← All articles

What is phishing? A plain-English guide

GottaPhish Team · June 24, 2026

Phishing is one of the most common ways criminals try to trick people online — and you don't need to be technical to understand it or protect yourself. This guide explains what phishing is, how it works, and what to watch for, in plain English.

What phishing actually is

Phishing is a type of scam where someone pretends to be a trustworthy person or organisation to trick you into doing something you shouldn't. That "something" is usually one of three things:

The name comes from the idea of "fishing": the attacker casts out bait (a convincing message) and hopes someone bites.

How a typical attack works

Most phishing arrives as a message — an email, a text, or even a chat. It's designed to look like it comes from somewhere you trust: your bank, a delivery company, a colleague, or your own IT department.

The message almost always tries to make you act quickly, often by creating a sense of urgency or fear:

"Your account will be suspended in 24 hours. Click here to confirm your details."

When you click the link, you're taken to a page that looks genuine but is controlled by the attacker. Anything you type there — your username, your password — goes straight to them.

Where phishing shows up

Phishing isn't limited to email. It comes in several forms:

The channel changes, but the goal is always the same: to trick you into trusting something you shouldn't.

Why it works on smart people

It's easy to assume only careless people fall for phishing. That's not true. These messages are designed by professionals who understand human psychology. They rely on:

When you're busy or distracted, these triggers can override your usual caution. Falling for a phishing attempt is a mistake anyone can make — it doesn't mean you're careless.

Simple habits that protect you

You don't need special software or technical skills to stay safe. A few calm habits go a long way:

If something feels off, trust that instinct. It's completely fine to slow down and double-check.

What to do if you're unsure

If you receive a suspicious message, don't click anything and don't reply. Report it to your IT or security team if you have one — they would much rather hear about ten false alarms than miss one real attack. Reporting also helps protect your colleagues, who may have received the same message.

How GottaPhish helps

Phishing works by tricking busy people into clicking, replying, or handing over passwords before they stop to think — and GottaPhish, together with our expert support team, helps you address exactly that. We run safe, realistic simulated phishing campaigns that mirror the tricks real attackers use, back them with short, practical awareness training, and give you clear dashboards showing where confidence is growing. Our support and experts team works hands-on with you to set up campaigns, design believable scenarios, and interpret the results, so that spotting phishing becomes second nature across your whole team.