Phishing · Home & Business · 5 min read · Updated June 2026

What is Phishing? A Plain-English Guide

Phishing is the most common cyber attack in the UK — and one of the simplest to fall for. Criminals send fake messages pretending to be your bank, HMRC, or a delivery company, with one goal: trick you into handing over your password or bank details. This guide explains exactly what phishing is, how to spot it, and what to do if you get targeted.

What is phishing?

Phishing (pronounced “fishing”) is a type of social engineering attack. Rather than hacking your device directly, attackers send a convincing fake message and wait for you to hand them the information they need.

The message might claim your account has been compromised, that a parcel is waiting for you, or that you are owed a tax refund. Every message has the same goal: get you to click a link and either log in to a fake website or download malicious software.

Types of phishing attack

Email phishing

The most common form. Fake emails impersonate banks, HMRC, delivery companies, or well-known brands like Amazon and PayPal.

Smishing (SMS phishing)

Fake text messages — often claiming to be Royal Mail, DVLA, or your bank — with a link to a fake website.

Vishing (voice phishing)

Criminals call you pretending to be your bank's fraud team or HMRC. They create urgency to pressure you into giving account details over the phone.

Spear phishing

Highly targeted attacks aimed at a specific person or business. The attacker researches you first — your name, employer, and role — to make the message convincing.

How to spot a phishing email

Most phishing emails share the same warning signs. Train yourself to look for these before clicking anything:

  • ⚠️ Urgency: "Your account will be suspended in 24 hours" — pressure tactics stop you thinking clearly.
  • ⚠️ Generic greeting: "Dear Customer" or "Dear User" instead of your name suggests a mass-sent fake.
  • ⚠️ Suspicious sender address: The display name looks legitimate but the actual email address is wrong — e.g. support@amazon-security.net instead of @amazon.co.uk.
  • ⚠️ Hover before you click: Hover over any link to see the real URL. If it does not match the company domain, do not click it.
  • ⚠️ Requests for passwords or payment: Legitimate organisations never ask for your password or card number via email.
  • ⚠️ Unexpected attachments: An invoice or document you were not expecting is a common delivery mechanism for malware.
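As an added illustration (not code from the original guide or from Cyber Nova AI), the warning signs above turned into a small Python checker that scans a raw email for a mismatched sender domain, a generic greeting, urgency wording, and links whose real destination does not match the brand they claim; the brand-to-domain table, the urgency phrases and the two sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand keyword -> the domain that brand really sends from (assumed values for this example).
BRAND_DOMAINS = {"amazon": "amazon.co.uk", "paypal": "paypal.com", "hmrc": "hmrc.gov.uk"}
URGENCY = re.compile(r"\b(within 24 hours|will be suspended|act now|immediately)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (customer|user|valued client)\b", re.I)
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # crude link extractor, enough for the sample

def registrable_domain(host):
    """Crude registrable domain: keep three labels for co.uk/gov.uk style hosts, else two."""
    parts = host.lower().rstrip(".").split(".")
    keep = 3 if len(parts) > 2 and parts[-2] in ("co", "gov", "org", "ac") else 2
    return ".".join(parts[-keep:])

def brand_in(text):
    """First brand keyword mentioned in the text, or None."""
    return next((b for b in BRAND_DOMAINS if b in text.lower()), None)

def phishing_indicators(raw_email):
    """Return the warning signs found in one raw email (empty list = none present)."""
    msg = message_from_string(raw_email)
    display_name, addr = parseaddr(msg.get("From", ""))
    flags, brand = [], brand_in(display_name)
    sender_domain = registrable_domain(addr.rpartition("@")[2])
    if brand and sender_domain != BRAND_DOMAINS[brand]:  # display name says Amazon, address does not
        flags.append(f"sender claims to be {brand} but mails from {sender_domain}")
    body = msg.get_payload()
    if GENERIC_GREETING.search(body):
        flags.append("generic greeting")
    if URGENCY.search(body):
        flags.append("urgency language")
    for href, text in ANCHOR.findall(body):  # the "hover before you click" check, done by machine
        host = urlparse(href).hostname or ""
        claimed = brand_in(text) or brand_in(host) or brand
        if claimed and registrable_domain(host) != BRAND_DOMAINS[claimed]:
            flags.append(f"link '{text.strip()}' really goes to {host}")
    return flags

# Constructed sample messages for the example (not real emails).
PHISH = ("From: Amazon Security <support@amazon-security.net>\n\nDear Customer,\n"
         "Your account will be suspended within 24 hours. "
         '<a href="http://amazon-security.net/login">Sign in to Amazon</a>')
LEGIT = ("From: Amazon <no-reply@amazon.co.uk>\n\nHello Sam, your order has shipped. "
         '<a href="https://www.amazon.co.uk/orders">View your order</a>')
```

Running `phishing_indicators(PHISH)` reports all four signs, while the legitimate message returns an empty list; a real mail filter would use a proper HTML parser and a public-suffix list instead of the crude helpers here.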

What to do if you receive a phishing email

  1. Do not click any links or download attachments.
  2. Do not reply — replying confirms your email address is active.
  3. Report it to report@phishing.gov.uk (the UK's National Cyber Security Centre inbox).
  4. Mark it as spam or junk in your email client.
  5. If it impersonates your bank, forward it to phishing@[yourbank].co.uk.

What if you already clicked the link?

Do not panic — but act quickly. The sooner you respond, the less damage is done.

  1. Close the page immediately. Do not enter any information.
  2. Change your password for that account right now — from a different device if possible.
  3. If you entered your email password, change it and then check if any other accounts use the same password.
  4. If you entered banking or card details, call your bank immediately using the number on the back of your card.
  5. Run a malware scan on your device.
  6. Report to Action Fraud: actionfraud.police.uk or 0300 123 2040.

UK phishing statistics

The NCSC processed over 7.1 million phishing reports in 2023 and took down more than 235,000 scam URLs. Despite this, phishing remains the starting point for the majority of UK cyber incidents — including 84% of all reported breaches (DCMS Cyber Security Breaches Survey 2023).

Protect yourself against phishing

These tasks on the Cyber Nova AI platform directly reduce your phishing risk:

Frequently asked questions

What is the difference between phishing and spam?

Spam is unwanted bulk email — usually advertising. Phishing is specifically designed to steal something: your password, bank details, or personal information. Phishing is always malicious; spam is usually just annoying.

Can phishing happen on social media?

Yes. Attackers create fake profiles, send direct messages, or post fake links in comments. Common targets are Facebook Marketplace buyers, Instagram giveaways, and LinkedIn connection requests with malicious links.

Does my business need to worry about phishing?

Yes — more so than individuals. Business Email Compromise (BEC) attacks specifically target organisations, often impersonating a CEO or supplier to authorise fraudulent payments. The average UK business phishing attack costs significantly more than an individual one.

Is it safe to open a phishing email without clicking anything?

Generally yes — simply opening a modern email is low risk. The danger comes from clicking links or downloading attachments. Some older email clients can load remote images, but modern email services block this automatically.

Check your phishing protection — free

Cyber Nova AI walks you through the exact steps to protect yourself from phishing and other common attacks. Free account. Takes under an hour.

Start your free security check