
What Is Phishing? How to Spot and Stop It (2026)

Phishing is a scam that tricks you into handing over passwords or data through fake messages and login pages. What phishing is, the main types, how to spot it, and the defences that actually stop it — 2FA, passkeys and a password manager.

By Eric Gerard · Editor · PwdFortress · 3 min read · Photo via Unsplash

You get a text: "Your parcel is held — confirm your details here." Or an email that looks exactly like your bank, warning your account will be locked. That's phishing — and it's the most common way ordinary people get their accounts and money stolen in 2026. It doesn't break encryption or guess passwords; it tricks you into handing them over. This guide explains what phishing is, the types to recognise, how to spot it, and the defences that actually work.

What phishing is

Phishing is a social-engineering attack: a scammer impersonates someone you trust to trick you into revealing credentials or data, or installing malware. It usually arrives as a message that manufactures urgency ("act now or lose access") and pushes you toward a fake login page or a reply with personal details.

The attack targets human judgement, not technology. That's why it works against even strong passwords — you're persuaded to type them into the attacker's page yourself.

A messaging conversation on a phone screen

The main types

  • Email phishing — the classic mass campaign.
  • Spear phishing — personalised to a specific target, far more convincing.
  • Whaling — aimed at executives.
  • Smishing — by SMS/text; vishing — by voice call (fake "support" or "bank").
  • Clone phishing — copies a real message but swaps in a malicious link.

All share one goal: get you to act before you verify.

How to spot it

  • Urgency or threats — "your account will be closed."
  • A sender address that's subtly wrong — look closely at the domain.
  • Mismatched links — hover to see the real destination; it won't match the claimed site.
  • Requests for passwords or codes — legitimate services never ask.
  • Generic greetings and unexpected attachments.

On mobile, links are harder to inspect — be extra careful. When unsure, don't click: type the address yourself or use the official app.

How to stop it

  • Never click links in unexpected messages. Navigate to sites directly.
  • Turn on two-factor authentication so a stolen password alone isn't enough — and prefer phishing-resistant factors.
  • Use a password manager. It only autofills on the genuine domain; if it refuses to fill, the site is probably fake — a built-in warning. (See why password managers are safe.)
  • Verify "urgent" requests through a separate, trusted channel.

Code on a computer screen

Why passkeys and managers are phishing-resistant

Both bind to the real domain. A password manager autofills only on the exact legitimate site, so a look-alike page gets nothing. Passkeys and hardware keys (FIDO2/WebAuthn) go further: the login is cryptographically tied to the real site's origin, so even if you land on a fake page, it won't authenticate. That origin-binding is the real defence — see our best authenticator app guide, and if you think you've already been caught, what to do if an account is hacked.

The bottom line

Phishing tricks you into giving up credentials through fake messages and login pages — it beats strong passwords because it targets you, not your encryption. Spot it by its urgency, wrong sender and mismatched links; stop it by never clicking unexpected links, enabling phishing-resistant 2FA, and letting a password manager refuse to autofill on fakes. The habit of verifying before you act is the whole defence.

Editorial guide based on documented phishing techniques (email/spear/smishing/vishing) and standard defences (2FA, passkeys, password-manager domain-binding). Commercial links carry the rel="sponsored nofollow" attribute; an affiliate commission may apply at no extra cost to you.
