Phishing Email Examples: How to Recognize a Phishing Email
You get an email from bank0famerica@acc0unt.com claiming that they have found suspicious activity on your credit card statement and are requesting that you verify your financial information. What do you do? While you may be tempted to click on a link to immediately resolve the issue, this is likely a phishing attempt—a type of scam that tricks you into voluntarily providing important personal information.
To help you avoid being victimized by phishing scams, this guide will review common phishing techniques and characteristics, and share tips on how to protect yourself from this online threat.
What is phishing?
Phishing is a cybercrime in which scammers, posing as popular or trusted brands, send you fraudulent emails and text messages containing links to fake websites that imitate, for example, your bank or credit card account page. Using an urgent tone, the scammers pressure you to click the link and log in to the fake website, which hands them access to your real account.
If you don’t look carefully, you might not be able to tell the difference between an authentic message and a phishing message.
Common phishing techniques
- Credential harvesting pages: These fake websites closely mimic legitimate login pages for banks, social media, or email services. When you enter your username and password, cybercriminals capture this information to access your real accounts. To recognize these fake sites, carefully check the URL for slight misspellings or unusual domains, and be wary if the site lacks a valid security certificate. Always type website addresses directly into your browser rather than clicking links in emails, and enable two-factor authentication on all important accounts.
- OAuth consent scams: These attacks trick you into granting malicious apps access to your email, cloud storage, or social media accounts through legitimate authorization systems. The scammer sends you a link that appears to be from a trusted service, asking you to “authorize” a helpful app that actually gives them broad access to your personal data. To protect yourself, carefully read permission requests before clicking “Allow,” question why an app needs extensive access to your accounts, and regularly review authorized applications in your account settings.
- QR code phishing: Cybercriminals create fake QR codes that redirect you to malicious websites or automatically download harmful apps. These QR codes are often posted on parking meters, restaurant tables, or even printed materials that look official, but scanning them can compromise your device or steal your information. Before scanning any QR code, preview the destination URL, or just avoid them altogether if possible. Never download apps directly from QR code prompts.
- Attachment-based malware delivery: This technique involves sending emails with infected attachments that appear to be invoices, shipping notifications, or important documents. Opening these files will install malware on your device that can steal your data, encrypt your files for ransom, or give criminals remote access to your computer. Never open attachments from unknown senders, and scan all attachments with updated security software before opening. Be especially cautious with file types like .exe, .zip, or macro-enabled documents from unexpected sources.
- Brand impersonation: Scammers register domain names that closely resemble trusted companies, using slight misspellings or different extensions to fool you. For example, they might use “amaz0n.com” instead of “amazon.com” or “paypal-security.com” to make their fake emails appear legitimate. To protect yourself, it is better to type website addresses manually, double-check sender email domains for subtle differences, and bookmark legitimate sites to avoid typing errors.
- Reply-chain hijacking: This attack involves criminals hacking someone’s email account and inserting themselves into email conversations with malicious responses. Because the emails appear to come from someone familiar or trusted, you’re likely to click malicious links or download harmful attachments. Stay alert for unusual requests, tone changes, and unexpected links or attachments. Verify suspicious requests through a different communication channel.
Spot a phishing message with these signs
Phishing scammers often undo their own plans by making simple mistakes that are easy to spot once you know how to recognize them. Check for the following signs of phishing when you receive an email or text:
It’s poorly written
Phishing messages often contain grammatical, spelling, and other blatant errors that major corporations wouldn’t make. If you see multiple, glaring errors in an email or text that asks for your personal information, you might be a target of a phishing scam.
The logo doesn’t look right
To enhance their credibility, phishing scammers often steal the logos of organizations they are impersonating. In many cases, however, the stolen corporate logos are used poorly. If you receive an unsolicited email or text with a distorted or low-resolution logo, chances are that it’s phishing.
The URL doesn’t match
Oftentimes, phishing URLs contain misspellings. To verify, hover your cursor over the link to display its URL. You could also right-click the link, copy it, and paste it into a document and examine it thoroughly for spelling errors without being directed to the potentially malicious webpage. On a mobile device, you can view the link by pressing it with your finger and holding it down for a few seconds. If the URL looks suspicious, don’t interact with it and delete the message altogether.
Types of phishing emails and texts
Phishing messages come in all shapes and sizes. Let’s review some examples of the most frequently sent phishing scams:
Account suspended scam
Some phishing emails will notify you that your bank has temporarily suspended your account due to unusual activity. If you receive such a message from a bank with which you don’t have an account, delete it immediately. If the email appears to come from a bank you do business with, use the methods listed above to check the email’s integrity. If you are still unsure, contact your bank directly instead of opening any links within the email.
Two-factor authentication scam
Phishing scammers know how standard 2FA has become and may exploit the very service that is supposed to protect your identity. If you receive an email asking you to log in to an account to confirm your identity, use the criteria we listed above to verify the message’s authenticity. Be especially wary if someone asks you to provide a 2FA code for an account you haven’t accessed for a while.
Tax refund scam
Phishing scammers count on tax season, sending phony emails purportedly from the Internal Revenue Service (IRS). Be careful when an email informs you that you’ve received a windfall of cash. Be especially dubious of emails that the IRS supposedly sent, since this government agency only contacts taxpayers via snail mail. Tax refund phishing scams can do serious harm since they usually ask for your Social Security number and bank account information.
Order confirmation scam
Cybercriminals will try to trick you with fake order confirmation emails with “receipts” attached or links claiming to contain more information on your order. Do not open the attachments and links as these are used to spread malware to your device.
Tech support phishing emails
Tech support phishing emails are designed to trick you into believing your computer has serious security problems that require immediate attention. These fraudulent emails often claim to come from well-known technology companies, warning that your device is infected with viruses, your accounts have been compromised, or your security software has expired. Once they gain your trust, cybercriminals will ultimately steal your money, personal information, or access to your devices. Common warning signs of tech support phishing emails include:
- Urgent demands to call immediately: These emails create false urgency by claiming your computer is severely infected or your account will be suspended unless you immediately call a phone number they provide. Legitimate tech companies typically don’t request immediate phone calls through unsolicited emails.
- Requests for remote access to your device: The email may ask you to download software that allows someone to control your computer remotely, often disguised as “diagnostic tools” or “security scans.” Real tech support companies have strict protocols and rarely request remote access through unsolicited communications.
- Payment via gift cards or cryptocurrency: Scammers frequently request payment for fake “fixes” using untraceable methods such as gift cards, wire transfers, or digital currency. Legitimate companies will never demand payment for tech support services through these methods.
- Spoofed sender domains and addresses: Phishing emails often use addresses that closely mimic legitimate companies but contain subtle misspellings or unusual domain extensions, such as “micr0soft-security.com” instead of the official domain.
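As an added example (not code from the original article), here is a Python check that applies the sender-domain advice from the brand-impersonation item earlier and the spoofed-sender item above: it undoes the digit-for-letter swaps seen in “amaz0n.com” and “micr0soft-security.com”, spots a brand name grafted onto an unrelated domain such as “paypal-security.com”, and catches a brand in the mailbox name paired with an unrelated domain, as in bank0famerica@acc0unt.com. The trusted-domain list and the confusable-character table are assumptions for illustration.

```python
import re
from typing import Optional

# Assumed list of brand domains the reader actually does business with.
TRUSTED = {"amazon.com", "paypal.com", "microsoft.com", "bankofamerica.com"}

# Digits commonly swapped in for look-alike letters (assumed table, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})


def registrable_domain(host: str) -> str:
    """Keep the last two labels: 'mail.paypal.com' -> 'paypal.com'.
    Two-level suffixes such as .co.uk are out of scope for this illustration."""
    labels = host.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_sender(address: str) -> Optional[str]:
    """Return a plain-language reason the sender looks like brand impersonation, or None."""
    if "@" not in address:
        return "not an email address"
    local, host = address.lower().rsplit("@", 1)
    domain = registrable_domain(host)
    if domain in TRUSTED:
        return None  # the real brand domain, or one of its subdomains

    brands = {d.split(".")[0]: d for d in TRUSTED}      # 'paypal' -> 'paypal.com'
    label = domain.split(".")[0].translate(CONFUSABLES)  # 'amaz0n' -> 'amazon'

    # 1. Look-alike spelling or a different extension: 'amaz0n.com', 'paypal.co'
    if label in brands:
        return f"'{domain}' imitates '{brands[label]}' (look-alike spelling or different extension)"

    # 2. Brand grafted onto an unrelated registration: 'paypal-security.com', 'micr0soft-security.com'
    for token in re.split(r"[-_]", label):
        if token in brands:
            return f"'{domain}' borrows the brand '{token}' but is not '{brands[token]}'"

    # 3. Brand in the mailbox name or a subdomain while the domain is unrelated: 'bank0famerica@acc0unt.com'
    for brand in brands:
        if brand in local.translate(CONFUSABLES) or brand in host.translate(CONFUSABLES):
            return f"sender mentions '{brand}' but the domain '{domain}' is not '{brands[brand]}'"

    return None
```

A result of None only means the address passed these three heuristics; the hover-and-inspect habits described above still apply to the links inside the message.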
Social media phishing emails
Social media phishing emails target your Facebook, Instagram, Twitter, LinkedIn, and other social media accounts with convincing and urgent messages that claim your account has been suspended, locked, or flagged for policy violations. Look for these signs to spot a phishing email:
- Account suspension alerts: Urgent notifications claim your social media account will be permanently deleted unless you verify your identity immediately.
- Copyright violation warnings: The messages claim you’ve posted copyrighted content and must appeal the decision by clicking a link. Legitimate platforms typically handle these issues through their internal notification systems, not via email.
- Security verification requests: Fake emails ask you to confirm recent log-in attempts or suspicious activity on your account. While real platforms do send security notifications, they never ask you to enter your log-in details through email links.
- Lookalike login pages: Clicking suspicious links often leads to fake websites that perfectly mimic legitimate social media login pages. These pages capture your username and password when you attempt to sign in, giving scammers full access to your real accounts.
Malware email: Another kind of phishing
While phishing emails typically aim to steal your login credentials or personal information, malware emails have a different and potentially more dangerous goal: they install malicious software directly on your device. Watch out for these key warning signs to help you stay protected.
- Suspicious attachments: Be cautious of unexpected emails with attachments, especially files with extensions like .zip, .img, .iso, .exe, or .scr, as these are commonly used to deliver malware.
- Macro-enabled documents: Office documents (.doc, .docx, .xls, .xlsx) that prompt you to “enable macros” or “enable editing” should raise immediate red flags. Legitimate businesses rarely send documents requiring macro activation.
- Password-protected archives: Files that come with passwords provided separately in the email are often used to bypass security scanners.
- Double extensions: Files that use deceptive naming, such as “invoice.pdf.exe” or “document.txt.scr,” may appear harmless while hiding their true malicious nature.
- Drive-by download links: Unlike phishing links that take you to fake login pages, malware emails often contain links that automatically download files when clicked, without any visible webpage.
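The attachment warning signs above (risky extensions, macro-capable documents, double extensions) can be checked mechanically before a file is opened. This Python helper is an added example, not code from the article; its extension groups are assumptions, and it also handles two edge cases the list does not mention: padding spaces that push the real extension out of view, and a Unicode text-direction override character that changes how the name is displayed.

```python
import unicodedata
from typing import Tuple

# Assumed extension groups for illustration; tune them to your environment.
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "hta", "msi", "lnk"}
MACRO_CAPABLE = {"doc", "docm", "xls", "xlsm", "ppt", "pptm"}   # formats that can carry VBA macros
CONTAINER = {"zip", "rar", "7z", "img", "iso"}                  # archives and disk images
DATA_ONLY = {"pdf", "txt", "csv", "jpg", "png", "docx", "xlsx"}  # cannot store macros (.docm/.xlsm can)

# Left-to-right / right-to-left override characters reverse the display order of what follows them,
# so the extension a user sees is not the one the operating system acts on.
BIDI_OVERRIDES = {"\u202d", "\u202e"}


def classify_attachment(filename: str) -> Tuple[str, str]:
    """Return (risk, reason) for an attachment name; risk is 'high', 'medium' or 'low'."""
    name = unicodedata.normalize("NFKC", filename).lower()
    if any(ch in name for ch in BIDI_OVERRIDES):
        return "high", "hidden text-direction override: the displayed extension is not the real one"

    # Strip padding around each label so "invoice.pdf      .exe" is treated as invoice.pdf.exe
    labels = [part.strip() for part in name.split(".")]
    labels = [part for part in labels if part]
    if len(labels) < 2:
        return "medium", "no file extension; the true type is unknown"

    exts, final = labels[1:], labels[-1]
    if final in EXECUTABLE:
        if len(exts) > 1 and exts[-2] in DATA_ONLY | MACRO_CAPABLE:
            return "high", f"double extension: looks like .{exts[-2]} but runs as .{final}"
        return "high", f".{final} runs code when opened"
    if final in MACRO_CAPABLE:
        return "high", f".{final} can carry macros; do not enable content"
    if final in CONTAINER:
        return "medium", f".{final} container can hide an executable; inspect it before extracting"
    if final in DATA_ONLY:
        return "low", f".{final} is a data file; still scan it before opening"
    return "medium", f"unfamiliar extension .{final}"
```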
Safely handle suspicious emails
- Preview before clicking: Hover over links to see their true destination before clicking to avoid malicious redirects.
- Scan attachments first: Use your antivirus software to scan any attachments before opening them, even if they appear to come from trusted sources.
- Use cloud-based viewers: When possible, open documents using cloud-based viewers such as Google Docs or Office Online for an additional layer of protection against malicious macros.
- Keep software updated: Ensure your operating system, antivirus software, and email client are up to date with the latest security patches.
- Run with limited privileges: Avoid using administrator accounts for daily activities. Instead, employ standard user accounts to limit potential damage from malware.
Phishing and financial scams
Phishing emails serve as the gateway to some of the most costly financial scams today. While recognizing phishing techniques helps you avoid the trap, understanding how these fake emails connect to money loss empowers you to protect your finances more effectively.
Financial scams that start with phishing emails
- Fake invoice scams: You receive professional-looking invoices for services you never ordered, often claiming urgent payment is needed to avoid late fees. These scams exploit your natural inclination to resolve billing issues quickly.
- Payroll update requests: Criminals send emails appearing to come from your HR department, requesting you to update your direct deposit information or tax withholding details. Once you provide the new details, they redirect your paycheck to accounts they control.
- Investment and cryptocurrency schemes: These emails promote “exclusive” investment or cryptocurrency opportunities that promise exceptional returns. The FBI’s Internet Crime Complaint Center reported $9.3 billion in cryptocurrency fraud losses in 2024, with many schemes launched through phishing emails.
- Charity and disaster relief appeals: Following natural disasters or during charitable giving seasons, scammers send emotional appeals for donations to fake organizations, using real disaster images and urgent language to pressure you into giving.
- Refund and overpayment scams: These emails claim you’re owed a refund and require you to provide banking information or pay processing fees to receive your “refund” from the IRS, a utility company, or online retailer.
Actionable protection strategies that work
Taking proactive steps to verify and protect yourself provides the most effective defense against scams. Here are some smart steps you can take to protect your identity, based on the type of phishing scam:
Defense against financial scams
When you receive financial requests via email, trust your instincts and verify the sender before taking any action. Your careful approach not only protects your own finances but also contributes to a safer digital environment for everyone. Follow these steps to stay safe:
- Verify payment changes through known channels: Never process financial changes based solely on email requests. Call the organization using phone numbers from your account statements or official websites, not those provided in the suspicious email.
- Never pay with gift cards or cryptocurrency: Legitimate organizations will never ask for gift cards, wire transfers, or cryptocurrency as payment for bills, taxes, or services. The FTC emphasizes that these payment methods are nearly impossible to reverse and strongly favored by scammers.
- Confirm invoices directly with vendors: Before paying any unexpected invoice, contact the vendor directly through their official customer service channels. Ask for detailed information about the services or products that generated the bill.
- Monitor accounts and transactions: Monitor your accounts and credit reports regularly to catch unauthorized activity early. Enable notifications on your bank and credit card accounts for all transactions.
- Implement the 24-hour rule: For urgent financial requests received via email, wait 24 hours before taking action. This cooling-off period allows you to verify the request and consult with trusted family members or financial advisors.
Protect yourself from tech support scams
Because tech support phishing scams work differently, they also require distinct protection tactics. Check out these defensive steps when scammers attempt to target you:
- Close the window or delete the email immediately: Don’t interact with any links, attachments, or phone numbers provided in suspicious messages. Simply closing the email and moving it to your trash folder is the safest first step.
- Never call phone numbers provided in unsolicited emails: Calling these numbers connects you directly to scammers who will attempt to convince you to pay for unnecessary services or provide personal information.
- Visit the company’s official website or app directly: If you’re concerned about your account or device security, type the company’s web address into your browser manually or use their official mobile app. This ensures you’re accessing genuine support channels rather than fraudulent ones.
- Run a trusted security scan: Use reputable antivirus software to perform a full system scan if you’re worried about your device’s security. Most legitimate security programs can detect and remove actual threats without requiring phone support or immediate payment.
Block social media phishing scams
Learning to identify and block social media phishing attempts can help you protect your accounts, personal data, and online reputation. Here are some ways to thwart phishing on social media:
- Quick protective actions: Always navigate to the social media platform directly through your browser or official app rather than clicking email links. Check your notifications within the platform itself to verify legitimate security concerns.
- Enable multi-factor authentication: Add an extra layer of security to all your social media accounts by enabling two- or multi-factor authentication. This prevents unauthorized access even if scammers obtain your password.
- Review connected apps and permissions: Regularly audit third-party applications and services connected to your social media accounts. Disconnect apps you no longer use or don’t recognize to prevent unauthorized access through compromised accounts. Regularly conduct account security reviews to maintain proper social media protection.
Remember that you have the power to protect yourself and your community by staying informed and taking measured actions.
Did you click that link by mistake?
If you accidentally click a link from a suspected phishing email, it will often take you to a web page with a form asking for sensitive data such as your Social Security number, credit card information, or login credentials. Do not enter any data on this page. Just close the page and delete the email.
Immediate steps to take if you’ve been phished
Sometimes phishing scammers are good enough to deceive you into entering data on a fake webpage. If you realize your mistake right away, you can still protect yourself by taking quick and deliberate action. One vital measure to take in the wake of a phishing event is reporting the matter. Each report contributes to a security shield that protects millions of people from similar threats. Your action today helps create safer online experiences for everyone in your community and beyond.
- Scan, back up files, and change passwords. Immediately perform a full malware scan on your device, back up all of your files, and change your passwords. Once you provide a scammer with the data from one account, you may have also opened the door to other personal data, so it’s important to change all of your passwords.
- Report to the Federal Trade Commission (FTC). File your report at ReportFraud.ftc.gov for the most comprehensive fraud reporting system. The FTC uses this data to track scam trends and protect other consumers from similar threats.
- Submit details to the FBI. Report the incident to the FBI’s Internet Crime Complaint Center, which helps law enforcement identify and prosecute cybercriminals targeting Americans.
- Alert the industry authority. Forward suspicious emails to the Anti-Phishing Working Group, which uses your reports to combat phishing attacks across the internet ecosystem.
- Contact USPS for mail-related scams. Report postal fraud to the U.S. Postal Inspection Service when scammers use traditional mail as part of their scheme.
- Notify the impersonated organization. Most legitimate companies have dedicated abuse or fraud reporting pages on their websites. Search for “[Company Name] report phishing” to find their official reporting channel.
- Preserve important evidence before reporting. To help authorities investigate the incident, take screenshots of the suspicious message, save email headers (which show routing information), and document any financial losses.
Final thoughts
Phishing attacks continue to target millions of people every day, making it crucial for you to stay vigilant. But phishing emails only work on the unaware. By knowing the characteristics of a phishing email, you’ve taken an important step toward safeguarding yourself from cybercriminals who rely on deception to steal your sensitive data.
Remember the key warning signs we’ve covered: poorly written messages with grammatical errors, low-resolution or distorted logos, suspicious URLs, and urgent requests for personal information. These signs show that scammers often make telltale mistakes that reveal their true intentions. Trust your instincts and err on the side of caution each time anybody asks you to divulge sensitive details about your identity, finances, or log-in information.
As scammers develop new methods to bypass detection, your continued awareness and knowledge will serve as your first line of defense. The more you understand about common phishing tactics, the better equipped you’ll be to recognize and avoid these threats before they can harm you or your devices.