In this article:
Identity theft and fraud protection for your finances, personal info, and devices.
Do You Know How To Spot a Phishing Attack?
When Jenny Smith updated the payment information on her Microsoft account, she never thought that she — along with others at the small marketing agency that she runs — would get locked out of their email accounts for 22 days [*].
But fraudsters posing as Microsoft support agents had tricked Jenny into giving up her email password. Then, they proceeded to send over 21,000 spam emails from her account, forcing her provider to lock her out — and grinding her business to a halt.
These scams — known as phishing attacks — are widespread. And they don’t just happen through emails.
Different types of phishing attacks across email, phone calls, social media, and SMS messages cost individuals and businesses billions in losses every single year, according to the FBI [*].
In this guide, we’ll cover how phishing attacks work, the most common types of phishing attempts, and what to do if you’ve been the victim of phishing.
How Do Phishing Attacks Work?
Phishing attacks occur when scammers pose as trustworthy individuals, businesses, or government agencies and attempt to trick you into giving up sensitive information or sending them money.
Phishing messages often include links to fake websites that steal your login credentials and financial information or even infect your device with malware — giving scammers full access to your files.
The goal of these phishing attacks is often one of the following:
- Steal your personal information. Phishing attacks often seek to get you to give up or “verify” personal data, which could lead to identity theft. Scammers are usually after your Social Security number (SSN), Medicare number, or your credit card and other financial information.
- Trick you into sending them money. Some phishing emails pressure you into wiring money, sending checks, or using payment apps like Zelle or Cash App to send payments that can’t easily be reversed. In many cases, the attackers threaten you with legal action or arrest if you don’t pay them.
- Gain access to your online accounts. Links in phishing messages may take you to a fake website that looks like a legitimate login page. But in reality, it’s designed to steal your credentials and give scammers access to your online accounts (such as your email, bank, or social media).
- Break into your work email or network. Business Email Compromise (BEC) is a $43 billion problem [*]. Cybercriminals use phishing campaigns to gain access to your work email account or company network. They might trick your co-workers into clicking on a link or opening an attachment in phishing emails. Then, they can snoop around, steal data, or plant malware.
- Convince you to give up remote access to your computer. Phishing emails or calls claiming to be from tech support agents may ask you to give them remote access to your computer. If they get access, they can install malware, steal your files, or watch your activities.
- Infect your device with malware. Phishing messages may contain links or attachments that infect your device with malware. These programs can track your keystrokes, take screenshots, or even turn on your webcam or microphone without your permission.
Scammers know that phishing is often their best strategy when it comes to stealing your login credentials, financial information, or access to your business’ sensitive data. And they’re always coming up with new phishing messages and approaches to target your vulnerabilities.
Do this now! Check if your sensitive data is on the Dark Web
Scammers don’t just use phishing attacks and data breaches to break into your accounts — they often sell your data to other hackers and fraudsters on the Dark Web.
The Dark Web is a network of anonymous sites, forums, and online marketplaces that are only accessible using special browsers, such as TOR. Hackers and scammers use the Dark Web to buy, sell, and swap sensitive data — including your SSN, bank account numbers, email, and more.
Unfortunately, few people know if their data is on the Dark Web — until it’s too late.
A Dark Web scanner checks your email address against known data breaches and Dark Web forums and marketplaces.
👉 Try Identity Guard’s free data breach scanner now to see if you’re at risk of identity theft or financial fraud.
Scanning the Dark Web is one of the only ways to tell if your personal data has been leaked and if you are at risk of phishing attacks or worse.
The 11 Latest Types of Phishing (and How To Spot Them)
- Email phishing
- Spear phishing
- Whaling (i.e. executive phishing)
- Angler phishing
- Search engine phishing
- Watering hole phishing
- Tech support phishing
- Clone phishing
Watch out for these common types of phishing attacks scammers use to trick you into giving up sensitive information, money, or more.
1. Email phishing
Email phishing is the most common type of phishing attack. A recent survey found that 80% of people were targeted by a phishing email in 2021 — up 46% from 2020 [*].
