Phishing Explained for Absolute Beginners

So What Even Is Phishing?

Imagine you get a phone call from someone claiming to be your bank. Their voice sounds professional, they mention your account number, and they urgently say there's been suspicious activity. They just need you to "confirm" your PIN to protect your account. Except — it's not your bank. It's a scammer pretending to be your bank.

That, in a nutshell, is phishing. The word comes from "fishing" — these criminals are casting a line and hoping you'll bite. Instead of worms, they use fake emails, fake websites, and fake text messages. Instead of fish, they're catching your passwords, credit card numbers, and personal details.

It's one of the oldest tricks on the internet, and it still works incredibly well — not because people are dumb, but because modern phishing attacks are genuinely convincing. Even tech-savvy people get caught out. So let's break down exactly how it works and, more importantly, how to protect yourself.

The Three Flavors of Phishing You'll Actually Encounter

Phishing isn't one single thing. It shows up in a few different forms, and knowing what each looks like makes them a lot easier to spot.

  • Email phishing — The classic. You get an email that looks like it's from Netflix, PayPal, your bank, Amazon, or even your company's IT department. It asks you to click a link and log in. The link takes you to a fake site that steals your credentials.
  • Smishing — Same idea, but via SMS text message. "Your package couldn't be delivered. Click here to reschedule." That link? Fake.
  • Spear phishing — A targeted attack. Instead of blasting the same email to a million random people, the attacker researches you specifically. They might mention your name, your employer, or a recent purchase. These feel much more personal and are harder to catch.
  • Vishing — Voice phishing, like the bank phone call example above. Yes, real humans call you and lie to your face. Or, increasingly, it's an AI-generated voice.

For most everyday people, email and SMS phishing are the two you'll bump into most often. Let's focus there.

How to Spot a Fake Link Before You Click It

This is the skill that will save you more times than anything else. A phishing email's entire job is to get you to click a link. So learn to examine links before you touch them.

Here's a simple way to think about web addresses (URLs). A legitimate URL for your bank might look like this:

https://www.yourbank.com/login

The important part — the part that tells you who actually owns the site — is the last two pieces of the address right before the first slash that follows https://. In this case: yourbank.com. That's the domain. Everything to the left of it is just a subdomain (which the domain's owner can set to anything, so it proves nothing).

Now look at what phishing URLs often do:

  • yourbank.com.secure-login.net — Looks like it contains "yourbank.com," but the real domain is secure-login.net. The bank part is just a subdomain, designed to fool you.
  • paypa1.com — Notice the "l" replaced with the number "1"? Easy to miss at a glance.
  • amazon-support-helpdesk.com — Lots of words, but none of them are "amazon.com."
  • netflix.com.account-verify.info — Again, the real domain is account-verify.info.
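As an added illustration (not part of the original article), here is a small link checker that applies the rule above to the sample addresses: it pulls out the domain that really owns a link, then flags the subdomain trick, digit-for-letter lookalikes, and brand words stuck in an unrelated domain. The brand table and the lookalike map are constructed for the example, and the domain extraction is deliberately simplified (it takes the last two labels, so multi-part endings such as .co.uk are not handled).

```python
from urllib.parse import urlsplit

# Constructed table of brands and the domain that really belongs to them.
KNOWN_BRANDS = {
    "yourbank": "yourbank.com",
    "paypal": "paypal.com",
    "amazon": "amazon.com",
    "netflix": "netflix.com",
}

# Digits that phishers swap in for similar-looking letters (paypa1 -> paypal).
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def hostname(url):
    """Return the lower-cased host part of a URL (scheme added if missing)."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().strip(".")


def registered_domain(url):
    """The part that says who owns the site: the last two labels of the host.
    Simplification: multi-part suffixes such as .co.uk are not handled."""
    return ".".join(hostname(url).split(".")[-2:])


def check_link(url):
    """Classify a link against KNOWN_BRANDS. Returns (verdict, domain) where
    verdict is one of: ok, subdomain-trick, lookalike, unrelated, unknown."""
    host = hostname(url)
    domain = registered_domain(url)
    for brand, real in KNOWN_BRANDS.items():
        if domain == real:
            return "ok", domain                # the real domain owns the page
        if (real + ".") in host:
            return "subdomain-trick", domain   # real name is only a subdomain
        if domain.translate(LOOKALIKES) == real:
            return "lookalike", domain         # digits standing in for letters
        if brand in domain:
            return "unrelated", domain         # brand word, but the wrong domain
    return "unknown", domain


if __name__ == "__main__":
    for link in ["https://www.yourbank.com/login", "yourbank.com.secure-login.net",
                 "paypa1.com", "amazon-support-helpdesk.com",
                 "netflix.com.account-verify.info"]:
        print(f"{link:40} -> {check_link(link)}")
```

A password manager does the same comparison automatically, which is why it refuses to fill your details on a lookalike page.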

On a computer, you can hover your mouse over any link without clicking it. The actual destination URL appears in the bottom-left corner of your browser. Always check it before clicking, especially if the email created any sense of urgency or alarm.

On a phone, press and hold the link instead of tapping it — most phones will show you a preview of the real URL before you go anywhere.

The Red Flags in the Email Itself

Beyond the link, the message itself often gives away the game. Here's what to look for:

  1. Urgency and fear — "Your account will be suspended in 24 hours." "Unusual activity detected — act now." Scammers want you panicked and clicking before you think. Legitimate companies rarely threaten you with immediate doom in an email.
  2. Generic greetings — "Dear Customer" or "Dear User" instead of your actual name. Your bank knows your name.
  3. The sender's email address looks off — The display name might say "PayPal Support," but click on it to see the actual address. If it's something like [email protected] instead of @paypal.com, that's a fake.
  4. Requests for sensitive information — No real company will ever email you asking for your password, full credit card number, or Social Security number. Ever.
  5. Unexpected attachments — An invoice you didn't request, a "statement" from a company you don't use, a document that needs you to "enable macros." These are traps.
  6. Something just feels slightly off — Trust that instinct. Maybe the logo looks a little different, or the email font is wrong. Phishing pages are copies, and copies are never quite perfect.

Oh No. I Already Clicked. What Do I Do?

First: don't panic. Clicking a link alone doesn't always mean disaster. What matters most is what happened next.

If you clicked but didn't enter any information: You're likely fine. Close the tab. Run a malware scan with a trusted antivirus program just to be safe. Keep an eye on your accounts for anything unusual over the next few days.

If you entered your username and password: Act fast.

  1. Go directly to the real website (type the address yourself — don't use any links from that email) and change your password immediately.
  2. If you use that same password anywhere else, change it on those sites too. This is the moment you'll be grateful if you don't reuse passwords.
  3. Enable two-factor authentication (2FA) on that account if you haven't already. Even if a thief got your password, 2FA means they still can't get in without a code sent to your phone.
  4. Check your account for any changes — email address, recovery phone number, any orders or transfers you didn't make.

If you entered your credit card or bank details: Call your bank or card issuer directly. Tell them what happened. They can freeze the card, watch for fraudulent charges, and issue you a new card number. Do this within the hour if you can.

If you downloaded and opened a file: This one's more serious. Run a full scan with your antivirus software immediately. If you're on a work computer, tell your IT team right away — they need to know. If you're not sure whether your device is clean, a tech professional can help.

The Simple Habits That Keep You Safe Long-Term

Security doesn't have to be complicated. A few consistent habits stop the vast majority of phishing attacks before they can do anything:

  • Use a password manager. Apps like Bitwarden or 1Password store your passwords and auto-fill them — but only on the real website. If you land on a fake page, the password manager simply won't fill in your details, because the domain doesn't match. It's like a built-in phishing detector.
  • Turn on two-factor authentication everywhere. Even if phishers steal your password, the second factor (usually a code from an app or text message) blocks them. Enable it on your email first — email is the master key to everything else.
  • Don't click links in unexpected emails or texts. If you get a message saying there's an issue with your Amazon order, close the message and go to Amazon.com yourself. Log in directly. If there's a real problem, it'll show up there.
  • Keep your devices updated. Software updates patch security holes that attacks exploit. It's boring advice but it genuinely matters.
  • When in doubt, call them. Got a scary email supposedly from your bank? Call the number on the back of your card — not any number in the email — and ask if the message is real. Takes two minutes and kills the scam dead.

The Bottom Line

Phishing works because it impersonates trust. It borrows the logos, the language, and the tone of companies you actually rely on. The goal is to make you react before you think.

The antidote is a small pause before you click anything. Check the sender. Check the link. Ask yourself: did I expect this? Does this make sense? Is someone trying to rush me?

That two-second habit — just hovering over a link and reading the actual URL — is enough to stop most phishing attacks completely. You don't need to be a cybersecurity expert. You just need to slow down for one breath before you click.

And if you do get caught? It happens to everyone at some point. Change your passwords, call your bank if needed, and don't beat yourself up. The important thing is moving quickly once you realize what happened. Time is the only thing working against you — and now you know exactly what to do.