What Is Phishing? Tips to Avoid Phishing Scams

8 Min Read | Last updated: September 30, 2025


This article contains general information and is not intended to provide information that is specific to American Express products and services. Similar products and services offered by different companies will have different features and you should always read about product details before acquiring any financial product.

With phishing scams, scammers attempt to obtain sensitive information by tricking you into providing it. See tips for spotting and avoiding phishing scams.

At-A-Glance

  • Phishing is a common type of cybercrime that aims to trick people into revealing personal information, which is often then used for financial gain.
  • Most phishing attacks occur via email, but scammers may also use text and voice messages – aka “smishing” and “vishing.”
  • Basic precautions can help you to spot many phishing scams and take steps to avoid them.

Have you ever received emails like these?

  • An offer of a free subscription from a leading streaming service.
  • A message from your bank or credit-card provider telling you there’s a problem with your account.
  • A prestigious retail brand offering you a coupon for 20% off, out of the blue.
  • A government agency saying you’re entitled to a big tax refund.

If you’re tempted to click, think again. These may be phishing emails: phony messages from criminals seeking to trick you into revealing information that they can use for a variety of purposes, such as draining your financial accounts or stealing your identity.1 In 2023, the FBI’s Internet Crime Complaint Center (IC3) received 880,418 complaints of cyberattacks and incidents. Since phishing email scams are on the rise, it’s important to learn to recognize and avoid them.2

What Is Phishing?

Phishing is a crime in which someone poses as a legitimate institution in order to trick you into revealing sensitive information, such as:1

  • Personal information like your Social Security number, name and address, and mother’s maiden name.
  • Bank or credit card account details.
  • Usernames and passwords.

Phishing criminals often aim to convince you to click on malware or to type your personal information into a form. To increase their chances of success, criminals often try to impersonate well-known organizations that you may trust, such as:1

  • Banks.
  • Credit card companies.
  • Big retailers.
  • Government agencies.
  • Big technology firms and social networking sites.

One common way that phishing emails try to get your information is by asking you to click on a hyperlink in the message. If you click on the link, you may be taken to a website that looks like an official login page, asking you to enter identifying information such as your username and password, or perhaps your full name and Social Security number. Type in the data, press return, and voilà! The scammers now have what they want.

While many phishing attempts occur via email, email is not the only method. Criminals sometimes also use phone calls, which is called vishing, or text messages, which is called smishing after “SMS” (short message service).1

What Are the Risks of Phishing Attacks?

If criminals succeed in stealing someone’s information using a phishing attack, they may use it in a variety of ways, depending on the information they’ve stolen.3

  • Apply for credit cards or services: They may use personal information like your date of birth, Social Security number, and address to apply for credit cards in your name, open utility accounts, or even try to get medical care.
  • Drain your financial accounts: If they get your bank or credit card login, they may be able to start buying things using your account or simply take your money.
  • Access your other accounts: Many people reuse the same username and password for multiple services. You might think that it’s not a big deal if attackers get your login information for a streaming service. But they may try reusing those same login details to access your bank account. They might even be able to get into your employer’s email system and create problems for the entire organization.
  • Sell the information: Thieves may sell your data on an underground online marketplace. Other criminals buy that information and may use it, perhaps months later.

Common Phishing Attack Tactics and How to Spot Them

Why do phishing attacks still work, even though people have known about them for decades? It’s largely because criminals constantly come up with new ways to evade email filters and convince people to click. Because of that, there’s no single characteristic that you can use as a sure way to identify a phishing email. But there are common telltale signs:4,5

  • Appealing offers: If it seems too good to be true, it probably is. Be extra cautious and check for legitimacy.
  • Urgent action needed: Attackers often inject a sense of urgency to make you feel you need to act straightaway. They may tell you your account has been suspended or that they’ve detected suspicious activity – and you must log in immediately to fix the problem. If you get such a message, call the number on the back of your card to see whether there is indeed an issue with your account.
  • Current events: Attackers use current events and concerns to grab your attention. Watch out for phony special offers during the holiday shopping season, or messages from the IRS during the tax filing season.
  • Unusual senders: If the sender isn’t who you’d expect, the message may be fake. But be careful: It’s easy for scammers to make it look like emails come from a reputable organization.
  • Incorrect recipients: Phishing emails may not address you by name – “Dear Customer” – or may even use an incorrect name.
  • Attachments or links: Any emails containing attachments or links should be treated with suspicion, especially if links in the message don’t match the real organization’s web address. Scammers may disguise malicious links with innocent-looking text or, for example, use a “1” in place of an “l” – which is almost undetectable.

It’s worth being extra careful if someone you don’t know offers you a gift card in any context. Gift card scams are always present and usually increase during the holidays. These are some popular gift card scams:6

  • Prize scam: Scammers impersonate a company offering a prize but then ask for payment through gift cards.
  • Family friend scam: They impersonate a close family member or friend by using technology that clones their voice. Then they ask for money and may add they don’t want you to tell anyone.
  • IRS/government agency scam: Someone impersonating an IRS agent or another government entity tells you your identity was stolen and asks you to buy gift cards using different accounts to help them identify the culprits.
  • Tech support scam: In this one, the scammer sends an email that appears to lock up your computer or mobile device, then pretends to be a tech support person stepping in to help – for a price.

Some Phishing Attacks Are More Sophisticated

While some phishing attempts are easy to spot, others can be much more sophisticated and harder to distinguish from genuine emails.

For example, in so-called “spear phishing” attacks, criminals carefully target specific people whom they think will have access to sensitive data, such as company executives or employees who handle electronic payments. The scammers spend time researching their targets’ personal lives, using sources such as social media. Armed with that personal information, they can craft phishing emails that are much more convincing.4

It’s also become much easier for attackers to include corporate logos and website content that look exactly like the real thing because they can buy “phishing kits” that include almost everything they need to imitate widely used and trusted brands.7

Vishing and Smishing

Some attacks use voice or text messages instead of email:8

  • Vishing: Some scammers may leave voice messages or even use live phone calls containing phishing lures to get you to reveal your information over the phone. They may appear to be calling from a legitimate local number, even if they’re not.
  • Smishing: Some phishing attacks use text messages because people are sometimes more likely to trust text messages than emails. The approach is known as smishing because SMS is an acronym for the technology used to send texts – it means Short Message Service. Like phishing emails, these texts may include links to phony websites.

How to Prevent Phishing Scams

If suspicious emails arrive in your inbox, here are some ways to help avoid falling for a phishing scam:1,5

  • Don’t respond to a message unless you’re sure you recognize the sender and don’t see any of the warning signs listed above. It’s easy for scammers to make it look like emails come from legitimate institutions, but major email systems often provide a way to identify the real sender and where your reply will be sent.
  • Don’t click on an attachment or link unless you’re sure it’s legitimate. Attackers can disguise bad links behind innocent-looking text, but if you’re using a computer you can often hover your cursor over the link to reveal the real URL. Attachments, including spreadsheets and word-processing documents, may conceal malware that steals data or causes other problems.
  • If a request seems odd, unusual, or suspicious, it probably is. If it appears to be from someone you know, try contacting them by phone or another method to make sure they really sent the request.
  • When in doubt, visit a website directly by typing the address into your browser instead of clicking on a link.
  • Protect your accounts with multifactor authentication. This adds a layer of safety by requiring an additional identification method to log in to your account, like a passcode delivered via text message.
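
The “hover over the link” check above, and the two link warning signs listed earlier (link text that doesn’t match the real address, and a “1” standing in for an “l”), can also be automated. The Python sketch below is an added example, not code from this article or from American Express; the trusted domain, the sample message, and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the reader really uses (constructed, reserved .example name).
TRUSTED = {"globalbank.example"}
# Digits commonly swapped in for similar-looking letters, e.g. "1" for "l".
LOOKALIKE = str.maketrans({"1": "l", "0": "o", "5": "s"})
URLISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(value):
    """Host of a URL or bare domain, cut to its last two labels (a simplification)."""
    if "://" not in value:
        value = "//" + value
    host = (urlsplit(value).hostname or "").lower()
    return ".".join(host.split(".")[-2:])  # real code: use the Public Suffix List

def check_links(html):
    """Return (href, reason) for each link showing one of the two warning signs."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = base_domain(href)
        if URLISH.fullmatch(text) and base_domain(text) != target:
            findings.append((href, "text-mismatch"))  # shown address != real one
        if target not in TRUSTED and target.translate(LOOKALIKE) in TRUSTED:
            findings.append((href, "lookalike"))      # e.g. "1" in place of "l"
    return findings

SAMPLE = (  # constructed sample message body
    '<a href="http://g1obalbank.example/login">www.globalbank.example</a> '
    '<a href="https://globalbank.example.account-check.test/v">globalbank.example</a> '
    '<a href="https://www.globalbank.example/help">Help</a>')
```

Calling `check_links(SAMPLE)` flags the first two links and leaves the genuine help link alone. A clean result does not prove a message is safe, since a link can point to a harmful site without showing either sign.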

The Takeaway

Phishing attacks that aim to steal your information remain one of the most widespread kinds of cyberattacks today. But they don’t work without your own participation. Fortunately, basic precautions can help you to spot, and avoid falling for, many phishing scams.



Mike Faden has covered business and technology issues for more than 30 years as a writer, consultant and analyst for media brands, market-research firms, startups, and established corporations.
 
All Credit Intel content is written by freelance authors and commissioned and paid for by American Express.

The material made available for you on this website, Credit Intel, is for informational purposes only and intended for U.S. residents and is not intended to provide legal, tax or financial advice. If you have questions, please consult your own professional legal, tax and financial advisors.