Phishing and Scams: How to Recognise and Avoid Them
Phishing attacks explained: email phishing, vishing, smishing, QR code scams, and tech support fraud — how each works, the tactics used, and the rules that make you immune.
Phishing is the most successful attack vector in use today — not because it is technically sophisticated, but because it does not need to be. It bypasses firewalls, antivirus software, and encryption entirely by targeting the person using the device rather than the device itself. Understanding how these attacks work makes them significantly easier to recognise and resist.
What phishing is
Phishing is the act of impersonating a trusted entity — a bank, employer, government agency, or service provider — to trick someone into revealing credentials, sensitive information, or transferring money. The term covers attacks delivered via email, SMS (smishing), phone calls (vishing), and messaging apps.
The common thread is social engineering: creating a situation where the target's instinct to respond — to fix a problem, avoid a penalty, or help someone in need — overrides their scepticism.
Email phishing
Email phishing ranges from mass-sent generic attempts (easily spotted) to highly targeted spear-phishing attacks crafted using information gathered from social media and public sources. Modern phishing emails often:
- Clone the exact visual design of a legitimate communication from the impersonated organisation
- Spoof the sender address to display a legitimate-looking domain in email clients
- Create urgency — "Your account will be suspended in 24 hours" — to suppress analytical thinking
- Link to a login page that looks identical to the real one but captures credentials and may relay them in real time (adversary-in-the-middle phishing)
How to spot it: Hover over any link before clicking — check the actual URL, not the display text. Look for subtle domain variations (paypa1.com, amazon-account-verify.com). Legitimate services do not send account suspension notices that require clicking an email link to resolve — go directly to the service by typing the URL yourself.
Phone phishing (vishing)
Voice phishing is particularly effective because it exploits the real-time pressure of a live conversation. Attackers impersonate bank fraud departments, government agencies (tax authority, social security), and tech support services. They typically:
- Spoof the caller ID to display the legitimate organisation's phone number
- Reference real information (your name, partial account details obtained from data breaches) to establish credibility
- Create urgency — "Your account has been compromised and we need to verify your identity immediately"
- Ask for your PIN, card number, online banking password, or 2FA code
- Ask you to install remote access software ("so we can fix the problem")
The rule with no exceptions: No bank, government agency, or legitimate organisation will ever ask for your PIN, full card number, online banking password, or two-factor authentication code. Ever. If you receive such a request, hang up immediately. Call the organisation back using the number on their official website or the back of your card — not the number the caller provides.
SMS phishing (smishing)
SMS phishing uses text messages purportedly from delivery companies, banks, or government bodies. Common formats include missed delivery notifications requiring payment of a small fee (which actually captures card details), bank fraud alerts requiring urgent action, and government refund or fine notifications.
How to spot it: Delivery companies do not send payment requests via SMS. Banks send transaction alerts but do not ask for credentials via SMS. Check the sender number — legitimate organisations use consistent, registered shortcodes or numbers. When in doubt, go directly to the service via its official app or website.
Tech support scams
Tech support scams typically begin with a pop-up warning that your computer is infected — displaying a phone number to call, or auto-playing audio to create panic. When you call, the "technician" asks you to install remote access software (AnyDesk, TeamViewer) and then either steals data directly or demands payment to "fix" the non-existent problem.
How to spot it: Microsoft, Apple, and Google do not deliver security warnings via browser pop-ups with phone numbers. No legitimate software company will cold-call you about a virus. Close the browser tab and run a scan from your existing security software if you're concerned.
QR code phishing (quishing)
QR code phishing — sometimes called quishing — has grown rapidly as a delivery vector because QR codes bypass many email and web security filters. An attacker embeds a malicious URL in a QR code and delivers it via email, physical signage (parking meters, restaurant menus, package labels), or messaging apps. Because the URL is not rendered as a clickable link, most email clients do not scan or flag it.
When scanned, the QR code typically redirects to a credential harvesting page or initiates a malware download. The attack is particularly effective because mobile browsers often show a truncated URL in a small bar at the bottom of the screen — making it harder to verify the destination before the page loads.
How to protect yourself: Before scanning any QR code in an unexpected context, use a QR scanner app that shows you the full URL before opening it. On iPhone, the Camera app previews the link in a banner at the top — check it before tapping. Never scan QR codes in unsolicited emails. Be sceptical of QR codes on physical signage in public places — these can be replaced or covered with a fraudulent sticker. Legitimate services rarely require you to scan a QR code to access your account from a desktop — that is a pattern specific to phishing.
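The "check the actual URL" advice in the email section and the "see the full URL before opening it" advice above amount to the same inspection. This added example (not code from the original article or from Norypt) applies it to a link's real destination: look-alike domains such as paypa1.com or amazon-account-verify.com, a brand name hidden in a subdomain, credentials placed before the real host, raw IP hosts, and display text that disagrees with the href. The brand list, the two-label domain rule and the sample links are constructed simplifications.

```python
from urllib.parse import urlsplit

# Brands we expect to see and the domain each really uses (constructed list)
KNOWN_BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com"}

# Character substitutions commonly used to imitate a brand name (1 for l, 0 for o, ...)
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host):
    """Last two labels of the host; a simplification that ignores suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(href, display_text=None):
    """Return a list of warnings about a link's real destination; empty means nothing found."""
    warnings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    if parts.scheme not in ("http", "https"):
        warnings.append(f"unusual scheme '{parts.scheme}'")
    if parts.username is not None:
        # "https://paypal.com@evil.example" shows a brand before the real host
        warnings.append(f"credentials in URL hide the real host {host}")
    if host and host.replace(".", "").isdigit():
        warnings.append("raw IP address instead of a domain")
    # Undo digit-for-letter tricks before looking for a brand name anywhere in the host
    normalised = host.lower().translate(HOMOGLYPHS).replace("rn", "m")
    for brand, real_domain in KNOWN_BRANDS.items():
        if domain != real_domain and (brand in host.lower() or brand in normalised):
            warnings.append(f"looks like {brand} but is hosted on {domain}")
    if display_text:
        shown = display_text.strip()
        if "." in shown and " " not in shown:  # the display text itself looks like a URL
            shown_host = urlsplit(shown if "://" in shown else "https://" + shown).hostname or ""
            if registrable_domain(shown_host) != domain:
                warnings.append(f"display text shows {shown_host} but link goes to {host}")
    return warnings
```

The same function can be run on the URL a QR scanner app decodes before the page is opened.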
Romance and investment scams
Longer-term social engineering attacks build trust over weeks or months before making financial requests. Romance scams involve manufactured relationships that culminate in requests for money transfers. Investment scams present fabricated trading platforms showing impossible returns, encouraging victims to deposit increasingly large sums before the platform disappears.
These scams are effective precisely because they are slow — the trust-building phase makes the request feel different from an obvious fraud. Warning signs: any relationship that moves quickly to financial topics, any investment opportunity promising guaranteed or exceptional returns, any request to use unusual payment methods (gift cards, cryptocurrency, wire transfers) that cannot be reversed.
Protecting yourself
- Slow down. Urgency is a manipulation tool. Legitimate organisations give you time to verify. Any request requiring immediate action is a signal to pause, not act.
- Verify independently. Do not use contact details provided in the suspicious communication. Look up the organisation yourself.
- Use hardware security keys for important accounts. FIDO2 keys (such as a YubiKey) are phishing-resistant by design — they verify the domain cryptographically and will not authenticate on a fake site.
- Enable 2FA on all accounts — but prefer app-based or hardware 2FA over SMS, which is vulnerable to real-time relay attacks in advanced phishing scenarios. See Password Best Practices for a comparison of 2FA methods.
- Be sceptical of unexpected contact. If someone reaches out to you — rather than you initiating contact — apply a higher level of scrutiny to any requests that follow.
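To see why the hardware-key bullet above holds, here is an added example (not the article's code and not any vendor's library) that models the two domain checks in a WebAuthn login: the browser refuses to use an rpId that is not the page's host or a parent of it, and the relying party rejects an assertion whose signed origin or rpIdHash is not its own. Signature verification, CBOR parsing and the rest of the ceremony are omitted, the signing step is a stand-in digest, and bank.example / bank-secure.example are constructed names.

```python
import hashlib
import json


def rp_id_permitted(origin, rp_id):
    """Browser-side check: rp_id must be the page's host or a parent domain of it."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()
    return host == rp_id or host.endswith("." + rp_id)


def authenticator_sign(origin, rp_id, challenge):
    """What browser and key produce: clientData carrying the page's real origin and
    authenticatorData starting with SHA-256(rp_id). Returns None if the browser refuses."""
    if not rp_id_permitted(origin, rp_id):
        return None
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash; flags and counter omitted
    # A real key signs authenticatorData || SHA-256(clientDataJSON); a digest stands in here
    signed = hashlib.sha256(auth_data + hashlib.sha256(client_data.encode()).digest()).hexdigest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signed}


def server_verify(assertion, expected_challenge, rp_id, allowed_origins):
    """Relying-party checks taken from the WebAuthn assertion verification steps."""
    if assertion is None:
        return False
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") not in allowed_origins:
        return False  # the phishing page's origin is part of what was signed
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    return True  # real code verifies the signature with the registered public key here


def relay_attempts():
    """Adversary-in-the-middle scenario: the victim is on a look-alike domain (constructed)."""
    challenge = "c29tZS1jaGFsbGVuZ2U"  # constructed; a real server issues a fresh random one
    allowed = {"https://bank.example"}
    # The proxied login page asks for the bank's rpId; the browser refuses on the fake host
    relayed = authenticator_sign("https://bank-secure.example", "bank.example", challenge)
    # If the attacker uses their own rpId instead, origin and rpIdHash both fail at the bank
    forced = authenticator_sign("https://bank-secure.example", "bank-secure.example", challenge)
    legit = authenticator_sign("https://bank.example", "bank.example", challenge)
    return tuple(server_verify(a, challenge, "bank.example", allowed) for a in (relayed, forced, legit))
```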
What to do if you've been phished
If you've entered credentials on a phishing site, change the password on that account immediately — and on any other account where you used the same password. Enable 2FA if it wasn't already active. If financial information was disclosed, contact your bank directly using the number on your card. Report the phishing attempt to your national cybercrime agency and the impersonated organisation.
Acting quickly significantly limits the damage — most attackers monetise stolen credentials within hours, so hours matter. For hardware-level protection against phishing — including FIDO2 key support, sandboxed apps, and per-app network access controls — the Norypt Pixel Secure running GrapheneOS provides a significantly harder target than a standard Android or iOS device.