How to Spot and Avoid Phishing Attacks
Phishing attacks are responsible for a significant portion of all data breaches, account takeovers, and ransomware infections. They’re effective because they target humans, not software — and humans make mistakes regardless of how many security tools are in place.
Understanding how phishing works — and developing reliable habits for dealing with it — is one of the highest-value security investments you can make.
What Is Phishing?
Phishing is a deception attack. The attacker impersonates a trusted entity — your bank, Amazon, PayPal, your employer’s IT department, the IRS — and tricks you into taking an action that compromises your security.
The action might be:
- Clicking a link to a fake login page and entering your credentials
- Opening a malicious attachment that installs malware
- Transferring money (Business Email Compromise)
- Providing personal information directly
- Calling a fake customer service number
The name comes from “fishing” — casting a wide net (or specifically targeting one person) and waiting for someone to take the bait.
Types of Phishing
Email phishing: Mass emails impersonating trusted brands. “Your account has been compromised. Click here to verify.” Millions sent; even a 0.1% success rate yields thousands of victims.
Spear phishing: Targeted attacks on a specific person or organization, using personal details to seem legitimate. More effort, much higher success rates.
Smishing: Phishing via SMS text message. “Your package couldn’t be delivered. Confirm your address here: [link]”
Vishing: Voice phishing — calls from fake banks, IRS, Microsoft support, etc.
Business Email Compromise (BEC): Attacker impersonates a company executive or vendor, requests a wire transfer or payroll change. Causes billions in losses annually.
How to Spot a Phishing Email
No single indicator is definitive. Look for combinations:
Check the sender’s actual email address: The display name can say anything; look at the address behind it (hover over or expand the From field). support@amazon-security-alert.com is not Amazon. Real Amazon emails come from @amazon.com. Attackers register lookalike domains constantly.
Hover over links before clicking: Hover (don’t click) over any link and look at the URL in your browser’s status bar or tooltip. Does the registered domain (the part just before the .com, .xyz, etc.) match the organization that claims to be sending it? amazon.security-check.xyz is not Amazon; the registered domain there is security-check.xyz, and “amazon” is just a subdomain the attacker chose.
Look for urgency and pressure: “Your account will be suspended in 24 hours.” “Immediate action required.” “Failure to respond will result in…” Urgency is designed to override careful thinking.
Grammar and spelling errors: Mass phishing is often sloppy. However, AI has dramatically improved phishing text quality — don’t rely on this alone.
Unexpected requests: Did you initiate this interaction? Your bank doesn’t email you asking you to verify your password. The IRS doesn’t contact you by email.
Generic greetings: “Dear Customer,” “Dear User” instead of your name — though spear phishing uses your name.
Mismatched branding: Slightly off logos, different fonts, incorrect colors.
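As an added illustration (not part of the original article), here is a small Python checker that applies the sender and link checks above to constructed sample values. The brand domain, addresses and links are made up for the example, and the public suffix handling is a simplification of the real Public Suffix List.

```python
from urllib.parse import urlparse

# Simplified stand-in for the Public Suffix List (assumption: a real checker
# would load the full list so that e.g. 'co.uk' is never treated as a domain).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(hostname: str) -> str:
    """Return the part of a hostname that someone actually registered.

    'amazon.security-check.xyz' -> 'security-check.xyz' (the 'amazon' label
    is just a subdomain the sender chose); 'www.amazon.co.uk' -> 'amazon.co.uk'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_matches_brand(url: str, brand_domain: str) -> bool:
    """True only if the link really lands on brand_domain or one of its subdomains."""
    if "://" not in url:
        url = "http://" + url  # bare hostnames, as shown in a tooltip
    host = urlparse(url).hostname  # ignores any 'user@' prefix and the path
    return host is not None and registrable_domain(host) == brand_domain.lower()


def sender_matches_brand(address: str, brand_domain: str) -> bool:
    """True only if the From address (not the display name) is on brand_domain."""
    if address.count("@") != 1:
        return False
    return registrable_domain(address.split("@")[1]) == brand_domain.lower()


def review_message(sender: str, links: list, brand_domain: str) -> list:
    """Return the red flags found in one message, as plain-English strings."""
    flags = []
    if not sender_matches_brand(sender, brand_domain):
        flags.append(f"sender {sender} is not on {brand_domain}")
    for link in links:
        if not link_matches_brand(link, brand_domain):
            flags.append(f"link {link} does not lead to {brand_domain}")
    return flags


# Constructed sample message using the lookalike domains discussed above.
SAMPLE_FLAGS = review_message(
    "support@amazon-security-alert.com",
    ["https://amazon.security-check.xyz/verify", "https://www.amazon.com/help"],
    "amazon.com",
)
```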
The Single Best Defense: Slow Down
Most phishing works because people act quickly without thinking. The act of pausing to examine an email before clicking is your strongest protection.
When you receive an email asking you to take action:
- Stop. Do not click anything yet.
- Ask: “Am I expecting this? Did I initiate this?”
- Examine the sender address.
- Hover over any links.
- If still uncertain — don’t click the link. Go directly to the company’s website by typing the URL yourself or using a bookmark.
The most important phrase: go directly. If your bank emails you about an account issue, don’t click the link in the email. Open a new tab, type your bank’s URL, log in, and see if there’s actually an issue.
What to Do If You Clicked
If you clicked a link but didn’t enter credentials or download anything:
- Close the page
- Run a malware scan
- You’re likely fine, but stay alert
If you entered credentials on a phishing page:
- Immediately change your password on the real site
- If you use that password elsewhere, change it everywhere (this is why unique passwords matter)
- Enable two-factor authentication if not already enabled
- Check for any unauthorized activity (logins, changes, transactions)
If you downloaded an attachment:
- Disconnect from the network
- Run a comprehensive malware scan
- Consider contacting IT support (for work) or a security professional
Technical Defenses
Two-factor authentication: Even if attackers get your password via phishing, 2FA stops them from logging in with the password alone. Enable it everywhere, especially email and banking. Use an authenticator app rather than SMS when possible.
Password manager: If your password is unique to each site, a phished credential is only useful on the site it was stolen from — not everywhere you use that password.
Email security tools: Most enterprise email systems filter phishing emails. If you’re responsible for a domain, set up SPF, DKIM, and DMARC records — these make it harder for attackers to impersonate your domain.
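As an added example (not from the original article), the following Python shows a weak SPF and DMARC record beside a corrected one for a made-up domain, with small checks that report what each weak setting still allows. The records are constructed samples; a real deployment would read them from DNS.

```python
# Constructed example records for a made-up domain (example.com): the weak
# and corrected versions are shown side by side so the difference is visible.
WEAK_SPF = "v=spf1 include:_spf.example.com +all"
STRONG_SPF = "v=spf1 include:_spf.example.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"


def parse_tags(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; pct=100' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list:
    """Return the ways a DMARC record still lets mail spoofing your domain through."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: receivers only report failures; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("p tag missing or invalid")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua address: you will not see who is sending as your domain")
    return findings


def spf_findings(record: str) -> list:
    """Return the ways an SPF record fails to limit who may send as the domain."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1].lower()
    if last in ("all", "+all"):
        return ["+all: any host on the internet passes SPF for this domain"]
    if last in ("?all", "~all"):
        return [f"{last}: unauthorized senders are only soft-failed, not rejected"]
    if last != "-all":
        return ["no 'all' mechanism: unlisted senders get a neutral result instead of a fail"]
    return []
```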
Up-to-date software: Malicious attachments often exploit browser or OS vulnerabilities. Keeping software updated closes the known vulnerabilities those attachments rely on.
Recognizing Phishing Phone Calls
“Hi, this is Sarah from Microsoft Support. We’ve detected malware on your computer…”
Legitimate companies:
- Don’t call you unsolicited about security problems on your device
- Don’t ask for remote access to your computer
- Don’t request payment in gift cards
- Don’t threaten arrest for unpaid taxes
If you receive such a call: hang up. If you’re genuinely concerned, look up the company’s real number and call back.
Phishing succeeds by exploiting trust and urgency. The countermeasure is developing the habit of pausing, verifying, and going directly to sources rather than following links in unsolicited messages. Once this habit is automatic, you’re significantly better protected than the average user.
Written by Marcus Thorne
Software analysis and cybersecurity tips
A former software engineer, Marcus transitioned into tech journalism to explain complex digital concepts in simple terms.