishing statistics](https://sqmagazine.co.uk/voice-phishing-statistics/) show how fast that channel is growing.

## How to Spot a Phishing Email: Red Flags

The UK’s NCSC groups the manipulation tactics behind phishing into five signs: authority, urgency, emotion, scarcity, and current events, which makes psychological pressure, not spelling mistakes, the most reliable thing to watch for. The US Federal Trade Commission documents the matching stories scammers tell, including claims of suspicious activity or log-in attempts, a problem with your account or payment, a request to confirm personal information, a fake invoice, or a link to make a payment that carries malware.

The five NCSC levers map to concrete tells:

- **Authority:** Criminals pretend to be important people or organizations to pressure you.
- **Urgency:** Messages give a limited time to respond, such as “within 24 hours” or “immediately”.
- **Emotion:** Messages try to make you panicked, fearful, hopeful, or curious, often with threatening language.
- **Scarcity:** Offers of something in short supply, like tickets, money, or a cure.
- **Current events:** Messages that exploit news stories, big events, or seasonal moments like tax reporting.

| Red flag | What it looks like in an email |
|---|---|
| Authority | “This is your bank’s security team” with an official-looking logo |
| Urgency | “Your account will be closed in 24 hours” |
| Emotion | Threats, alarming warnings, or too-good-to-be-true rewards |
| Scarcity | “Only 3 spots left, claim your refund now” |
| Current events | Tax-season refunds, parcel-delivery notices, breach alerts |

*Source: UK NCSC*

> **The takeaway:** The NCSC advises that a bank or other official source will never ask you to supply personal information via email or call to confirm full account details. This single rule defeats most credential-phishing attempts. If a message demands that you confirm a password, card number, or one-time code, the message itself is the warning sign.

### How do you spot a phishing email quickly?

Check the NCSC’s five manipulation signs first: authority, urgency, emotion, scarcity, and current events. Then verify independently. If you have any doubt, contact the organization directly using the contact details from their official website, not any links or phone numbers printed in the message itself.
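The five NCSC levers and the “never ask for your details” rule above can be turned into a simple triage scorer, shown here as an added example rather than anything published by the NCSC or SQ Magazine. The keyword lists and the two sample messages are constructed for this illustration, and the thresholds are an assumption to tune against your own mail stream.

```python
import re

# Regex tells for each of the NCSC's five levers. These lists are this
# example's own (hypothetical), not an official NCSC keyword set.
LEVERS = {
    "authority": [r"\bsecurity team\b", r"\byour bank\b", r"\bhmrc\b", r"\birs\b", r"\bceo\b"],
    "urgency": [r"\bwithin \d+ hours?\b", r"\bimmediately\b", r"\bwill be (closed|suspended)\b"],
    "emotion": [r"\bsuspicious activity\b", r"\bunauthori[sz]ed\b", r"\bwarning\b", r"\byou have won\b"],
    "scarcity": [r"\bonly \d+ (spots?|left)\b", r"\blimited time\b", r"\bclaim your\b"],
    "current events": [r"\btax (refund|season)\b", r"\bparcel\b", r"\bdelivery\b", r"\bdata breach\b"],
}

# A demand to confirm a password, card number, one-time code or full account
# details is the tell the NCSC says a genuine bank or agency never sends.
CREDENTIAL_REQUEST = re.compile(
    r"\b(confirm|verify|enter|provide|update)\b[^.!?]{0,60}?"
    r"\b(password|card number|one.time code|otp|account details|security code)\b"
)


def score_message(text):
    """Return the levers that fire, whether credentials are demanded, and a verdict."""
    low = text.lower()
    levers = [name for name, pats in LEVERS.items() if any(re.search(p, low) for p in pats)]
    asks_for_credentials = CREDENTIAL_REQUEST.search(low) is not None
    # Thresholds are an assumption: a credential demand alone is enough to
    # escalate, as is stacking three or more pressure levers in one message.
    if asks_for_credentials or len(levers) >= 3:
        verdict = "high"
    elif levers:
        verdict = "medium"
    else:
        verdict = "low"
    return {"levers": levers, "credential_request": asks_for_credentials, "verdict": verdict}


# Constructed sample messages for the demo (not real phishing samples).
PHISH = ("This is your bank's security team. We detected suspicious activity on your "
         "account. Confirm your password and card number within 24 hours or your "
         "account will be closed.")
BENIGN = ("Hi team, the Q3 planning notes are attached. Let me know if Thursday "
          "still works for the review.")

if __name__ == "__main__":
    for msg in (PHISH, BENIGN):
        print(score_message(msg))
```

The constructed phishing sample trips authority, urgency and emotion and demands a password, so it scores high; the benign note trips nothing.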

## What to Do if You Clicked a Phishing Link

Clicking a phishing link is recoverable if you move quickly and in order. The FTC advises that if you clicked a link or opened an attachment, you should update your security software and run a scan, then take further steps if any information was shared. Acting in the first few minutes limits how much an attacker can do with what they captured.

A practical triage sequence:

1. Disconnect the device from the network to interrupt any download in progress.
2. Change the exposed password from a different, clean device, starting with email and banking.
3. Turn on multi-factor authentication so a stolen password alone is not enough.
4. Scan the device with updated security software, per the FTC’s guidance.
5. Report the message through the channels in the next section.
6. Monitor accounts and statements for unfamiliar activity.

If sensitive data was handed over, escalate. The FTC directs anyone who believes a scammer has their Social Security, credit card, or bank account number to go to IdentityTheft.gov for specific recovery steps. Understanding [what happens to your data after a breach](https://sqmagazine.co.uk/what-happens-data-breach/) clarifies why fast password rotation matters.

## How to Protect Yourself From Phishing

The strongest single defense against phishing is turning on multi-factor authentication. Microsoft research found that MFA can block more than **99.2%** of account-compromise attacks, and the company reported that **99.9%** of compromised accounts did not have MFA enabled. MFA helps reduce risk even when a password is stolen, because the attacker still lacks the second factor.

The FTC’s baseline protection checklist is short and effective:

- Use security software and set it to update automatically.
- Keep your phone updated by setting its software to update automatically.
- Turn on multi-factor authentication on your accounts.
- Back up your data, so you can recover if a device is ever compromised.

A [password manager](https://sqmagazine.co.uk/password-manager-statistics/) strengthens this further by generating unique credentials per site, which limits the blast radius when one password leaks. Our [password statistics](https://sqmagazine.co.uk/password-statistics/) track how passkeys and MFA adoption are shifting the credential-theft picture.

For organizations, layered controls and staff training compound, and our guide on [how to secure your business from cyber attacks](https://sqmagazine.co.uk/how-to-secure-your-business-from-cyber-attacks/) sets out a practical sequence. Employees who had recent security training reported simulated phishing emails at a rate of **21%**, a fourfold increase over the roughly **5%** rate among untrained employees, per Verizon, so training measurably raises the odds that an attack gets flagged rather than clicked.

> **By the numbers:** Microsoft found MFA blocks more than **99.2%** of account-compromise attacks, and trained employees report phishing at **21%** versus about **5%** untrained. Together these point to the same conclusion: phishing defense works best as a stack, where a missed click is caught by a second factor and a reporting habit.

## Where to Report a Phishing Email

Reporting a phishing email does more than clear your inbox; it feeds takedown systems that remove the scam for everyone. In the UK, suspicious emails can be forwarded to the Suspicious Email Reporting Service at report@phishing.gov.uk. The scale of that effort is significant: the service has received more than **55.7 million** reported scams, leading to **250,000** scams being removed across **443,000** URLs.

In the United States, the FTC and the Anti-Phishing Working Group run parallel channels:

- Forward phishing emails to ReportPhishing@apwg.org.
- Forward phishing text messages to SPAM (7726).
- Report the attempt to the FTC at ReportFraud.ftc.gov.

Across SQ Magazine’s phishing coverage, the same pattern recurs: the scams that get removed fastest are the ones that get reported, not just deleted. A deleted email protects one inbox; a reported one can pull a malicious URL offline before it reaches the next thousand.

## What is phishing in simple terms?

Phishing is a scam where criminals pretend to be a trusted company or person to trick you into giving up passwords, money, or personal data, or into installing malware. The NCSC describes it as criminals using scam emails, texts, or calls to make victims visit a malicious site or hand over bank and personal details.

## Are phishing emails dangerous if you do not click anything?

Simply receiving a phishing email is generally not harmful on its own, because the risk comes from acting on it. CISA notes the danger arises when victims open harmful links, emails, or attachments that request personal information or infect devices. Deleting or reporting the message without clicking helps reduce that risk.

## How common is phishing?

Phishing is extremely common. It was the most-reported crime type to the FBI IC3 in 2024, with **193,407** complaints, and it appeared in **15%** of breaches analyzed by Verizon.

## Conclusion

Phishing remains the most-reported internet crime for a reason: it targets people, scales cheaply, and works in seconds. The data sets the stakes plainly, with **193,407** complaints reaching the FBI IC3 in 2024 and a median click time of **21 seconds** leaving almost no room to second-guess a convincing message. The defense is layered rather than singular: recognize the five NCSC red flags, slow down before acting, and let technical controls catch what attention misses.

For everyday readers, the highest-value move is turning on multi-factor authentication, which Microsoft credits with blocking more than **99.2%** of account-compromise attacks, and building the habit of reporting suspicious messages so takedown systems can act. Phishing techniques will keep evolving toward AI-generated lures that read flawlessly, which makes the behavioral signals and the second-factor backstop more important, not less. The publications and agencies tracking this field expect the social-engineering core to stay constant even as the surface polish improves.