Blogs

What Is Phishing? Types, Examples, Red Flags & How to Protect Yourself

3 June 2026

Gabriel Caetano


Learn what phishing is, how it works, and how to protect yourself in 2026. This guide explains the main types of phishing attacks, including spear phishing, smishing, vishing, BEC, quishing, and AI-powered scams, with real-world examples, warning signs, prevention tips, and what to do if you have been phished.


Introduction

Every 11 seconds, a business somewhere in the world falls victim to a cyberattack, and phishing is the single most common way those attacks begin. In 2026, phishing remains the dominant social-engineering threat, costing organizations and individuals billions of euros each year. But what is phishing, exactly? In plain terms, phishing is a type of cybercrime where an attacker pretends to be a trusted person or organization, tricking you into handing over sensitive information like passwords, payment details, or personal data.

Despite decades of awareness campaigns, phishing still works. The reason is simple: it targets people, not software. No matter how strong your firewall or antivirus program may be, a convincing message that exploits urgency, fear, or curiosity can bypass every technical defense in seconds. And with the rise of AI-generated content, deepfake voice calls, and QR code scams, phishing in 2026 looks nothing like the crude spam emails of the early 2000s.

This guide covers everything you need to know: what phishing is, how it works, every major attack type (from spear phishing and smishing to AI phishing and quishing), real-world examples that caused millions in losses, the red flags that give attackers away, and the concrete steps you can take to protect yourself and your organization. Whether you manage finances for a company or simply want to keep your personal accounts safe, this article is for you. And because phishing increasingly targets financial accounts and crypto wallets, we will also touch on how self-custodial tools like Bleap, which gives you full control of your funds without relying on a centralized third party, add a meaningful layer of protection to your financial life.

Let's start at the beginning.

Phishing is the number 1 way people lose money online. Your financial setup matters. Bleap's self-custodial Mastercard means no centralized account for attackers to drain, plus 0% FX fees and up to 20% cashback on everyday spending. Learn more about Bleap →

1. A Brief History of Phishing: From AOL Scams to AI-Powered Attacks

Phishing has been around almost as long as the internet itself. The term was first coined in the mid-1990s, when attackers on America Online (AOL) used instant messages and emails to "fish" for users' passwords and credit card numbers. These early scams were crude but effective, tricking AOL users into giving up login credentials so attackers could hijack accounts and steal billing information. The metaphor stuck: just as a fisherman uses a lure, phishers use fake messages designed to hook unsuspecting victims.

By the early 2000s, phishing had graduated from chatroom pranks to large-scale email campaigns targeting bank customers. Fake emails impersonating major financial institutions like PayPal, eBay, and high-street banks flooded inboxes around the world. The messages were generic, the grammar was often poor, and the fake websites were rough, but millions of people still fell for them.

The 2010s brought a significant shift. Attackers moved from spraying millions of identical emails toward targeted spear phishing, researching individual victims and crafting personalized messages. Nation-state actors entered the picture, using phishing as a primary tool for espionage and infrastructure disruption.

From 2020 onward, the landscape changed again. The COVID-19 pandemic drove massive increases in remote work, which expanded the attack surface. Mobile phishing (smishing and vishing) exploded. Business Email Compromise (BEC) fraud became the costliest cybercrime category by dollar value. And most recently, AI-powered phishing tools have made it possible for attackers to generate flawless, personalized messages at scale, erasing the "bad grammar" red flag that once helped users identify scams.

The through-line is clear: phishing has evolved from crude mass emails into sophisticated, personalized, multi-channel attacks. Understanding that evolution is essential to defending against today's threats.

2. What Is Phishing and How Does It Work?

The Core Definition

Phishing is a form of cybercrime in which an attacker impersonates a trusted entity, such as a bank, employer, delivery service, or government agency, to trick a victim into revealing sensitive information, clicking a malicious link, or taking a harmful action like transferring money.

What makes phishing distinct from other cyber threats like malware injection or brute-force hacking is that it targets human psychology, not software vulnerabilities. The attacker does not need to break through a firewall or exploit a coding flaw. They need only convince one person to do one thing.

The primary goals of phishing attacks include:

  • Credential theft: Stealing usernames, passwords, and login details to access accounts.
  • Financial fraud: Tricking victims into making payments or providing card details.
  • Malware delivery: Getting victims to download software that gives attackers ongoing access or encrypts files for ransom.
  • Unauthorized access: Using stolen credentials to move deeper into a company's network.

The Anatomy of a Phishing Attack (Step-by-Step)

Understanding how a phishing attack unfolds makes it far easier to spot one in progress. Here is the typical lifecycle:

Step 1. Reconnaissance. The attacker gathers information about the target. For mass phishing, this could be as simple as obtaining a list of email addresses. For targeted attacks (spear phishing, whaling), the attacker studies social media profiles, company websites, press releases, and even LinkedIn org charts to learn names, roles, reporting lines, and recent activities.

Step 2. Lure creation. The attacker crafts a convincing message or website designed to look legitimate. This includes spoofing sender email addresses, cloning real websites pixel-by-pixel, and writing copy that matches the tone of the impersonated organization. In 2026, AI tools can generate near-perfect phishing content in seconds.

Step 3. Delivery. The lure is sent through the chosen channel: email, SMS, phone call, QR code, social media message, or even a collaboration platform like Slack or Microsoft Teams.

Step 4. Hook. The victim interacts with the lure. They click a link, open an attachment, scan a QR code, or provide information over the phone. This is the critical moment the attacker has designed everything around.

Step 5. Exploitation. Once the victim has taken the bait, the attacker harvests the stolen credentials, installs malware, or initiates a fraudulent transaction.

Step 6. Monetization. The attacker converts access into money. This might mean draining a bank account, selling stolen data on the dark web, deploying ransomware, or moving laterally inside a corporate network to access higher-value systems.

The Psychology Behind Phishing

Phishing succeeds because it exploits hardwired cognitive patterns. The most common psychological triggers attackers use include:

  • Urgency: "Your account will be locked in 24 hours." Urgency short-circuits rational thinking and pushes victims to act before they analyze.
  • Fear: "Unauthorized login detected on your account." Fear triggers a fight-or-flight response, making careful evaluation less likely.
  • Authority: "This is from your CEO" or "This is HMRC." People are conditioned to comply with authority figures.
  • Curiosity: "You've received a document" or "Someone shared a photo of you." Curiosity is a powerful motivator that overrides caution.
  • Scarcity: "Only 2 hours left to claim your refund." Scarcity creates a fear of missing out that drives impulsive action.

Even tech-savvy people fall for phishing. Cognitive biases, multitasking, fatigue, and context switching all reduce the attention we give to each message. A software engineer who would easily spot a scam on a focused workday might click a malicious link while rushing between meetings on their phone. Social engineering underpins every phishing variant, regardless of the delivery channel or technical sophistication.

3. Common Types of Phishing Attacks

Phishing is an umbrella term that covers a wide range of attack vectors. Each type uses a different delivery method, targets different victims, and requires a different awareness strategy. Here are the most common forms you need to know in 2026.

Email Phishing (Deceptive Phishing)

Email phishing, sometimes called deceptive phishing, is the most widespread form. Attackers send mass-distributed emails designed to look like they come from trusted organizations. The messages cast a wide net, and the success of the campaign depends on sheer volume: if 0.1% of 10 million recipients click, that is 10,000 compromised victims.

Common themes in deceptive phishing emails include:

  • Account suspension notices ("Your PayPal account has been limited")
  • Package delivery updates ("Your parcel is waiting for pickup")
  • Invoice or payment requests ("Invoice #29481 attached")
  • Security alerts ("Unusual login activity on your account")

Attackers spoof sender addresses by manipulating email headers, registering look-alike domains (like "amaz0n-support.com"), or compromising legitimate email accounts. Many of these emails include links to fake login pages that are visually identical to the real thing.

Spear Phishing

Spear phishing is a targeted form of email phishing aimed at a specific individual or small group within an organization. Unlike mass phishing, spear phishing emails are carefully researched and personalized. The attacker may use the victim's real name, reference their job title, mention colleagues by name, or refer to recent projects or events.

This personalization dramatically increases the success rate. While mass phishing emails might achieve a click rate of 3-5%, spear phishing campaigns regularly exceed 20-30%.

Common spear phishing targets include:

  • Finance staff: Targeted with fake invoice or payment redirect requests.
  • Executives: Targeted with emails impersonating board members, regulators, or legal counsel.
  • HR departments: Targeted with requests for employee records, tax forms, or payroll data.
  • IT administrators: Targeted with fake security alerts or vendor communications.

Spear phishing is the gateway to many of the largest data breaches in history. When an attacker can convincingly impersonate a trusted colleague, even experienced professionals can be deceived.

Whaling Attacks

A whaling attack is a specialized form of spear phishing that exclusively targets C-suite executives such as CEOs, CFOs, and CISOs. The stakes are higher, and the payoff for the attacker is correspondingly larger.

In a typical whaling attack, the attacker impersonates a board member, regulator, outside legal counsel, or a fellow executive, requesting an urgent wire transfer, a sensitive document, or confidential business information.

Notable whaling incidents include:

  • Snapchat (2016): An employee received an email impersonating the CEO and handed over payroll information for current and former employees.
  • Mattel (2015): A finance executive received a whaling email impersonating the new CEO and authorized a €3 million wire transfer to a fraudulent account in China. (The funds were eventually recovered due to the timing of a bank holiday.)

What makes whaling difficult to detect is that the emails are meticulously crafted, the requests are plausible within the context of executive communication, and the targets are senior enough that they may not have the same level of IT oversight as other staff.

Clone Phishing

Clone phishing is a particularly deceptive technique in which the attacker takes a legitimate email that the victim has already received, duplicates it, and replaces the original links or attachments with malicious versions. The cloned email is then re-sent, often from a spoofed address that matches the original sender.

This method works because the victim has already seen the original message and recognizes the content, branding, and context. The familiarity lowers suspicion.

Attackers gain access to the original emails through compromised mailboxes, man-in-the-middle interception, or by simply observing common business communications (like monthly invoices or software update notifications) and replicating them.

Business Email Compromise (BEC) Fraud

Business Email Compromise is one of the most financially devastating forms of phishing. In a BEC attack, the attacker impersonates a company executive, vendor, or business partner to trick an employee into redirecting a legitimate payment or wiring funds to a fraudulent account.

BEC is consistently the costliest category of cybercrime by total dollar value. According to FBI Internet Crime Complaint Center (IC3) data, BEC has caused tens of billions of euros in losses globally over the past decade.

Common BEC scenarios include:

  • CEO fraud: An email impersonating the CEO instructs the CFO or finance team to urgently wire funds to a new account.
  • Vendor invoice fraud: An attacker intercepts or spoofs vendor emails and changes the bank details on a legitimate invoice.
  • Payroll redirect: An attacker impersonates an employee and requests a change to their direct deposit account.

What makes BEC uniquely dangerous is that many BEC emails contain no malicious links, no attachments, and no malware. They rely entirely on social engineering, making them invisible to most email security filters.

Smishing (SMS Phishing)

Smishing is phishing delivered via text message (SMS). The attacker sends a fraudulent text impersonating a bank, delivery service, government agency, or utility company, typically containing a link to a fake website or a phone number to call.

Smishing has grown rapidly in recent years for several reasons:

  • SMS has a dramatically higher open rate than email (over 90% of texts are read within 3 minutes).
  • Mobile devices offer less screen space to inspect URLs and sender details.
  • Mobile security tooling is less mature than email filtering.

Common smishing lures include:

  • "Your package has been held at the depot. Confirm delivery: [link]"
  • "Unusual activity detected on your account. Verify now: [link]"
  • Tax refund scams: "HMRC: You are owed a refund of £438.20. Claim here: [link]"

The links in smishing messages typically lead to credential-harvesting pages or payment forms that capture card details.

Vishing (Voice Phishing)

Vishing uses phone calls, either from real human callers or automated robocalls, to impersonate trusted organizations and manipulate victims into providing sensitive information or taking harmful actions.

Common vishing scenarios include:

  • Tech support scams: The caller claims to be from Microsoft or Apple, saying the victim's computer is infected and needs immediate remote access.
  • Bank fraud alerts: The caller claims to be from the victim's bank, reporting suspicious activity and requesting account verification or card details.
  • Government impersonation: The caller claims to be from HMRC, the IRS, or local police, threatening arrest or fines unless immediate payment is made.

Attackers use caller ID spoofing to make the incoming call appear to come from a legitimate phone number, such as the victim's actual bank. This makes vishing extremely convincing, especially for victims who are not aware that caller ID can be faked.

4. Emerging Phishing Techniques: What's New in 2025-2026

Threat actors do not stand still. As defenses improve, attackers adopt new technology and exploit new channels. This section covers the most dangerous emerging phishing techniques you should be aware of in 2026.

AI-Generated Phishing

The single biggest shift in the phishing landscape over the past 2 years has been the widespread use of AI by attackers. Large language models now allow anyone, even those with no writing skills or command of the target language, to produce grammatically perfect, contextually personalized phishing emails at scale.

This development has effectively eliminated one of the oldest phishing red flags: bad grammar and spelling. In 2026, AI-generated phishing messages are often indistinguishable from legitimate corporate communications.

But AI phishing goes beyond text. Attackers now use:

  • Deepfake voice cloning: Using a few seconds of publicly available audio (from a conference talk, YouTube video, or podcast), attackers can clone a person's voice and use it in vishing calls. There have been documented cases of attackers impersonating CEOs on phone calls to authorize six-figure wire transfers.
  • Deepfake video: In advanced attacks, deepfake video is used in video calls to impersonate executives or colleagues. A widely reported 2024 incident involved a finance worker in Hong Kong who was tricked into transferring approximately €23 million after attending a video call where every other participant was a deepfake.
  • Phishing-as-a-Service (PhaaS): Underground platforms now offer AI-powered phishing kits as a subscription service, complete with email templates, hosting, and credential-harvesting infrastructure. These lower the barrier to entry for cybercrime dramatically.

Quishing (QR Code Phishing)

Quishing is the practice of embedding malicious URLs inside QR codes. When a victim scans the code, they are redirected to a phishing website designed to steal credentials or install malware.

Quishing is effective for a specific reason: most email security tools scan links in email bodies, but they cannot easily analyze the URL encoded within an image of a QR code. This allows attackers to bypass filters that would catch a plaintext malicious link.

Common quishing delivery methods include:

  • QR codes embedded in email attachments (fake invoices, delivery notices, or MFA setup instructions)
  • Physical QR code stickers placed over legitimate codes on parking meters, restaurant menus, or public signage
  • MFA fatigue attacks where victims are sent QR codes to "re-authenticate" their accounts

Major quishing campaigns in 2025 targeted Microsoft 365 credentials, with attackers sending emails containing QR codes that directed victims to convincing replicas of Microsoft login pages.

Hybrid Vishing (Callback Phishing)

Hybrid vishing, also known as callback phishing, is a multi-stage attack that combines email and phone calls to bypass automated defenses.

The typical flow works like this:

  1. The victim receives an email about a fake subscription charge, invoice, or security alert.
  2. The email does not contain any malicious links or attachments, so it passes through email security filters cleanly.
  3. Instead, the email instructs the victim to call a phone number to "resolve" the issue.
  4. When the victim calls, they reach a human operator who walks them through downloading malware (disguised as a "cancellation tool" or "security fix") or providing credentials.

Campaigns like BazaCall pioneered this technique, and it has been adopted widely because it exploits a blind spot: security tools scan links and attachments, but they cannot detect a phone number that leads to a social engineer.

Adversary-in-the-Middle (AiTM) Phishing

Adversary-in-the-Middle phishing is a technique that defeats traditional multi-factor authentication (MFA). In an AiTM attack, the phishing site acts as a transparent proxy between the victim and the real website.

Here is how it works:

  1. The victim clicks a phishing link and lands on a fake login page.
  2. The fake page relays the victim's username and password to the real website in real time.
  3. When the real website sends an MFA challenge, it passes through the proxy to the victim, who completes it.
  4. The proxy captures the authenticated session cookie that the real website issues after successful login.
  5. The attacker uses that session cookie to access the victim's account, completely bypassing MFA.

Open-source phishing toolkits like Evilginx and Modlishka have made AiTM attacks accessible to less sophisticated attackers. This means SMS-based MFA and even authenticator app codes are no longer a guaranteed defense. Phishing-resistant methods like FIDO2 hardware keys and passkeys are the most effective countermeasure against AiTM.
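The contrast between a relayed password and a relayed passkey is easier to see in code. The following simulation is an added example, not code from the article or from any of the toolkits it names: it models the five-step AiTM flow above with a proxy that forwards the real site's challenge, and shows where a WebAuthn assertion fails while a password does not. The relying party, origins, user and the HMAC stand-in for the passkey's key pair are all constructed assumptions for the demonstration.

```python
"""Why passkeys defeat adversary-in-the-middle (AiTM) phishing.

Added example, not code from the article. It simulates the AiTM flow the article
describes: a proxy relays the real site's login challenge to the victim and forwards
whatever comes back. A password survives that relay; a WebAuthn assertion does not,
because the browser writes the real page origin into the signed client data and the
relying party accepts only its own origin. Simplification (assumption): the passkey
uses an HMAC secret instead of an asymmetric key pair, so only the standard library is needed.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

# Constructed names for the demonstration.
RP_ID = "login.example.com"
REAL_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example.com.evil-proxy.example"


def signed_payload(rp_id: str, client_data: bytes) -> bytes:
    """What the authenticator signs: rpIdHash || SHA-256(clientDataJSON)."""
    return hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()


class Authenticator:
    """A passkey bound to one relying-party id; the secret stands in for the private key."""

    def __init__(self, rp_id: str) -> None:
        self.rp_id, self.secret = rp_id, secrets.token_bytes(32)

    def get_assertion(self, challenge: str, origin: str) -> tuple[bytes, bytes]:
        # The origin field is written by the browser from the page actually showing the prompt.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
        return client_data, hmac.new(self.secret, signed_payload(self.rp_id, client_data), "sha256").digest()


def browser_get_assertion(auth: Authenticator, rp_id: str, challenge: str, page_origin: str) -> tuple[bytes, bytes]:
    """Browser side: the rp id must equal the page's host or be a registrable suffix of it."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rp id {rp_id} is not valid for origin {page_origin}")
    return auth.get_assertion(challenge, page_origin)


class RelyingParty:
    """The real login service, with a password path and a passkey path for the same user."""

    def __init__(self, rp_id: str, origin: str) -> None:
        self.rp_id, self.origin = rp_id, origin
        self.password_hashes: dict[str, str] = {}  # demo only; use a slow password hash in production
        self.passkeys: dict[str, bytes] = {}  # a real RP stores only the public key
        self.pending: dict[str, str] = {}

    def register(self, user: str, password: str, auth: Authenticator) -> None:
        self.password_hashes[user] = hashlib.sha256(password.encode()).hexdigest()
        self.passkeys[user] = auth.secret

    def new_challenge(self, user: str) -> str:
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def password_login(self, user: str, password: str) -> bool:
        digest = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(self.password_hashes.get(user, ""), digest)

    def passkey_login(self, user: str, client_data: bytes, signature: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get" or data.get("challenge") != self.pending.pop(user, None):
            return False  # replayed or unknown challenge
        if data.get("origin") != self.origin:
            return False  # signed on another site's page: this is what stops the AiTM proxy
        expected = hmac.new(self.passkeys[user], signed_payload(self.rp_id, client_data), "sha256").digest()
        return hmac.compare_digest(expected, signature)


def aitm_passkey(rp: RelyingParty, auth: Authenticator, user: str, skip_browser_check: bool = False) -> str:
    """The proxy relays the real challenge to the victim's browser, which is showing the proxy's page."""
    challenge = rp.new_challenge(user)
    if skip_browser_check:  # even a browser without the rp-id check still records the real page origin
        assertion = auth.get_assertion(challenge, PROXY_ORIGIN)
    else:
        try:
            assertion = browser_get_assertion(auth, rp.rp_id, challenge, PROXY_ORIGIN)
        except ValueError:
            return "blocked by browser"
    return "accepted" if rp.passkey_login(user, *assertion) else "rejected by relying party"


def legitimate_passkey(rp: RelyingParty, auth: Authenticator, user: str) -> bool:
    challenge = rp.new_challenge(user)
    return rp.passkey_login(user, *browser_get_assertion(auth, rp.rp_id, challenge, REAL_ORIGIN))


def demo() -> dict[str, object]:
    rp, auth = RelyingParty(RP_ID, REAL_ORIGIN), Authenticator(RP_ID)
    rp.register("alice", "correct horse battery", auth)
    return {
        # The victim typed the password into the proxy page; the proxy forwards it unchanged and is let in.
        "password via proxy": rp.password_login("alice", "correct horse battery"),
        "passkey via proxy": aitm_passkey(rp, auth, "alice"),
        "passkey via proxy, browser check skipped": aitm_passkey(rp, auth, "alice", skip_browser_check=True),
        "passkey on the real site": legitimate_passkey(rp, auth, "alice"),
    }
```

Running `demo()` shows the password accepted through the proxy while both passkey attempts through the proxy fail, once at the browser and once at the relying party.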

Social Media and Collaboration Platform Phishing

Email is no longer the only phishing channel. Attackers increasingly use social media platforms and workplace collaboration tools to deliver phishing lures.

Common channels include:

  • LinkedIn InMail: Fake recruiter messages or business proposals containing links to credential-harvesting pages.
  • WhatsApp and Telegram: Messages impersonating banks, delivery services, or colleagues, often with shortened links.
  • Slack and Microsoft Teams: Phishing messages sent within collaboration workspaces, either from compromised internal accounts or external guest accounts.

These channels carry lower user suspicion than email because people tend to trust messages received through workplace or social platforms more readily. Security tooling on these platforms also tends to be less robust than enterprise email filtering.

Protecting your finances starts with controlling your own funds. Bleap's self-custodial Mastercard keeps you in full control, with no centralized account that phishing attackers can compromise. 0% FX fees and up to 20% cashback come standard. Get the Bleap card →

5. Real-World Phishing Examples and Case Studies

Abstract threats become real when you see how much damage actual phishing attacks have caused. These case studies span major corporations, critical infrastructure, and everyday consumers.

The Twitter/X Bitcoin Scam (2020)

In July 2020, attackers used phone-based spear phishing to target Twitter employees, tricking them into providing access to internal administration tools. With that access, the attackers hijacked high-profile accounts belonging to Barack Obama, Elon Musk, Bill Gates, Apple, and others, posting messages that promoted a Bitcoin scam.

The financial damage was relatively modest (approximately €110,000 in Bitcoin stolen), but the reputational impact was massive. The incident demonstrated that phishing a handful of employees could compromise an entire global platform.

Lesson: Insider-targeting phishing can give attackers the keys to systems far more valuable than individual accounts. This is also why self-custodial financial tools matter. When you hold your own funds, as you do with a Bleap self-custodial account, there is no centralized platform that a single compromised employee can unlock.

The Colonial Pipeline Attack (2021)

In May 2021, the Colonial Pipeline, which supplies nearly half of the fuel consumed on the US East Coast, was shut down after a ransomware attack. The initial entry point was a single compromised VPN credential, believed to have been obtained through phishing or credential stuffing.

The impact was severe: fuel shortages, panic buying, and a ransom payment of approximately €4 million.

Lesson: One stolen credential, obtained through one phishing email, can trigger catastrophic infrastructure failure. Credential hygiene and phishing-resistant MFA are not optional for critical systems.

FACC AG CEO Fraud (2016)

FACC, an Austrian aerospace parts manufacturer, lost approximately €50 million when an employee in the finance department received an email impersonating the company's CEO, instructing them to transfer funds for a fake acquisition project. The employee complied, and the money was wired to accounts controlled by the attackers.

Lesson: Even well-resourced enterprises with sophisticated operations fall victim to social engineering when proper verification procedures are not enforced for high-value transactions.

Everyday Consumer Phishing Example

Phishing is not only an enterprise problem. Here is a realistic walk-through of what an everyday bank phishing email looks like:

  1. The email arrives in your inbox from "security@your-bank-alerts.com" (not the bank's real domain).
  2. The subject line reads: "Urgent: Unusual Login Activity Detected on Your Account."
  3. The body includes the bank's logo, a professional layout, and a message saying your account will be locked unless you verify your identity within 24 hours.
  4. The button says "Verify My Identity" and links to a website that looks identical to your bank's login page, but the URL is "your-bank-verify.com" instead of your bank's actual domain.
  5. You enter your credentials, and the page either shows an error or redirects you to the real bank site. Meanwhile, the attacker now has your username and password.
  6. Within minutes, the attacker logs in and initiates transfers or changes your contact details.

What you see: a legitimate-looking security alert. What is actually happening: a carefully orchestrated credential theft.

Smishing Example: Fake Parcel Delivery Scam

The "missed parcel" smishing scam is one of the most common consumer phishing attacks globally. Here is how it works:

  1. You receive a text message: "Royal Mail: Your parcel could not be delivered. Schedule redelivery: [shortened link]"
  2. You click the link, which opens a convincing replica of the Royal Mail website.
  3. You are asked to pay a small "redelivery fee" (€1.50 or similar) and enter your card details.
  4. The attackers now have your name, address, and full card information, which they use for fraudulent purchases or sell on the dark web.

In more sophisticated versions, the fake site also asks for your online banking credentials, giving attackers direct access to your account.

6. Why Phishing Is So Dangerous: The Real Consequences

Financial Losses

The financial impact of phishing is staggering. According to IBM's Cost of a Data Breach Report, phishing is consistently among the costliest attack vectors, with the average cost of a phishing-related data breach running into millions of euros. The FBI's IC3 Annual Internet Crime Report regularly places losses from phishing and BEC in the tens of billions globally.

For individual consumers, losses from phishing scams range from a few hundred euros to life savings, depending on the type of attack and how quickly the victim responds.

Data Breaches and Regulatory Penalties

Phished credentials are frequently the first domino in large-scale data breaches. Once an attacker has a valid username and password, they can access internal systems, exfiltrate customer data, and potentially compromise entire databases.

Under regulations like GDPR and CCPA, organizations that suffer data breaches can face significant fines, often in the millions. Beyond regulatory penalties, the reputational damage and customer churn resulting from a breach can far exceed the direct financial cost.

Ransomware Delivery

Phishing is the primary initial access vector for ransomware groups. The typical chain is straightforward: phishing email leads to credential theft or malware installation, which leads to network access, which leads to ransomware deployment.

In double extortion scenarios, attackers both encrypt the victim's data and threaten to publish it unless a ransom is paid, multiplying the pressure on the organization.

Business Disruption and Operational Impact

Beyond direct financial losses, phishing attacks cause significant business disruption. System downtime during investigation and recovery can last days or weeks. Productivity plummets as employees are locked out of systems. IT teams are consumed by incident response. And the long-term trust damage with clients, partners, and customers can take years to repair.

7. Who Gets Targeted? Most Attacked Industries and Victim Profiles

Industries Most at Risk

Certain industries are disproportionately targeted by phishing attacks:

  • Financial services and banking: The obvious target for credential theft and BEC fraud. Phishing emails impersonating banks remain the single largest category of phishing lures.
  • Healthcare: Hospitals and clinics are prime targets for ransomware, and patient data is highly valuable on the dark web.
  • Technology companies: Attackers target tech firms for supply chain access, knowing that compromising a software vendor can unlock thousands of downstream customers.
  • Government and defense: Nation-state phishing campaigns target government employees for espionage and infrastructure disruption.
  • Education and non-profits: These organizations typically have smaller security budgets and less mature defenses, making them attractive soft targets.
  • Retail and e-commerce: Payment card data is the prize, with phishing targeting both customers and internal staff.

Individual Victim Profiles

Within organizations, certain roles are phished more frequently than others:

  • Finance and accounts payable staff: Targeted for BEC wire fraud and fake invoice schemes.
  • HR and payroll personnel: Targeted for employee record theft, tax form scams, and payroll redirect fraud.
  • C-suite executives: Targeted by whaling attacks seeking high-value transfers or sensitive strategic information.
  • New employees: Particularly vulnerable because they are unfamiliar with internal processes, eager to comply with requests, and less likely to question authority.
  • Remote workers: Reduced security oversight, use of personal devices, and reliance on digital communication create additional vulnerability.

Why No One Is Immune

Statistics consistently show that phishing succeeds across all demographics and technical skill levels. Security researchers, IT professionals, and cybersecurity executives have all been caught by well-timed phishing attacks. The role of fatigue, distraction, and multitasking in click rates cannot be overstated. A study by Stanford University found that nearly 88% of data breaches are caused by human error, with phishing being the leading cause.

No technical skill level makes a person immune. The best defense is a combination of awareness, skepticism, and technical controls.

8. How to Recognize a Phishing Attempt: Red Flags to Know

Your first line of defense is knowing what to look for. These phishing red flags apply across email, SMS, and phone calls.

Phishing Email Signs

Suspicious or spoofed sender address. Always check the full email address, not just the display name. Look for domain mismatches (an email from "Amazon" coming from "amazon-security@mail.ru"), extra characters, or homoglyph attacks where letters are replaced with visually similar characters (using "rn" instead of "m," or a Cyrillic "а" instead of a Latin "a").

Generic greetings. Legitimate companies that have your account will usually address you by name. Emails that begin with "Dear Customer," "Dear User," or "Dear Account Holder" should immediately raise your guard.

Urgent or threatening language. "Your account will be suspended in 24 hours," "Immediate action required," or "Failure to respond will result in account closure." Attackers use urgency to override your critical thinking.

Unexpected attachments. Be especially cautious with file types like .zip, .exe, .docm, and .html. Even .pdf files can contain malicious links. If you were not expecting an attachment, verify with the sender through a separate channel before opening it.

Requests for sensitive information. No legitimate bank, government agency, or service provider will ask you to provide passwords, PINs, full card numbers, or one-time codes via email.

Poor grammar and spelling. This is still a red flag, though AI is rapidly eroding its reliability. In 2026, many phishing emails are grammatically perfect, so the absence of errors does not mean an email is safe.

Suspicious Links and URLs

Hover before you click. On a desktop, hover your mouse over any link to see the actual destination URL in your browser's status bar. On mobile, long-press the link to preview the URL.

URL red flags to watch for:

  • Misspelled domains: "paypa1.com" (with a number 1 instead of the letter l)
  • Suspicious subdomains: "paypal.com.malicious-site.com" (the actual domain here is malicious-site.com)
  • URL shorteners (bit.ly, t.co) in emails where the sender should be linking directly to their own website
  • Random-looking domains: "secure-login-8xk3f.com"

HTTPS does not equal safe. Phishing sites routinely obtain valid TLS certificates, so the padlock icon in your browser's address bar only tells you the connection is encrypted, not that the website is legitimate.

QR codes deserve the same scrutiny as links. Treat every QR code as an unknown link. If you scan one, check the URL it opens before entering any information.
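The sender-address and URL checks described above (domain mismatch, homoglyphs, digit-for-letter substitutions, the subdomain trick, shorteners, random-looking labels) can be turned into a small triage script. The following is an added example written for this article, not code from the original page or from Bleap; the brand list, the shortener list and the sample links are constructed for the example, and the "registrable domain" helper assumes a single-label TLD rather than consulting the Public Suffix List. Because the function prepends `http://` when no scheme is present, the domain part of a sender address (for example `mail.ru`) can be passed to it directly.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed for this example: brands the user expects to see and the domain
# each legitimately uses. A real deployment would load a fuller list.
KNOWN_BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com"}

# URL shorteners named in the article; the real destination is hidden behind them.
SHORTENER_HOSTS = {"bit.ly", "t.co"}

# Visual substitutions attackers rely on ("paypa1" for "paypal", "rn" for "m").
LOOKALIKE_SUBSTITUTIONS = {"1": "l", "0": "o", "rn": "m", "vv": "w"}


def registrable_domain(host: str) -> str:
    """Return the part of the host that somebody actually registered.

    Simplification (assumption for this example): the TLD is one label, so the
    registrable domain is the last two labels. Production code should use the
    Public Suffix List so that hosts under e.g. 'co.uk' are handled correctly.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize_lookalikes(label: str) -> str:
    """Undo common visual substitutions so 'paypa1' compares equal to 'paypal'."""
    for fake, real in LOOKALIKE_SUBSTITUTIONS.items():
        label = label.replace(fake, real)
    return label


def check_url(url: str) -> dict:
    """Return {flag_code: explanation} for each red flag found in the URL.

    An empty dict means no heuristic fired; it does not prove the link is safe.
    """
    flags = {}
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    reg = registrable_domain(host)
    second_level = reg.split(".")[0]

    # Homoglyphs: any non-ASCII character in the host, such as a Cyrillic 'а'
    # standing in for a Latin 'a'. Browsers render such hosts as 'xn--' labels.
    for ch in host:
        if ord(ch) > 127:
            flags["homoglyph"] = f"non-ASCII character in host: {unicodedata.name(ch, 'UNKNOWN')}"
            break
    if any(label.startswith("xn--") for label in labels):
        flags["punycode"] = "host contains an internationalized (xn--) label"

    # Shorteners hide the destination the article says you should inspect.
    if reg in SHORTENER_HOSTS:
        flags["shortener"] = f"{reg} is a URL shortener; the destination is hidden"

    for brand, real_domain in KNOWN_BRANDS.items():
        if reg == real_domain:
            continue  # genuinely the brand's own domain
        # 'paypal.com.malicious-site.com': the brand is only a subdomain and the
        # registrable domain belongs to someone else.
        if brand in labels[:-2]:
            flags["brand-subdomain"] = f"'{brand}' is only a subdomain; the real domain is {reg}"
        # 'secure-paypal-login.com': brand name embedded in an unrelated domain.
        if brand in second_level:
            flags["brand-in-domain"] = f"'{brand}' appears inside unrelated domain {reg}"
        # 'paypa1.com': equals the brand once the substitutions are undone.
        if second_level != brand and normalize_lookalikes(second_level) == brand:
            flags["lookalike"] = f"'{second_level}' is a lookalike of '{brand}'"

    # Random-looking label: a hyphen-separated token that mixes letters and digits.
    for token in second_level.split("-"):
        if len(token) >= 4 and re.search(r"\d", token) and re.search(r"[a-z]", token):
            flags["random-label"] = f"token '{token}' in the domain looks machine-generated"
            break
    return flags


if __name__ == "__main__":
    # Constructed sample links, including the ones quoted in the article.
    for sample in [
        "https://www.paypal.com/signin",
        "https://paypa1.com/login",
        "https://paypal.com.malicious-site.com/login",
        "https://secure-login-8xk3f.com",
        "https://bit.ly/3abc",
        "https://p\u0430ypal.com/",  # constructed: Cyrillic а (U+0430) in place of Latin a
    ]:
        print(sample, "->", check_url(sample) or "no heuristic fired")
```

The checks are deliberately conservative: a URL that passes them all still deserves the "was I expecting this?" question, and an email gateway would combine them with reputation data rather than act on any single hit.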

Red Flags in SMS Messages

  • Unexpected messages from unknown numbers that reference known brands (your bank, a delivery company, a government agency)
  • Shortened URLs with no context or explanation
  • Requests to call a number or "verify" information urgently
  • Messages that create a sense of panic: "Your card has been blocked" or "Suspicious transaction detected"

Vishing and Phone Call Red Flags

  • The caller claims to be from your bank, HMRC, the IRS, Microsoft, or law enforcement
  • They create extreme pressure to act immediately and discourage you from hanging up or calling back
  • They ask for passwords, PINs, or one-time codes. No legitimate organization will ever ask for these over the phone.
  • They ask you to install remote access software like AnyDesk, TeamViewer, or Quick Assist
  • They ask you to move money to a "safe account" (this is always a scam)

Red Flags Specific to Workplace Phishing

  • Unusual payment or wire transfer requests, especially from "executives," particularly when they arrive with urgency framing and a request to bypass normal approval processes
  • Requests to change vendor bank details on existing invoices
  • Emails from a colleague or manager that feel slightly "off" in tone or style, especially combined with an unusual request
  • Out-of-hours requests with urgency framing ("I need this done before the board meeting tomorrow morning")
  • Any request to keep a transaction confidential or not discuss it with others

When in doubt, verify. Pick up the phone and call the person directly using a number you already have, not the one in the suspicious message.

9. How to Protect Yourself and Your Organization from Phishing

Phishing prevention requires layering technical controls with human awareness. No single solution is sufficient. Here is a comprehensive defense strategy.

Individual Best Practices

Pause before you click. The single most effective anti-phishing habit is to slow down. Apply skepticism to any unexpected message that requests action, especially when it creates urgency. Ask yourself: "Was I expecting this? Does this make sense?"

Verify independently. If you receive a suspicious email from your bank, do not click the link. Instead, open your browser and navigate directly to the bank's website, or call the phone number on the back of your card. Never use reply-to addresses or phone numbers provided in a suspect message.

Never provide passwords, PINs, or one-time codes to anyone who contacts you. This applies regardless of who they claim to be. Legitimate organizations will never ask for these.

Keep software and operating systems updated. While phishing targets humans, the malware it delivers exploits software vulnerabilities. Keeping your devices patched reduces the damage if you do click a malicious link.

Use a password manager. A password manager generates unique, complex passwords for every account, which eliminates the risk of credential reuse. If one account is phished, no other account shares the same password. Password managers also help detect phishing: they will not auto-fill your credentials on a fake website because the domain does not match.

Multi-Factor Authentication (MFA)

MFA remains critical even though advanced techniques like AiTM phishing can bypass SMS-based codes. The reason is simple: MFA still stops the vast majority of attacks that rely on stolen passwords alone.

However, not all MFA is created equal:

  • Best: Phishing-resistant MFA. FIDO2 hardware keys (like YubiKey) and passkeys are the gold standard. They cryptographically bind authentication to the legitimate website's domain, making them immune to AiTM proxy attacks.
  • Good: Authenticator apps. Apps like Google Authenticator or Microsoft Authenticator are significantly better than SMS codes, though they can still be defeated by AiTM phishing in real time.
  • Minimum: SMS OTP. Better than no MFA, but the weakest option due to SIM swapping risks and AiTM vulnerability.

If your service supports passkeys or hardware keys, use them.

Technical Controls for Organizations

For organizations, a layered technical defense significantly reduces the phishing threat:

  • Email security gateways with properly configured DMARC, DKIM, and SPF records. These protocols authenticate legitimate email senders and help prevent domain spoofing.
  • Anti-phishing tools and URL reputation filtering that scan links in emails in real time and block known malicious domains.
  • Browser isolation and sandboxing that opens suspicious links in a contained environment, preventing malware from reaching the user's device.
  • Endpoint detection and response (EDR) software that detects and contains malware if a user does click a malicious link.
  • DNS filtering that blocks connections to known malicious domains at the network level.
  • Zero-trust network architecture that limits lateral movement by requiring continuous verification, ensuring that a single compromised credential does not give attackers free rein inside the network.
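"Properly configured" SPF and DMARC is the part of the first bullet that is easiest to get wrong, so here is an added example (written for this article, not code from the page or from any vendor) that parses the two TXT records as published in DNS and flags the weak settings beside a hardened pair. The `example.com` / `example.net` names and the records themselves are constructed; the script works on record strings you paste in, so it runs offline, and it does not cover DKIM, which needs the signing key and a signed message to verify.

```python
import re

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 section 4.6.4
# caps them at 10 per evaluation, beyond which receivers return permerror.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "exists", "redirect")
SPF_DNS_LOOKUP_LIMIT = 10

# Constructed records: a weak configuration and its hardened counterpart.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.10 -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s")


def parse_spf(record: str) -> dict:
    """Return the 'all' qualifier, the lookup count and the term list of an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    result = {"all": None, "lookups": 0, "terms": []}
    for term in terms[1:]:
        qualifier = "+"  # a term with no explicit qualifier means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, 1)[0].lower()  # 'include:x' -> 'include', 'a/24' -> 'a'
        result["terms"].append(qualifier + term)
        if name == "all":
            result["all"] = qualifier
        elif name in SPF_LOOKUP_TERMS:
            result["lookups"] += 1
    return result


def assess_spf(record: str) -> list:
    """List the weaknesses in an SPF record; an empty list means none were found."""
    spf = parse_spf(record)
    findings = []
    if spf["all"] is None:
        findings.append("no 'all' term: senders not listed get a neutral result")
    elif spf["all"] == "+":
        findings.append("'+all' lets any host on the internet send as this domain; use '-all'")
    elif spf["all"] == "?":
        findings.append("'?all' is neutral: forged senders are not penalized")
    elif spf["all"] == "~":
        findings.append("'~all' only soft-fails forged senders; '-all' is stricter")
    if spf["lookups"] > SPF_DNS_LOOKUP_LIMIT:
        findings.append(f"{spf['lookups']} lookup terms exceed the limit of "
                        f"{SPF_DNS_LOOKUP_LIMIT}; receivers will return permerror")
    return findings


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_dmarc(record: str) -> list:
    """List the weaknesses in a DMARC record; an empty list means none were found."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    elif policy != "reject":
        findings.append(f"missing or invalid policy tag p={policy!r}")
    if "sp" in tags and tags["sp"] != "reject":
        findings.append(f"sp={tags['sp']}: subdomains get a weaker policy than the main domain")
    pct = int(tags.get("pct", "100"))  # default is 100 when the tag is absent
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unnoticed")
    return findings


if __name__ == "__main__":
    for label, rec, fn in [("weak SPF", WEAK_SPF, assess_spf), ("strong SPF", STRONG_SPF, assess_spf),
                           ("weak DMARC", WEAK_DMARC, assess_dmarc), ("strong DMARC", STRONG_DMARC, assess_dmarc)]:
        print(f"{label}: {rec}")
        for finding in fn(rec) or ["no weaknesses found"]:
            print("  -", finding)
```

Moving from `p=none` to `p=reject` should be staged: publish `p=none` with an `rua=` address first, use the aggregate reports to find every legitimate sender that fails alignment, fix those, and only then tighten the policy, otherwise genuine mail is rejected along with the forgeries.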

Security Awareness Training

Technical controls catch many threats, but human awareness catches the rest. Effective security training in 2026 goes beyond an annual compliance checkbox:

  • Continuous, bite-sized learning is more effective than annual hour-long sessions. Short modules delivered monthly or quarterly keep phishing awareness top of mind.
  • Simulated phishing campaigns test employees with realistic fake phishing emails. The goal is not to punish people who click, but to identify knowledge gaps and provide targeted follow-up training.
  • Building a "security-first" culture where reporting suspicious messages is rewarded, not punished. If employees fear blame for clicking a link, they will hide incidents instead of reporting them, delaying response and increasing damage.
  • Role-specific training for high-risk groups: finance staff should receive BEC-specific training, executives should learn about whaling, and new employees should receive intensive onboarding on phishing awareness.

Organizational Policies and Processes

Technical controls and training are strengthened by clear policies:

  • Out-of-band verification for all payment changes or wire transfers. If someone requests a change to bank details, verify via a separate communication channel (phone call to a known number) before processing.
  • Clear escalation paths for suspicious communications, so employees know exactly who to contact and how.
  • Vendor onboarding controls that validate the identity of new vendors and verify bank details before the first payment.
  • Incident response plans that specifically include phishing scenarios, with defined roles, communication protocols, and recovery procedures.
  • Regular phishing risk assessments and tabletop exercises that test the organization's readiness against realistic phishing scenarios.

Protecting Against Smishing and Vishing

Smishing and vishing require their own specific defenses:

  • Register with call-blocking services such as the Telephone Preference Service (TPS) in the UK or the Do Not Call registry in the US.
  • Enable carrier-level spam filtering on your mobile phone (most carriers now offer this).
  • Establish a "call back" policy. For any call requesting sensitive information or financial action, hang up and call back using the official number from the organization's website. Never use the number the caller provides.
  • Educate everyone on the "no legitimate caller will ask for your OTP" rule. This single piece of knowledge prevents a large percentage of vishing attacks.

This kind of layered protection extends to your financial tools as well. Using a self-custodial financial setup, like Bleap, means there is no centralized customer support line that an attacker can impersonate to gain access to your funds. When you hold full control of your own finances, the attack surface shrinks.

10. What to Do If You've Been Phished: Immediate Response Steps

Acting fast after a phishing attack can significantly limit the damage. Here is exactly what to do.

Immediate Personal Response Steps

  1. Don't panic, but act quickly. The first minutes after realizing you've been phished are the most important. Speed reduces the attacker's window to exploit what they've stolen.
  2. Disconnect the device from the internet if you clicked a link or downloaded a file. This contains potential malware and prevents it from communicating with the attacker's servers or spreading to other devices on your network. Turn off Wi-Fi and unplug any ethernet cable.
  3. Change passwords immediately for the compromised account. If you reuse that password on other accounts (which you should not, but many people do), change those too. Use a password manager to generate strong, unique replacements.
  4. Enable or upgrade MFA on the compromised account and any account that shared the same password. If you were using SMS-based MFA, upgrade to an authenticator app or hardware key.
  5. Scan for malware. Run a full antivirus/anti-malware scan on the affected device. If you downloaded a file or installed software as part of the attack, consider this step mandatory.
  6. Check for unauthorized activity. Log into your financial accounts and review recent transactions. Check your email for forwarding rules the attacker may have set up (a common tactic to intercept password reset emails). Review connected apps and active sessions and revoke anything you do not recognize.
  7. Contact your financial provider. If you provided card details or banking credentials, contact your financial institution immediately to freeze or replace your card. If you use a self-custodial account like Bleap, your funds are under your direct control, and there is no centralized account for an attacker to drain through customer support social engineering.

Reporting the Attack

  • Report to the impersonated organization. If the phishing email impersonated your bank, forward it to their phishing reporting address (most banks have one).
  • Report to national cybercrime authorities. In the UK, report to Action Fraud. In the US, report to the FBI's IC3. In the EU, report to your national CERT.
  • Report to your email provider. Mark the message as phishing (not just spam) so the provider can block it for other users.

Organizational Response Steps

If you are part of an organization:

  1. Report internally immediately to your IT security team or designated point of contact. Do not delete the phishing email, as IT will need it for analysis.
  2. Isolate affected accounts and systems until they can be investigated and remediated.
  3. Notify affected parties. If customer or partner data may have been compromised, engage your legal and compliance teams to determine notification obligations.
  4. Conduct a post-incident review. Analyze how the phishing email bypassed controls, why the victim clicked, and what process or technical gaps can be addressed to prevent recurrence.
  5. Update training and defenses based on the lessons learned.

The key principle: treat every phishing incident as a potential breach until confirmed otherwise. Underreacting is far more dangerous than overreacting.

11. Phishing and Your Financial Security: Why Self-Custody Matters

Phishing overwhelmingly targets financial accounts because that is where the money is. Whether the attacker is after your banking login, your crypto exchange credentials, or your card details, the end goal is almost always to steal your money.

This is where the architecture of your financial tools makes a real difference. Traditional financial accounts, and most centralized crypto platforms, rely on centralized custody. Your funds sit in a system controlled by a company. If an attacker phishes a customer service representative, exploits a compromised internal tool, or tricks you into handing over your login credentials, they can potentially drain your account.

Self-custodial tools fundamentally change this dynamic. With Bleap's self-custodial Mastercard, you hold full control of your own funds. There is no centralized pot of customer funds for attackers to target, and no customer support agent who can be social-engineered into granting account access.

This does not make you immune to phishing. You still need to protect your own credentials and private keys. But it eliminates an entire category of attack: the kind where a breach at the company level compromises your personal funds.

Pairing that with Bleap's 0% FX fees, up to 20% cashback on everyday spending, and fee-free crypto trading means you are not sacrificing convenience or value for security. You get both.

If you are serious about protecting your finances from phishing, the structure of your financial accounts matters just as much as your awareness habits.

Your money is only as safe as the system that holds it. Bleap's self-custodial Mastercard puts your funds under your control, not a company's. 0% FX fees, up to 20% cashback, and no monthly subscription. Open a Bleap account →

12. Phishing Prevention Checklist: A Quick Reference

Use this checklist as a quick-reference guide for both individuals and organizations:

For Individuals:

  • Use a password manager and never reuse passwords
  • Enable phishing-resistant MFA (FIDO2 hardware key or passkey) wherever possible
  • Always hover over links before clicking and verify the destination URL
  • Never provide passwords, PINs, or one-time codes in response to any inbound communication
  • Verify unexpected requests by contacting the sender through a separate, trusted channel
  • Keep all devices and software updated
  • Report suspected phishing to your email provider and national authorities
  • Use self-custodial financial tools (like Bleap) to reduce the impact of credential compromise

For Organizations:

  • Configure DMARC, DKIM, and SPF on all email domains
  • Deploy email security gateways with URL reputation filtering
  • Implement phishing-resistant MFA for all staff, starting with privileged accounts
  • Run regular simulated phishing campaigns with follow-up training
  • Enforce out-of-band verification for all payment changes and wire transfers
  • Establish clear incident response and escalation procedures for phishing
  • Provide role-specific training for finance, HR, executives, and new employees
  • Review and update vendor onboarding and invoice verification processes

Print this, bookmark it, share it with your team. Phishing awareness is a practice, not a one-time event.

Conclusion

Phishing is not a new threat, but it is a constantly evolving one. From the crude AOL password scams of the 1990s to the AI-generated deepfake attacks of 2026, the underlying principle has never changed: attackers manipulate trust to steal information and money. What has changed is the sophistication, the scale, and the number of channels through which phishing can reach you.

The good news is that the fundamentals of defense remain strong. Awareness, skepticism, verification, strong MFA, layered technical controls, and a culture that rewards reporting over blame will stop the vast majority of phishing attacks. No single tool or technique is a silver bullet, but combining them creates a defense that is exponentially harder to penetrate.

And the architecture of your financial life matters. Choosing self-custodial tools for your money removes the centralized points of failure that phishing attacks most commonly exploit. Bleap's self-custodial Mastercard gives you full control of your funds, 0% FX fees, up to 20% cashback, and fee-free crypto trading, all with no monthly subscription. It is not a phishing solution, but it is a smarter financial foundation that reduces what attackers can take from you even if they do get through.

Stay skeptical. Verify everything. And make sure the tools holding your money are as secure as your habits.

FAQ

What is phishing in simple terms?

Phishing is a type of cybercrime where someone pretends to be a trusted organization (like your bank, employer, or a delivery company) to trick you into revealing sensitive information such as passwords, card details, or personal data. The "bait" is usually an email, text message, phone call, or fake website.

What are the most common types of phishing attacks?

The most common types include email phishing (mass-distributed fake emails), spear phishing (targeted emails using personal details), whaling (targeting executives), smishing (SMS phishing), vishing (voice/phone phishing), BEC fraud (impersonating executives to redirect payments), clone phishing (duplicating real emails with malicious links), and quishing (QR code phishing).

How can I tell if an email is a phishing attempt?

Look for these red flags: a mismatched or suspicious sender address, generic greetings ("Dear Customer"), urgent or threatening language, unexpected attachments, requests for passwords or personal information, and suspicious links. Hover over links to check where they actually lead before clicking.

What should I do if I clicked a phishing link?

Disconnect your device from the internet immediately. Change your passwords for the affected account (and any account where you used the same password). Enable or upgrade MFA. Run a full malware scan. Check your financial accounts for unauthorized transactions. Report the incident to your IT team and relevant authorities.

Can phishing bypass multi-factor authentication (MFA)?

Yes. Advanced techniques like Adversary-in-the-Middle (AiTM) phishing use proxy servers to intercept session cookies in real time, effectively bypassing SMS-based and authenticator-app-based MFA. Phishing-resistant MFA methods like FIDO2 hardware keys and passkeys are the strongest defense.

What is the difference between phishing and spear phishing?

Standard phishing uses generic, mass-distributed messages sent to thousands of people at once. Spear phishing is targeted, using personal details about a specific individual (name, role, company, recent activity) to create a highly convincing, customized attack. Spear phishing has a much higher success rate.

What is AI phishing and why is it dangerous?

AI phishing refers to phishing attacks that use artificial intelligence, particularly large language models, to generate grammatically perfect, personalized messages at scale. AI has eliminated the "bad grammar" red flag that once helped identify phishing. Advanced AI phishing also includes deepfake voice and video used in vishing attacks.

How does self-custody protect against phishing?

Self-custodial financial tools, like Bleap, give you direct control over your funds rather than storing them in a centralized system. This means there is no central customer support line for attackers to socially engineer, and no single compromised employee can unlock your money. It does not make you immune to phishing, but it removes a major attack vector.

What is quishing?

Quishing is phishing delivered through QR codes. Attackers embed malicious URLs inside QR codes, which bypass many email security scanners that cannot read image-embedded links. When you scan the code, you are redirected to a phishing website. Always check the URL a QR code opens before entering any information.

How do I report a phishing attack?

Report phishing emails to your email provider by marking them as phishing (not just spam). Forward them to the impersonated organization's phishing reporting address. In the UK, report to Action Fraud. In the US, report to the FBI's IC3. In the EU, report to your national CERT or cybersecurity authority. If you are part of an organization, report internally to your IT security team immediately.
