Explainer: what is phishing — how to report emails, texts, calls and fake sites

Feb. 17, 2026 ET — Phishing has grown into a sophisticated, AI‑assisted threat that now underpins a large share of data breaches. Knowing what is phishing, how to stop interacting with a scam, and where to report it can help investigators shut down campaigns and protect other potential victims.

What is phishing and why it matters

Phishing is any attempt to trick a person into revealing sensitive information or installing malware by impersonating a trusted contact or organization. Attacks no longer rely solely on clumsy spelling mistakes; modern campaigns use polished language, stolen branding and multi‑channel narratives that span email, SMS, phone calls and fake websites. That evolution makes behavioural red flags — unexpected requests for money or credentials, urgent timelines, and demands to verify private data — more reliable signals of fraud than grammar alone.

Public safety offices have recently urged extra caution after campaigns that mimicked internal IT requests and payroll notices surfaced in multiple communities. Those incidents show how quickly a single convincing message can prompt widespread engagement, so rapid reporting and containment are critical.

How to report phishing: email, texts, calls and websites

Stop interacting immediately. Do not click links, download attachments or reply. Then take these reporting steps tailored to the medium you encountered.

Email: Use the reporting or abuse tool provided by your mail client or webmail interface to mark the message as phishing or junk. If the message impersonates a company you recognize, forward the suspicious content to that organisation’s verified abuse or fraud contact after confirming the contact details independently, then delete the message.

Text messages (smishing): Many carriers support a short code that maps to the word SPAM for reporting unwanted texts. Forward the message to your carrier’s spam code if supported; if not, block the sender and report the incident to your national consumer protection or cybercrime authority.

Phone calls and voicemails (vishing): Do not provide personal details. Note the caller’s number, the time and the content, and report the call to national authorities responsible for consumer fraud or cybercrime. If the call impersonated a bank or financial service, contact the institution through verified channels to flag the attempted impersonation.

Fraudulent websites: Malicious sites are common distribution points for credential theft and malware. Report these sites through the unsafe‑content or abuse reporting mechanisms maintained by major browser and search service operators so they can evaluate and block access. If a site impersonates a brand, notify the company’s official fraud or abuse team using contact details taken from the company’s verified site.

If you clicked a link or entered information — immediate steps

If you clicked a link but did not enter credentials, disconnect from the internet and run a full antivirus or anti‑malware scan on the device. If you entered login details or financial information, change the affected account passwords immediately from a separate, secure device and enable multi‑factor authentication. Contact your bank or payment provider to report potential fraud and consider freezing or closely monitoring accounts for suspicious activity. Where identity data was submitted, consider placing fraud alerts with the appropriate credit‑monitoring agencies in your country.

Longer term, adopt layered defenses: use unique passwords or passkeys, keep devices and apps updated, enable multi‑factor authentication, and use reputable security tools or DNS filtering to reduce exposure. Prompt reporting helps investigators take down malicious domains, disrupt active campaigns and improve filters that protect everyone.

Community and corporate reporting both matter. If you see a message that feels off, file a report with your email or mobile provider and with the appropriate national authority so officials can investigate and warn others before the next wave of messages arrives.