Walter Ledger

Tech Tips for the Over 50

Phishing Attacks and Staying Safe: A No-Nonsense Guide to Not Getting Hooked


Author: Walter Ledger

Why This Matters (And Yes, It Really Does)

Right, let’s talk about something that’s probably already irritated you at least once this week. Phishing attacks. I know, I know, another scary internet thing to worry about. But here’s the truth: phishing is responsible for a staggering amount of online crime these days. We’re talking over a million phishing attacks recorded globally in just the first quarter of 2025, and losses from internet crimes hit a record $16.6 billion in 2024 alone. That’s billion, with a B.

Now, I’m not trying to terrify you. I’m really not. But phishing attacks have become the digital equivalent of that dodgy bloke who used to knock on your door claiming to be from the water board. Except now, he’s got a thousand different disguises, he’s in your inbox, on your phone, and he’s gotten disturbingly good at his job.

The thing is, understanding phishing isn’t just about protecting your bank account, though that’s obviously important. It’s about staying independent online. It’s about not having to call your kids or grandkids in a panic because someone’s locked you out of your email or, worse, emptied your savings. And honestly, once you understand how these scams work, you’ll feel a lot more confident clicking around the internet. You might even feel a bit smug when you spot one.

What Phishing Is Used For (And What It’s Not)

Let me be really clear about what we’re dealing with here. Phishing is a type of fraud. It’s criminals pretending to be someone trustworthy (your bank, Amazon, the tax office, even your own grandson) to trick you into handing over personal information or money. They want your passwords, your bank details, your personal data. Sometimes they want you to click a dodgy link that installs nasty software on your computer. Other times they’re after direct bank transfers.

What phishing is not, however, is a legitimate security check. Your bank will never email you asking for your password. The police won’t ring demanding iTunes gift cards. Netflix isn’t going to text you threatening to cancel your account unless you click a link right now. These are all classic examples of email scams and phishing attacks that we’ve all seen in one form or another.

Phishing also isn’t some super-sophisticated hacking like you see in films. These criminals aren’t breaking through firewalls or cracking codes. They’re exploiting something much simpler and, frankly, much more effective. They’re exploiting trust and urgency. They’re social engineers, really, just con artists who’ve moved their operation online.

Before Phishing: The Original Scammers

Before we had phishing attacks, we had good old-fashioned fraud. And I do mean old-fashioned. Scams have been around since humans figured out they could lie for profit, which was probably about five minutes after we invented currency.

Think about it. Remember those letters that used to come through the post telling you you’d won a prize draw you never entered? Or the ones claiming you’d inherited a fortune from a distant relative in Nigeria? That was the phishing of its day, just slower and printed on paper. The 419 scam, as it became known, was named after the section of the Nigerian Criminal Code dealing with fraud. It worked exactly like modern phishing: create a believable story, make a tempting offer, get the victim to send money or personal details.

Then there were the telephone scams. The double glazing salespeople who wouldn’t take no for an answer. The people claiming to be from the tax office demanding immediate payment. The fake charity collectors. We learned to be suspicious of cold callers, to hang up on pushy salespeople, to check credentials before opening the door to strangers.

Early Internet Security (Or Lack Thereof)

When the internet first arrived in homes during the 1990s, security was barely an afterthought. Honestly, it was like the Wild West, exciting, new, and absolutely teeming with outlaws. Early internet users were mostly enthusiasts, academics, and tech-savvy folks who were just thrilled to be connected to a global network. The idea that you needed to protect yourself online hadn’t really sunk in yet.

Viruses were the big worry back then, not phishing. We installed antivirus software and learned not to open suspicious email attachments. Email itself was still relatively new and exciting. If someone sent you an email, it felt personal, almost trustworthy. We hadn’t yet learned to be suspicious of our inboxes.

The early security measures were pretty basic. You had a password, hopefully not “password123” but let’s be honest, probably something similar. There was no two-factor authentication, no password managers, no security alerts. If someone figured out your password, that was pretty much game over.

The Evolution of Phishing: From Amateur Hour to Professional Crime

Version 1.0: The Early Days (Mid-1990s)

The term “phishing” first appeared in the mid-1990s, with the “ph” borrowed from “phreaking,” which was what people called hacking telephone systems. The first phishers targeted America Online (AOL) users, and they were remarkably unsophisticated by today’s standards.

These early phishing attacks were crude. Scammers would send messages pretending to be AOL employees, asking users to “verify” their accounts by handing over their passwords. The emails were often riddled with spelling mistakes and looked obviously fake, but remember, this was new. People didn’t know to be suspicious yet. Some folks actually fell for it, which taught the criminals a very important lesson: this works.

The benefit over previous scams was scale and speed. Instead of posting individual letters or making phone calls one at a time, a scammer could send thousands of emails in minutes. The internet had industrialised fraud.

Version 2.0: Getting Sophisticated (Early 2000s)

By the early 2000s, phishing had grown up considerably. Criminals started creating fake websites that looked exactly like real bank login pages. They’d send emails with links to these counterfeit sites, and unsuspecting users would type in their usernames and passwords, handing them directly to the scammers.

These attacks became more targeted and more convincing. The emails looked more professional. The fake websites were harder to distinguish from the real thing. Criminals learned to use company logos, official-sounding language, and urgent calls to action. “Your account will be suspended unless you act now!” That sort of thing.

This version of phishing introduced us to the concept of learning how to spot phishing emails. Security experts started telling us to check the sender’s email address, to hover over links before clicking, to look for spelling mistakes. It became a proper cat-and-mouse game.

Version 3.0: Going Mobile (2010s)

Then smartphones happened, and suddenly we were all carrying the internet in our pockets. The criminals, naturally, followed us there. This era introduced smishing (phishing via text message) and ramped up vishing (voice phishing, or scam phone calls) to industrial levels.

Smishing messages would claim to be from your bank, the Post Office saying you’d missed a delivery, or HMRC threatening legal action. These texts would include links to fake websites designed to steal your details. The benefit for scammers was that people tend to trust text messages more than emails, and phone screens are smaller, making it harder to spot warning signs.

Vishing got more sophisticated too. Scammers would spoof phone numbers to make calls appear to come from legitimate organisations. They’d have scripts, background noise to sound like call centres, and increasingly convincing stories. Vishing attacks surged by 442 percent in recent years, which is frankly terrifying.

Version 4.0: Social Media and Current Attacks (2020s)

We’re now living through what I’d call the golden age of phishing, if you’re a criminal anyway. For the rest of us, it’s more of a nightmare. Current phishing attacks happen across every platform you use. Email, obviously, but also Facebook, WhatsApp, Instagram, LinkedIn, and even dating sites.

Social media phishing is particularly nasty because criminals can gather information about you from your public profiles. They know your friends’ names, where you’ve been on holiday, what hobbies you have. This makes their attacks more convincing. They might impersonate a friend asking for money, knowing you’ll recognise the name.

We’re also seeing something called Business Email Compromise, where criminals impersonate executives or suppliers to trick employees into transferring large sums of money. A staggering 64 percent of businesses faced these attacks in 2024, with average losses of $150,000 per incident. That’s not small change.

Current statistics show that over a million phishing attacks occurred in the first quarter of 2025 alone, and 82.6 percent of phishing emails now bypass standard email security. The criminals have gotten really, really good at this.

How Phishing Works: Breaking Down the Con

Right, let’s walk through exactly how a phishing attack works, from start to finish. Understanding this is your best defence, honestly.

Step One: Research and Preparation

The criminal starts by choosing their target and their story. Sometimes they’re casting a wide net, sending thousands of generic emails hoping someone bites. Other times they’re more targeted, researching specific individuals or companies on social media to craft convincing, personalised messages.

They’ll decide who to impersonate. Banks are popular because everyone’s nervous about their money. Amazon works well because so many people use it. The tax office is effective because people fear legal trouble. During the pandemic, we saw loads of phishing attacks pretending to be from the NHS or offering vaccines.

Step Two: The Approach

Next comes the contact. If it’s email phishing, you’ll receive a message that looks legitimate. It’ll have the right logos, similar email addresses (though usually slightly wrong if you look closely), and professional language. The email will contain either a link to a fake website or an attachment containing malware.

With smishing, you’ll get a text message, usually claiming to be urgent. “Your parcel couldn’t be delivered,” or “Suspicious activity on your account.” The message includes a link.

Vishing involves a phone call. The caller might claim to be from your bank’s fraud department, from Microsoft’s technical support, or from the police. They’ll sound professional and convincing.

Social media phishing might be a message from what looks like a friend’s account, or an advert for something too good to be true.

Step Three: The Hook

Here’s where the psychology comes in. The message will always contain an emotional trigger. Fear is popular: your account’s been compromised, you owe money, legal action is imminent. Urgency works too: act now or lose this opportunity. Sometimes they use curiosity (you’ve received a package) or greed (you’ve won something).

These emotional triggers are designed to make you act without thinking. They want you to click that link or provide those details before your rational brain kicks in and says, “Hang on, this doesn’t seem right.”

Step Four: The Steal

If you click the link in a phishing email, you’ll land on a fake website that looks real. You’ll be asked to log in, and when you type your username and password, the criminals capture them. They now have access to your account.

If you call back a number from a vishing attempt, or stay on the line, the scammer will ask you to “verify your identity” by providing personal details, passwords, or even one-time security codes. Some will try to get you to install remote access software, giving them complete control of your computer.

With smishing, clicking the link might download malware onto your phone, or take you to a fake payment page where you’re asked to pay a small fee for a delivery or to “verify” your account.

Step Five: The Damage

Once criminals have your login details, they act fast. They’ll access your bank account and transfer money. They’ll use your email to send phishing emails to everyone in your contacts. They’ll lock you out by changing your passwords. They might steal your identity to open new accounts or apply for credit in your name.

The damage can be financial, obviously, but it’s also emotional. Victims of phishing attacks often feel embarrassed, stupid, violated. But here’s the thing, it’s not your fault. These are professional criminals using sophisticated psychological manipulation. Plenty of tech-savvy people fall for phishing too.

The Future of Phishing: It Gets Worse Before It Gets Better

I wish I could tell you phishing was going to get easier to spot, but I’d be lying. The future of phishing attacks looks, quite frankly, terrifying.

Artificial Intelligence and Deepfakes

The biggest game-changer is artificial intelligence. Nearly nine out of ten phishing attempts now involve AI-generated or AI-assisted content. AI allows criminals to create perfectly written phishing emails with no spelling mistakes or grammatical errors. It can generate thousands of personalised messages, each tailored to individual targets based on their social media activity.

But the really scary bit is deepfakes. We’re already seeing criminals use AI to clone voices and create fake videos of executives. Imagine receiving a video call from your bank manager, or your boss, or even your child, except it’s not actually them. It’s a deepfake, a computer-generated fake that looks and sounds exactly like them, asking you to transfer money or provide sensitive information.

This isn’t science fiction. In 2024, fraudsters used deepfake technology to impersonate a company’s CFO on a video call, tricking an employee into transferring $25 million. Twenty-five million dollars. From one fake video call. Deepfake fraud could rise by 162 percent in 2025.

Cross-Platform Attacks

Future phishing won’t just come through one channel. Criminals are developing sophisticated cross-platform campaigns. You might receive an email, then a text message, then a phone call, all supporting the same scam story. This multi-channel approach makes the scam seem more legitimate because it’s coming at you from different directions.

The Arms Race

Here’s the slightly hopeful bit. As phishing gets more sophisticated, so do the defences. AI is being used to detect phishing attempts as well as create them. Email providers and phone companies are getting better at filtering scams. Browsers now warn you when you’re about to visit suspicious websites.

But it remains an arms race. Criminals develop new techniques, security improves, criminals adapt again. The best defence, honestly, is staying informed and staying suspicious.

Security and Vulnerabilities: Protecting Yourself

Right, enough doom and gloom. Let’s talk about what you can actually do to protect yourself from phishing attacks. The good news is that you don’t need to be a technical genius. You just need to develop some good habits.

The Basic Rules

First, be suspicious. Really, genuinely suspicious. If you receive an unexpected email, text, or call asking for personal information or money, your default response should be doubt. Legitimate organisations don’t ask for passwords or financial details via email or text. They just don’t.

If your bank emails you about a problem, don’t click any links in the email. Instead, close the email, open your browser, and go to your bank’s website by typing the address yourself. Log in there and check if there really is a problem. Or call your bank using the number on the back of your card, not any number provided in the email.

Never, ever give out passwords, PIN numbers, or one-time security codes to anyone. Not over the phone, not via email, not in a text message. Your bank already knows your password. They don’t need you to tell them.

Two-Factor Authentication: Your Digital Deadbolt

Right, two-factor authentication. Sounds technical, but it’s actually beautifully simple. You know how your front door probably has a lock and maybe a chain or bolt? Two-factor authentication is like that, but for your online accounts.

Here’s how it works. When you log into an account with two-factor authentication enabled, you first enter your password as normal. That’s factor one. But then the system asks for factor two, usually a code sent to your mobile phone via text or an app. You type in this code, and only then are you allowed in.

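The beauty of this is that even if a criminal steals your password through phishing, they can’t access your account without that second code, which is sent to your phone. They’d need to have both your password and physical access to your phone, which is much, much harder. That only holds as long as you keep the code to yourself, which is why you never read a one-time code out to a caller or type it into a page you reached from a link.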

Setting up two-factor authentication is usually free and relatively painless. Most major services now offer it: Google, Facebook, your online banking, Amazon. There’s usually an option in your account security settings. It adds a few seconds to logging in, yes, but it makes your account vastly more secure. Think of those few extra seconds as time well spent.

Password Managers: Your Digital Keyring

Now, password managers. You probably have dozens of online accounts, and you’re supposed to use a different, complex password for each one. That’s basically impossible to remember, so most people either use the same password everywhere (terrible idea) or use simple passwords they can remember (also terrible).

A password manager is a piece of software that remembers all your passwords for you. You create one single, strong “master password” that you’ll need to remember. The password manager then generates long, complex, random passwords for all your other accounts and stores them securely. When you need to log into a website, the password manager fills in your username and password automatically.

It’s like having a keyring for all your digital keys, except the keyring is locked and encrypted, so even if your computer gets hacked, the passwords are protected. Popular password managers include LastPass, 1Password, Dashlane, and Bitwarden. Some are free, others charge a small fee, usually around £30 a year.

The brilliant thing about password managers is that they also protect you from phishing. If you click a link to a fake banking website, your password manager won’t recognise the URL and won’t fill in your password. It’s an automatic warning that something’s wrong.
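
How a password manager ends up leaving the box empty on a fake site, as a small added example (not from the original post and not any real product’s code). It assumes a made-up bank address and a strict exact-address match; real password managers have their own matching rules.

```javascript
// Added illustration, not any real password manager's code.
// The saved entry and every URL below are constructed samples.
const vault = [{ site: "https://online.mybank.example", username: "walter" }];

// Reduce an address to its origin (scheme + exact host + port).
// Anything that is not a parseable http/https URL yields null.
function originOf(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return null;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  // URL lower-cases the host and turns non-ASCII letters into punycode,
  // so look-alike characters cannot compare equal to the real name.
  return u.origin;
}

// Return the saved entry whose origin equals the page's origin, else null.
function findLogin(pageUrl, entries = vault) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === null) return null;
  return entries.find((e) => originOf(e.site) === pageOrigin) || null;
}

// Constructed addresses: the real site first, then look-alikes that must get no autofill.
const samples = [
  "https://online.mybank.example/login?next=/accounts", // the real site
  "https://ONLINE.MyBank.Example/", // same site, odd capitals
  "https://online.mybank.example.secure-check.example/login", // real name used as a prefix
  "https://online.mybank.example@secure-check.example/login", // real name placed before an @
  "https://online.rnybank.example/login", // "rn" standing in for "m"
  "https://online.myb\u0430nk.example/login", // Cyrillic letter in place of "a"
  "http://online.mybank.example/login", // right name, but not https
];

// For each address, say whether the saved login would be offered.
function report(urls = samples) {
  return urls.map((url) => ({ url, offered: findLogin(url) !== null }));
}

for (const row of report()) {
  console.log(row.offered ? "FILL " : "BLANK", row.url);
}
```

Only the first two addresses get the saved login; the rest come back blank, which is the automatic warning described above.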

For a more detailed look at password managers, see my post on them:

The Password Manager Guide for People Who Can’t Remember Where They Put Their Reading Glasses

Keep Your Software Updated

This one’s boring but important. When your computer or phone nags you about installing updates, actually install them. Those updates often include security patches that fix vulnerabilities criminals might exploit. Yes, updates are annoying and sometimes take ages, but they’re your first line of defence against new types of malware and phishing attacks.

Trust Your Instincts

Finally, and I really mean this, trust your gut. If something feels wrong, it probably is. If an email seems suspicious, even if you can’t quite put your finger on why, don’t click anything. If a phone call feels off, hang up. If an offer seems too good to be true, it absolutely is.

You’ve lived through decades of real-world scams and dodgy salespeople. Those same instincts apply online. The criminals are relying on you doubting yourself, on you thinking, “Well, maybe this is legitimate, maybe I’m just being paranoid.” You’re not being paranoid. You’re being sensible.

Summary: Staying Safe in Dangerous Waters

So there we are. Phishing attacks have evolved from crude AOL scams in the 1990s into a sophisticated, AI-powered criminal industry causing billions in losses every year. More than a million phishing attacks occurred in just the first quarter of 2025, using email, text messages, phone calls, and social media to trick victims.

The key to learning how to spot phishing is understanding that these scams work through psychological manipulation, not technical wizardry. Criminals create urgency, fear, or curiosity to make you act without thinking. They impersonate trusted organisations. They’re getting better at it, too, with AI-generated content and deepfake technology making email scams and other phishing attacks increasingly convincing.

But you’re not helpless. Simple precautions make an enormous difference. Be suspicious of unexpected contacts asking for personal information. Use two-factor authentication, that extra layer of security that requires both your password and a code sent to your phone. Consider a password manager to create and store complex, unique passwords for every account. Keep your software updated. And trust your instincts: if something feels wrong, it probably is.

The future will bring more sophisticated phishing attacks, there’s no getting around that. But it will also bring better defences. And more importantly, you’re now armed with knowledge. You understand how these scams work, what they’re trying to achieve, and how to protect yourself.

Nobody’s perfect. We all have moments of distraction where we might click something we shouldn’t. If you do fall victim to phishing, don’t panic and don’t be embarrassed. Act quickly: change your passwords, contact your bank, and report the scam to Action Fraud. The faster you act, the less damage can be done.

The internet is a wonderful thing. It connects us to information, to people, to services that make life easier. Phishing is the price we pay for that connectivity, but it doesn’t have to control how you use the internet. Stay informed, stay suspicious, and stay safe. You’ve got this.

Walter

Walter Ledger helps people over 50 navigate the digital world with confidence and common sense. In addition to his cryptocurrency guide Bitcoin & Beyond: A Guide for People Who Remember When Phones Had Cords, he has also written The Robot Won’t Bite: A Common-Sense Guide to AI for People Over 50.
