What is phishing? A plain-English guide
Phishing is one of the most common ways criminals try to trick people online — and you don't need to be technical to understand it or protect yourself. This guide explains what phishing is, how it works, and what to watch for, in plain English.
What phishing actually is
Phishing is a type of scam where someone pretends to be a trustworthy person or organisation to trick you into doing something you shouldn't. That "something" is usually one of three things:
- Handing over information — passwords, bank details, or personal data.
- Clicking a link that leads to a fake website or installs harmful software.
- Taking an action — paying a fake invoice, approving a request, or forwarding sensitive files.
The name comes from the idea of "fishing": the attacker casts out bait (a convincing message) and hopes someone bites.
How a typical attack works
Most phishing arrives as a message — an email, a text, or even a chat. It's designed to look like it comes from somewhere you trust: your bank, a delivery company, a colleague, or your own IT department.
The message almost always tries to make you act quickly, often by creating a sense of urgency or fear:
"Your account will be suspended in 24 hours. Click here to confirm your details."
When you click the link, you're taken to a page that looks genuine but is controlled by the attacker. Anything you type there — your username, your password — goes straight to them.
Where phishing shows up
Phishing isn't limited to email. It comes in several forms:
- Email phishing — the classic, and still the most common.
- Smishing — phishing sent by text message (SMS).
- Vishing — phishing over a phone call, often pretending to be your bank or a support line.
- QR-code phishing — a fake QR code that sends you to a malicious website.
The channel changes, but the goal is always the same: to trick you into trusting something you shouldn't.
Why it works on smart people
It's easy to assume only careless people fall for phishing. That's not true. These messages are designed by professionals who understand human psychology. They rely on:
- Urgency — "Act now or lose access."
- Authority — pretending to be your boss, your bank, or the tax office.
- Curiosity — "Here's the photo everyone's talking about."
- Fear — "Suspicious login detected on your account."
When you're busy or distracted, these triggers can override your usual caution. Falling for a phishing attempt is a mistake anyone can make — it doesn't mean you're careless.
Simple habits that protect you
You don't need special software or technical skills to stay safe. A few calm habits go a long way:
- Pause before you click. Urgency is a warning sign, not a reason to rush.
- Check the sender. Look closely at the email address, not just the display name.
- Go direct. Instead of clicking a link, open your browser and type the website address yourself, or use the official app.
- When in doubt, ask. Contact the person or company through a channel you already trust.
- Never share passwords or codes. No legitimate organisation will ask for them by email or phone.
If something feels off, trust that instinct. It's completely fine to slow down and double-check.
What to do if you're unsure
If you receive a suspicious message, don't click anything and don't reply. Report it to your IT or security team if you have one — they would much rather hear about ten false alarms than miss one real attack. Reporting also helps protect your colleagues, who may have received the same message.
How GottaPhish helps
Phishing works by tricking busy people into clicking, replying, or handing over passwords before they stop to think — and GottaPhish, together with our expert support team, helps you address exactly that. We run safe, realistic simulated phishing campaigns that mirror the tricks real attackers use, back them with short, practical awareness training, and give you clear dashboards showing where confidence is growing. Our support and experts team works hands-on with you to set up campaigns, design believable scenarios, and interpret the results, so that spotting phishing becomes second nature across your whole team.