Phishing emails appear legitimate, but contain links to malicious websites that infect your device with malware. If you click on the link, you’ll be taken to a fake website that asks for personal information, such as your login credentials, SSN, or credit card numbers.
Here’s an example of a phishing email:
In this malicious email, phishers impersonated Bank of America and claimed that the victim’s account would be suspended if they didn't download and fill out the attached document.
This is a common phishing tactic aimed to scare users into clicking on suspicious links or taking actions that they otherwise wouldn’t.
How to identify a phishing email
- Check the sender’s name and email address to ensure that it’s coming from an official domain. For example, all legitimate Bank of America emails must come from “[name]@bankofamerica.com.”
- Look out for a lack of personal information, such as your full name or account number. Scammers send thousands of phishing emails, hoping that a small percentage of recipients will click on their links.
- When in doubt, contact the company directly. Don’t click on links or download attachments. Instead, log in to your account directly or call the company’s phone number listed on its website to ensure that the message is legitimate.
2. Spear phishing
While phishing attacks are vague messages sent to thousands of people in hopes that a few may respond, spear phishing uses highly customized messages to target specific individuals. For example, a spear phishing attack may claim to be from someone you trust personally, like your boss or a colleague.
A whopping 65% of scammers use spear phishing in targeted attacks [*].
Here’s an example of spear phishing:
A spear phishing email or text may impersonate a CEO or other supervisor in your company and ask you to do a “small favor.” The “favor” can be anything from buying gift cards to paying invoices that disburse money to fake companies. The scammers always claim to be busy, which is why you can’t call them.
How to identify spear phishing
- You receive a request from someone you know, but from an email or phone number that you don’t recognize. This is a clear warning sign. When in doubt, contact the person directly to be sure, and use a trusted method of communication.
- You’re asked to buy gift cards and provide the sender with the numbers and PIN codes on the backs of the cards. Scammers love gift cards because they’re nearly untraceable — and impossible to refund once redeemed.
- The sender claims they can’t speak on the phone — but that the request is urgent. Never buy gift cards, send invoices, or give up sensitive information without confirming the validity of the message.
💡 Related: Facebook Messenger Scams: What Are They & How To Avoid Them →
3. Whaling (i.e. executive phishing)
A whaling attack — also known as CEO fraud or executive phishing — is a phishing scam that targets high-profile individuals, such as CEOs, CFOs, and other executives.
During a whaling attack, scammers send emails that attempt to get executives to give up sensitive information, pay fake invoices, or download malware.
Here’s an example of a whaling attack:
In November 2020, the co-founder of an Australian hedge fund, Levitas Capital, clicked on a fake Zoom link that installed malware on the company’s network [*]. The attackers attempted to steal over $8.7 million through fraudulent invoices, and got away with $800,000.
The attack hit the fund's reputation significantly, causing Levitas to lose its biggest client — forcing them to close.
How to identify whaling
- You receive an “urgent” request from someone claiming to be an executive, either asking you to change payment details on an invoice or wire money. Beware of any email that uses a subject line that strikes urgency, such as “Request,” “Follow Up,” or “Urgent.”
- Never click on links or download attachments from unsolicited emails. Scammers often disguise malware as invoices or “sensitive information” about an employee to fool you into clicking on the links.
Smishing is a phishing attack in which the scammer sends a text message (SMS) instead of an email. While the medium is different, the goal is the same: to trick victims into giving up sensitive information or doing something that gives the attacker access to their system.
Since 2020, the number of smishing attacks has grown by more than 328%, with people losing over $3.5 billion [*]. Common smishing attacks come from fake companies either trying to collect debts or pretending to be financial institutions.
Here’s an example of smishing:
In the example above, the hackers sent a text message claiming the recipient’s Netflix account would be canceled if they didn’t update their account information. But if the victim clicks on the link, they’re taken to a fake Netflix login page that sends their account details to the scammer.
