English

Subscribe to our newsletter

1101 Connecticut Ave, Suite 450, Washington DC 20036.

© 2025

Copyright. Stay Safe Online, NCA. All Rights Reserved.


Online Safety and Privacy

Feb 11, 2025

5 Min Read

What Is Phishing and How To Avoid It

Cybercriminals love to go phishing, but you don't have to get hooked.

Phishing

Phishing is when cybercriminals use emails, social media posts, or direct messages to trick you into clicking harmful links or downloading malicious files. Phishing is a common "social engineering" attack in which a hacker attempts to deceive you instead of directly attacking your system. Falling for a phishing scam can expose your personal information, like passwords or credit card numbers, and can even result in cybercriminals installing malware on your device. 

But with some knowledge, you can become an expert at spotting phishing attempts and not taking the bait. Furthermore, you can block and report phishing emails to take away the phishing nets.

What does a phishing email look like? 

Scammers often disguise phishing emails as messages from trusted organizations or people, but there are telltale signs that give them away. Here’s what to look for:  

  • Offers that seem too good to be true. Does the message promise free money, luxury items, or too-good-to-be-true exclusive deals? Red flag! Ditto, if you won a contest you don't remember entering!

  • Urgent or threatening language. Watch out for phrases like "Your account will be deleted!" or "Act now!" that are designed to make you panic. They might even say that your computer has been hacked or you are under arrest.

  • Requests for personal information. Legitimate companies will never ask you for sensitive details like passwords over email.

  • Odd business requests. A sudden demand for payment or private data? An invoice you don't recognize? Pause and question its legitimacy.

  • Mismatched sender addresses. Before opening any email involving sensitive data or money, always check the sender's email address for strange domains or slight misspellings.

  • Unfamiliar hyperlinks or attachments. Hover over links to check where they lead. If they look suspicious (e.g., pavpal.com instead of paypal.com), don’t click. Never download an attachment from a sender you don't recognize, and even if you recognize the sender, use your email's antivirus scan on it.

  • Poorly written content. Look for bad grammar, awkward phrasing, or misspelled words—professional companies rarely make these mistakes. However, the grammar of many phishing emails is improving with the rapid spread of artificial intelligence systems.

  • Generic greetings. Be wary of vague openings like "Dear Customer" instead of your name. 

What is a sense of urgency in phishing? 

Cybercriminals focus on playing on your emotions with their phishing emails. The reddest flag for phishing emails is a "sense of urgency," where you feel pressured to take action quickly. Scammers want you to act quickly so you click before you think! 

In phishing messages, a sense of urgency can be negative or positive. 

  • Examples of positive sense of urgency: you won a prize, you're owed money, you can get an exclusive deal.  

  • Examples of negative sense of urgency: You've been hacked, the IRS is investigating you, criminals are recording you through your webcam, there is a warrant out for your arrest.  

Even if the messages are unsettling and worrisome, it's important to remember that almost all messages sent to your email inbox or social media DM about serious matters, like IRS audits, are scams. Scammers will say they have embarrassing footage of you as a way to get your attention and money – don't give it to them.  

Take 5 seconds with every email 

You can typically scan for the red flags of a phishing email by taking five seconds per email. Before clicking a link, sending any information, or downloading an attachment, take a breath and consider if the email is a phish. Ask a coworker, friend, or family member if the message seems strange. No email needs a response in less than a minute.  

When the scammers know your name: spearphishing 

Sometimes, cybercriminals spend time tailoring a phishing email just for you. They might know your name, your job, your address, or the names of people you know. They might glean this data from social media or other publicly available sources. This is called “spearphishing,” as in, the scammer has to target you specifically with their message.  

Because of this, be wary of any unexpected message with a sense of urgency, even if the sender seems to know who you are.

What to do if you spot a phishing message

Caught a phishing attempt? Here’s how to handle it: 

  1. Stay calm and don't click. Don’t click any links or download attachments. Even the unsubscribe link could be a trap. Don't reply to the email.

  2. Report the email: 

    1. At work: Notify your IT department or security officer immediately. 

    2. At home: Many email platforms have a “Report Phishing” feature. Use it to alert them:

      1. Report a phish on Outlook.

      2. Report a phish on Gmail.  

      3. Report a phish on Mac Mail. 

  3. Block the sender. Take an extra step by blocking the sender in your email program.

  4. Delete the email. Delete the message. Do not reply or engage with the sender.

Protect your lake before phishing strikes 

Phishing emails might slip through your spam filter, so staying proactive is crucial. Adopting a few key cybersecurity behaviors can help protect you when phishing happens. 

  • Enable multifactor authentication (MFA) wherever possible to add an extra layer of security. 

  • Use strong, unique passwords and store them securely in a password manager. Each password should be at least 16 characters long and unique to the account.  

  • Keep all software and devices updated to patch vulnerabilities cybercriminals exploit.

Reporting phishing makes a difference 

By reporting phishing attempts, you protect yourself and help prevent others from falling victim. Email providers and IT teams use your reports to block these scammers and improve security measures. Please report and block!

Think before you click 

You can stay one step ahead of phishing scammers. Remember: If something feels off, trust your instincts. You can even ask a friend to get a second set of eyes on it. Think for a few seconds before you click, and you’re well on your way to staying safe online.  

Featured Articles

How to Stop the Flow of Personal Data with Cloaked CEO Arjun Bhatnagar

It’s Data Privacy Week, when we pay special attention to why data privacy is so critical in today’s world.


tax time

Cybersecurity for Tax Season: Protect Your Identity and Refund

Tax season brings enough stress without adding scammers to the mix. But the reality is that criminals ramp up attacks in the first few months of the year, often impersonating the IRS or trusted services like H&R Block and TurboTax.


Cybercrime and Scams