SQ Magazine

Smarter Insights for a Fast-Moving Digital World

What Is Phishing? How It Works, Types, and How to Spot It in 2026

Published on: June 15, 2026
As Featured In
The New York Times LogoForbes LogoWired LogoDeloitte LogoResearch.com Logo

Phishing was the most-reported internet crime in the United States in 2024, with the FBI’s Internet Crime Complaint Center logging 193,407 phishing and spoofing complaints that year. So what is phishing? Phishing is a form of social engineering in which criminals try to get people to open harmful links, emails, or attachments that request personal information or infect devices, according to the US Cybersecurity and Infrastructure Security Agency.

The mechanics are simple, the volume is enormous, and the window to react is measured in seconds. What follows covers how phishing works, the seven main types, the red flags that give an attack away, and the exact steps to take if you clicked.

Key Takeaways

  • The FBI IC3 received 193,407 phishing and spoofing complaints in 2024, more than any other crime type, with $70,013,036 in reported losses.
  • Phishing appeared in 15% of breaches analyzed in the Verizon 2025 Data Breach Investigations Report.
  • The median time for a user to click a phishing link is just 21 seconds, and the median time to submit data is 28 seconds.
  • The UK’s NCSC groups phishing red flags into five levers: authority, urgency, emotion, scarcity, and current events.
  • Microsoft research found that multi-factor authentication can block more than 99.2% of account-compromise attacks.
  • The NCSC Suspicious Email Reporting Service has taken in more than 55.7 million reported scams, leading to 250,000 scams removed.

What Is Phishing?

Phishing is a form of social engineering, and according to the US Cybersecurity and Infrastructure Security Agency, it ranked as the most-reported crime type to the FBI IC3 in 2024 with 193,407 complaints. Phishing messages, the “bait,” usually arrive as an email, text, direct message on social media, or phone call, designed to look like they come from a trusted source, per CISA.

The UK’s National Cyber Security Centre frames it the same way: criminals use scam emails, text messages, or phone calls to trick victims into visiting a malicious website or handing over bank and personal details. The US Federal Trade Commission and Microsoft describe the same mechanics from the consumer and account-security angles.

CISA splits the attack into two core tactics. The first is credential theft, where the attacker sends an email with a link to an imposter site that convinces the victim to enter a username and password, sometimes also requesting MFA codes in what is called MFA bypass. The second tactic is malware deployment, where harmful links or attachments are used to infect devices.

Why it matters: CISA classifies phishing as social engineering rather than a purely technical exploit. That framing matters because the target is the person, not the software. A patched, fully updated device still falls if the human at the keyboard is persuaded to type a password into the wrong box.

How Phishing Works, Step by Step

The Verizon Data Breach Investigations Report found the median time for a user to click a phishing link is just 21 seconds, with a median time to submit data into the fake form of 28 seconds. Phishing follows a short, repeatable sequence, and its danger lies in that speed: under a minute separates a delivered email from a stolen credential.

The sequence runs in four beats:

  • Bait. The attacker sends a message impersonating a brand, colleague, or agency.
  • Trust. The message is built to look like it comes from a trusted person or organization, prompting a response.
  • Action. The victim clicks a link, opens an attachment, or replies with information.
  • Harvest. A credential-theft attack lands the victim on an imposter site that captures the username and password, while a malware attack runs code on the device.

Because the click-to-compromise window is so narrow, awareness training alone cannot carry the load. That speed is survivable according to Microsoft research, which found MFA can block more than 99.2% of account-compromise attacks. Speed is the reason layered technical controls matter as much as user education. If a credential can be stolen in 28 seconds, the realistic defense is making the stolen credential useless once it leaves the keyboard. This is the gap that controls such as multi-factor authentication are built to close, a pattern the broader phishing email statistics reinforce across organizations.

The Main Types of Phishing

CISA documents several named offshoot variants beyond ordinary phishing, including spear phishing, whaling, smishing, and vishing, separated mainly by channel and target. Adding clone and angler phishing brings the common total to seven variants worth knowing. Knowing the category helps you recognize an attack even when the wording is convincing.

