Don’t Take the Bait: All You Need to Know About Phishing (and How to Dodge It)
Phishing might be one of the oldest tricks in the (cybercriminal) book, but it’s still one of the most effective. Why? Because it doesn’t rely on any sort of special software or breaking firewalls. It relies on people, trust, curiosity, and our tendency to act quickly when something looks urgent.
You’ve almost certainly seen one before. An email that looks like it’s from your bank. A text about a missed delivery. A phone call asking you to verify a password sent to your phone. These scams are carefully designed to look and sound genuine, and they catch out thousands of people every day.
But there is good news: once you know what to look for, they’re much easier to spot. In this guide, we’ll run through the five most common types of phishing and provide easy-to-follow, practical ways to protect yourself and your business.
1. Email Phishing: The Classic
If you’ve ever received an email that made you panic, “Your account has been locked!” or “Payment failed, click here to fix it!”, you’ve met the original phishing scam.
Email phishing works because it mimics real communication. Attackers copy company logos, use convincing language, and create fake websites that look almost identical to the real thing. They bet on one thing: that you will click before you think.
How to dodge it:
- Take a breath before clicking any link. Hover over a hyperlinked section to check where it really leads. If it isn’t where you expect it to be, do not click the link.
- Look closely at the sender’s address. Does it match the organisation’s real domain? Check it carefully: hackers even use characters from different alphabets to make a fake domain look as close as possible to the real one, such as a Cyrillic “а” in place of an “a” from the English alphabet, to trick users into thinking it’s the correct domain.
- When in doubt, go directly to the official website or app instead of clicking links in emails.
- If a message feels rushed or emotional, that should be a huge red flag. Genuine organisations rarely demand immediate action.
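The sender-address check can also be automated for a mail filter or a reported-phish triage script. The following is an added example, not part of the original article: the function names `scripts_in` and `check_sender` are hypothetical, and the `example.com` headers are constructed samples. It flags domain labels that use or mix non-Latin alphabets and compares the ASCII form of the domain with the one you expect.

```python
import unicodedata
from email.utils import parseaddr


def scripts_in(label):
    """Scripts used by the letters of one domain label, taken from the
    first word of each character's Unicode name (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def check_sender(from_header, expected_domain):
    """Compare the domain in a From header with the domain you expect."""
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    findings = []
    for label in domain.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts: {sorted(scripts)}")
        elif scripts - {"LATIN"}:
            findings.append(f"label {label!r} is written in {sorted(scripts)}")
    try:
        # The ASCII ("xn--") form is the name that is actually looked up in DNS.
        ascii_form = domain.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None
        findings.append("domain cannot be converted to ASCII form")
    # Accept the expected domain itself or one of its subdomains.
    matches = ascii_form is not None and (
        ascii_form == expected_domain
        or ascii_form.endswith("." + expected_domain))
    return {"domain": domain, "ascii_form": ascii_form,
            "matches_expected": matches, "findings": findings}


if __name__ == "__main__":
    # Constructed sample headers; \u0430 is the Cyrillic "a".
    for header in ("Example Bank <alerts@example.com>",
                   "Example Bank <alerts@ex\u0430mple.com>"):
        print(check_sender(header, "example.com"))
```

The two sample headers look identical on screen, but only the first resolves to `example.com`; the second converts to an `xn--` name and is reported as mixing Cyrillic and Latin letters.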
2. Voice Phishing (Vishing): A Confident Caller
Not all phishing happens online. Sometimes, it’s a voice on the end of a phone call.
Vishing scams usually start with a call from someone claiming to be from a trusted source, like your bank, manager, or even a relative. The caller sounds professional and often creates a sense of urgency. They might say things like, “We’ve spotted unusual activity on your account” or “We need to verify your details immediately.”
Their aim is simple: to get you talking and giving away information. Their target is your PII (Personally Identifiable Information), which opens doors for these scammers that you want to keep locked.
How to dodge it:
- Never share passwords, codes, or financial details over the phone.
- If you’re unsure, hang up and call back using a verified number from the organisation’s website. Trust your instincts.
- If something feels off, it probably is. A genuine caller will never pressure you into making quick decisions.
3. Smishing: The Text Message Trap
That “missed delivery” text asking you to click a link to rearrange a parcel? That’s smishing: phishing via SMS.
These texts often look like they’re from legitimate couriers, government services, or banks. But the link leads somewhere dangerous, like a fake login page, a malware download, or a form that will steal the details put into it.
How to dodge it:
- Don’t click links in texts you weren’t expecting.
- If it looks like it’s from a company you use, go to their official website or app instead.
- When you spot it, report the message if possible.
- Treat texts the same way you treat emails, with a healthy dose of caution.
4. Spear Phishing: The Personal Touch
Spear phishing takes things up a notch. Instead of sending out generic messages, attackers research you. They might know your name, your job title, your manager, which systems you might use and what goes on your social media profiles. With that information, they craft a message that feels personal and trustworthy.
You might receive an email that looks like it’s from your CEO, asking for an urgent payment. Or even from a job recruiter claiming they have the perfect position for you. The attention to detail is what makes it convincing.
How to dodge it:
- Be cautious with emails that feel unusually urgent or sensitive.
- Double-check sender addresses and watch for subtle misspellings.
- Confirm unusual requests via another channel. A quick phone call can save a lot of trouble.
- Attackers rely on familiarity and pressure. If you slow down, you take away their advantage.
5. Social Media Phishing: The Sneaky DM
As we spend more time on social platforms, scammers follow. Social media phishing happens when someone sends you a direct message, often on LinkedIn, Facebook, or Instagram, pretending to offer a job, prize, or opportunity. The goal is to get you to click a link, hand over personal details, or download something unsafe.
Fake profiles can be convincing. Some use stolen photos and copied bios to look legitimate.
How to dodge it:
- Avoid clicking links in messages from people you don’t know.
- Check the sender’s profile. Does it look real, active, and genuine?
- Enable two-factor authentication on your social accounts for an extra layer of protection.
- If a message feels too good to be true, or too urgent to be real, it’s worth a second look.
Bonus: How AI is Changing the Game
Phishing isn’t standing still. With the rise of AI, scams have become more convincing, more personal, and far harder to spot.
In the past, a phishing email was often riddled with typos or awkward language. Today, AI tools can write flawless messages that match a company’s tone of voice, mimic official templates, and even reference recent events. Some can generate cloned voices or faces, turning a simple phone scam into a sophisticated deepfake.
Attackers are now using AI to scale their efforts, sending thousands of unique, polished messages in seconds. It’s no longer about spotting bad grammar or poor design. The difference between real and fake can be almost invisible.
How to respond:
- Focus on behaviour, not appearance. Ask yourself, “Is this request expected?”
- Build a culture of caution. Encourage your team to verify before acting.
- Stay informed. Awareness is your best defence against evolving tactics.
- AI has raised the stakes, but it hasn’t changed the fundamentals. Slow down, stay alert, and don’t let urgency cloud your judgment.
The Sweet Summary
Phishing isn’t about how pro you are with IT. It’s about how aware you are.
Most scams rely on one simple thing: getting you to act before you think. That’s why the best defence isn’t software; it’s taking a second to be cautious and ask, “Is this email, text, or call legitimate?” Take a breath, look twice, and verify before you click, share, or respond.
Because when you stay calm and curious, you make it much harder for anyone, silent intruder or otherwise, to slip through the cracks.