How to identify smishing attacks
- You receive an unsolicited text message claiming to be from a company or government agency. In actuality, these organizations rarely text you without your explicit permission. If you’re not expecting the message, it could be a scam.
- The message contains a shortened, suspicious link. If you don’t know where the link is taking you, it’s most likely a scam.
- The message tries to create a sense of urgency, either by claiming you’ll owe money, lose access to an account, or miss out on a prize if you don’t click on the link. If you think the message could be legitimate, reach out to the company directly using the contact information on its official website.
Vishing — a shortened version of “voice phishing” — includes any phone call scam in which fraudsters try to steal your sensitive information or get you to send them money. Nearly one in three Americans fell victim to vishing in 2021, collectively losing up to an estimated $9.8 billion [*].
During a vishing attack, scammers pose as a trusted entity, such as a bank or a government agency, and use social engineering attacks to pressure the victim into disclosing private information.
Here’s an example of vishing:
The voicemail transcript above shows a vishing attempt from a hacker posing as someone from the Amazon fraud department. The attackers are hoping to get the potential victim on the phone to update payment details or to continue duping the victim with some other phone scam.
How to identify vishing attacks
- You receive an unsolicited call from a number you don’t recognize. Don’t blindly trust your caller ID, either. Scammers can spoof phone numbers to make them look like they’re coming from trusted callers.
- Vishing campaigns are common during times of stress, like tax season. Be wary if a government organization like the IRS “calls” you for information. These organizations will almost never call you unless you’ve given them permission or have specifically requested that they call you.
- Never give out personal information over the phone — especially if someone calls you. Instead, always hang up and call back the official phone number of the company from which they claimed to represent so that you can make sure the call was legitimate.
💡 Related: What To Do If a Scammer Has Your Phone Number →
6. Angler phishing
Angler phishing is a type of attack that targets users on social media. Attackers impersonate representatives of a big company, like PayPal, to gain information about you. More than 55% of these attacks come from fraudsters posing as financial institutions [*].
Here’s an example of angler phishing:
This example showcases a Twitter user sharing a bad experience with PayPal — and what almost looks like PayPal responding back.
However, if you pay close attention, you’ll see that the handle is @AskPayPal_Tech, and they’re not verified. They’re also sharing a short link for the victim to input personal information, which is another big red flag.
How to identify angler phishing
- Check to see if the suspicious account is verified. Major brands that use social media for customer support will always be verified or have a handle that’s linked to the main account’s bio. For example, check @PayPal’s account to see if it lists the account that’s messaging you.
- Beware of shortened links, and avoid clicking on them. If you do, don’t enter personal details or account credentials until you confirm that you’re on the company’s official website.
- Take customer service issues directly to a company’s website. Never trust responses from a social media account.
💡 Related: Social Media Security: How To Secure Your Social Accounts →
Pharming is an extremely technical form of phishing that can be difficult to identify. In a pharming attack, hackers hijack a domain name server (DNS) and redirect users from the actual website to a malicious site instead.
These attacks are difficult to execute and hard to identify because the URL in the address bar is the same as the real site. Insidiously, the scam happens behind the scenes of your web browser.
Here’s an example of pharming:
The most famous example of pharming happened in 2007 when 50 financial institutions were targeted at once [*]. Hackers created lookalike websites for each of the banks they targeted, making it look like they were the actual websites. Over three days, thousands of people entered their account details and login information to the fake websites.
How to identify pharming attacks
- Use safe browsing software to warn you if you’re entering a potentially dangerous website. Every Identity Guard membership comes with safe browsing tools to protect you online.
- Make sure the website you’re on has HTTPS — or a lock icon near the URL — to ensure that it’s using a secure connection. This isn’t a foolproof way to protect yourself from phishing websites, but it can offer an early warning sign that your sensitive information could be at risk.
- Look for any website design inconsistencies, like mismatched colors, incorrect fonts, or low-quality images. These can signal that you’re not on the company’s official website.
8. Search engine phishing
Search engine phishing — also called SEO poisoning — occurs when cybercriminals create fake product pages and get them to rank on legitimate search engines; or, they run search engine ads so that you’ll find their fake pages on your own.