  • Email phishing is the mass-volume baseline, blasting generic lures to large lists.
  • Spear phishing is targeted. The attacker researches the victim’s job role and contacts to craft a highly personalized message that is harder to detect.
  • Whaling aims at the top. Whaling is a type of spear phishing that targets senior executives, often to facilitate a financial scam such as wire-transfer fraud, and primarily focuses on financial institutions and payment services.
  • Smishing is phishing carried out via SMS text message.
  • Vishing is voice phishing carried out over the phone, often using Voice over Internet Protocol so callers can spoof legitimate numbers.
  • Clone phishing copies a real email and swaps benign links for malicious ones.
  • Angler phishing impersonates customer-support accounts on social media to harvest credentials.
TypeChannelTargetDistinctive trait
Email phishingEmailMass audienceGeneric, high volume
Spear phishingEmailSpecific personResearched, personalized
WhalingEmailSenior executivesWire-transfer and finance focus
SmishingSMS textMobile usersMalicious link in a text
VishingPhone callAnyoneVoIP-spoofed caller ID
Clone phishingEmailPrior correspondentsLegitimate email cloned
Angler phishingSocial mediaAccount holdersFake support agents

Source: CISA, UK NCSC

Voice-based attacks deserve their own attention given how convincing spoofed calls have become; the voice phishing statistics show how fast that channel is growing.

Newsletter
Subscribe To Our Newsletter!

Be the first to get exclusive offers and the latest news.

How to Spot a Phishing Email: Red Flags

The UK’s NCSC groups the manipulation tactics behind phishing into five signs: authority, urgency, emotion, scarcity, and current events, which makes psychological pressure, not spelling mistakes, the most reliable thing to watch for. The US Federal Trade Commission documents the matching stories scammers tell, including claims of suspicious activity or log-in attempts, a problem with your account or payment, a request to confirm personal information, a fake invoice, or a link to make a payment that carries malware.

The five NCSC levers map to concrete tells:

  • Authority: Criminals pretend to be important people or organizations to pressure you.
  • Urgency: Messages give a limited time to respond, such as “within 24 hours” or “immediately”.
  • Emotion: Messages try to make you panicked, fearful, hopeful, or curious, often with threatening language.
  • Scarcity: Offers of something in short supply, like tickets, money, or a cure.
  • Current events: Messages that exploit news stories, big events, or seasonal moments like tax reporting.
Red flagWhat it looks like in an email
Authority“This is your bank’s security team” with an official-looking logo
Urgency“Your account will be closed in 24 hours”
EmotionThreats, alarming warnings, or too-good-to-be-true rewards
Scarcity“Only 3 spots left, claim your refund now”
Current eventsTax-season refunds, parcel-delivery notices, breach alerts

Source: UK NCSC

The takeaway: The NCSC advises that a bank or other official source will never ask you to supply personal information via email or call to confirm full account details. This single rule defeats most credential-phishing attempts. If a message demands that you confirm a password, card number, or one-time code, the message itself is the warning sign.

How do you spot a phishing email quickly?

Check the NCSC’s five manipulation signs first: authority, urgency, emotion, scarcity, and current events. Then verify independently. If you have any doubt, contact the organization directly using the contact details from their official website, not any links or phone numbers printed in the message itself.

Clicking a phishing link is recoverable if you move quickly and in order. The FTC advises that if you clicked a link or opened an attachment, you should update your security software and run a scan, then take further steps if any information was shared. Acting in the first few minutes limits how much an attacker can do with what they captured.

A practical triage sequence:

  1. Disconnect the device from the network to interrupt any download in progress.
  2. Change the exposed password from a different, clean device, starting with email and banking.
  3. Turn on multi-factor authentication so a stolen password alone is not enough.
  4. Scan the device with updated security software, per the FTC’s guidance.
  5. Report the message through the channels in the next section.
  6. Monitor accounts and statements for unfamiliar activity.

If sensitive data was handed over, escalate. The FTC directs anyone who believes a scammer has their Social Security, credit card, or bank account number to go to IdentityTheft.gov for specific recovery steps. Understanding what happens to your data after a breach clarifies why fast password rotation matters.

How to Protect Yourself From Phishing

The strongest single defense against phishing is turning on multi-factor authentication. Microsoft research found that MFA can block more than 99.2% of account-compromise attacks, and the company reported that 99.9% of compromised accounts did not have MFA enabled. MFA helps reduce risk even when a password is stolen, because the attacker still lacks the second factor.

The FTC’s baseline protection checklist is short and effective:

  • Use security software and set it to update automatically.
  • Keep your phone updated by setting its software to update automatically.
  • Turn on multi-factor authentication on your accounts.
  • Back up your data. The FTC advises backing up your data, so you can recover if a device is ever compromised.

