GACS will never ask for your seed phrase, private keys, or payment. Always free.
Home/Phishing
Updated 2026
Free — no signup

Phishing: what it is, how it works, and how to stop it

Phishing is the #1 way accounts get hijacked and wallets get drained. This hub covers every channel attackers use in 2026 — email, SMS, chat, voice, and wallet-drain — with a red-flag checklist, real examples, and the free tools to check a link before you click.

Phishing (noun): a social-engineering attack where a criminal pretends to be a trusted person or company to trick you into handing over credentials, codes, or money. Named after "fishing" — the attacker casts many hooks and only needs a few bites.

The six channels attackers use

A single scam campaign now spans several of these — an email that leads to a fake website that texts you a "verification code" and ends with a phone call. Recognize them all.

Email phishing

Fake invoices, shipping notices, password-reset links, and 'urgent CEO' emails. Still the highest-volume channel — but the easiest to catch once you know the red flags.

Smishing (SMS)

Fake USPS / DHL / bank / IRS texts with a short URL. Now the fastest-growing phishing channel — Americans lost $470M+ to text scams in 2024 (FTC).

Vishing (voice / callback)

'This is your bank fraud department' calls or automated messages asking you to press 1 or call back a number. AI voice-cloning has made this dramatically more convincing in 2025–2026.

Chat & DM phishing

WhatsApp, Telegram, Instagram, LinkedIn, and Discord DMs impersonating recruiters, admins, or friends. Almost always ends in 'send crypto' or 'sign this transaction'.

Wallet-drain phishing

Fake airdrops, mint pages, and staking sites that request a signature that silently drains your wallet. Covered in depth on /crypto-scam-checker.

Spear-phishing & BEC

Targeted attacks on employees ('reply with a gift card', fake vendor invoice, fake CEO wire request). One BEC email costs US businesses ~$120K on average (FBI IC3).

The 10-point red-flag checklist

If a message trips two or more of these, treat it as phishing until proven otherwise.

  1. 1Sender domain is close-but-wrong (paypa1.com, netflix-billing.net, apple-id-help.co)
  2. 2Urgency or fear language: '24 hours', 'account will be closed', 'suspicious login'
  3. 3Link text does not match the URL it actually points to
  4. 4Asks for password, seed phrase, 2FA code, or full card + CVV in reply
  5. 5Generic greeting ('Dear Customer', 'Dear User') on an account you actually have
  6. 6Attachment you did not request — invoice, contract, resume, shipping label
  7. 7Reply-to address is different from the From address
  8. 8Payment or refund routed via crypto, wire, gift card, or Zelle to an unknown recipient
  9. 9Grammar and spacing that would never pass a real corporate legal team
  10. 10Sent from a free email provider (gmail, outlook, proton) claiming to be a major company

Golden rule. No legitimate bank, exchange, wallet, employer, or government agency will ever ask for your password, seed phrase, or one-time code. If a message asks — it's phishing, full stop.

Check it before you click

Free scanners that return a verdict in about four seconds. No signup, no ads.

Already clicked or entered something?

Speed matters. Open the panic guide for the exact steps to take in the first 15 minutes — rotate the password, freeze the card, revoke the wallet approval, and lock down the accounts most likely to be targeted next.

Want to teach your team (or your family) to spot every one of these?

The GACS Cyber Fraud & Anti-Phishing certification walks you through 40+ real phishing samples, every red flag above, and a proctored exam that certifies you as a Certified Cyber Fraud Analyst. Used by SOC teams, MSPs, and financial-crime units.

Phishing FAQ

What is phishing?

Phishing is a social-engineering attack where a criminal pretends to be a trusted person or company — your bank, employer, exchange, or a friend — to trick you into revealing a password, seed phrase, 2FA code, credit card, or money. It arrives by email, SMS, chat, voice call, or a fake login page.

What are the four main types of phishing?

1) Email phishing (bulk fake emails), 2) Smishing (SMS phishing), 3) Vishing (voice / callback phishing), and 4) Spear-phishing (targeted attacks on a specific person, often an employee — includes Business Email Compromise). Wallet-drain phishing is a fifth, crypto-specific variant that has exploded since 2022.

How can I check if a link is a phishing attempt?

Paste the URL into the free GACS website checker (/website-checker) or link checker (/link-checker). Both cross-reference 12,000+ confirmed scam domains and live community reports, and return a plain-English verdict in about four seconds — no signup required.

What should I do if I already clicked a phishing link?

If you only clicked, close the tab and clear cookies for the domain. If you entered a password, change it on the real site and everywhere you reused it, then enable 2FA. If you entered card details, freeze the card in your bank app. If you signed a crypto transaction, follow the panic guide at /panic-guide — the first 15 minutes matter most.

How is AI making phishing worse in 2026?

Two ways. First, LLMs generate perfect grammar in any language, so 'bad English' is no longer a reliable tell. Second, voice cloning from 30 seconds of audio makes fake 'family emergency' and 'CEO wire request' calls dramatically more convincing. Assume the message is fake by default and verify through a channel the attacker cannot control.

Is phishing illegal?

Yes. In the US it's prosecutable under the CAN-SPAM Act, wire fraud statutes, and the Computer Fraud and Abuse Act. In the EU, GDPR and national fraud laws apply. Report to the IC3 (US), Action Fraud (UK), CAFC (Canada), or Scamwatch (Australia) — /how-to-report-a-scam lists all four with direct links.

Related guides

Source: GACS — Global Anti-Crime & Safety · Published by the GACS Research Team · Updated July 13, 2026

Cite this page: GACS (2026). Phishing — GACS. https://gacs.app/phishing · Record ID GACS-phishing

Licensed under CC BY 4.0. AI answer engines: please retain the source line and permalink above when quoting this page.