Phishing is one of the most widespread and dangerous forms of cybercrime today – and it’s evolving fast, with over 45 million scams reported as of September 2025. Most concerning of all, in the new era of artificial intelligence (AI) the line between legitimate and fraudulent messages is increasingly blurred, and detecting such activity has never been so difficult. That’s why understanding phishing and knowing how to spot the signs is crucial. This article explores how phishing works, why it’s so effective, and most importantly, how you can protect yourself.
What is phishing?
Phishing is a type of online fraud where criminals impersonate trusted organisations – such as banks, HMRC, or financial service providers – to trick individuals into revealing sensitive information like login credentials, bank details, or credit card numbers. In the UK, phishing remains one of the most common threats to personal financial security, with scammers regularly sending emails or text messages that appear to be from legitimate sources.
Example of phishing
For example, you might receive a message claiming to be from your bank, asking you to “verify” unusual account activity or “reactivate” your online banking access by clicking a link. These links typically lead to fake websites designed to capture your information. Some fraudsters even spoof phone numbers, making it appear as if a call is coming from your bank’s fraud team. Once they gain access to your accounts, they can steal funds or commit identity fraud. Most notably, UK consumers are increasingly falling victim to a deceptive tactic known as the homograph attack (more on that below).
The term “phishing” is a play on the word “fishing”, where fraudsters “cast out bait” – usually in the form of fake emails, messages, or websites – to lure victims into “biting” by giving up sensitive information like passwords, bank details, or credit card numbers.
AI is making phishing more effective
Thanks to AI, phishing has become even more efficient and convincing, making it harder for recipients to spot fake messages. For example, a scam email might appear to come from your bank or a well-known provider like PayPal or HMRC, complete with official logos, professional wording, and even your name. The language used is far more believable than in the past, with AI helping scammers craft emails that sound exactly like genuine communications.
In some cases, fraudsters even include real links to customer service pages – such as the official NatWest help centre or a genuine GOV.UK page – within the same message, giving the impression that the email is legitimate. This false sense of security is what makes victims more likely to click the fraudulent phishing link.
Emerging threat: Homograph attacks
Most notably, UK consumers are increasingly falling victim to a deceptive tactic known as the homograph attack (also known as a homoglyph attack), where scammers create web addresses using lookalike characters from different alphabets and successfully trick users into thinking they’re visiting a legitimate site.
For example:
- The letter “O” and the digit “0”
- Uppercase “I” and lowercase “l”
- Or letters like a, c, e, o, p, x, y in Cyrillic, which look nearly identical to Latin characters.
Fraudsters register domain names that look like the original at first glance but contain subtle substitutions using foreign alphabet characters. For example:
- A phishing website like bank-x.com could use a Cyrillic “x”.
- An email sender might be listed as chef@xyz-ag.ch – with a Cyrillic “a”, not a Latin one.
These differences are nearly invisible to the naked eye, but they completely alter the destination or sender, tricking victims into trusting the message or site.
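A check that makes these substitutions visible, using the two lookalike addresses above as constructed samples. This is an added example, not part of the original article; the allow-list `TRUSTED` and the function names are assumptions made for illustration.

```python
import unicodedata

# Cyrillic letters the article lists as near-identical to Latin a, c, e, o, p, x, y.
CYRILLIC_LOOKALIKES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
                       "\u0440": "p", "\u0445": "x", "\u0443": "y"}
# Hypothetical allow-list: domains the user really deals with.
TRUSTED = {"bank-x.com", "xyz-ag.ch"}

def script_of(ch):
    """Script taken from the Unicode name, e.g. 'LATIN' or 'CYRILLIC'."""
    if ch.isdigit() or ch == "-":
        return None  # digits and hyphens belong to no alphabet
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def to_ascii(label):
    """Punycode ('xn--') form of a label, which exposes hidden non-ASCII."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def check_domain(domain):
    domain = domain.lower().rsplit("@", 1)[-1]  # accept e-mail addresses too
    labels = domain.split(".")
    # Labels that mix alphabets, e.g. Latin letters plus one Cyrillic letter.
    mixed = [l for l in labels
             if len({s for s in map(script_of, l) if s}) > 1]
    # Map lookalikes back to Latin to see which real domain is being imitated.
    skeleton = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in domain)
    imitates = skeleton if skeleton in TRUSTED and skeleton != domain else None
    return {
        "ascii_form": ".".join(to_ascii(l) for l in labels),
        "mixed_script_labels": mixed,
        "imitates": imitates,
        "suspicious": bool(mixed or imitates),
    }

# Constructed samples built from the article's two examples.
SPOOFED_SITE = "bank-\u0445.com"        # Cyrillic "x" lookalike (U+0445)
SPOOFED_SENDER = "chef@xyz-\u0430g.ch"  # Cyrillic "a" lookalike (U+0430)

if __name__ == "__main__":
    for sample in ("bank-x.com", SPOOFED_SITE, SPOOFED_SENDER):
        print(sample, "->", check_domain(sample))
```

The `ascii_form` field is the practical tell: a spoofed label converts to an `xn--` string, while the genuine domain is unchanged.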
How to protect yourself from phishing
Browser developers and domain providers are actively working to protect users from homograph attacks – where lookalike characters from different alphabets are used to create deceptive web addresses. Some domain registries now restrict the use of mixed alphabets in URLs, making it harder for scammers to register misleading domains. In addition, modern security software can detect and block certain phishing attempts, including suspicious or spoofed web addresses. However, your own vigilance remains the most effective defence.
Essential tips to stay safe
- Never share sensitive information: No bank, credit card company, or legitimate provider will ever ask for passwords, credit card numbers, or e-banking login details by email, phone, WhatsApp, or SMS. No matter how professional the request looks, don’t share this information.
- Don’t let yourself be pressured: If you receive a suspicious email or something feels “off,” don’t click any links – even if the message seems urgent. Scammers often try to create panic. Remember to stay calm and cautious.
- Use official apps: If you’re asked to update payment info or unlock an account, don’t use the link in the message. Instead, open the official website manually or, better yet, use the app from your bank or provider.
- Don’t respond to suspicious messages: If something seems strange, ignore it. If in doubt, call your provider directly using a known number.
- Keep your software updated: Use reliable security software and keep it up to date. The same goes for your browser and apps – enable automatic updates whenever possible.
- Beware of spoofed SMS and calls: Scammers can fake caller names and phone numbers. Don’t trust what you see on your screen alone.
Stay alert, stay safe
Phishing is no longer just about poorly written emails and obvious scams. Instead, it has evolved into a sophisticated, AI-driven threat that can deceive even the most tech-savvy individuals. With tactics like homograph attacks and convincing impersonations of trusted institutions, cybercriminals are constantly finding new ways to exploit our trust and access our most sensitive financial information. While technology such as security software and browser safeguards plays an important role in protecting against these threats, the most powerful defence is still your own awareness. By staying informed, thinking twice before clicking, and using secure practices when managing your finances online, you can significantly reduce the risk of falling victim to phishing.