A password manager strengthens this further by generating unique credentials per site, which limits the blast radius when one password leaks. Our password statistics track how passkeys and MFA adoption are shifting the credential-theft picture.

For organizations, layered controls and staff training compound, and our guide on how to secure your business from cyber attacks sets out a practical sequence. Employees who had recent security training reported simulated phishing emails at a rate of 21%, a fourfold increase over the roughly 5% rate among untrained employees, per Verizon, so training measurably raises the odds that an attack gets flagged rather than clicked.

By the numbers: Microsoft found MFA blocks more than 99.2% of account-compromise attacks, and trained employees report phishing at 21% versus about 5% untrained. Together these point to the same conclusion: phishing defense works best as a stack, where a missed click is caught by a second factor and a reporting habit.

Where to Report a Phishing Email

Reporting a phishing email does more than clear your inbox; it feeds takedown systems that remove the scam for everyone. In the UK, suspicious emails can be forwarded to the Suspicious Email Reporting Service at report@phishing.gov.uk. The scale of that effort is significant: the service has received more than 55.7 million reported scams, leading to 250,000 scams being removed across 443,000 URLs.

In the United States, the FTC and the Anti-Phishing Working Group run parallel channels:

  • Forward phishing emails to ReportPhishing@apwg.org.
  • Forward phishing text messages to SPAM (7726).
  • Report the attempt to the FTC at ReportFraud.ftc.gov.

Across SQ Magazine’s phishing coverage, the same pattern recurs: the scams that get removed fastest are the ones that get reported, not just deleted. A deleted email protects one inbox; a reported one can pull a malicious URL offline before it reaches the next thousand.

What is phishing in simple terms?

Phishing is a scam where criminals pretend to be a trusted company or person to trick you into giving up passwords, money, or personal data, or into installing malware. The NCSC describes it as criminals using scam emails, texts, or calls to make victims visit a malicious site or hand over bank and personal details.

Are phishing emails dangerous if you do not click anything?

Simply receiving a phishing email is generally not harmful on its own, because the risk comes from acting on it. CISA notes the danger arises when victims open harmful links, emails, or attachments that request personal information or infect devices. Deleting or reporting the message without clicking helps reduce that risk.

How common is phishing?

Phishing is extremely common. It was the most-reported crime type to the FBI IC3 in 2024, with 193,407 complaints, and it appeared in 15% of breaches analyzed by Verizon.

Conclusion

Phishing remains the most-reported internet crime for a reason: it targets people, scales cheaply, and works in seconds. The data sets the stakes plainly, with 193,407 complaints reaching the FBI IC3 in 2024 and a median click time of 21 seconds leaving almost no room to second-guess a convincing message. The defense is layered rather than singular: recognize the five NCSC red flags, slow down before acting, and let technical controls catch what attention misses.

For everyday readers, the highest-value move is turning on multi-factor authentication, which Microsoft credits with blocking more than 99.2% of account-compromise attacks, and building the habit of reporting suspicious messages so takedown systems can act. Phishing techniques will keep evolving toward AI-generated lures that read flawlessly, which makes the behavioral signals and the second-factor backstop more important, not less. The publications and agencies tracking this field expect the social-engineering core to stay constant even as the surface polish improves.

This article has been reviewed and fact-checked by Barry Elad. SQ Magazine follows strict Publishing Principles and a documented Fact-Check Policy to ensure accuracy, transparency, and editorial independence across all content.

Add SQ Magazine as a Preferred Source on Google for updates! Follow on Google News

References

Sofia Ramirez

Sofia Ramirez

Senior Tech Writer

Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps readers stay informed and secure in today’s fast-changing tech landscape. Passionate about making cybersecurity accessible, Sofia blends research-driven analysis with straightforward explanations; so whether you’re a tech professional or a curious reader, her work ensures you’re always one step ahead in the digital world.

Related Posts

Disclaimer: The content published on SQ Magazine is for informational and educational purposes only. Please verify details independently before making any important decisions based on our content.

Reader Interactions

Leave a Comment

Company
Discover
Categories
Internet
Gaming
Technology
Artificial Intelligence
Cybersecurity
Categories
Internet
Gaming
Technology
Artificial Intelligence
Cybersecurity