Recognizing and Avoiding Phishing
How to identify phishing emails, messages, and websites to stay safe online. Learn the warning signs of scams and what to do if you click a bad link.
Phishing is a social engineering attack where bad actors impersonate trusted entities to trick you into revealing sensitive information like passwords, credit card numbers, or personal data. These attacks arrive through email, text messages, phone calls, and fake websites.
Check the sender address carefully
Phishing emails often come from addresses that look similar to legitimate ones but have subtle differences. Look for misspellings like [email protected] instead of [email protected], or extra domains like [email protected]. The display name can say anything, so always check the actual email address.
Hover over links before clicking
Before clicking any link in an email or message, hover your mouse over it to see the actual destination URL. On mobile, long-press the link to preview it. Legitimate companies will link to their own domains. Be suspicious of shortened URLs (bit.ly, t.co), links with long random strings, or domains that don't match the supposed sender.
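As an added example that is not part of this guide, the following Python checker applies the two rules above (check the real sender address, check where links actually go) to a constructed message. It assumes you already know the domain the organization really uses (for instance from a saved contact), and it flags a sender on any other domain, links that go through a URL shortener or off that domain, and link text that shows one domain while the link points to another. The message, the brand, and the shortener list are all constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (no real sender or brand) used to exercise the checks.
SAMPLE = """From: "Example Bank Support" <support@example-bank-login.net>
Subject: Unusual sign-in detected
Content-Type: text/html

<p>Confirm your identity at <a href="https://bit.ly/3abcXYZ">example-bank.com/secure</a></p>
<p>Questions? <a href="https://example-bank.com/help">our help center</a></p>
"""

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}  # URL-shortener hosts the guide warns about
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)  # simple, not a full HTML parser
LOOKS_LIKE_URL = re.compile(r"^[\w.-]+\.[a-z]{2,}(/|$)")

def domain_of(host):
    """Registrable domain, simplified to the last two labels (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def link_warnings(href, text, trusted_domain):
    """Warnings for one link: shortener, off-domain destination, or misleading link text."""
    host = urlparse(href).hostname or ""
    found = []
    if host in SHORTENERS:
        found.append(f"shortened URL hides the destination: {href}")
    elif domain_of(host) != trusted_domain:
        found.append(f"link points off-domain: {href}")
    shown = text.strip().lower()
    if LOOKS_LIKE_URL.match(shown) and domain_of(shown.split("/")[0]) != domain_of(host):
        found.append(f"link text {text.strip()!r} does not match destination {host!r}")
    return found

def check_message(raw, trusted_domain):
    """Return all warnings for a raw email. trusted_domain is the domain the claimed
    sender really uses, assumed known to the reader (e.g. from a saved contact)."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg["From"])
    warnings = []
    # The display name can say anything; only the address after '@' counts.
    if domain_of(addr.rpartition("@")[2]) != trusted_domain:
        warnings.append(f"sender {addr} is not on {trusted_domain} (display name {display!r})")
    body = msg.get_body(preferencelist=("html",)).get_content()
    for href, text in ANCHOR.findall(body):
        warnings.extend(link_warnings(href, text, trusted_domain))
    return warnings
```

Calling check_message(SAMPLE, "example-bank.com") produces three warnings: the lookalike sender domain, the shortened URL, and the link text that names a different domain than the one it points to.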
Watch for urgency and threats
Phishing messages frequently create a false sense of urgency: "Your account will be suspended in 24 hours," "Unusual sign-in detected," or "Confirm your identity immediately." Legitimate companies rarely threaten immediate account closure via email. If something seems urgent, go directly to the service's website by typing the address manually rather than clicking any links.
Never open unexpected attachments
Attachments in phishing emails can contain malware, ransomware, or scripts that compromise your device. Be especially cautious with file types like .exe, .zip, .scr, .js, and even .pdf or .docx files from unknown senders. If you receive an unexpected attachment from someone you know, verify with them through a separate communication channel.
Verify requests for sensitive information
No legitimate company will ask for your password, social security number, or full credit card number via email. If you receive such a request, contact the company directly using a phone number or website you know is real, not the contact information provided in the suspicious message.
Look for poor formatting and grammar
While phishing attempts have become more sophisticated, many still contain telltale signs: generic greetings like "Dear Customer," inconsistent formatting, unusual fonts, low-resolution logos, or grammar and spelling errors throughout the message.
Enable two-factor authentication
Even if you accidentally fall for a phishing attempt, two-factor authentication (2FA) adds an extra layer of protection. With 2FA enabled, attackers cannot access your account with just your password. Use an authenticator app rather than SMS-based 2FA when possible, as SIM swapping attacks can intercept text messages.
What to do if you suspect phishing
If you receive a suspected phishing message, do not click any links or download attachments. Report the email as phishing in your email client (most have a dedicated button), then delete it. If you already clicked a link or entered credentials, change your password immediately and enable 2FA. Monitor your accounts for suspicious activity and consider running a malware scan on your device.
Frequently Asked Questions
What should I do if I already clicked a phishing link?
Change your passwords immediately, starting with your email and banking accounts. Enable two-factor authentication where available. Run a malware scan on your device. If you entered financial information, contact your bank. Monitor your accounts for unusual activity over the next few weeks.
Can phishing happen through text messages?
Yes. This is called "smishing" (SMS phishing). Scammers send text messages with malicious links, often disguised as delivery notifications, bank alerts, or account verification requests. The same rules apply: do not click suspicious links, and go directly to the official website if you need to check something.
How can I tell if an email is actually from my bank or company?
Check the sender's full email address, not just the display name. Hover over any links to see the actual URL. Legitimate organizations will never ask for your password via email. When in doubt, open a new browser tab and navigate directly to the official website instead of clicking links in the email.