Phishing

Phishing attacks are evolving fast with AI, deepfakes, and QR codes. Learn how modern scams work and the practical steps that actually protect you.

Your phone buzzes with a text from what looks like your bank. Your inbox holds an urgent email from "IT support." A voicemail warns that your account has been compromised. None of these are real — but each one is designed to feel real enough that you act before you think. That's the core mechanic of phishing, and in 2026 it's powered by artificial intelligence that makes these attacks harder to spot than ever before.

Phishing remains the single most common way cybercriminals breach personal accounts and corporate networks. Understanding how it works — and how the tactics have evolved — is your best defence against it.

How Phishing Actually Works

At its simplest, phishing is impersonation with intent. An attacker pretends to be someone you trust — your bank, a colleague, a government agency, a delivery service — and asks you to do something: click a link, open an attachment, share a password, or transfer money.

The psychological playbook hasn't changed much over the years. Attackers lean on urgency, authority, and fear. What has changed is the execution. According to cybersecurity researchers, over 82% of phishing emails analysed between late 2024 and early 2025 contained AI-generated content. The spelling mistakes and clumsy formatting that once gave scam emails away are largely a thing of the past.

Phishing sits within a broader category called social engineering — the art of manipulating people rather than hacking systems. Why spend weeks breaking through a firewall when a convincing email can get someone to hand over the keys willingly?

The Main Types of Phishing You'll Encounter

Phishing isn't a single tactic. It's a family of attacks, each tailored to a different channel and level of sophistication.

Email Phishing

The most common variety. Attackers send mass emails mimicking trusted brands — banks, software companies, shipping providers — hoping a percentage of recipients will click. These emails typically direct you to a convincing replica of a real login page where your credentials are captured the moment you type them.

Modern email phishing campaigns are increasingly powered by Phishing-as-a-Service (PhaaS) toolkits. These subscription-based platforms let attackers with minimal technical skills launch sophisticated campaigns that can harvest one-time passwords and session tokens in real time, bypassing traditional two-factor authentication.

Spear Phishing

Where mass phishing casts a wide net, spear phishing is a rifle shot. Attackers research their target — your job title, your recent social media posts, your company's organisational chart — and craft a message that reads like it could only have come from someone who knows you.

A typical example: you receive an email that appears to come from your manager, references a real project you're working on, and asks you to review a document. The attachment installs malware or the link leads to a credential-harvesting page. Because it's personal and contextually accurate, spear phishing has a much higher success rate than generic campaigns.

Vishing (Voice Phishing)

Vishing takes phishing off the screen and onto the phone. A caller might impersonate your bank's fraud department, a tax authority, or your company's IT help desk. The goal is the same: extract information or get you to take an action that benefits the attacker.

This is where AI has made the biggest leap. Deepfake voice technology now allows attackers to clone someone's voice from just a few seconds of audio. In a widely reported 2024 case, a finance worker at engineering firm Arup transferred $25 million to fraudsters after joining a video call where every participant — including the company's CFO — was an AI-generated deepfake. Vishing incidents now affect roughly 30% of organisations, and losses from deepfake-enabled fraud exceeded $200 million in just the first quarter of 2025.

Smishing (SMS Phishing)

Smishing exploits the trust people place in text messages. You might receive a message about a missed delivery, a suspicious login, or an expiring subscription — each with a link designed to steal your credentials or install malware on your phone.

Texts feel more personal and immediate than email, and most people are less guarded when reading them. That directness is exactly what attackers exploit.

Quishing (QR Code Phishing)

One of the fastest-growing attack vectors, quishing hides malicious links behind QR codes. You might encounter them in phishing emails, on fake parking meters, in restaurant menus, or even on stickers plastered over legitimate QR codes in public spaces.

QR code phishing attacks increased fivefold between 2023 and 2025, with over 26 million Americans targeted. The technique is especially effective because QR codes bypass most email security filters and force the user onto a mobile device where URL inspection is harder. About 56% of quishing emails impersonate Microsoft two-factor authentication reset prompts, and C-level executives are disproportionately targeted — roughly 40 times more likely to be hit than average employees.

Why Phishing Is More Dangerous Now Than Ever

The phishing landscape has shifted dramatically thanks to generative AI. Security teams report a 1,265% surge in phishing attacks linked to AI tools since 2023. AI-generated phishing campaigns now represent roughly half of all user-reported attacks.

Here's what's changed:

Better language, fewer tells. AI produces grammatically perfect, contextually appropriate text in any language. The broken English and odd phrasing that once flagged phishing emails are disappearing.

Scalable personalisation. Large language models can ingest public data about a target — LinkedIn profiles, company websites, social media posts — and generate highly personalised spear-phishing messages at scale. What once required hours of manual research per target can now be automated.

Convincing deepfakes. Voice cloning and video deepfakes are no longer theoretical risks. One in four adults has encountered an AI voice scam, and roughly one in ten has been personally targeted. The technology continues to improve while becoming cheaper and more accessible.

Multi-channel coordination. Attackers now combine email, voice, text, and QR code phishing into coordinated campaigns. You might receive an email about a security issue, followed by a phone call from "your bank" confirming the problem, followed by a text with a link to "resolve" it. Each touchpoint reinforces the illusion.

How to Protect Yourself

Phishing exploits human behaviour, so the most effective defences combine technical tools with habits of mind.

Slow Down and Verify

The single most powerful defence against phishing is pausing before you act. Attackers rely on urgency — they want you to click, call, or transfer before your critical thinking kicks in.

If you receive an unexpected request involving passwords, payments, or personal information, verify it through a separate channel. Call the organisation directly using a number from their official website — not one provided in the suspicious message. If a colleague or boss makes an unusual request by email, walk over and ask them or call them on a number you already have.

Inspect Before You Click

Hover over links to see the actual URL before clicking. Look for subtle misspellings in domain names — attackers frequently use lookalike characters (replacing a Latin "a" with a Cyrillic "а", for instance). On mobile, long-press links to preview them. Be especially cautious with QR codes in public spaces or unexpected emails — use your phone's built-in QR scanner, which typically shows the URL before opening it.
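The lookalike-character check described above can be automated. The following is an added example, not code from the original article: it flags hostnames that mix scripts or that collapse to a trusted name once lookalike letters are replaced. The `CONFUSABLES` table, the `inspect_link` helper and the `.example` hosts are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed subset of Cyrillic/Greek letters that render like Latin ones.
# A fuller check would load the Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u03bf": "o",
}


def script_of(ch):
    """Approximate a letter's script from the first word of its Unicode name."""
    if not ch.isalpha():
        return None  # digits, hyphens and dots carry no script
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def skeleton(host):
    """Replace known lookalike letters with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(c, c) for c in host)


def inspect_link(url, trusted_hosts):
    """Report why a link's hostname may be a lookalike of a trusted one."""
    host = urlsplit(url).hostname or ""
    # A label that mixes scripts (Latin + Cyrillic) is a common lookalike signal.
    mixed = [label for label in host.split(".")
             if len({script_of(c) for c in label} - {None}) > 1]
    # A single-script label can still imitate a trusted name letter for letter.
    skel = skeleton(host)
    impersonates = skel if skel != host and skel in trusted_hosts else None
    try:
        wire_form = host.encode("idna").decode("ascii")  # the name DNS resolves
    except UnicodeError:
        wire_form = None
    return {"host": host, "wire_form": wire_form,
            "mixed_script_labels": mixed, "impersonates": impersonates,
            "suspicious": bool(mixed or impersonates)}


if __name__ == "__main__":
    trusted = {"paypal.example"}  # hypothetical hosts the user really uses
    for url in ("https://paypal.example/login",
                "https://p\u0430ypal.example/login"):  # U+0430 is Cyrillic "a"
        print(inspect_link(url, trusted))
```

The `wire_form` value is the `xn--` name that is actually resolved, which is why a hostname that looks familiar on screen can still point somewhere else.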

Adopt Phishing-Resistant Authentication

Traditional two-factor authentication using SMS codes or authenticator app one-time passwords is better than a password alone, but it's no longer enough. PhaaS toolkits can intercept these codes in real time, and MFA fatigue attacks — where attackers bombard you with push notifications until you approve one — appeared in 14% of security incidents in the 2025 Verizon Data Breach Investigations Report.

The current gold standard is passkeys based on the FIDO2/WebAuthn standard. Passkeys are cryptographic credentials bound to a specific website domain. There is no password to steal, no code to intercept, and no way to trick you into entering them on a fake site. Major platforms including Google, Apple, and Microsoft now support passkeys, and adoption is accelerating.

For high-security accounts, consider a hardware security key (like a YubiKey) that provides the same phishing-resistant protection in a physical device.
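The domain binding described above comes from checks the real site runs on every passkey sign-in. The following is an added example, not code from the original article or from any WebAuthn library: it builds the two structures a browser and authenticator return and applies the relying party's origin and `rpIdHash` checks. `bank.example`, the lookalike host and the fixed challenge are constructed, and signature verification is omitted because the standard library has no ECDSA.

```python
import base64
import hashlib
import json
import struct

RP_ID = "bank.example"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://bank.example"  # assumed origin of the real site


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_assertion(page_origin, rp_id, challenge):
    """Constructed stand-in for a browser + authenticator response.

    The browser, not the page, writes the origin into clientDataJSON, and the
    authenticator puts SHA-256(rpId) at the start of authenticatorData.
    """
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    flags = 0x01 | 0x04  # user present + user verified
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", 1))  # signCount = 1
    return client_data, auth_data


def verify_assertion(client_data, auth_data, challenge):
    """Relying-party checks that tie the assertion to this site.

    The real signature covers auth_data || SHA-256(client_data), so none of
    these fields can be rewritten in transit (signature check omitted here).
    """
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "wrong type"
    if cd.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    return "ok"
```

An assertion produced on a lookalike page carries that page's origin, so relaying it to the real site fails at the origin check even when the challenge was copied from a live login.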

Keep Your Software Updated

Many phishing attacks deliver malware that exploits known software vulnerabilities. Keeping your operating system, browser, and applications up to date closes these entry points. Enable automatic updates wherever possible.

Use Layered Security Tools

No single tool catches everything, but layers help. Enable your email provider's built-in phishing filters. Use a reputable browser that flags known phishing sites. Consider a DNS-based filtering service like Quad9 or Cloudflare's 1.1.1.2 that blocks connections to known malicious domains at the network level.

Build a Verification Reflex

Treat any request for credentials, money, or sensitive information as suspicious by default — even if it appears to come from someone you know. This isn't paranoia; it's a reasonable response to a world where any voice can be cloned and any email address can be spoofed. The few seconds it takes to verify through a separate channel could save you from serious financial or personal harm.

Key Takeaways

  • Phishing is impersonation designed to exploit trust and urgency. It arrives by email, text, phone call, and QR code — often in coordinated multi-channel campaigns.
  • AI has supercharged phishing with flawless language, scalable personalisation, and convincing voice and video deepfakes.
  • QR code phishing (quishing) is one of the fastest-growing attack vectors, with attacks increasing fivefold since 2023.
  • Passkeys and FIDO2-based authentication are the most effective technical defence against credential theft — they eliminate the shared secret that phishing relies on.
  • Your most reliable protection is a habit of mind: pause, verify through a separate channel, and never act on urgency alone.

The next time something feels urgent, that's exactly when you should slow down. Verify the sender, check the link, and confirm through a channel you trust. That moment of hesitation is the one thing no phishing attack — no matter how sophisticated — can overcome.