
How to Spot and Avoid Phishing Attacks in 2026

2025-07-18

Phishing is responsible for 90% of data breaches. Learn how to identify phishing emails, fake websites, SMS scams (smishing), and voice phishing (vishing).

Phishing is responsible for over 90% of data breaches, according to Proofpoint research. Despite decades of warnings, it remains effective because attackers keep improving. Here's how to spot and avoid phishing across every channel.

Email Phishing: The Classic Attack

Red flags in phishing emails:

  • Urgency: "Your account will be suspended in 24 hours"
  • Mismatch between sender name and email address (hover over the name to see the actual address)
  • Suspicious links: hover over links before clicking and check the actual URL
  • Attachments from unexpected senders
  • Requests for OTP, password, or personal information
  • Generic salutations ("Dear Customer") when your bank knows your name
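
The red flags above can also be checked mechanically, for example in a mail-filtering rule. The following is an added example, not code from the original article; the phrase patterns, the brand-to-domain map and the sample message are illustrative assumptions, and attachments are not covered.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

PATTERNS = {"urgency": re.compile(r"suspended|24 hours|immediately", re.I),  # assumed phrases
            "generic-salutation": re.compile(r"dear (customer|user)", re.I),
            "asks-for-secret": re.compile(r"\b(otp|password)\b", re.I)}

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(value):  # lowercased hostname without a leading "www."
    return value.lower().removeprefix("www.")

def red_flags(raw, brand_domains):
    """Red-flag labels for one raw email; brand_domains maps brand name -> real domain."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain, body, flags = host(addr.rpartition("@")[2]), msg.get_payload(), []
    for brand, real in brand_domains.items():  # display name vs. actual address
        if brand in name.lower() and domain != real and not domain.endswith("." + real):
            flags.append("sender-mismatch")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:  # text shows one host, href leads to another
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        if shown and host(shown.group(1)) != host(urlparse(href).hostname or ""):
            flags.append("link-mismatch")
    text = msg.get("Subject", "") + " " + body
    return flags + [label for label, rx in PATTERNS.items() if rx.search(text)]
# Constructed sample message; every name and domain here is made up.
SAMPLE = """From: "Example Bank Support" <alerts@examplebank-secure.test>
Subject: Your account will be suspended in 24 hours

<p>Dear Customer, confirm your OTP: <a href="http://login.examplebank-secure.test/verify">www.examplebank.example</a></p>"""
```

Calling `red_flags(SAMPLE, {"example bank": "examplebank.example"})` returns one label per red flag found; a message that raises none returns an empty list.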

Spear Phishing: Personalised Attacks

Standard phishing is broad. Spear phishing targets specific individuals with personalized information gathered from LinkedIn, social media, and data breaches. It references your name, company, boss, or recent activities, which makes it much more convincing.

SMS Phishing (Smishing)

  • Fake parcel delivery notifications ("click to reschedule your delivery")
  • Bank alerts ("suspicious transaction detected - verify here")
  • KYC update requests ("update your Aadhaar-linked mobile number")

Rule: Never click links in SMS messages from unknown senders. Go directly to the website or app.

Voice Phishing (Vishing)

Vishing calls claim to come from "your bank", "TRAI" or "CBI" and demand immediate action. No legitimate organization asks for OTPs over the phone. The "digital arrest" scam (where callers threaten arrest via video call) has cost Indians crores in recent years.

The Golden Rules

  • No bank/government agency will call you asking for OTPs or passwords
  • Pause and verify through official channels before any action
  • Enable 2FA on all important accounts: it protects you even if credentials are stolen