What Is Phishing?

Phishing is a type of social engineering attack where criminals impersonate trusted entities - like banks, tech companies, or government agencies - to trick you into revealing sensitive information. The goal is usually to steal your passwords, financial information, or personal data.

Phishing attacks come in many forms:

  • Email phishing: Fraudulent emails that appear to be from legitimate companies
  • Smishing: Phishing via SMS/text messages
  • Vishing: Voice phishing over phone calls
  • Spear phishing: Targeted attacks using personal information about you

Red Flags in Phishing Emails

1. Suspicious Sender Address

Always check the actual email address, not just the display name. Phishers often use addresses that look similar to legitimate ones:

  • support@amaz0n.com (zero instead of 'o')
  • security@paypal.account-verify.com (the brand name appears only as a subdomain; the real domain is account-verify.com)
  • noreply@bankofamerica.suspicious-domain.com

How to Check

In most email clients, you can click or hover on the sender's name to see the actual email address. If it doesn't match the company's official domain, it's likely a scam.

2. Urgency and Threats

Phishing emails often create a sense of urgency to make you act without thinking:

  • "Your account will be suspended in 24 hours"
  • "Immediate action required"
  • "Unauthorized login detected - verify now"
  • "You've won! Claim within 48 hours or forfeit"

Legitimate companies rarely threaten you or demand immediate action via email.

3. Generic Greetings

Real companies usually address you by name. Be suspicious of:

  • "Dear Customer"
  • "Dear User"
  • "Dear Account Holder"
  • "Dear Sir/Madam"

4. Poor Grammar and Spelling

While phishing attempts are getting more sophisticated, many still contain obvious errors that legitimate companies wouldn't make. Look for:

  • Misspelled words
  • Awkward phrasing
  • Inconsistent capitalization
  • Missing punctuation

5. Suspicious Links

Before clicking any link, hover over it to see the actual URL. Watch for:

  • Misspelled domain names (paypa1.com, arnazon.com)
  • Extra words or subdomains (paypal.secure-login.com)
  • Unusual top-level domains (amazon.payment.xyz)
  • IP addresses instead of domain names
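
The sender-address checks listed earlier and the link checks above can be encoded as a small checker. The following Python is an added example, not code from the original page; the brand allowlist, the character-swap table and the simplified "last two labels" notion of a registered domain are assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist of the domains each brand really uses (illustrative only;
# a real deployment would load the protected organization's own list).
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "amazon": {"amazon.com"},
                 "bankofamerica": {"bankofamerica.com"}}
# Character swaps commonly used in lookalike names: 0 for o, 1 for l, rn for m.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

def registered_domain(host):
    """Last two labels, e.g. 'account-verify.com' (multi-part suffixes like co.uk ignored)."""
    return ".".join(host.split(".")[-2:])

def check_host(host):
    """Return the red flags from the lists above that apply to one host name."""
    host = host.lower().strip("[]").rstrip(".")
    if not host:
        return ["no host name found"]
    try:
        ipaddress.ip_address(host)
        return ["IP address instead of a domain name"]
    except ValueError:
        pass
    reg = registered_domain(host)
    if any(reg in good for good in BRAND_DOMAINS.values()):
        return []  # the brand's real domain: nothing to flag
    base, tld = reg.split(".")[0], reg.split(".")[-1]
    sub_labels = host[:-len(reg)].rstrip(".").split(".")  # labels left of reg
    normalized = base  # undo common character swaps to expose lookalikes
    for fake, real in CONFUSABLES.items():
        normalized = normalized.replace(fake, real)
    flags = []
    for brand in BRAND_DOMAINS:
        if brand in sub_labels:
            flags.append(f"'{brand}' is only a subdomain; real domain is {reg}")
        elif base == brand:
            flags.append(f"{reg}: unexpected top-level domain .{tld} for {brand}")
        elif normalized == brand:
            flags.append(f"{reg} is a lookalike of {brand}")
    return flags

def check_sender(address):
    """Sender-address check: flags for the domain after the '@'."""
    return check_host(address.rsplit("@", 1)[-1])

def check_link(url):
    """Link check: flags for the host of a URL (scheme optional)."""
    return check_host(urlsplit(url if "//" in url else "http://" + url).hostname or "")
```

Running the page's own examples through it: `check_sender("support@amaz0n.com")` reports a lookalike of amazon, `check_link("https://paypal.com/login")` returns an empty list, and `check_link("http://192.168.0.1/verify")` flags the bare IP address.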

Golden Rule

When in doubt, don't click the link. Instead, go directly to the company's website by typing the address in your browser or using a bookmark you've previously saved.

6. Unexpected Attachments

Be extremely cautious with email attachments, especially:

  • Unexpected invoices or receipts
  • Files with extensions like .exe, .scr, or .zip, or .doc files that contain macros
  • Attachments from unknown senders
  • "Voicemail" or "fax" attachments

7. Requests for Sensitive Information

Legitimate companies will never ask you to provide via email:

  • Passwords
  • Social Security numbers
  • Full credit card numbers
  • PINs or security codes

Text Message (SMS) Phishing

Smishing attacks use the same tactics as email phishing but through text messages. Common examples:

  • "Your package cannot be delivered. Update delivery preferences: [suspicious link]"
  • "ALERT: Unusual activity on your bank account. Verify: [link]"
  • "You've won a gift card! Claim here: [link]"
  • "IRS: You owe back taxes. Pay now to avoid arrest: [link]"

How to Protect Yourself

  • Don't click links in unexpected text messages
  • Contact companies directly using official phone numbers
  • Government agencies (IRS, SSA) don't initiate contact via text
  • Report suspicious texts to 7726 (SPAM)

Phone Call Phishing (Vishing)

Scammers may call pretending to be from:

  • Tech support (Microsoft, Apple, etc.)
  • Banks or credit card companies
  • Government agencies (IRS, Social Security)
  • Utility companies threatening to cut service

Warning Signs

  • Unsolicited calls about problems with your computer or accounts
  • Requests for remote access to your computer
  • Pressure to act immediately
  • Requests for payment via gift cards or wire transfers
  • Threats of arrest or legal action

What to Do

Hang up and call the company back using a number from their official website or your account statement. Never use the number the caller provided.

Spotting Fake Websites

Check the URL Carefully

  • Look for misspellings in the domain name
  • Check for HTTPS (but note: scammers can use HTTPS too)
  • Watch for suspicious subdomains
  • Be wary of shortened URLs

Other Red Flags

  • Poor design quality or broken images
  • Missing contact information or about pages
  • Suspicious privacy policy or terms of service
  • Only accepting unusual payment methods

What to Do If You've Been Phished

Immediate Steps

  1. Change your passwords immediately on any affected accounts
  2. Enable two-factor authentication if you haven't already
  3. Contact your bank if you shared financial information
  4. Monitor your accounts for unauthorized activity
  5. Run a security scan if you downloaded anything

Report the Phishing Attempt

  • Forward phishing emails to: reportphishing@apwg.org
  • Report to the FTC: ReportFraud.ftc.gov
  • Report to the impersonated company (most have abuse reporting addresses)
  • Report SMS phishing to: 7726 (SPAM)

Quick Reference Checklist

Before Clicking or Responding, Ask:

  • Was I expecting this email/message?
  • Does the sender address match the company's real domain?
  • Does the link go to the company's actual website?
  • Is there pressure to act immediately?
  • Are they asking for sensitive information?
  • Does something feel "off" about this message?

If any answer raises concerns, don't engage. Verify independently.