How to recognize phishing scams and protect yourself against them

March 6, 2020
Most of us use emails and text messages on a daily basis; they are convenient, simple modern methods of communication. But for every legitimate message we send or receive, it seems like there are dozens of suspicious emails and fishy text messages that come our way. Phishing and other similar scams are an everyday occurrence and they're not just annoying - they're dangerous. We've all encountered them, and most of the time they're easy to spot and avoid. But they're getting trickier, and even the best of us can fall prey to their clever tactics if we don't know what to watch out for. Today, we'll show you how to recognize phishing scams and protect yourself against them!


What is a phishing scam and how do I recognize one?


The word "phishing" almost sounds made up, but it refers to a very real type of fraud. In a broad sense, phishing is any scam designed to steal sensitive information from you. What makes this unique, however, is that the scammer usually tries to trick you into giving that information up yourself. In order to understand how they do this, let's take a closer look at some of the more common types of phishing scams.

Email phishing


Email phishing is one of the more common types of phishing that people encounter. Basically, the would-be scammer sends the intended target an email that is designed to look as though it came from a trusted or reputable source. The email will either ask that you click a link within it to complete some urgent action, or ask that you answer some question by sending personal information.

For example, you might get an email that looks as though it came from Chase Bank saying that your account requires urgent action. They will then provide a link that you are meant to click. Sometimes, they'll set up a fake website designed to mimic Chase's login page. But when you enter your login credentials, it's not going to Chase - it's going to the criminal on the other end.

However, sometimes they don't need you to fall for their fake site. Sometimes, simply clicking the link is enough to compromise your device. Often, the website the email link takes you to will secretly install software on your computer designed to record your keystrokes, or monitor your activity with the hope of stealing your most sensitive information.

While email scams often target your personal email account, it is not uncommon for a criminal to go after a business. These can be especially tricky because employees often receive a large number of emails on a daily basis. The scammer simply has to make the email seem legitimate enough for an unsuspecting employee to bite, and then the entire company might be at risk.

Imagine you're on your work computer and you get an email that says, "Hey Tom, I was hoping you could review this document before I send it off." Attached is what appears to be a perfectly normal Word document or a link to a document online. However, after clicking it, your computer is turned into an open door to your company's secure network.

This happens more than you might think, and it's not just small businesses that are targeted. In fact, one phishing scam was so convincing that the criminal was able to convince Google employees to send them millions of dollars in response to a fake invoice.

"Smishing," fake text messages, and text message scams


If you thought phishing was a strange word, you're sure to love "SMiShing." This term is a mashup of "phishing" and "SMS texting" and refers to phishing scams conducted through text messages. In recent years, these scams have become more common as our preferred method of communication shifts towards texting.

These days, texting isn't just for talking to your friends and family. We receive all sorts of notifications from legitimate sources like banks and credit cards. That's why it's important to be especially careful when you get a text message from a source you don't know.

Smishing scams are often designed to look as though they come from important organizations demanding some immediate action. For example, you may get a message claiming that your email or cloud storage account has been hacked or that your bank account has been compromised. They can be fairly convincing and even appear to come from Apple, Google, the IRS, or the Social Security Administration. But sometimes, they can even pose as an old friend, asking for money or even offering to transfer money to your digital wallet. They'll often ask you for personal information or hope that you'll click a link within the message. Sometimes, they'll even try and get you to download a harmful app.

How can I avoid phishing scams and protect myself from them?


So at this point, you may be asking yourself, "If these scams are so convincing, how can I protect myself from them?" Next, we'll discuss some key details that can be used to spot phishing scams and what you should do if you suspect you have been targeted by one.

How to protect yourself from email phishing


Check the source. Before opening an email, ask yourself if you know the sender or recognize the email address. If you don't, it's best not to open the email or click links within. Even if you recognize the name associated with the email, it's still important to check the actual address. If an email claims to be from Google, it probably won't be coming from something like "jonsmith123@gmail.com."

But it isn't always that obvious. You may see email addresses that are very close to the real thing, but are off by a letter or two, for example "customerservice@gooogle.com" or "support@applle.com." Simply inspecting the email address can save you from a good portion of scams that come your way.
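The sender check described above can be automated on a mail gateway or in a triage script. The following is an added example, not part of the original article: the allowlist, the two-character threshold, and the function names are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Assumed allowlist for this example: brand name -> domain it really sends from.
TRUSTED = {"google": "google.com", "apple": "apple.com"}


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Classify a From: header: trusted, lookalike, brand-mismatch or unknown."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if not domain:
        return "unknown"
    if any(domain == d or domain.endswith("." + d) for d in TRUSTED.values()):
        return "trusted"
    # One or two characters off a real domain: "gooogle.com", "applle.com".
    if any(edit_distance(domain, d) <= 2 for d in TRUSTED.values()):
        return "lookalike"
    # The display name claims a brand, but the address is hosted elsewhere.
    if any(brand in display.lower() for brand in TRUSTED):
        return "brand-mismatch"
    return "unknown"


# Addresses from the article; the display name and last entry are constructed.
SAMPLES = [
    "customerservice@gooogle.com",
    "support@applle.com",
    "Google <jonsmith123@gmail.com>",
    "no-reply@accounts.google.com",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{check_sender(s):15} {s}")
```

A "trusted" result only means the domain is spelled correctly; the From: header itself can be forged, so this check complements the other steps in this list rather than replacing them.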

Look for errors and unusual language. Sometimes, email phishing scams are obvious and easy to spot. You'll see misspelled words or sentences that don't seem right, or the email will just look fishy (pun intended). This, of course, doesn't necessarily mean it's a scam, but it's unlikely that Bank of America will send an email chock-full of errors. On the other hand, just because an email is error-free doesn't mean it's safe, either.

Understand what types of emails a company won't send. Sometimes phishing scams look exactly like an authentic email. In such cases, the content of the message may be the only way to tell it apart from a real one. Because phishing is such a common practice, many companies will tell you outright that they never ask for certain details like passwords. No matter how real it may seem, the IRS will never contact you unprompted. You should be immediately suspicious of any email asking for personal information. Remember, never send passwords and other private details over an email.

When in doubt, call the company. If you receive any email from a company (like AT&T for example) that seems suspicious, you should always reach out to them directly to make sure it's real. Call their customer service line or open a new internet browser window and navigate directly to their website. From there, you can inquire about any action they've asked you to take.

Check that URL. If an email asks you to click on a link to take some action, take a moment to inspect the link. It is possible (and in fact very easy) to have a link display one address, but secretly take you to another URL. You can check this by simply hovering your mouse over the link (without clicking it). The true URL should present itself, either in a section at the bottom of your browser, or even in a small text box above your mouse cursor.

Think before you click! Even legitimate emails will sometimes provide a link or button for you to click. For example, your credit card company might send you electronic statements and provide a link for you to log in and view the details. While clicking that button is certainly convenient, it's much safer to open a new browser window and navigate there manually.

Beware attachments. Downloading a malicious file attached to an email can be devastating. Scammers will often send harmful programs disguised as images, videos, or other documents. If an email has an attachment, before downloading it, ask yourself if you were expecting something in the first place. If you were, consider contacting the sender to confirm its legitimacy. If you have antivirus software, it often has the ability to scan files before you download them. It can't catch every malicious file, so it's important to use your best judgement, too.

Ask your IT department. If you're in a work environment or on a company device and receive a suspicious email or attachment, make sure to contact your IT department before clicking it. Tell them that you suspect the email is a phishing scam so that they can inspect it. It only takes one mistake to compromise an entire corporate network.

Delete it! If you suspect that an email is a scam or might potentially contain something harmful, consider simply deleting it. Ask your coworker to resend the email, ask your mom to resend the Christmas photos, or check with a bank or business to see what it was they needed to talk to you about. The point is, there are very rarely emails that can't be resent. However, once you've clicked a malicious link, there's no going back.

How to protect yourself from SMiShing and text message scams


Check the number. Do you know who sent you this text message? While we often receive text messages from unknown numbers (like bank alerts), you should still be suspicious and avoid interacting with them.

Don't open links or attachments. If you receive a suspicious text, the last thing you should do is open any attachments or click any links, videos, or images contained within. Like a malicious link within an email, a link within a text message can wind up infecting your phone with harmful software.

Don't respond. With all of the texts we get on a daily basis, it can be tempting to simply try and get them to go away. That's why most people respond "STOP" when the option is given. When this is in response to a text from a real source, it usually works and the messages stop. However, if a scammer is on the other end, you're giving them confirmation that your number is active and they'll likely continue to send fraudulent messages, hoping you'll slip up. Before responding to a suspicious text, take a moment to search for the number online. If it's real, you'll usually be able to figure out what company it's connected to.

Beware urgent language. Many scammers will try to impart a sense of urgency upon you with text scams. Their hope is that this will knock you off balance and prevent you from taking the time to consider whether or not the message is fake. If you're worried that something requires your immediate attention, take a few more moments to call the relevant person or organization to confirm.

Beware friendly language. These scams don't always try and leverage urgency or fear. Sometimes, they'll use friendly language to try and trick you. They may even use your name to give it a more personal feel. Don't let this fool you into letting your guard down.

Don't send personal information. To some, text messages seem like a more secure method of communication. This couldn't be further from the truth. Regardless of who the message is from (or appears to be from) never share personal information through a text message.

Update your phone. Scammers often take advantage of weaknesses in older operating systems. That's why it is essential to keep your phone's software current.

Delete it. When in doubt, deleting a suspicious text message is the safest way to ensure that you, your phone, and your information are safe.

How to report phishing and smishing scams


Contact the FCC. The Federal Communications Commission does its best to combat smishing and other text message scams. If you're having problems with suspicious or fraudulent text messages, you can file a complaint by visiting their website. While this won't necessarily guarantee that they will stop, it gives them information they can use to combat these criminals.

Contact the IRS. Phishing scams that appear to come from the Internal Revenue Service are incredibly common. They come in all forms, including emails, text messages, and even phone calls. If you are having issues with any one of these, you can find detailed instructions on how to report it by visiting their website. 

Contact your wireless carrier. Mobile service providers take scams seriously. If you're receiving suspicious text messages, you can forward the message to 7726 ("spam") to file a report. Most providers (like AT&T, Sprint, and Verizon) will take reports sent to this number, but you can always call your provider's customer service line to find out how they can help.

Block the number or email. Lastly, if you can't seem to catch a break from the phishing scams, you can try blocking the numbers on your phone. Most email services also have the ability to block problematic email addresses or allow you to report certain messages as spam.

by Geoff Ullrich

About the Author

Geoff Ullrich is a writer and Content Marketing Specialist at Germania Insurance.