What is phishing and how does it work?

Phishing is the term used to describe fraudsters who use emails, SMS and phone scams to trick people into giving over their personal details. It is one of the most commonly reported types of cyber crime.

Woman playing with children in the park

What is phishing?

As a rule, all phishing attempts involve a scammer pretending to be someone they’re not in order to gain sensitive information, like credit card and bank account numbers, PINs and passwords. Generally, they do this by impersonating a reputable company or trustworthy person.

Should they get their hands on a victim’s card details for instance, they can get to work – making purchases on the internet, over the phone or by mail order – without anyone realising until it’s too late.

How phishing works?

Usually carried out over email, phishing attacks can come by phone (voice phishing, or vishing), text (SMS phishing, or smishing) and through social media and fake sites designed to look like web pages you regularly visit.

A basic phishing attack will aim to trick the target into doing what the scammer wants, whether that’s handing over passwords or altering bank details so that payments go to the fraudsters instead of the correct account.

Phishing is also a favoured method of cyber criminals to deliver malware (malicious software, like viruses and spyware) by encouraging victims to download a document or visit a link that will secretly install it on a computer.

Types of phishing

While most phishing emails are sent at random to large numbers of people in the hope of boosting their hit rate, many others are highly targeted and personalised to a specific individual or organisation.

Phishing itself comes in many forms, so here are some to be aware of:

Email phishing

This is the most common type of phishing, where fraudsters send scam emails out in bulk with the aim of duping as many people as possible. Quite often, they’ll ask the target to act immediately to resolve an issue like a compromised bank account by clicking on an attached – and bogus - link.

Spear phishing

This is when a scammer directly targets a specific organisation or person with tailored phishing emails. Unlike bulk phishing, these attackers often gather and use a victim’s personal information - their name, company or job title - to make scam emails seem more genuine and from a legitimate source.


Voice phishing – vishing for short – is when a scammer attempts to get a target’s personal details over the phone. Typically, visher scammers create fake ID caller profiles so the phone numbers they’re calling on seem legitimate and from a local area code or trusted organisation. Learn more about what vishing is and how it works.


Smishing is an attack that uses text messaging or short message service (SMS) to target phone users. Typically, a smishing message will include a urgent demand to hook a target, inviting them to click a link, call a number or contact an email address, ultimately, to get them to share personal data.

Social phishing

This is when scammers use social media sites such as Facebook, Twitter or Instagram to steal personal data. In such attacks, targets are often urged to click on links on fake pages, or respond to messages sent from scammers posing as friends and family.


This phishing technique uses online adverts or eye-catching pop-ups to encourage people to click on a link that appears genuine, but instead can install malware on their computer - or redirect them to a malicious website which is operated by the attacker.

While phishing presents a very real threat, the most important thing is to exercise common sense and a good deal of caution about any message you receive which looks faintly suspicious, urges you to do something ‘right now’ or has a link or attachment which seems even remotely dodgy.

Recognising a phishing attack

Being familiar with the tell-tale signs of a phishing attack will help you to recognise and report any that you receive. Here are some things to look out for:

  • is it unexpected? For example, an email from your bank that would usually be a text
  • does it have an unusual tone or greeting? Is it much too friendly when it should be formal
  • are there grammatical errors or spelling mistakes?
  • does it urge you to act fast and contain threats? For instance, you have unpaid tax which requires immediate action to avoid prosecution
  • are there inconsistencies in email addresses and domain names? Such as @micrusoft.com rather than @microsoft.com
  • does it come with suspicious attachments?

Protecting yourself against phishing

While phisher scammers may attempt to reel you in, by taking a few simple precautions, you can help safeguard your information and avoid being caught out.

Think before you click

Don’t click on links in random emails and instant messages. Instead, hover over any links you’re unsure of to check whether the URL is legitimate. Or, if still in doubt, go directly to the source yourself via your search engine.

Don’t give out personal information

As a rule, you should never share sensitive information over the internet. When unsure about a particular email or message, you can log in to your account and contact the company directly to check the validity of any communication.

Always check a site is secure

Submitting personal information shouldn’t be an issue as long as you’re on a secure website. However, before you do, check the site’s URL begins with ‘https’. Also, check for the site’s security certificate.

Install firewalls

Firewalls act as a buffer against phishing attacks. The are two different kinds – desktop firewalls and network firewall – and installing both can work effectively to reduce the odds of a scammer infiltrating your computer.

Reporting a phishing attack

If you spot the signs of a phishing scam, you can report it to Action Fraud, the national fraud and crime reporting centre. They’ll review your report, and send it to the police if necessary.

If money’s been taken from your account or you’re worried a scammer might have enough of your details to do so, let your bank know straight away. They can then protect your account from further issues.

How Barclaycard can help protect you from scams

We believe you can’t be too safe. So here are just a few ways we keep your account secure:

  • our fraud protection means you’ll be refunded for any fraud carried out on your account
  • your account is monitored 24/7. If something doesn’t look right, we’ll contact you straight away
  • If you’ve had a suspicious call, you can speak to our fraud team over the phone on 0800 318 665 or by email at internetsecurity@barclays.co.uk.
  • You can also find out more about reporting a scam.

What’s next?

Barclaycard’s fraud team are dedicated to stopping scammers in their tracks. So we’ve created a Fraud Fighter tool to help keep you prepared and protected.

Use our Fraud Fighter tool