Recognizing Phishing Attempts

Phishing is one of the most common ways hackers steal passwords, personal information, and money. It works by tricking you into thinking a message is from someone you trust—like your bank, a delivery company, or even a coworker.

This guide will help you recognize phishing attempts and know exactly what to do when you see one.

What Is Phishing?

Phishing is a type of social engineering attack where scammers impersonate legitimate organizations or people to trick you into:

Clicking malicious links that lead to fake login pages
Downloading malware disguised as attachments
Revealing sensitive information like passwords, credit card numbers, or social security numbers
Sending money through fake invoices or urgent requests

Phishing can happen through:

Email (most common)
Text messages (SMS phishing, or "smishing")
Phone calls (voice phishing, or "vishing")
Social media messages
Fake websites

Red Flags: How to Spot a Phishing Email

1. Urgent or Threatening Language

Phishing emails create panic to make you act without thinking:

"Your account will be suspended in 24 hours!"
"Unusual activity detected—verify immediately!"
"You owe $500. Pay now to avoid legal action."

Legitimate companies don't threaten you into clicking links.

2. Suspicious Sender Address

The display name might look legitimate, but check the actual email address:

Display Name	Actual Email	Verdict
PayPal Security	security@paypal.com	✅ Legitimate
PayPal Security	security@paypa1-alerts.com	❌ Phishing
Amazon	noreply@amazon-delivery-notice.net	❌ Phishing
Your Bank	alerts@yourbank.com.suspicious.ru	❌ Phishing

Look for:

Misspellings (paypa1, arnazon, micros0ft)
Extra words in the domain (amazon-security-alert.com)
Wrong domain extensions (.ru, .cn, .xyz on supposedly US companies)

3. Generic Greetings

Phishing emails often use vague greetings because they're sent to thousands of people:

"Dear Customer,"
"Dear User,"
"Hello,"

Your bank and services you use know your name.

4. Spelling and Grammar Mistakes

Professional companies proofread their emails. Watch for:

Awkward phrasing
Spelling errors
Random capitalization
Missing punctuation

5. Suspicious Links

Hover over links (don't click!) to see where they really go:

Link Text	Actual URL	Verdict
Click here to verify	https://paypal.com/verify	✅ Legitimate
Click here to verify	https://paypal.account-verify.com	❌ Phishing
Sign in to your account	https://microsoft.com/login	✅ Legitimate
Sign in to your account	https://login-microsoft.suspicious.net	❌ Phishing

On mobile: Long-press the link to preview the URL without opening it.

6. Unexpected Attachments

Be extremely cautious of attachments you weren't expecting, especially:

.exe, .scr, .bat files (executable programs)
.zip or .rar files (could contain malware)
Office documents asking you to "enable macros"
PDF files from unknown senders

7. Requests for Sensitive Information

Legitimate companies will never ask you to:

Email your password
Send your credit card number via email
Provide your social security number through a link
Verify your account by replying with personal details

Red Flags: How to Spot Phishing Texts (Smishing)

Text message phishing is on the rise. Common tactics include:

Fake Delivery Notifications

"USPS: Your package could not be delivered. Schedule redelivery: bit.ly/fake-link"

Bank Fraud Alerts

"Chase: Suspicious activity on your account. Verify now: chase-secure.fake-site.com"

Prize Scams

"Congratulations! You've won a $500 gift card. Claim here: scam-link.com"

Account Verification

"Apple: Your iCloud account will be locked. Verify: apple-id-verify.net"

How to stay safe:

Don't click links in unexpected texts
Go directly to the company's official app or website instead
Real delivery notifications come from official short codes, not random numbers
When in doubt, call the company using the number on their official website

Red Flags: Phone Call Phishing (Vishing)

Scammers also call pretending to be:

Your bank's fraud department
The IRS or tax authorities
Tech support from Microsoft or Apple
A government agency

Warning signs:

Caller ID can be faked (spoofed)
They create urgency ("Act now or face arrest")
They ask for remote access to your computer
They request payment via gift cards or cryptocurrency
They ask for your password or PIN

What to do:

Hang up
Call the organization back using the official number from their website
Never give passwords, PINs, or personal information over the phone

What to Do If You Receive a Phishing Attempt

Don't Panic

Receiving a phishing message doesn't mean you've been hacked—clicking the link or providing information does.

