Operated by Zeplik, Inc.
What is Phishing? Complete Guide for Non-Technical People

IsThisAScam Research Team · May 28, 2026 · 4 min read

In 2025, phishing was the starting point for 91% of all cyberattacks, according to the Cybersecurity & Infrastructure Security Agency (CISA). Over 3.4 billion phishing emails are sent every single day. Your email provider catches most of them, but it only takes one getting through — and one moment of inattention — to compromise your accounts, finances, or identity.

If the word "phishing" sounds technical, don't worry. The concept is simple: someone pretends to be a person or organization you trust, and tricks you into giving them something valuable. This guide explains everything in plain language.

Phishing in Plain English

Imagine you're at home and your doorbell rings. Someone in a FedEx uniform shows you a clipboard and says you need to sign for a package — but they also need your driver's license number "for verification." You might comply because the uniform creates trust. That's phishing, but in person.

Online phishing works the same way. Instead of a fake uniform, scammers use fake emails, websites, and messages designed to look like they came from companies you trust — your bank, Amazon, Netflix, Microsoft, or your employer. The "clipboard" is a link to a fake website. The "signature" is entering your real username and password.

The Four Types of Phishing

1. Email Phishing (the most common)

You receive an email that appears to be from a legitimate company. It says something designed to make you act without thinking:

"Your Amazon account has been locked due to suspicious activity. Click here to verify your identity and restore access within 24 hours or your account will be permanently deleted."

The email might look nearly identical to a real Amazon email — same logo, same colors, same footer text. The "click here" link goes to a website that looks exactly like Amazon's login page. But the URL is something like "amazon-verify-security.com" instead of "amazon.com." When you enter your username and password, you've just handed them to the scammer.

2. Smishing (text message phishing)

The same concept through text messages:

"USPS: Your package is being held due to an incomplete address. Update your delivery info: usps-delivery-update.com"

Text messages feel more urgent and personal than emails, and people are less cautious about clicking links on their phones.

3. Vishing (voice phishing — phone calls)

A caller claims to be from your bank's fraud department, the IRS, Social Security Administration, or tech support. They create urgency ("your account has been compromised") and ask for personal information, payment, or remote access to your computer.

4. Spear Phishing (targeted attacks)

Instead of sending the same email to millions of people, the scammer researches you specifically. They might reference your actual employer, recent purchases, or current events in your life (gathered from social media) to make the message far more convincing.

How to Spot Phishing: The 5-Point Check

You don't need to be a tech expert to identify most phishing attempts. Run through these five checks:

1. Check the sender's email address. Not the display name — the actual email address. A message from "Amazon Customer Service" that comes from "support@amaz0n-secure.net" is fake. Hover over the sender name to see the real address.

2. Hover over links before clicking. On a computer, hover your mouse over any link without clicking. The actual URL appears in the bottom-left corner of your browser. On mobile, press and hold the link. If the URL doesn't match the company's real website, don't click.

3. Look for urgency and threats. "Your account will be deleted," "You'll be arrested," "You have 24 hours." Legitimate companies don't threaten you via email. They give reasonable timeframes and multiple ways to contact them.

4. Check for generic greetings. "Dear Customer" or "Dear User" instead of your actual name can indicate a mass phishing email. Though some sophisticated phishing now includes your real name (gathered from breaches), generic greetings remain a common indicator.

5. Verify independently. Instead of clicking any link in the message, open a new browser tab and go directly to the company's website. If there's really a problem with your account, you'll see it when you log in normally.

IsThisAScam's 6-layer detection system automates this analysis. Paste any suspicious email, text, or message into our scanner, and it checks sender legitimacy, link safety, language patterns, urgency tactics, and known scam templates in seconds.

Real-World Phishing Examples

Here are actual phishing messages reported by users in 2025-2026:

"Microsoft: Your subscription payment failed. Your Office 365 access will be revoked in 12 hours. Update payment method: microsoft365-billing-update.com"
"Hi [name], I've shared a document with you on Google Drive. Click here to view: docs.google.sharepoint-view.com/document"
"Netflix: Your account is on hold. We were unable to validate your billing information. Please update your details at: netflix-account-billing.com/verify"

Every one of these messages was sent from a non-official domain, contained a link to a fake website, and used urgency to prevent careful thinking.
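
For readers who want to see the first four points of the 5-point check applied mechanically to the messages quoted in this guide, here is an added example (not code from the original article and not IsThisAScam's scanner). The brand-to-domain table, the finding names, and the naive "last two labels" domain rule are assumptions made for illustration; the fifth check, verifying independently, is a human step and is not coded.

```python
import re
from email.utils import parseaddr

# Assumption: a defender-maintained map of brand keyword -> official domain.
OFFICIAL = {"amazon": "amazon.com", "usps": "usps.com", "google": "google.com",
            "microsoft": "microsoft.com", "netflix": "netflix.com"}
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
URGENCY = re.compile(r"\bwithin \d+ hours\b|\bin \d+ hours\b|permanently deleted|"
                     r"will be revoked|on hold|being held", re.I)
GENERIC = re.compile(r"\bdear (?:customer|user)\b", re.I)

def registrable(host):
    # Naive last-two-labels rule; real code should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def check_message(sender, body):
    """Apply checks 1-4 of the 5-point check; return a list of finding codes."""
    display, address = parseaddr(sender)
    # Official domains of every brand named in the display name or body.
    official = {OFFICIAL[b] for b in OFFICIAL if b in f"{display} {body}".lower()}
    findings = []
    # Check 1: the real address, not the display name, must be on a named brand's domain.
    if address and official and registrable(address.split("@")[-1]) not in official:
        findings.append("sender-domain-mismatch")
    # Check 2: every linked host must sit under a named brand's official domain.
    for host in HOST.findall(body):
        if official and registrable(host) not in official:
            findings.append(f"lookalike-link:{host.lower()}")
    # Check 3: urgency and threats.
    if URGENCY.search(body):
        findings.append("urgency")
    # Check 4: generic greeting.
    if GENERIC.search(body):
        findings.append("generic-greeting")
    return findings

# Constructed samples assembled from the messages quoted in this guide.
SAMPLES = [
    ("Amazon Customer Service <support@amaz0n-secure.net>",
     "Your Amazon account has been locked. Verify at amazon-verify-security.com "
     "within 24 hours or your account will be permanently deleted."),
    ("", "Hi, I've shared a document with you on Google Drive. "
         "Click here to view: docs.google.sharepoint-view.com/document"),
    ("Amazon <no-reply@amazon.com>",  # constructed benign message
     "Your order has shipped. Track it at www.amazon.com/orders"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(check_message(sender, body) or "no findings")
```

The second sample shows why the whole hostname has to be read from right to left: "docs.google" at the front is only a subdomain label, and the domain that actually receives the click is sharepoint-view.com.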

What Happens If You Fall for Phishing

First: don't panic. Second: act fast.

  1. Change the password for the compromised account immediately (from the real website, not from any link)
  2. Enable two-factor authentication if you haven't already
  3. If you entered financial information, contact your bank immediately
  4. Check for unauthorized activity on the compromised account
  5. If you used the same password elsewhere, change those accounts too
  6. Report the phishing email to the impersonated company and to reportphishing@apwg.org

For a more detailed recovery plan, see our guide on what to do after a data breach.

How to Protect Yourself Going Forward

  • Use a password manager with unique passwords for every account (password guide)
  • Enable two-factor authentication everywhere possible (2FA guide)
  • Never click links in emails or texts — go directly to the company's website instead
  • Keep your browser and email client updated for the latest phishing protection features
  • Use email providers with strong spam filtering (Gmail, Outlook, ProtonMail)
  • When in doubt, call the company directly using a phone number from their official website (not from the suspicious message)
