
Phishing: the many methods (and how to stop them)

Phishing isn’t just one single trick - it’s a toolbox attackers use to get you to hand over credentials, money or access. Here we look at common types of phishing (from run-of-the-mill to highly targeted), show realistic examples, and give concrete mitigations that follow the National Cyber Security Centre (NCSC) guidance.



Generic (bulk) phishing


What it is: mass emails or texts pretending to be a bank, delivery firm, or service, trying to trick many people at once (“You must verify your account - click here”).

How it looks: urgent language, dodgy links, attachments, poor spelling; addresses that don’t exactly match the organisation.

Risk: low per message, but sent at scale - only a small fraction of recipients needs to fall for it to make the campaign worthwhile.

Mitigations (NCSC picks): don’t click links in unexpected messages; check sender addresses and hover links to inspect real URLs; report suspicious items; use web/email filters and SPF/DKIM/DMARC to reduce fake mail delivery.


Spear-phishing (targeted email attacks)


What it is: bespoke emails aimed at a particular individual or group, using personal detail to increase credibility (e.g., “Hi John - here’s the invoice for last week” when you don’t expect one).

How it looks: personalised greeting, relevant context, sometimes a compromised internal account as the sender.

Risk: much higher - tailored social engineering bypasses generic checks.

Mitigations: staff awareness training to spot context-aware lures; disable/limit Office macros and risky attachment types; enforce multi-factor authentication (MFA); use email filtering and monitoring for unusual inbound messages. NCSC gives extensive mitigation guidance for spear-phishing and related targeted campaigns.


Whaling / Business Email Compromise (BEC)


What it is: very high-value spear-phishing aimed at executives or finance staff to authorise payments or reveal sensitive data. Attackers often impersonate CEOs, CFOs, or trusted suppliers.

How it looks: urgent payment requests, changed bank details, faked invoices, or “confidential” one-off requests. Often well written and carefully timed.

Risk: extremely high - can directly cause large financial loss.

Mitigations: separate duties and approval chains for payments; require verbal or second-channel verification for unusual requests; keep senior staff trained and sceptical; deploy email authentication and monitoring; and follow the NCSC’s BEC guidance.


Vishing (voice phishing)


What it is: attackers call (or leave voicemail) pretending to be IT support, bank staff, police, etc., to extract credentials, codes, or to trick you into installing software.

How it looks: spoofed caller IDs (showing a bank’s number), pressure to act now, requests for OTPs or passwords.

Risk: medium/high because spoken pressure can be persuasive.

Mitigations: never give one-time codes or passwords to callers; verify identity via known numbers (don’t use numbers given by the caller); train staff to treat unsolicited calls with suspicion; report scams. NCSC advice on how to spot scam calls is applicable.


Smishing (SMS phishing)


What it is: phishing by text message - links to malicious sites or prompts to call a number.

How it looks: short urgent messages about parcels, payments, or account problems with a link.

Risk: similar to generic phishing but effective because people trust SMS more.

Mitigations: same basic rules as email: don’t click unexpected links; check sender; verify via official apps or websites; report. NCSC’s consumer guidance covers spotting SMS scams.


Pharming and fake sites


What it is: an attacker redirects you to a fake website (by DNS compromise, a malicious link, or a cloned site) so you enter your credentials there.

How it looks: near-perfect copies of login pages, slightly different domain names, or long URLs.

Risk: medium/high - looks convincing and steals credentials even without attachments.

Mitigations: check HTTPS and domain carefully (padlock alone isn’t proof); use password managers (they only autofill on the exact domain); use MFA; report fake sites and use browser/site-blockers. NCSC guidance emphasises removing fake sites and reporting them.


Angler phishing (social media)


What it is: fake social accounts posing as customer support or official channels to harvest details or promote malicious links.

How it looks: replies to customers on social platforms, DMs asking you to click a link or verify identity.

Mitigations: treat DMs cautiously; go to official websites/apps for support; platform reporting and take-down. NCSC spot-scam guidance covers social channels too.


Quishing (QR-code phishing)


What it is: a short, sneaky cousin of phishing - it uses malicious QR codes to send victims to spoofed websites, prompt a payment or download malware.

How it looks: Attackers can embed QR codes inside emails or PDFs (where image-based codes may bypass link filters), or physically stick fraudulent codes over legitimate ones on posters, parking meters and menus. Because scans happen on mobile devices and URLs are hard to inspect visually, quishing is especially effective at evading the usual “hover-and-check” protections.

Mitigations: use the phone’s built-in QR scanner or a trusted scanner that previews the destination URL, inspect the preview carefully before proceeding, avoid scanning codes from unexpected emails or public stickers, type known payment URLs manually when possible, enable MFA on accounts that could be targeted, and report suspected quishing to the appropriate authorities.
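The generic, pharming and quishing sections above all come down to one habit: look at the real destination URL (hover tooltip, page source or QR scanner preview) and decide whether it belongs to the organisation it claims to be. The following Python script is an added example, not code from EMCRC or the NCSC, that automates that decision for a URL and the link text it was wrapped in, reporting the tell-tale signs named above (plain HTTP, a brand name hanging off someone else's domain, an `@` hiding the real host, a raw IP address, punycode look-alikes, link text that disagrees with the target). The allow-list of known domains and all sample URLs are constructed for illustration.

```python
"""Link inspection helper for the hover-and-check, fake-site and QR-preview advice above.

Added example, not code from EMCRC or the NCSC. It takes the URL a mail client
tooltip, QR scanner preview or page source would show (plus the anchor text it
was wrapped in) and returns the reasons the link deserves suspicion. The
domains, URLs and anchor texts below are constructed samples.
"""
import re
from typing import List
from urllib.parse import urlparse

# Constructed allow-list of registrable domains the reader genuinely uses.
# A password manager applies the same idea: it autofills only on an exact match.
KNOWN_DOMAINS = {"example-bank.co.uk", "example-payroll.org"}

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels, or last three under ccTLD second-level
    suffixes such as .co.uk. Enough for a demonstration; real tooling should
    use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in {"co", "org", "gov", "ac", "net"}):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_link(href: str, display_text: str = "") -> List[str]:
    """Return human-readable reasons to distrust the link (empty list = no findings)."""
    reasons: List[str] = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()

    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {parsed.scheme!r}")
    elif parsed.scheme == "http":
        reasons.append("plain HTTP, not HTTPS")

    if parsed.username:
        # https://example-bank.co.uk@evil.example/ : the real host is after the '@'
        reasons.append(f"'{parsed.username}@' in the URL hides the real host {host}")

    is_ip = bool(IPV4.fullmatch(host))
    if is_ip:
        reasons.append("raw IP address instead of a domain name")
    elif host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) host: may be a look-alike of a real name")
    elif host:
        reg = registrable_domain(host)
        if reg not in KNOWN_DOMAINS:
            # Brand name present as a label, but the registrable domain is someone else's
            for known in KNOWN_DOMAINS:
                if known.split(".")[0] in host:
                    reasons.append(f"looks like {known} but really belongs to {reg}")
                    break

    # Anchor text that is itself a URL, pointing at a different host than the real target
    shown = urlparse(display_text.strip())
    if shown.hostname and shown.hostname.lower() != host:
        reasons.append(f"link text shows {shown.hostname} but the link goes to {host}")

    if len(href) > 200:
        reasons.append("unusually long URL")
    return reasons


if __name__ == "__main__":
    samples = [  # constructed examples, not real campaigns
        ("https://online.example-bank.co.uk/login", "Log in"),
        ("http://example-bank.co.uk.login-verify.net/secure", "https://example-bank.co.uk/secure"),
        ("https://example-bank.co.uk@203.0.113.5/", "Verify now"),
        ("https://xn--exampe-bank-xyz.co.uk/", "example-bank"),
    ]
    for href, text in samples:
        print(href, "->", inspect_link(href, text) or "no findings")
```

The first sample is clean because its registrable domain matches the allow-list exactly; the second trips three checks at once, which is typical of a cloned login page. The allow-list approach is deliberately the same one a password manager uses: a convincing page on the wrong domain simply never matches.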



Practical, NCSC-aligned checklist to reduce risk (for individuals & organisations)


Quick wins (everyone):


  • Use MFA on every account that supports it (authenticator app or hardware token where possible).

  • Think before you click: hover links, don’t open unexpected attachments.

  • Use a password manager to avoid password reuse and to detect fake domains.

  • Report suspicious emails to the NCSC Suspicious Email Reporting Service (SERS): report@phishing.gov.uk - forwarding suspected phishing helps the NCSC take sites down.


Technical controls (recommended by NCSC for organisations):


  • Enforce email authentication standards: SPF, DKIM, DMARC and check your domain via NCSC’s email security checker.

  • Deploy modern email filtering and anti-malware gateways; block risky attachment types and macros.

  • Apply the principle of least privilege and segmentation so a compromised account can’t easily access everything.

  • Maintain an incident response plan that includes scenario playbooks for phishing/BEC.
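The first technical control above, checking your own domain's SPF and DMARC, can be scripted. The Python below is an added example, not the NCSC's email security checker or EMCRC code: it grades SPF and DMARC TXT records for the weaknesses that let spoofed mail through (a missing record, `p=none`, a `pct` below 100, `+all` or `?all`, too many DNS lookups). It takes the record strings directly so it runs offline; in practice you would fetch them with a DNS library such as dnspython (`dns.resolver.resolve("_dmarc." + domain, "TXT")`). DKIM is not graded because its record lives under a selector name you must already know. All records shown are constructed samples for fictitious domains.

```python
"""Grade a domain's SPF and DMARC TXT records for the weaknesses the checklist warns about.

Added example, not the NCSC email security checker or EMCRC code. Record
strings are passed in directly (constructed samples below) so the script runs
offline; a real run would fetch the TXT records over DNS first.
"""
from typing import Dict, List, Optional, Tuple

GRADES = ["none", "weak", "ok", "strong"]  # ordered, worst first
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # count against the limit of 10


def parse_tagged(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' records (DMARC, DKIM). Tags are lower-cased."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: Optional[str]) -> Tuple[str, List[str]]:
    """Return (grade, findings); grade is one of GRADES."""
    if not record:
        return "none", ["no DMARC record: receivers are never told to reject spoofed mail"]
    tags = parse_tagged(record)
    if tags.get("v") != "DMARC1":
        return "none", ["record does not start with v=DMARC1"]
    policy = tags.get("p", "")
    grade = {"none": "weak", "quarantine": "ok", "reject": "strong"}.get(policy)
    if grade is None:
        return "none", [f"missing or invalid p= tag ({policy!r})"]
    findings: List[str] = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
        grade = "weak"
    if tags.get("sp") == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return grade, findings


def grade_spf(record: Optional[str]) -> Tuple[str, List[str]]:
    """Return (grade, findings) for an SPF record string."""
    if not record:
        return "none", ["no SPF record: any host may send as this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", ["record does not start with v=spf1"]
    findings: List[str] = []
    # Mechanism/modifier name without its qualifier, argument or CIDR suffix
    names = [t.lower().lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0] for t in terms[1:]]
    all_terms = [t for t, n in zip(terms[1:], names) if n == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
        grade = "weak"
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all authorises every host on the internet")
            grade = "none"
        elif qualifier == "?":
            findings.append("?all is neutral, which is effectively no policy")
            grade = "weak"
        elif qualifier == "~":
            grade = "ok"  # softfail: most receivers only mark, they do not reject
        else:
            grade = "strong"  # -all
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror, SPF ignored)")
        grade = "none"
    if "ptr" in names:
        findings.append("ptr mechanism is deprecated and slow")
    return grade, findings


def grade_domain(spf: Optional[str], dmarc: Optional[str]) -> Tuple[str, List[str]]:
    """Overall grade is the weaker of the two: DMARC can only enforce what SPF/DKIM align."""
    spf_grade, spf_findings = grade_spf(spf)
    dmarc_grade, dmarc_findings = grade_dmarc(dmarc)
    overall = min(spf_grade, dmarc_grade, key=GRADES.index)
    return overall, [f"SPF: {f}" for f in spf_findings] + [f"DMARC: {f}" for f in dmarc_findings]


if __name__ == "__main__":
    # Constructed records for two fictitious domains
    good = ("v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
            "v=DMARC1; p=reject; rua=mailto:dmarc@example.org")
    weak = ("v=spf1 a mx +all", "v=DMARC1; p=none")
    for spf, dmarc in (good, weak):
        print(grade_domain(spf, dmarc))
```

A domain that grades "weak" here is one whose name can be used in a generic or BEC lure with little chance of the mail being rejected; moving to `p=quarantine` and then `p=reject`, with `-all` on SPF, is the usual path once the `rua` reports show that legitimate senders are all listed.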


Process & people (culture):


  • Run regular, practical training and phishing simulation exercises, but pair simulations with supportive coaching - people who fail should be taught, not shamed.

  • For financial or data-sensitive requests: require two-person approvals, out-of-band verification (phone or face-to-face), and pre-approved payee lists. This helps prevent whaling/BEC losses.

Realistic examples


  • Email from “HR” asking you to log in to view a payslip - hover over the link, check the URL, and go to the payroll site via a saved bookmark instead. (If unsure, call HR on a number you know.)

  • Call from “IT” needing your 2FA code to “fix” your laptop - this is a classic vishing trick; never give codes to callers. Verify by contacting IT on a known internal number.

  • CEO emails finance: “urgent - pay supplier now” - treat as BEC/whaling; require voice confirmation from the CEO and two-step finance approvals.


If you (or your org) get phished — immediate steps (NCSC recommended)


  1. Don’t panic. Disconnect the affected device from networks if data exfiltration or malware is suspected.

  2. Change passwords on affected accounts (from a clean device) and revoke active sessions. Enable MFA.

  3. Report the scam: forward suspicious emails to report@phishing.gov.uk and use GOV.UK reporting routes for fraud. For serious incidents, follow your organisation’s incident playbook and contact NCSC if national-level advice is needed.


Final quick takeaways


  • Phishing comes in many forms - email, SMS, voice, social media and fake sites - and ranges from bulk scams to highly targeted whaling/BEC.

  • Defence is layered: training + technical controls (MFA, email auth, filtering) + good processes (payment controls, reporting) give the best protection.

  • If you see something suspicious, report it to report@phishing.gov.uk - flagging helps the NCSC take malicious sites down and protect others.


Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).




The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
