
What is a phishing attack and how do you spot one?


A phishing attack is a scam where criminals send fake emails, texts, or messages pretending to be from trusted companies to trick you into giving them your passwords or personal information. You can spot one by looking for suspicious links, urgent language, and emails from addresses that don't match the real company.

What it targets: Passwords, credit card numbers, and personal information
Common delivery method: Fake emails, text messages, or social media messages
Fake sender: Criminals impersonate banks, PayPal, Apple, Amazon, or other trusted companies
Red flag (urgency): Messages claiming your account will be closed or locked if you don't act now
Red flag (links): Suspicious URLs that look similar to real websites but have slight spelling differences
Red flag (grammar): Poor spelling, grammar mistakes, or awkward phrasing in official-looking messages

What is a phishing attack?

Phishing is a type of cybercrime where attackers send fake messages that appear to come from legitimate companies or people you trust. The goal is to trick you into clicking a malicious link or downloading a harmful file. When you click the link, you might be taken to a fake website that looks real, where criminals can steal your login information, financial details, or other sensitive data.

How to spot a phishing email

Check the sender's email address carefully—it may look similar to a real company email but have a slightly different spelling. Look for generic greetings like "Dear Customer" instead of your actual name. Hover over any links (don't click them) to see if the web address matches what the email claims. Be suspicious of any message asking you to verify your password, confirm your account, or update your payment information by clicking a link.
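
The sender-address and hover-over-link checks above, written as an added Python example that is not part of the original article. The TRUSTED list, the 0.8 similarity threshold, the function names and the sample message are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = ("paypal.com", "apple.com", "amazon.com")  # assumption: sites the reader uses

class Links(HTMLParser):  # collects [href, visible text] for every <a> tag
    def __init__(self):
        super().__init__()
        self.links, self.inside = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.inside = True
    def handle_endtag(self, tag):
        self.inside = self.inside and tag != "a"
    def handle_data(self, data):
        if self.inside:
            self.links[-1][1] += data

def imitates(domain):  # trusted domain that `domain` resembles but is not, else None
    for good in TRUSTED:
        if domain == good or domain.endswith("." + good):
            return None  # the real site or one of its subdomains
        if SequenceMatcher(None, domain, good).ratio() >= 0.8:  # assumed threshold
            return good

def red_flags(from_header, html):  # sender-address check plus hover-over-link check
    flags = []
    sender = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if imitates(sender):
        flags.append(f"sender domain {sender} imitates {imitates(sender)}")
    parser = Links()
    parser.feed(html)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower().removeprefix("www.")
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text.lower())
        claim = shown.group(0).removeprefix("www.") if shown else None
        if claim and host != claim and not host.endswith("." + claim):
            flags.append(f"link text shows {claim} but opens {host}")
        elif imitates(host):
            flags.append(f"link host {host} imitates {imitates(host)}")
    return flags

# Constructed sample, not a real message.
SAMPLE_FROM = '"PayPal Support" <service@paypa1.com>'
SAMPLE_HTML = '<a href="http://paypal.com.login-check.example/verify">www.paypal.com/verify</a>'
```

These are heuristics: a clean result does not prove a message is genuine, and link text that merely contains a dotted token can produce a false flag.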

Common warning signs

Phishing messages often create a sense of urgency, saying things like "Act now or your account will be closed" or "Suspicious activity detected." They may contain spelling mistakes, poor grammar, or unusual formatting. Legitimate companies usually address you by name and won't ask for passwords through email. If an offer sounds too good to be true—like winning money in a contest you didn't enter—it's likely a scam.

What to do if you receive a phishing message

Don't click any links or download any attachments. If the message claims to be from a company you use, contact that company directly using a phone number or website you know is real, not information from the email. Report the phishing email to the company and to your email provider. You can also report suspicious messages to the Anti-Phishing Working Group at reportphishing.org.

How to protect yourself

Use strong, unique passwords for each online account so that if one is compromised, others stay safe. Enable two-factor authentication when available, which adds an extra security step when logging in. Keep your browser and operating system updated with the latest security patches. Be cautious about what personal information you share online.
