What is Phishing?
Phishing is one of the most common cyber threats facing organisations and individuals today. It’s simple to carry out, difficult to stop and relies mainly on human behaviour rather than on technical weaknesses in software. This means anyone can be targeted, regardless of their role, industry or level of technical knowledge. In this article we’ll define and give examples of phishing, explain how to prevent phishing, how to report a suspicious email and what to do if you become a victim of phishing.

What is Phishing?
Phishing is a type of cyber attack where criminals attempt to trick people into giving away sensitive personal information by pretending to be a trusted organisation or individual, such as a bank, supplier, colleague or well-known brand. This could include passwords, bank details, personal data or access to business systems.
Phishing is low-cost, easy to scale and often successful because it exploits trust, urgency and fear. A single, convincing message can quickly lead to financial loss, data breaches or wider security incidents for an organisation.
It’s also important to understand that phishing is not limited to email. While email phishing remains common, cyber attackers often use multiple channels to reach their targets. Phishing can take place through text messages, known as smishing, phone calls, known as vishing, and even through social media or messaging apps.
Examples of Phishing
Phishing attempts can take many forms and may be tailored to individuals or businesses. Knowing the common patterns can make it easier to spot suspicious messages before any damage is done.
Examples of phishing include:
- An email claiming to be from your bank asking you to confirm your account details due to suspicious activity.
- A text message saying a parcel delivery has failed and asking you to click a link to rearrange delivery.
- An email claiming to come from a senior manager requesting an urgent payment or sensitive information.
- A fake invoice sent to a business that closely resembles a real supplier’s billing format.
- A phone call pretending to be IT support asking for login details to fix a problem with your account.
- A message offering a refund or prize and asking you to provide personal or financial information.

How to Prevent Phishing
Preventing phishing requires a combination of awareness of the risks, good habits and basic cyber security controls. While no organisation can eliminate phishing entirely, following these steps can significantly reduce the risk of falling victim to a phishing attack:
- Be cautious with unexpected emails, texts or calls, especially those creating urgency or pressure.
- Check the sender’s email address carefully, not just the display name. The display name can say anything; look at the domain after the @ and compare it with the genuine one, watching for swapped, missing or extra characters.
- Avoid clicking links or opening attachments unless you are confident the message is genuine. Hover over a link (or long-press it on a phone) to see where it really points; the visible text and the actual destination can differ.
- Use strong, unique passwords for different accounts and systems.
- Enable multi-factor authentication wherever possible. Where you have a choice, prefer phishing-resistant methods such as security keys or passkeys, because one-time codes can themselves be phished.
- Keep devices and software up to date with the latest security updates.
- Provide regular phishing and cyber security awareness training for employees.
- Encourage a culture where staff feel comfortable questioning suspicious messages.
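The two checks above (sender domain versus display name, visible link text versus real destination) are exactly what a mail filter or a triage script can do automatically. The following is an added example written for this article, not code from the original page or from any named product. The trusted brand list, the sample message and the heuristics are all constructed for illustration; it uses only the Python standard library.

```python
"""Added example (not from the article): flag the sender and link mismatches
that the prevention list tells a reader to look for in a suspicious email.

Everything here is constructed for illustration: the trusted brand/domain
map, the sample message and the heuristics themselves.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: brands the organisation deals with and their genuine domains.
BRAND_DOMAINS = {"examplebank": "examplebank.com", "acmeparcels": "acmeparcels.com"}
TRUSTED_DOMAINS = set(BRAND_DOMAINS.values())

# Constructed phishing message: display name claims the bank, the real
# address is a lookalike domain ("1" for "l"), and the visible link text
# shows the genuine site while the href goes to the lookalike.
SAMPLE_PHISH = b"""From: "ExampleBank Security" <alerts@examp1ebank-secure.com>
To: victim@example.com
Subject: Unusual activity on your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed a sign-in from a new device. Please
<a href="http://examp1ebank-secure.com/login">https://www.examplebank.com/login</a>
within 24 hours or your account will be locked.</p>
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Enough for this demo; a real filter
    would consult the public suffix list (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_url(text: str) -> bool:
    """True for anchor text such as 'https://www.examplebank.com/login' or 'www.examplebank.com'."""
    text = text.strip()
    return " " not in text and ("://" in text or text.startswith("www."))


def sender_findings(from_header: str) -> list[str]:
    """'Check the address, not just the display name' as code."""
    findings = []
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From header has no parseable address: %r" % from_header]
    domain = registrable_domain(addr.split("@", 1)[1])
    if any(label.startswith("xn--") for label in domain.split(".")):
        findings.append("sender domain is punycode (possible homoglyph): " + domain)
    if "@" in name and name.strip("\"' ").lower() != addr.lower():
        findings.append("display name shows %r but the real address is %s" % (name, addr))
    if domain not in TRUSTED_DOMAINS:
        squashed = name.lower().replace(" ", "")
        for brand in BRAND_DOMAINS:
            if brand in squashed:
                findings.append("display name %r claims %s but the address domain is %s" % (name, brand, domain))
    return findings


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html_body: str) -> list[str]:
    """Flag links whose visible text names one domain but whose href goes elsewhere."""
    findings = []
    parser = _Links()
    parser.feed(html_body)
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        if any(label.startswith("xn--") for label in href_host.split(".")):
            findings.append("link target is punycode: " + href_host)
        if looks_like_url(text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(href_host):
                findings.append("link text shows %s but points to %s" % (shown_host, href_host))
    return findings


def analyse(raw: bytes) -> list[str]:
    """Run both checks over a raw RFC 5322 message and return all findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = sender_findings(str(msg["From"] or ""))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += link_findings(body.get_content())
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_PHISH):
        print("SUSPICIOUS:", finding)
```

Running it on the constructed message reports two findings: the display name claims the bank while the address domain is the lookalike, and the link text shows www.examplebank.com while the href points to examp1ebank-secure.com. The heuristics are deliberately simple (no public-suffix handling, no homoglyph tables beyond punycode) and are meant to show the check, not to replace a mail security gateway.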
How to Report a Phishing Email
Reporting phishing is an important step in protecting yourself and others from its effects. It helps organisations identify active threats and prevents similar messages reaching more people. There are several ways to report phishing, depending on the context.
In the workplace, phishing emails should always be reported to your employer following internal procedures. This may involve forwarding the email to the IT or security team or using a dedicated reporting button. Reporting quickly allows your organisation to warn others and take steps to reduce the impact.
If you receive a phishing email outside of work, you can report it (in the UK) to the National Cyber Security Centre (NCSC) by forwarding the message to its Suspicious Email Reporting Service at report@phishing.gov.uk; suspicious text messages can be forwarded free of charge to 7726. This helps the NCSC track phishing campaigns and take action against malicious websites.
Most email platforms also allow you to report phishing directly within the service. For example, email providers such as Google and Microsoft have built-in options to mark messages as phishing, which helps improve filtering and protect other users.
What to Do If You Click on a Phishing Link
If you think you’ve clicked on a phishing link or shared information when you shouldn’t have, acting quickly can limit the damage. If you click on a phishing link, follow these steps:
- Disconnect your device from the internet if you opened an attachment or downloaded anything, to stop any malware from communicating. If you only entered details on a web page, the steps below matter more than isolating the device.
- Do not enter any information if the page is still open, and close it.
- Change your passwords immediately, starting with the affected account, using a device you trust. Change any other account that used the same password, and sign out of all other sessions where the service offers it.
- Contact your IT or security team if this happened at work, even if you are not sure anything went wrong.
- Run a security scan on your device using trusted software.
- Monitor your accounts for unusual activity, including new sign-ins, changed recovery details or mail forwarding rules you did not create.
- Report the phishing attempt through the appropriate channels.
Phishing is a threat that affects everyone. By understanding how phishing works, recognising the common warning signs and knowing what to do when something goes wrong, both individuals and organisations can greatly reduce their risk of a cyber attack: phishing attempts can be spotted early and their impact kept to a minimum.
Further Resources:
- Cyber Security Awareness
- What are the Most Common Types of Cyber Attack?
- What are the Most Common Types of Identity Theft?
- Password Security Guidance