Don't Click, Reply, or Download

Don't click any links
Don't download any attachments
Don't reply to the message

Verify Independently

If the message claims to be from a company you use:

Open a new browser window
Go directly to the company's official website (type it yourself)
Log in and check for alerts or messages
Call their official support number if needed

Report It

For emails:

Forward phishing emails to the company being impersonated (e.g., phishing@paypal.com)
Report to your email provider (Gmail, Outlook have "Report phishing" options)
Forward to reportphishing@apwg.org

For texts:

Forward the text to 7726 (SPAM) — this works for most US carriers
Report to the FTC at reportfraud.ftc.gov

For calls:

Report to the FTC at reportfraud.ftc.gov
Add the number to your phone's block list

Delete the Message

Once reported, delete the phishing message so you don't accidentally interact with it later.

What to Do If You Fell for a Phishing Attack

It happens to everyone. Here's how to limit the damage:

1. Change Your Passwords Immediately

Change the password for the affected account
If you reuse passwords, change them everywhere
Use your password manager to generate new, unique passwords

2. Enable Two-Factor Authentication

Add 2FA to the compromised account and any related accounts
This makes it harder for attackers to access your account even with your password

3. Check for Unauthorized Activity

Review recent logins and account activity
Look for unfamiliar transactions
Check "connected apps" or "authorized devices" and remove anything suspicious

4. Contact the Real Company

If it involved your bank, call them immediately
They can freeze your account and reverse fraudulent transactions

5. Scan for Malware

If you downloaded an attachment, run a full antivirus scan
Consider using tools like Malwarebytes for a second opinion

6. Monitor Your Accounts

Watch for suspicious activity over the next few weeks
Consider placing a fraud alert on your credit report

How Password Managers Help Prevent Phishing

Your password manager is actually a great phishing defense:

Autofill only works on legitimate sites: If you're on apple-id-verify.net instead of apple.com, your password manager won't autofill because it doesn't recognize the fake domain.
You don't need to type passwords: If you're on a phishing site and autofill doesn't work, that's a red flag.
Unique passwords limit damage: Even if one password is compromised, attackers can't access your other accounts.

Quick Reference: Phishing Checklist

Before clicking any link or providing information, ask yourself:

Was I expecting this message?
Does the sender's email address look legitimate?
Does the link go where it claims to go? (hover to check)
Is there urgency or threatening language?
Are there spelling or grammar mistakes?
Is it asking for sensitive information via email/text?
Would this company normally contact me this way?

If any answer raises doubt, don't click. Verify independently.

Summary

Phishing Type	Common Tactics	Defense
Email	Fake login pages, malware attachments, urgent threats	Check sender address, hover over links, don't download unexpected attachments
Text (Smishing)	Fake delivery notices, bank alerts, prize scams	Don't click links, verify via official apps/websites
Phone (Vishing)	Fake tech support, IRS threats, bank fraud alerts	Hang up, call back using official numbers

Remember: Legitimate organizations will never ask for your password, threaten immediate account closure, or demand payment via gift cards.

When in doubt, go directly to the source—type the website address yourself or use the official app.

What Is Phishing?​

Red Flags: How to Spot a Phishing Email​

1. Urgent or Threatening Language​

2. Suspicious Sender Address​

3. Generic Greetings​

4. Spelling and Grammar Mistakes​

5. Suspicious Links​

6. Unexpected Attachments​

7. Requests for Sensitive Information​

Red Flags: How to Spot Phishing Texts (Smishing)​

Fake Delivery Notifications​

Bank Fraud Alerts​

Prize Scams​

Account Verification​

Red Flags: Phone Call Phishing (Vishing)​

What to Do If You Receive a Phishing Attempt​

Don't Panic​

Don't Click, Reply, or Download​

Verify Independently​

Report It​

Delete the Message​

What to Do If You Fell for a Phishing Attack​

1. Change Your Passwords Immediately​

2. Enable Two-Factor Authentication​

3. Check for Unauthorized Activity​

4. Contact the Real Company​

5. Scan for Malware​

6. Monitor Your Accounts​

How Password Managers Help Prevent Phishing​

Quick Reference: Phishing Checklist​

Summary​