What is phishing?
Phishing is a fraudulent message that pretends to come from someone you trust (a bank, the tax authority, a colleague or a well-known service) in order to get you to click a link, hand over a password or pay an invoice. It is the most common starting point of cyber attacks on companies.
The definition
Phishing is about deception, not technical break-ins. The attacker doesn't pick the lock; they get you to open the door yourself: typing your password into a fake login page, opening an infected attachment or transferring money to the wrong account. The goal is almost always one of three things: credentials, money, or getting malware inside the defences.
The variants
The same deception appears in several forms, each with its own name:
- Spear phishing: a targeted message tailored to a specific person, often built from LinkedIn or the company website.
- Smishing: the same scam by SMS, for example a fake parcel-fee text.
- Vishing: the scam by phone, where "the bank" or "IT support" asks for a code or a transfer.
- Quishing: a fake QR code leading to a scam site.
- Whaling: phishing aimed specifically at executives and finance staff, where the payoff is largest.
How to recognise phishing
AI has changed the game: spelling mistakes and awkward language are no longer a reliable warning sign, because scam messages can now be written flawlessly. The signals that still hold:
- The sender: the actual email address, not the display name.
- The links: the URL a link really points to (visible on hover), not the text shown.
- Time pressure: "right now", "within 24 hours", "or your account will be closed". Urgency is one of the strongest tells.
- The unexpected request: a message you weren't expecting that asks for a login, payment or confidential information.
- The password ask: legitimate companies never ask for your password by email.
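The first two signals above, the real sender address versus the display name and where a link actually points versus the text it shows, can be checked mechanically. The following is an added example, not code from the original page or from Varhugi: it parses a constructed sample email, compares the From address against a constructed allow-list of which domain each brand really sends from (EXPECTED_DOMAINS is an assumption), and flags any link whose visible text is a URL on a different host than its href.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list (assumption): brand in display name -> its real domain
EXPECTED_DOMAINS = {"skatturinn": "skatturinn.is"}

def host_of(url: str) -> str:  # "" when the text is not a URL at all
    return (urlparse(url).hostname or "").lower()
def under(host: str, domain: str) -> bool:  # host is domain or a subdomain
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_signals(raw_message: str) -> list[str]:
    """Return one finding per signal that fired; an empty list means none did."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    for brand, real in EXPECTED_DOMAINS.items():  # signal 1: name vs address
        if brand in name.lower() and not under(addr.rpartition("@")[2].lower(), real):
            findings.append(f"display name says {brand!r} but address is {addr}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    links = LinkCollector()
    links.feed(body)
    for href, text in links.links:  # signal 2: URL shown vs URL targeted
        shown, target = host_of(text), host_of(href)
        if shown and not (under(shown, target) or under(target, shown)):
            findings.append(f"link shows {shown} but points to {target}")
    return findings

# Constructed sample, not a real message: a spoofed tax-authority refund mail
SAMPLE = """From: Skatturinn <endurgreidsla@skatturinn-refund.example>
Content-Type: text/html; charset=utf-8

<p>Open <a href="http://login.scam.example/x">https://www.skatturinn.is/</a></p>
"""
```

Running `phishing_signals(SAMPLE)` returns two findings, one for the mismatched sender domain and one for the link whose text shows skatturinn.is but whose target is another host; a genuine message from a subdomain of the expected domain with matching links returns none.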
The Icelandic examples
Phishing in Iceland uses Icelandic context: fake refund emails in the name of Skatturinn, "your bank" asking you to verify access, texts from "the postal service" about a small delivery fee, and fake pages posing as public institutions collecting kennitala numbers. The forms change; the pattern is always the same: a trusted sender, an urgent errand and a link to click.
If you clicked
A click is not the end of the world, but speed matters most. If you entered a password, change it immediately, everywhere the same password was used, and enable two-factor authentication if it wasn't already on. Then tell IT or whoever owns security straight away. Reporting within minutes can be the difference between a closed incident and a data breach, and no workplace with a healthy security culture punishes people for speaking up.
Frequently asked questions
- What is phishing?
- Phishing is a fraudulent message that pretends to come from a trusted party (a bank, a public institution or a colleague) to get the recipient to hand over a password, pay, or open an infected attachment. It is the most common starting point of cyber attacks.
- How do I recognise a phishing email?
- Check the sender's actual address (not just the name), the URL links really point to, time pressure in the message, and whether it asks for a password or payment you weren't expecting. Spelling mistakes are no longer a reliable signal; AI writes scam messages fluently.
- What is the difference between phishing, smishing and vishing?
- The same deception on different channels: phishing is email, smishing is SMS and vishing is a phone call. Fake QR codes are called quishing. The defence is the same: verify the request through another channel before acting.
- What do I do if I clicked a phishing link?
- Change the password immediately, everywhere it was reused, enable two-factor authentication and tell IT at once. Fast reporting can stop a click from becoming a breach.
Train your staff to spot the scam
Varhugi teaches staff to recognise phishing, smishing and vishing with short modules in Icelandic, using real Icelandic examples.