How to Spot a Phishing Attack in 2026

Phishing is consistently ranked as the number one initial attack vector in data breaches worldwide. In 2025, phishing accounted for more than a third of all confirmed breach incidents, according to the Verizon Data Breach Investigations Report — and the problem is accelerating. With attackers now using artificial intelligence to generate highly personalised, grammatically flawless phishing messages at scale, the old advice of "look for spelling mistakes" is no longer sufficient. This guide will help you understand what modern phishing looks like and how to protect yourself.

What is Phishing?

Phishing is a social engineering attack in which criminals impersonate a trusted organisation or individual to trick you into revealing sensitive information — such as passwords, credit card numbers or bank account details — or into downloading malware. The term covers a broad range of delivery methods:

  • Email phishing: The most common form. A fraudulent email mimics a bank, courier, government agency or online service and urges you to click a link or open an attachment.
  • Smishing (SMS phishing): Fraudulent text messages impersonating delivery companies, banks or government departments, often containing shortened URLs that obscure their true destination.
  • Vishing (voice phishing): Phone calls from people claiming to be bank fraud teams, tech support agents or government officials. AI voice cloning now makes it possible to convincingly impersonate real people.
  • Spear phishing: Highly targeted attacks tailored to a specific individual, often using personal information gathered from social media or previous data breaches to make the message more convincing.
  • QR code phishing ("Quishing"): A growing technique where a malicious QR code is embedded in an email, poster or physical object, directing victims to a fake login page when scanned.

Warning Signs of a Phishing Message in 2026

While AI has made phishing harder to detect by grammar alone, there are still reliable warning signs to look for:

  • Urgency and fear: Phishing messages almost always create a sense of urgency — "Your account will be suspended in 24 hours", "Unusual activity detected — verify now", "Final notice before legal action". Legitimate organisations rarely demand immediate action via email.
  • Mismatched sender domain: Check the actual email address, not just the display name. A message appearing to be from PayPal but sent from "[email protected]" (note the "1" instead of "l") is fraudulent. Hover over the sender name to reveal the real address.
  • Suspicious links: Hover over any link before clicking to see the real URL in your browser's status bar. Phishing URLs often use lookalike domains (paypa1.com), excessive subdomains (login.paypal.account-verify.net), or URL shorteners to hide the true destination.
  • Requests for sensitive information: Legitimate banks, government agencies and reputable companies will never ask you to confirm your password, PIN, full credit card number or social security number via email.
  • Unexpected attachments: Attachments in unexpected emails — especially Office documents, PDFs and ZIP files — should be treated with extreme suspicion. Even if the sender appears genuine, confirm by contacting them through a separate channel before opening.
  • Generic greetings: Mass phishing emails typically use "Dear Customer" or "Dear User" rather than your actual name, though AI-powered spear phishing campaigns now often include your real name.
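
The sender-domain and link checks above can also be automated. The sketch below is an added example, not part of the original guide: it flags lookalike domains, a brand name buried in a subdomain, and URL shorteners. The brand list, the shortener list, the sample sender address and the function names are constructed assumptions, and the last-two-labels domain rule is a simplification (production code should use the Public Suffix List).

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed, constructed allow-list: brand name -> its genuine registrable domain.
BRANDS = {"paypal": "paypal.com"}
# Small constructed sample of link-shortener hosts.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Digit-for-letter swaps commonly used in lookalike domains.
LOOKALIKE = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registrable(host):
    """Naive last-two-labels domain (assumption: no multi-part suffix such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_host(host):
    """Return the list of warning signs found in a hostname."""
    host = host.lower().rstrip(".")
    domain = registrable(host)
    findings = []
    if domain in SHORTENERS:
        findings.append("shortener")
    for brand, real in BRANDS.items():
        if domain == real:
            continue  # genuine domain, including its own subdomains
        name = domain.split(".")[0]
        if name.translate(LOOKALIKE) == brand:
            findings.append("lookalike")  # e.g. paypa1.com
        elif brand in host.split("."):
            findings.append("brand-in-subdomain")  # brand is only a subdomain label
    return findings


def check_url(url):
    """Check the host a link really points to."""
    return check_host(urlsplit(url).hostname or "")


def check_sender(from_header):
    """Check the real address in a From header, ignoring the display name."""
    _, address = parseaddr(from_header)
    return check_host(address.rpartition("@")[2])
```

An empty list means none of these three signs were found; it does not mean the link or sender is safe.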

How Antivirus Software Helps Protect Against Phishing

A good antivirus suite adds multiple layers of protection specifically designed to catch phishing attacks that human vigilance might miss:

  • Real-time URL filtering: Products like Norton, Bitdefender and ZoneAlarm maintain constantly updated databases of known phishing domains. Any attempt to navigate to one of these sites is blocked before the page even loads.
  • Heuristic site analysis: Beyond known bad domains, modern antivirus products analyse newly registered websites for characteristics common to phishing pages — fake login forms, brand impersonation, suspicious JavaScript — even if the domain has never been seen before.
  • AI scam detection: McAfee's 2026 suite features an AI-powered Scam Detector that analyses the actual content of emails, text messages and even video content to flag potential scams, catching AI-generated phishing that bypasses traditional filters.
  • Browser extensions: Dedicated browser extensions from Bitdefender (TrafficLight), Norton Safe Web and ZoneAlarm Web Secure display real-time safety ratings for every link you hover over and block redirects to phishing sites.
  • Email scanning: Some suites scan email attachments before they are opened, detecting malicious macro-embedded Office documents and other common phishing delivery vehicles.

What to Do if You Think You've Been Phished

If you suspect you have clicked a phishing link or entered credentials on a fake site, act quickly:

  • Change your password immediately on the real site — use a different device if you suspect your computer is compromised.
  • Enable two-factor authentication on the affected account if it is not already active.
  • Contact your bank immediately if financial details were entered.
  • Run a full antivirus scan to check for any malware that may have been installed.
  • Report the phishing message to your email provider and to your national cybersecurity authority (in the UK: NCSC; in the US: the Anti-Phishing Working Group at [email protected]).

The best defence against phishing is a combination of awareness, healthy scepticism and a quality antivirus suite with active web protection. Never let urgency override caution — take a moment to verify before you click.