The Ultimate Guide to Phishing
Published on: 21 Jul 2025
Last modified on: 24 Sep 2025

What is Phishing?
In today’s increasingly digital world, so much of what we do, whether it’s for business or pleasure, is carried out online. This increase in online activity has resulted in a massive explosion in cybercrime.
Cybercrime has become a powerful tool for criminals looking to steal our personal data and extort money. The speed, anonymity and convenience of the internet have enabled criminals to launch highly targeted attacks with very little effort.
According to a recent report from cybersecurity firm Norton, cybercriminals stole a total of £130bn from consumers in 2017, including £4.6bn from British internet users.
The most successful and dangerous of all the cyber-attacks is phishing. Research has found that 91% of all cyber attacks start with a phishing email.
Phishing continues to be the most common form of cyber-attack due to its simplicity, effectiveness and high return on investment. It has evolved from its early days of tricking people with scams about Nigerian princes and requests for emergency medical treatment. The phishing attacks taking place today are sophisticated, targeted and increasingly difficult to spot.

Types of Phishing Attacks
Phishing attacks come in many different forms but the common thread running through them all is their exploitation of human behaviour. The following examples are the most common forms of attack used.
Top Tips to Spot Phishing Attacks
Identifying a phishing email has become a lot harder than it used to be as the criminals have honed their skills and become more sophisticated in their attack methods. The phishing emails that we receive in our inbox are increasingly well written, personalised, contain the logos and language of brands we know and trust and are crafted in such a way that it is difficult to distinguish between an official email and a dodgy email drafted by a scammer.
McAfee estimates that 97% of people around the globe are unable to identify a sophisticated phishing email so the cyber criminals are still successfully tricking people into giving away personal information or downloading malware. Despite the increasing sophistication and convincing nature of these emails, there are still some giveaway signs that may alert us to the presence of a phishing email.

A mismatched URL
One of the first things to check in a suspicious email is the validity of a URL. If you hover your mouse over the link without clicking on it, you should see the full hyperlinked address appear. Even if the visible link text looks perfectly legitimate, if the underlying URL does not match the address displayed, it is an indication that the message is fraudulent and likely to be a phishing email.
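The hover check above can be automated for an HTML message body: collect every link, and flag those whose visible text names a domain that the real href does not lead to. This is an added example, not code from the original article; the sample message and the domains in it are constructed for illustration, and the only real detail it relies on is how `urllib.parse` resolves a hostname.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or a bare domain name.
_URLISH = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#]\S*)?", re.I)

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _norm(host):
    host = host.lower()  # drop a leading "www." so both sides compare fairly
    return host[4:] if host.startswith("www.") else host

def find_mismatched_links(html):
    """Return (shown_host, real_host) for every anchor whose visible text names a
    domain the href does not lead to. A subdomain of the shown domain counts as
    a match; a look-alike such as shown.com.evil.test does not."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        m = _URLISH.fullmatch(text)
        real = urlparse(href).hostname  # userinfo tricks (good.com@evil.test) resolve to evil.test
        if not m or not real:
            continue  # "Click here" text, mailto: or relative links: nothing to compare
        shown, real = _norm(m.group(1)), _norm(real)
        if real != shown and not real.endswith("." + shown):
            found.append((shown, real))
    return found

# Constructed sample message (not a real email): two deceptive links, one safe, one plain.
SAMPLE_EMAIL = """<p>An unauthorised login attempt was detected. Visit
<a href="http://login.example-bank.com.verify-account.test/">www.example-bank.com</a> now
or read <a href="https://help.example-bank.com/faq">https://example-bank.com/faq</a>.
<a href="https://example-bank.com@evil.test/login">example-bank.com</a>
<a href="https://unsubscribe.test/x">Click here to unsubscribe</a></p>"""
```

Running `find_mismatched_links(SAMPLE_EMAIL)` flags the first and third links and leaves the genuine help subdomain and the plain "Click here" link alone.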
The email requests personal information
A reputable company will never send out an email to customers asking for personal information such as an account number, password, PIN or security questions. If you receive an email requesting this information, it is likely to be a phishing email and should immediately be deleted.
Poor spelling and grammar
Cybercriminals are not renowned for their top-quality spelling and grammar. Emails that legitimate companies send out to customers are usually proofed by copywriters to ensure the spelling and grammar are correct. If you spot any spelling mistakes or poor grammar within an email, it is unlikely to have come from an official organisation and could indicate the presence of a phishing email.
The use of threatening or urgent language
A common phishing tactic is to promote a sense of fear or urgency to rush someone into clicking on a link. Cyber criminals will often use threats that your security has been compromised and that urgent action is required to remedy the situation. Be cautious of subject lines that claim your account has had an “unauthorised login attempt” or your “account has been suspended”. If you are unsure if the request is legitimate, contact the company directly via their official website or official telephone number.
Unexpected correspondence
How to protect yourself against Phishing Attacks
1. Never click on suspicious links
The most common type of phishing scam involves tricking people into opening emails or clicking on a link which may appear to come from a legitimate business or reputable source.
By creating a sense of urgency, users are tricked into clicking on a link or opening an accompanying attachment. The link may direct you to a fake website where you are prompted to enter your personal details, or to a website that directly infects your computer with ransomware.
Legitimate businesses will never send emails requesting you click on a link to enter or update personal data.
2. Educate Staff
Companies may have the strongest security defence systems in place, but these offer little protection if cyber-criminals are able to bypass traditional technological defences and go straight to an employee to trick them into divulging sensitive information.
Over 90% of all successful cyber attacks are a result of information unknowingly provided by employees. As networks become harder to breach, hackers are increasingly targeting what they perceive as the weakest link in a company’s defences – its employees!
As hackers hone their techniques and become more targeted in their attacks, it’s important to educate staff and provide regular training on what they should be looking out for and how they can play their part in preventing a cyber-attack.
3. Be careful what you post online
The internet and social media have transformed how we communicate with each other on a day-to-day basis. However, this culture of sharing has provided cyber criminals with an easy way to profile potential victims, ensuring their phishing attempts are more targeted and harder to spot.
Hackers are turning to social media sites to access personal information such as age, job title, email address, location and social activity. Access to this personal data provides the hackers with enough info to launch a highly targeted and personalised phishing attack.
To reduce your chance of falling for a phishing email, think more carefully about what you post online, take advantage of enhanced privacy options, restrict access to anyone you don’t know, and create strong passwords for all your social media accounts.
4. Verify the security of a site
Before entering any information into a website, you should always check that the site is safe and secure. The first thing to check is the URL of the website. If it begins with “https” instead of “http”, it means the connection has been secured using an SSL Certificate (the S stands for secure). SSL Certificates ensure that your data is encrypted as it is passed from your browser to the website’s server, so it cannot be read in transit. There should also be a small padlock icon near the address bar, which likewise indicates that the connection is encrypted. Bear in mind that this only protects the data in transit: a phishing site can also use HTTPS and show a padlock, so the padlock confirms an encrypted connection, not that the site is the one it claims to be. Check the domain name itself as well.
5. Install Anti-Virus Software
Anti-virus software is the first line of defence in detecting threats on your computer and blocking unauthorised users from gaining access. It is also vital to ensure that your software is regularly updated to ensure hackers are unable to gain access to your computer through vulnerabilities in older and outdated programmes.