What is Phishing?

Reading time: 5 minutes

Highlights:

  • The goal of phishing is to snare your personal or financial information
  • Phishing messages may look legitimate
  • Here are some ways to evaluate a message before you click on a link or attachment

You may have heard the term “phishing” before, but you may not know what a phishing email or text message looks like – and some ways to check to make sure messages are legitimate before you click on a link or open an attachment. 

Phishing messages are used by scammers to trick you into clicking a link or an attachment that will provide them access to your information or download malware onto your computer. The goal is to snare your personal or financial information.

While phishing traditionally has been done through emails or text messages, recently phishing has been seen on communication apps and social media messaging. Attackers are also using attachments within shared files and posting them on trusted file-sharing sites. 

Phishing messages may look legitimate. They may come in the form of a communication that seems to be from your bank, credit card company, a company you do business with, or even your employer. Others may seem to come from a social networking site, an online payment website or app, or an online store. 

These messages may tell you there’s a problem with your account or payment information, or that some suspicious activity or login attempts have taken place. They may also include a fake invoice or ask you to update confirm personal information. Some may include links to “make a payment,” register for something, or offer a coupon. And still others may try to entice you to open an attachment.

The goal of phishing is to get you to take the bait, whether that’s logging in to your account directly from the message (giving hackers access to your password), clicking on a link, or opening an attachment. 

How to recognize phishing 

Look closely at any messages like this you receive. Ask yourself the following:

  • Do you have an account with this business? If so, is the email address the same email address associated with your account? Did you sign up to get email discounts from this company?
  • If the message claims to be from an individual, do you know this person? 
  • Did the email come to your junk or spam folder?
  • Does the message greeting address you by name?
  • For emails, hover over the sender’s email address and any links in the email to see where they lead. Do they look legitimate?
  • Hover over any attachment to see where the link goes. Does it look like a legitimate site?
  • Are there misspellings and awkward grammar?
  • Are you being asked for a payment you aren’t sure you owe?
  • Are you being threatened with lawsuits and penalties if you don’t immediately take action?

It’s best not to click on any links or attachments in messages if you can’t verify they are legitimate. If they claim to be from a company you know and do business with, do not click on a link in the email to log in to your account; instead, go to the company’s website to log in. 

It’s also important to know that most financial institutions and government agencies will not request personal information through emails, texts or other messages.

How to help protect yourself from phishing emails

Your email spam or junk mail filters may keep some phishing emails out of your inbox, but as scammers and hackers constantly try to get past those filters, you might consider some other ways to help protect yourself. These might include:

  • Using security software. Install security and anti-virus software on your computer, and set it to update automatically as new threats arise. You can also set automatic updates for apps or software updates on your mobile phone.
  • Using multi-factor authentication. Some accounts require more than a password to log in. The additional credentials might include a passcode sent to your phone or an authentication app or a scan of your fingerprint or face. This extra step makes it harder for scammers to access your accounts, even if they have your username and password.
  • Backing up your data. Copy your computer files and your phone data to an external drive or cloud storage. 

Help! I’ve been phished!

If you clicked on a suspicious link or attachment, here are some steps you can take: 

  • Disconnect your device from the internet as quickly as possible. Unplug the internet cable or disconnect it from your WiFi network. This may help reduce the risk of malware spreading to other connected devices and may prevent a hacker from remotely accessing your device.
  • Back up your files. In case you are the victim of a phishing attack, your data can be destroyed or deleted. Use an external hard drive, a USB drive or cloud storage to back up your device.
  • Scan your device with anti-virus or security software . You should be able to run the scan even if you aren’t connected to the internet. If you entered any personal information, such as a password, use an uncompromised device to change that password on any accounts.
  • If you entered a credit card or bank account number, contact your credit card company or financial institution.

If you believe information such as your credit card number, Social Security number or bank account details has been compromised, visit identitytheft.gov  to report the theft to the FTC and make a recovery plan.  

You might also want to consider placing a fraud alert or security freeze  on your credit reports with the three nationwide credit bureaus.

How to report phishing emails 

If you receive a phishing email or text message, you can report it and help fight phishing. Forward emails to the FTC at spam@uce.gov and the global Anti-Phishing Working Group at reportphishing@apwg.org. Text messages can be forwarded to SPAM (7726); standard messaging rates may apply. You can also report the phishing attempt to the FTC at ftc.gov/complaint  and to the Internet Crime Complaint Center at https://www.ic3.gov