What Is Phishing? How to Spot and Avoid Phishing Scams
Have you ever received an email that looked like it was from your bank, asking you to verify your account by clicking a link? Or a text message saying there is a problem with your Amazon delivery? These are phishing attempts.
Phishing is the most common type of cyberattack, and it is getting more sophisticated every year. In this guide, we will explain what phishing is, show you real examples, and teach you how to protect yourself.
What Is Phishing?
Phishing (pronounced like fishing) is a type of cyberattack where criminals pretend to be a legitimate company or person to trick you into giving them sensitive information. They want things like:
- Your passwords and login credentials
- Credit card numbers and banking details
- Social Security numbers or national ID numbers
- Personal information they can use for identity theft
- Access to your computer or network
The name comes from the idea of fishing for information - the attacker casts out a bait (a fake email or message) and waits for someone to bite.
How Phishing Works
Most phishing attacks follow the same basic pattern:
- The bait: The attacker sends a message that appears to be from a trusted source (your bank, a company you use, a government agency, or even a friend).
- The hook: The message creates a sense of urgency or fear: "Your account has been compromised!" or "You owe money - pay immediately to avoid legal action!" or "You have won a prize - claim it now!"
- The trap: You are asked to click a link, download an attachment, or enter your personal information on a fake website.
- The catch: Once you provide your information, the attacker uses it to steal your money, access your accounts, or commit identity theft.
The key to a successful phishing attack is making the fake message look as real as possible. Today, phishing emails can look identical to genuine messages from real companies.
Common Types of Phishing Attacks
Email Phishing
This is the most common type. You receive an email that looks like it is from a legitimate company. The email asks you to click a link, open an attachment, or reply with personal information. The link leads to a fake website that looks real.
Example scenario: You receive an email that appears to be from Netflix saying your payment method has expired. The email looks exactly like a real Netflix email, with their logo and colors. You click the link and enter your credit card details on a page that looks like the Netflix login page. But it is a fake page, and the attacker now has your credit card information and password.
Smishing (SMS Phishing)
Smishing is phishing via text message. These messages often claim to be from delivery services (DHL, FedEx, Amazon), banks, or government agencies. They typically include a link that leads to a fake website.
Example scenario: You get a text: "USPS: Your package is on hold due to incorrect address information. Please update your delivery details." The link takes you to a fake USPS website that asks for your address, phone number, and credit card for a redelivery fee.
Vishing (Voice Phishing)
Vishing is phishing over the phone. The attacker calls you pretending to be from your bank, the IRS, Microsoft tech support, or another trusted organization. They try to pressure you into giving them personal information or access to your computer.
Example scenario: You receive a call from someone claiming to be from your bank's fraud department. They say there is suspicious activity on your account and that they need to verify your account number and PIN. They sound professional and may even have some of your information to appear legitimate.
Spear Phishing
Unlike regular phishing (which is sent to thousands of people randomly), spear phishing targets a specific person or organization. The attacker researches their target and customizes the message to make it more believable.
Example scenario: An attacker finds out your name, where you work, and that you recently subscribed to a particular service. They send you a personalized email referencing this information, making the scam much harder to detect.
Clone Phishing
In clone phishing, the attacker makes an exact copy of a legitimate email you have received before, but replaces links or attachments with malicious ones. Since the email looks identical to one you have already seen and trusted, you are more likely to click.
Real-World Phishing Examples to Watch For
Here are common phishing scenarios you might encounter:
- Your account has been compromised - click here to secure it (from fake PayPal, bank, or email provider)
- You have won a prize or gift card - claim it now (from fake contests or giveaways)
- There is a problem with your delivery - update your address (from fake USPS, UPS, FedEx, Amazon)
- Unusual sign-in detected - verify your identity (from fake Microsoft, Google, or Apple)
- You have an unpaid invoice - pay immediately (from fake utility companies or tax authorities)
- Your subscription is expiring - renew now to avoid cancellation (from fake streaming services)
- Someone shared a document with you - click to view (from fake Google Docs or OneDrive notifications)
- Urgent: Contact HR about your benefits (appears to be from your employer)
How to Spot a Phishing Attempt
Here are the red flags to look for in any message:
Check the Email Address or Sender
Hover over (or tap) the sender name to see the actual email address; the display name can say anything, so only the domain after the @ counts. A real email from your bank will come from @yourbank.com, not from @yourbank-secure.com or @yourbank.support.com. Look for misspellings, extra words, or suspicious domains.
Look for Bad Grammar and Spelling
While not always present (some phishing attacks are very well written), many phishing messages contain spelling mistakes, awkward phrasing, or grammatical errors. Legitimate companies proofread their communications.
Check the Link Before Clicking
Hover your mouse over any link (without clicking!) to see where it actually leads. The link text might say www.amazon.com, but the actual destination might be something completely different.
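As an added example (not code from the original guide), here is a small Python script that applies the two checks just described to a raw email: it compares the sender's domain with the bank's real domain, and compares the site each link claims to point to with where the link actually goes. The bank domain yourbank.com, the sample message, and the regex-based link extraction are all constructed for illustration.

```python
import re
from email import message_from_string, policy, utils
from urllib.parse import urlparse

# Matches <a ... href="X">TEXT</a>; a simplification for this example, real tools use an HTML parser.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(host):
    # Last two labels: 'secure.yourbank.com' -> 'yourbank.com', 'yourbank.support.com' -> 'support.com'.
    # Assumption: two-label suffixes such as co.uk are not handled (a real tool uses a public-suffix list).
    return ".".join((host or "").lower().strip(".").split(".")[-2:])

def domain_in_text(text):
    # Host named by the visible link text if it looks like a URL or bare domain, else None.
    text = re.sub(r"<[^>]+>", "", text).strip()  # drop inner tags such as <b>
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname

def phishing_red_flags(raw_message, legit_domain):
    # Returns (kind, detail) flags: sender off the expected domain, link text that names a
    # different site than its real destination, or any link that leads off the expected domain.
    msg = message_from_string(raw_message, policy=policy.default)
    sender = utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    flags = [("sender_domain", sender)] if registrable_domain(sender) != legit_domain else []
    body = msg.get_body(preferencelist=("html",))
    for href, text in LINK_RE.findall(body.get_content() if body else ""):
        shown, actual = domain_in_text(text), urlparse(href).hostname
        if shown and registrable_domain(shown) != registrable_domain(actual):
            flags.append(("link_text_mismatch", f"{shown} -> {actual}"))
        if registrable_domain(actual) != legit_domain:
            flags.append(("link_off_domain", actual))
    return flags

# Constructed sample message (not a real phishing email): lookalike sender, link text that
# names the real site while the href goes elsewhere, and one genuine subdomain link.
SAMPLE = """From: "YourBank Security" <alerts@yourbank-secure.com>
Subject: Urgent: unusual sign-in detected
Content-Type: text/html

<p>Verify your identity within 24 hours:</p>
<a href="http://yourbank.support.com/login">https://www.yourbank.com/login</a>
<a href="https://secure.yourbank.com/help">Help</a>
"""

if __name__ == "__main__":
    for kind, detail in phishing_red_flags(SAMPLE, "yourbank.com"):
        print(f"RED FLAG {kind}: {detail}")
```

The same exact-domain comparison is what a password manager performs before autofilling, which is why it refuses to fill credentials on a lookalike site.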
Beware of Urgency and Threats
Phishing messages create a false sense of urgency: "Act now!", "Your account will be closed!", "24 hours to respond!" Legitimate companies do not pressure you like this. If a message tries to rush you, that is a red flag.
Unexpected Attachments
If you receive an unexpected email with an attachment, especially from someone you do not know (or even from someone you know but were not expecting a file from), do not open it. Attachments can contain malware.
Requests for Personal Information
Legitimate companies will never ask for your password, credit card number, Social Security number, or other sensitive information via email or text message. If someone asks for this, it is a scam.
Too Good to Be True
If you have won a contest you did not enter, or someone is offering you free money, it is almost certainly a scam. If it sounds too good to be true, it is.
How to Protect Yourself from Phishing
- Never click links in unexpected messages: If you receive an unexpected message from a company, do not click any links. Instead, open your browser and go directly to the company's official website.
- Use two-factor authentication (2FA): Even if someone gets your password, 2FA can stop them from accessing your account. Enable it on all accounts that support it.
- Use a password manager: Password managers can detect fake websites because they will not autofill your credentials on a site that does not match the real domain.
- Keep your software updated: Updates often include security patches for known vulnerabilities that phishers exploit.
- Use email filtering: Most email services (Gmail, Outlook, Yahoo) have built-in phishing filters. Make sure they are enabled.
- Install a browser extension: Some browsers and security companies offer extensions that warn you about known phishing sites.
- Educate yourself and your family: Phishing works because people do not know what to look for. Share this guide with family members, especially older relatives who may be more vulnerable.
What to Do If You Have Been Phished
If you think you have fallen for a phishing attack, act quickly:
- Change your passwords immediately: Start with the account that was compromised, then change passwords on all other accounts, especially if you reuse passwords.
- Enable two-factor authentication: If you have not already, enable 2FA on your accounts.
- Contact the company: If you gave financial information to a fake bank or payment service, contact the real company immediately to report fraud.
- Check your accounts for unauthorized activity: Look for suspicious transactions, login attempts, or changes to your account settings.
- Run a malware scan: Use Windows Defender or Malwarebytes to scan your computer for malware.
- Report the phishing attempt: Forward phishing emails to the FTC or your email provider. Most email services have a Report phishing button.
- Monitor your credit: If you gave away your Social Security number or other sensitive ID information, consider placing a fraud alert on your credit file.
Conclusion
Phishing is a serious threat, but it is one you can defend against with awareness and caution. Remember the golden rule: if an unexpected message asks you to click a link, open an attachment, or provide personal information, do not do it. Go directly to the company's official website or call them using a phone number you know is real. Stay skeptical, stay safe, and help others learn to spot these scams too.