Learn how phishing works, how to spot it, analyse suspicious links with the URL / domain checker, and practise with safe simulations. Education and research for students and staff.
Phishing is a type of social engineering attack where criminals try to trick you into giving away sensitive information—such as usernames, passwords, bank details, or personal data—by pretending to be someone you trust. The word “phishing” plays on “fishing”: attackers cast out bait (emails, messages, or fake websites) and wait for people to bite.
Attackers often impersonate banks, universities, employers, tech companies (e.g. Microsoft, Google), or delivery services. They create a sense of urgency (“Your account will be locked”, “Verify within 24 hours”) so you act quickly without checking. The goal is usually to steal credentials, install malware, or persuade you to send money or data.
Criminals follow a repeatable playbook. Understanding it helps you recognise when you are being targeted.
They gather information about you or your organisation: job titles, email addresses, social media, and past breaches. This makes messages feel personal and relevant.
They pretend to be a trusted sender: your university, bank, IT team, or a well-known brand. They copy logos, wording, and sometimes real email headers to look legitimate.
They create a reason for you to act: “Your timetable has been updated”, “Unusual login to your account”, “Verify your details or lose access”. The message is designed to trigger curiosity or fear so you click without thinking.
Links in the email or message go to fake websites that look like the real thing. Once you enter your username, password, or card details there, the attacker captures them. Sometimes the link downloads malware instead.
Stolen credentials are used to access your accounts, steal more data, send more phishing from your address, or sell the data on the dark web.
Real-world incidents show how effective and damaging phishing can be—and why awareness matters.
Staff received spear-phishing emails that looked like Google security alerts. When they entered their passwords on fake Google login pages, attackers gained access to thousands of emails. The breach had major political and policy consequences.
In several high-profile cases, attackers first phished or stole credentials from contractors or employees. Those credentials were then used to get into company networks and steal customer payment data. One weak link (a phished employee) can expose an entire organisation.
A single compromised password (reportedly from a legacy VPN account that did not use multi-factor authentication) allowed ransomware attackers to get inside. The pipeline was shut down for days, affecting fuel supply. Phishing or leaked credentials are often the first step in such attacks.
Universities are frequent targets: fake “timetable update” or “scholarship” emails, fake login pages for student portals, and impersonation of IT or finance. Stolen university credentials can give access to research, personal data, and further attacks on partners and suppliers.
These examples underline the same lesson: one clicked link or entered password can lead to large-scale harm. Training and caution are essential.
Before you type your username, password, or any personal or financial information anywhere, run through these checks. If anything feels off, stop and verify through a known, trusted channel.
Check the sender's domain carefully: a genuine university address ends in university.ac.uk, not university-login.xyz or university-secure.com.
Look for misspelt or altered brand names such as gooogle.com, microsft.com, or amaz0n.com.
Be wary of messages that claim to come from an organisation but are sent from a free webmail address such as randomname@gmail.com, or from a long, odd domain.
Even if an attacker gets your password, MFA (e.g. a code on your phone or an authenticator app) can block them from signing in. Turn on MFA for email, university accounts, and banking where possible.
Paste a link or domain into the URL / domain checker for an automated risk indication (typosquatting patterns, brand-in-domain tricks, HTTP vs HTTPS, optional DNS check). It is a teaching aid — not a guarantee — so still verify with official channels.
Phishing is one of the most common and costly forms of cyber crime. A few figures help put the risk in context.
Technical defences (email filters, MFA, secure gateways) reduce risk but cannot block every phishing attempt. Attackers constantly adapt. Human vigilance—checking senders, URLs, and avoiding rushed decisions—remains essential. Training and safe simulations (like those on this site) help people recognise real attacks when they occur.
If you receive a suspicious email or message, do not click links or open attachments. Report it so others can be protected.
After reporting, delete the message if your policy allows. Do not reply or click any links. If you have already entered data on a suspicious page, change your password on the real site (typed in yourself) and enable MFA. If it was a work or university account, inform IT immediately.
Try safe, controlled phishing-style pages to see how realistic they can look. Every simulation shows a clear warning banner and never sends or stores any data.
Enter a website URL or domain to get an automated risk assessment (heuristic rules + optional public DNS lookup). Useful for demonstrating how fake links can be analysed; results are indicative only — see disclaimers on the tool page.
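The checks listed above (legitimate domain versus lookalike, misspelt brands, plain HTTP) and the heuristic rules the URL / domain checker applies can be demonstrated in a few dozen lines. The following is an added example written for this page, not the site's own checker: the brand watch-list, the public-suffix list, the weights and the verdict thresholds are all constructed for illustration, and the optional DNS lookup is left out so the code runs offline.

```python
"""Heuristic URL / domain risk checker (illustrative example, not the site's tool).

Every list and threshold below is a constructed assumption. The checker flags
three signals the page describes: plain HTTP, a brand name embedded in an
unrelated domain (university-login.xyz) and typosquatted brands (gooogle.com,
microsft.com, amaz0n.com). No network lookups are performed.
"""
from urllib.parse import urlparse

# Constructed watch-list of brands phishers commonly impersonate.
BRANDS = ("amazon", "apple", "google", "microsoft", "paypal", "university")

# Constructed list of two-label public suffixes, so the registrable domain of
# "portal.university.ac.uk" is "university.ac.uk" rather than "ac.uk".
MULTI_LABEL_SUFFIXES = {"ac.uk", "co.uk", "org.uk", "gov.uk", "com.au", "co.nz"}

# Digit-for-letter substitutions a typosquatter uses (amaz0n -> amazon).
DIGIT_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Return the owner-controlled part of a host name (simplified suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 from a brand is a classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(url: str) -> dict:
    """Score a URL or bare domain and return the findings behind the score."""
    if "://" not in url:
        url = "http://" + url  # bare domains are treated as plain HTTP links
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    second_level = reg.split(".")[0]
    normalised = second_level.translate(DIGIT_MAP)
    findings, score = [], 0

    if parsed.scheme != "https":
        findings.append("plain HTTP, no TLS on the link")
        score += 1
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode/IDN label (possible look-alike characters)")
        score += 2
    if host.count("-") >= 2 or len(host) > 40:
        findings.append("long or heavily hyphenated host name")
        score += 1

    for brand in BRANDS:
        if second_level == brand:
            break  # the registrable domain *is* the brand: nothing to flag
        # Typosquat: digit substitution or one edit away from the brand.
        if normalised == brand or levenshtein(normalised, brand) <= 1:
            findings.append(f"registrable domain looks like a typosquat of {brand!r}")
            score += 3
            break
        # Brand-in-domain: the brand appears, but someone else owns the domain.
        if brand in second_level:
            findings.append(f"brand {brand!r} embedded in unrelated domain {reg!r}")
            score += 2
            break

    verdict = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return {"url": url, "host": host, "registrable_domain": reg,
            "score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample inputs drawn from the examples given on this page.
    for sample in ("https://portal.university.ac.uk/login", "university-login.xyz",
                   "https://gooogle.com", "http://microsft.com", "https://amaz0n.com"):
        result = assess(sample)
        print(f"{result['verdict']:6} {sample:40} {'; '.join(result['findings']) or 'no findings'}")
```

The edit-distance rule will also flag some legitimate domains that happen to sit one letter from a watched brand, which is why the page calls the tool an indication rather than a verdict: a "high" result is a reason to verify through a known channel, not proof of phishing.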
Each scenario uses a realistic-looking page with a safe-simulation banner. No data is ever sent. After you interact, you are redirected to the educational debrief.
Fake university login (identifier then passphrase). Mimics institutional sign-in so you can see how phishers copy real pages.
Fake login page mimicking a social platform. “Unusual login” email → click → login form (with banner) → redirect to debrief.
Fake “Reset your password” page. “Password reset requested” email → click → reset form (with banner) → redirect to debrief.