Phishing is a type of fraud that cybercriminals use to trick people into divulging personal information, such as Social Security numbers, passwords and birth dates; it’s also used to trick someone into sending money to con artists.

Typically, phishing attacks refer to scams sent via email and text messages. However, phishing can also be broadly used to describe any kind of social engineering that deceives or tricks the victim into sending money to or sharing information with a fraudster.


Like fishing (where the term originates), phishing attacks use a wide variety of tools as bait to gain your trust.

Scammers may use personal information (you have a grandchild, you went to a particular college, you’re part of a charitable organization) or enticing subject lines (you won a prize, your tax refund is waiting) to trick you into clicking a link, calling a number or sending money.

Social media makes it easy for criminals to gain personal information or even pose as friends and colleagues, so these schemes can often be challenging to detect.

Attackers have gotten more sophisticated at making phony emails that impersonate a real sender, a practice known as “spoofing.” Fake emails can be indistinguishable from authentic ones because scammers copy everything from the logos and writing style down to email addresses that closely resemble those of a legitimate organization.

A typical tactic is to change just one letter in the sender’s email address, so instead of “BankofAmerica.com,” it might read “BankofAmerca.com.” At a glance, you may not notice the error.
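The one-letter trick described above can be caught mechanically: compare the sender’s domain against a short list of organizations you actually deal with and flag anything that is only an edit or two away. The script below is an added example, not part of the original article; the trusted-domain list and the sample “From:” headers are constructed for illustration.

```python
# Added example: flag sender domains that are a small edit away from a trusted domain.
# TRUSTED_DOMAINS and the sample headers below are constructed, not taken from any real mailbox.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"bankofamerica.com", "irs.gov", "paypal.com"}  # assumed allow-list


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain of the real address, ignoring the display name
    (a display name of "Bank of America" proves nothing about the address)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return ("trusted", domain), ("lookalike", imitated_domain) or ("unknown", domain)."""
    dom = sender_domain(from_header)
    if dom in trusted:
        return ("trusted", dom)
    for t in trusted:
        # A subdomain of a trusted domain is still that organisation's mail.
        if dom.endswith("." + t):
            return ("trusted", t)
        d = levenshtein(dom, t)
        if 0 < d <= max_distance:
            return ("lookalike", t)
    return ("unknown", dom)


if __name__ == "__main__":
    # Constructed sample headers
    for hdr in ['"Bank of America" <alerts@bankofamerca.com>',
                'notices@bankofamerica.com',
                'friend@example.org']:
        print(hdr, "->", classify_sender(hdr))
```

A distance threshold of 1 or 2 catches dropped, swapped or substituted letters; raising it further starts to flag unrelated short domains, so keep the allow-list limited to organizations you actually receive mail from.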


Why Do Scammers Send Fake Emails And Texts?

The goal of phishing or sending fake emails and texts is typically to get the recipients to click on a link or download something. The link or download often does one of two things:

  • It sends you to a site that asks for personal information, such as your password or credit card number.
  • It installs malware (viruses, spyware or ransomware) on your computer.

You might not even realize you have malware on your computer, which can be dangerous. If hackers can access your accounts or install a keystroke logger on your device, they could wreak havoc on your life. If you do click on a link, run a malware diagnostics check or get your device examined by a professional.

Common Phishing Scams Take Advantage Of Our Fears And Desires

Phishing emails prey upon our basic needs and desires, such as emergencies, cash windfalls, late payments and messages from friends. They often have an urgent call to action that might prompt you to act quickly, without time to consider the consequences or research the email.

According to the Federal Trade Commission (FTC), some common phishing stories include:

  • Your payment is past due.
  • You need to verify the information to get your tax refund.
  • There’s been suspicious activity or log-in attempts on your account.
  • Claim your coupons, discounts or free stuff.

Any unexpected email promising a great job, cheap rent, a tax refund and other financial opportunities should be met with suspicion. Contact the source directly if you want to know if the email is credible. Call the source if the email claims to be from the IRS, your bank, or a potential employer. Be sure to contact a verified number and don’t call any numbers contained in the email.

Often, phishing attacks coincide with current events. For example, rental assistance and IRS refund scams gained popularity as Covid-era assistance and tax rebates were in the news. Because scammers offer solutions to real issues, it can be easy to mistake one for someone authentic.

You Clicked On A Phishing Link. Now What?

If you get duped into clicking on a phishing link (don’t feel bad, it can happen to anyone), there are some immediate steps you should take.

  • Disconnect from the internet so the malware can’t spread to the rest of your network. The quickest way to disconnect from the internet is to put your devices on airplane mode while you assess the situation. You can also disconnect from Wi-Fi by going to the settings menu on your device.
  • Back up your data. You can use a USB drive, which doesn’t require an internet connection, to save important data like documents and pictures that you don’t want permanently deleted.
  • Run a malware scanner to see if there are any viruses or suspicious files on your computer. If you’re unsure if you have a virus, you may want to bring your computer to a professional to make sure it’s clean.
  • Change your passwords. While changing the password on all the websites and apps you visit can be daunting, it’s an essential step in protecting yourself from further harm.
  • Employ two-factor authentication on important websites like your bank, credit card companies, social media sites and work-related websites. Two-factor authentication gives you an extra layer of security because it requires you to use two ways to verify your identity.
  • Contact anyone that might have been affected. For example, if you forwarded a phishing email to others, warn them about the potential hazards and urge them to delete the message. If the scammer is impersonating someone you know, tell your friend or colleague they’re being imitated so they can warn their contacts.
  • Some email providers, like Google, allow you to report phishing emails. You can also forward phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org, a group that includes security vendors, financial institutions and law enforcement agencies.

If you think a scammer got sensitive information, alert the proper authorities. If your Social Security number was compromised, contact the Office of Inspector General (OIG) at 1-800-269-0271 or submit a report online. For credit cards and bank accounts, use the number on the back of your credit card or bank statements to locate a number to report the compromised accounts.

How To Spot a Phishing Email or Text Message

Sometimes there are obvious signs that an email is fraudulent. Telltale signs include misspellings, poor grammar, threatening language and requests to click links or attachments or to call the company to settle a bill or claim a refund.

This example of a phishing email contains the name of a known company, its logo and a message about being charged for a service the recipient likely doesn’t want. The fraudster is using a common experience of being charged for auto-renewals or other plans without the customer’s knowledge to get their attention and prompt them to act.

Call the company directly if you’re concerned that the email might be authentic. Don’t use the contact information in the email; instead, look it up yourself so that you know you’re actually in communication with the company.

Source: FTC

This is an example of a phishing text in which the fraudster uses a topic that’s current to trick the recipient into clicking on the link. Don’t click on links if you’re not expecting a message from a particular company, even if you do business with them. Call them using a verified phone number if you’re unsure if the text is from the organization.

Source: FTC

4 Ways to Protect Yourself From Phishing

  1. Make sure your device’s software is updated regularly. You can set your software to update automatically.
  2. Protect your accounts by using multi-factor authentication. This means that you’ll have to log into your account using two or more forms of identification.
  3. Don’t click on email or text links unless you inspect the link and the source is verified.
  4. Frequently back up the data on your devices, such as photos and important documents.
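Step 3 above, inspecting a link before clicking, comes down to one question: does the address the link actually points to match the address the message shows you? In an HTML email the visible text and the real target can differ, and that mismatch is one of the telltale signs mentioned earlier. The script below is an added example, not part of the original article; the sample email body is constructed.

```python
# Added example: list links in an HTML email whose displayed address differs from the real target.
# SAMPLE_EMAIL is constructed for illustration and does not come from any real message.
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """
<p>Your payment is past due. Update your card at
<a href="http://bankofamerca.com/pay">www.bankofamerica.com/billing</a></p>
<p>Questions? Visit our <a href="https://www.bankofamerica.com/help">Help center</a>.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Hostname of a URL, or of a bare domain such as 'www.example.com/path'."""
    v = value.strip()
    if "://" not in v:
        v = "http://" + v
    return (urlparse(v).hostname or "").lower()


def suspicious_links(html: str):
    """Return links whose visible text names a different host than the href target."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        actual = host_of(href)
        # Only link text that itself looks like an address can be compared.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != actual and not actual.endswith("." + shown):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f"link shows {f['shown']} but goes to {f['actual']} ({f['href']})")
```

Links whose text is a plain phrase such as “Help center” cannot be checked this way; for those, hover over the link to see the real target, or, as the article advises, go to the organization’s site by typing a verified address yourself.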