How to spot and prevent phishing

Every day, millions of people worldwide fall victim to internet scams. These scams can take many forms, such as fraudulent investment opportunities, fake job offers, and phishing attacks.

That’s why it’s crucial for people to take steps to protect themselves. Staying informed, remaining cautious, and following good security practices can help to significantly reduce the risk of falling victim to scams. These steps to security awareness are especially crucial when it comes to phishing attacks, one of the most widespread types of internet scams, totaling over 500 million reported attacks in 2022.1

This article will explore common phishing attacks and provide strategies to help people protect themselves from falling prey to these fraudulent schemes.

What is phishing?

Phishing is a type of cyber attack where scammers pose as legitimate institutions, companies, and sometimes as friends or family, and then attempt to trick individuals into giving away their personal or financial information.

In a typical phishing attack, scammers might create fake emails, text messages, or websites that appear legitimate. They might use logos, branding, or other elements to make the communication look like it's coming from a trusted source, such as a bank or social media platform.

Normally, the goal of the attacker is to convince the recipient to click on a link, download an attachment, or enter their personal information.

Types of phishing attacks

When understanding how to prevent phishing, it’s important to learn what these attacks might look like.

Phishing scams can attack a general audience (spam phishing) or target a specific group or individual (spear phishing). Within these two categories, there are different types of phishing attacks that scammers might use.

Here are some to be aware of:

  • Email phishing: Fraudulent emails appear to be from a legitimate source and ask the recipient to click on a link or provide personal information.
  • Smishing: Scammers use text messages to trick individuals into clicking on a link or providing personal information.
  • Vishing: Like smishing, scammers use phone calls to convince individuals to provide personal information or click on a link.
  • Website spoofing: This is when fake websites are designed to look like legitimate sites to trick individuals into providing personal information.
  • Clone phishing: Scammers create a fake but identical copy of a legitimate email, then send it from a similar-looking email address, asking the recipient to click on a link or download an attachment.
  • Social media phishing: This happens when scammers create fake social media accounts, then send phishing messages to their contacts.

How to spot phishing

Some phishing scams claim to be from someone a person knows, while others pretend to be from a reputable business or charity. Scammers may often threaten to send a debt collector to an individual’s house if they don't transfer money or supply their personal information. Alternatively, a phishing attack may claim someone has a tax refund waiting, requiring them to click on a link — which then might release a virus or malware that can infect the person’s computer.

With so many variations of phishing attacks, it's important to stay vigilant online and when dealing with digital communications. Consider the following to help potentially spot phishing attempts:

  • Look for spelling mistakes or poor grammar
  • Check the sender's address to ensure it's the correct one
  • Avoid websites where the URL doesn't have a padlock or 'https' at the start

Another common tactic used by phishing attacks is to imply a sense of urgency. Often, phishing scams might tell a person they have just a few short hours to respond to the message, instilling fear and making them feel that they must act quickly.

Potential ways to help protect against phishing

It's important to make security a priority. Below are some additional steps one could take to potentially stay protected from phishing.

Avoid clicking on links and check senders

Don’t click on links before verifying who the message is from and whether the link is safe. Check the sender's details. It may be helpful to look up a company’s official website and verify their contact information to confirm legitimacy. People could also consider navigating on a company’s official website to the purported link destination instead of clicking on a link in an email or message. Online URL-checking tools may also be available that can verify whether a link is legitimate or not — though it’s important to be careful and not click the link when copying it to the URL checker.

Software updates

Updating device software can be a great way to protect data, as updates typically include new and enhanced features that can address real-time security issues. Don’t just update laptop software — remember to update mobile devices and desktop computers too.

Passkeys and multifactor authentication

If possible, set up a passkey as the primary login option. Passkeys are considered to be more secure than passwords because they are resistant to phishing and hacking attempts.2 Passkeys let people log in to an app or website by confirming their identity with biometric data (such as face or fingerprint ID), device passcode, or PIN.

Passkeys may not be available on all websites or apps, so review login options when setting up or assessing an account.

Many organizations also offer multifactor (also known as MFA or two-factor) authentication to access their app or platform. This can be via a code that is sent to a personal device or contact account, such as a phone or email, or through an associated MFA app. This can add a form of security past a login username and password.

For example, a person may enter in their login information to a website. The website then sends a code to the person’s phone. The person then needs to input the code into the website before they’re able to officially sign in.

While MFA adds an additional step, it could possibly help people avoid being targeted by phishing scammers.

What to do if you suspect a phishing attack

If someone thinks they’ve fallen victim to a phishing attack, it’s important to act fast to minimize potential damage. Consider taking the following steps:

  • If personal or login information about an account was provided, change that password right away or set up a passkey (if available).
  • If the details provided are financial, let the bank and credit card provider know.
  • If money has been sent to a scammer, contact the police immediately.
  • Report internet scams and phishing to the company being impersonated and to the FTC for investigation.

As with many organizations, some phishing scams might involve fake PayPal messages. If unsure whether an email is fraudulent, avoid clicking on any links. Instead, open the app or log in online to see if the same message is in the related account.

Was this content helpful?

We use cookies to improve your experience on our site. May we use marketing cookies to show you personalized ads? Manage all cookies