Recognizing and Avoiding Phishing

How to identify phishing emails, messages, and websites to stay safe online

Phishing is a social engineering attack where bad actors impersonate trusted entities to trick you into revealing sensitive information like passwords, credit card numbers, or personal data. These attacks arrive through email, text messages, phone calls, and fake websites.

Check the sender address carefully

Phishing emails often come from addresses that look similar to legitimate ones but have subtle differences. Look for misspelled domains (a letter swapped, dropped, or doubled in the company's name) and for the company's name appearing only as a subdomain of some other, unrelated domain. The display name can say anything, so always check the actual email address.

Hover over links before clicking

Before clicking any link in an email or message, hover your mouse over it to see the actual destination URL. On mobile, long-press the link to preview it. Legitimate companies will link to their own domains. Be suspicious of shortened URLs (bit.ly, t.co), links with long random strings, or domains that don't match the supposed sender.

Watch for urgency and threats

Phishing messages frequently create a false sense of urgency: "Your account will be suspended in 24 hours," "Unusual sign-in detected," or "Confirm your identity immediately." Legitimate companies rarely threaten immediate account closure via email. If something seems urgent, go directly to the service's website by typing the address manually rather than clicking any links.

Never open unexpected attachments

Attachments in phishing emails can contain malware, ransomware, or scripts that compromise your device. Be especially cautious with file types like .exe, .zip, .scr, .js, and even .pdf or .docx files from unknown senders. If you receive an unexpected attachment from someone you know, verify with them through a separate communication channel.
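The three checks above (sender address, link destination, attachment type) can be applied mechanically to a raw email. The following is an added example for this guide, not code from the original page: it parses a constructed sample message, compares the real From address and every link target against an assumed company domain, flags URL shorteners and links whose visible text disagrees with their target, and lists attachments with the risky extensions named above. EXPECTED_DOMAIN, the sample addresses and hostnames, and the tinyurl.com entry are assumptions, and registrable_domain is a crude "last two labels" approximation rather than a proper public-suffix lookup.

```python
"""Flag the phishing indicators this guide describes in a raw email.

Added example for this guide, not code from the original page. The message
below is constructed, and EXPECTED_DOMAIN is an assumed 'real' company domain.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED_DOMAIN = "example-bank.com"            # assumption: the brand's real domain
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}  # bit.ly and t.co from the guide; tinyurl.com assumed
RISKY_EXTENSIONS = (".exe", ".zip", ".scr", ".js", ".pdf", ".docx")  # types the guide lists
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: lookalike sender, shortened link, a link whose text and
# target disagree, a "brand as subdomain" link, and a risky attachment.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
To: customer@example.net
Subject: Unusual sign-in detected
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer, confirm your identity immediately:
<a href="https://bit.ly/3abcXYZ">https://www.example-bank.com/login</a></p>
<p>Or use our <a href="http://example-bank.com.verify-login.net/secure">secure portal</a>.</p>
</body></html>
--sep
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

Zm9v
--sep--
"""


def registrable_domain(host: str) -> str:
    """Approximate the 'company' part of a hostname as its last two labels.

    Good enough for .com/.net style names; real code would consult the
    Public Suffix List so that e.g. example.co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_verdict(host: str, expected: str) -> str | None:
    """Explain why a host is not the expected company domain, or None if it is."""
    reg = registrable_domain(host)
    if reg == expected:
        return None
    if expected in host:
        # The real name is present, but only as a subdomain of someone else's domain.
        return f"{host!r} embeds {expected!r} but is really under {reg!r}"
    return f"{host!r} is not {expected!r}"


def check_sender(msg: EmailMessage, expected: str) -> list[str]:
    """Compare the real From address (not the display name) with the expected domain."""
    display, addr = parseaddr(msg.get("From", ""))
    host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    verdict = domain_verdict(host, expected)
    return [f"display name {display!r}: {verdict}"] if verdict else []


def check_links(html: str, expected: str) -> list[str]:
    """Inspect each <a href> the way 'hover before clicking' would."""
    findings = []
    for href, text in HREF_RE.findall(html):
        host = urlparse(href).hostname or ""
        if host in SHORTENERS:
            findings.append(f"shortened URL {href!r} hides its destination")
        else:
            verdict = domain_verdict(host, expected)
            if verdict:
                findings.append(f"link {href!r}: {verdict}")
        # Link text that looks like a URL but points elsewhere is a classic disguise.
        shown = urlparse(text.strip()).hostname
        if shown and registrable_domain(shown) != registrable_domain(host):
            findings.append(f"text shows {shown!r} but target is {host!r}")
    return findings


def check_attachments(msg: EmailMessage) -> list[str]:
    """Flag attachment types the guide singles out as risky from unknown senders."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name!r}")
    return findings


def analyze(raw: str, expected: str = EXPECTED_DOMAIN) -> dict[str, list[str]]:
    """Run all three checks over a raw RFC 5322 message and group the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    return {
        "sender": check_sender(msg, expected),
        "links": check_links(html, expected),
        "attachments": check_attachments(msg),
    }


if __name__ == "__main__":
    for category, items in analyze(SAMPLE_EMAIL).items():
        print(category, items)
```

Run against the sample, the checker reports one sender finding (the digit-for-letter lookalike domain), three link findings (the shortener, the mismatch between the visible URL and the bit.ly target, and the brand name used as a subdomain of an unrelated domain) and one risky attachment. Nothing here replaces the manual habit the guide teaches; it only shows that each habit corresponds to a concrete, checkable property of the message.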

Verify requests for sensitive information

No legitimate company will ask for your password, Social Security number, or full credit card number via email. If you receive such a request, contact the company directly using a phone number or website you know is real, not the contact information provided in the suspicious message.

Look for poor formatting and grammar

While phishing attempts have become more sophisticated, many still contain telltale signs: generic greetings like "Dear Customer," inconsistent formatting, unusual fonts, low-resolution logos, or grammar and spelling errors throughout the message.

Enable two-factor authentication

Even if you accidentally fall for a phishing attempt, two-factor authentication (2FA) adds an extra layer of protection. With 2FA enabled, attackers cannot access your account with just your password. Use an authenticator app rather than SMS-based 2FA when possible, as SIM swapping attacks can intercept text messages.

What to do if you suspect phishing

If you receive a suspected phishing message, do not click any links or download attachments. Report the email as phishing in your email client (most have a dedicated button), then delete it. If you already clicked a link or entered credentials, change your password immediately and enable 2FA. Monitor your accounts for suspicious activity and consider running a malware scan on your device.

Frequently Asked Questions

What should I do if I already clicked a phishing link?

Change your passwords immediately, starting with your email and banking accounts. Enable two-factor authentication where available. Run a malware scan on your device. If you entered financial information, contact your bank. Monitor your accounts for unusual activity over the next few weeks.

Can phishing happen through text messages?

Yes. This is called "smishing" (SMS phishing). Scammers send text messages with malicious links, often disguised as delivery notifications, bank alerts, or account verification requests. The same rules apply: do not click suspicious links, and go directly to the official website if you need to check something.

How can I tell if an email is actually from my bank or company?

Check the sender's full email address, not just the display name. Hover over any links to see the actual URL. Legitimate organizations will never ask for your password via email. When in doubt, open a new browser tab and navigate directly to the official website instead of clicking links in the email.