These sites often promote ridiculously good deals and low prices. But if you enter your payment information, it goes straight to the scammer. Google said it detected 25 billion spam web pages each day in 2020 alone [*].
Here’s an example of search engine phishing:
Cryptocurrency exchange site Coinbase recently shared a PSA with its users about a search engine phishing scam targeting their business [*].
Coinbase’s legitimate login page in search results looks like this:
However, scammers created lookalike login pages in hopes that users would share their login credentials with the cybercriminals.
How to identify search engine phishing
- Always make sure you’re logging in to a site using their official domain. For example, a Coinbase login page should always be on “www.coinbase.com.”
- If you see a search engine ad for a deal that seems too good to be true, it probably is. Check other reputable websites or online stores to see if you can find the same deal.
9. Watering hole phishing
Watering hole phishing is another high-tech scam in which attackers target high-traffic websites (like government or healthcare sites) and infect their IP addresses with malicious code. Anyone who visits these infected websites gets malware on their device right away.
Here’s an example of watering hole phishing:
One infamous attack occurred in 2019, targeting religious and charity groups by prompting users to visit certain sites to update Adobe Flash [*]. By accepting this prompt, malware was immediately installed on the users’ devices. This attack was live for several months before it was discovered.
How to identify watering hole phishing
- Browsers like Google Chrome are good at detecting malicious code. If you receive a warning not to enter a website, do not proceed.
- Keep an active firewall on your device to avoid getting malicious software installed without your knowledge.
10. Tech support phishing
Tech support phishing scams occur when hackers reach out via email, pop-up, or another mode of communication to claim there’s an issue with your software or device. Scammers may claim your device is infected with malware or that it will be locked until you call their support number.
Then, they either ask for a large fee to “fix” the issue, or convince you to download software that gives them remote access to your device.
Here’s an example of tech support phishing:
Scammers regularly use pop-ups that claim your device has been infected with malware to scare you into calling them. In this case, hackers impersonated Microsoft tech support to build trust before starting their scam.
How to identify tech support phishing scams
- Never trust a message, pop-up, or website that claims your device is infected with malware. No one can tell you this without direct access to your device.
- Don’t download remote access software, such as AnyDesk or TeamViewer. These applications give hackers remote access to your device — which they can use to spy on you, steal information, or break into your bank accounts.
- Beware if a customer support agent requests payment for their services. Almost every major company offers its support for free. If someone wants payment — especially via gift cards, wire transfers, or payment apps — it’s a scam.
11. Clone phishing
Clone phishing is a newer type of phishing attack in which scammers reply to email messages with the same email — but swap out the original attachment with malware.
For example, let’s say your business regularly sends documents that need to be signed for new clients. A scammer will go through the process but send back your email with an attachment that looks like the signed document, but is really malware.
In other cases, scammers recreate common email messages sent by a business (such as a password reset request or one saying “click here to view a message from customer support”). Then, they’ll include malware where the legitimate link should be.
Here’s an example of clone phishing:
Most people are familiar with the way an email from Apple looks. Apple sends confirmation emails after each purchase in the App store.
In this example, the scammer has cloned an App store confirmation email to make it look like you’ve been charged for an app you didn’t download. The only way to “dispute” the charge is to click on a malicious link.
How to identify clone phishing
- Be suspicious of any unexpected invoices or charges. Always log in to your account directly (on the official website or app) to check if the charge was actually made.
- Use antivirus software to protect your devices from malware. You can also hover over any suspicious links to see if they match the sender’s domain.
- Look for other signs of a phishing email, such as a strange or unexpected “From” email address, poor design, or spelling and grammatical errors.
Were You the Victim of a Phishing Attack? Do This!
If you fell victim to a phishing attack, don’t worry. There are steps you can take to minimize the damage or gain back access to your accounts.
If you gave scammers your sensitive information:
- Freeze your credit so that scammers can’t open a new line of credit under your name.
- File an official identity theft report with the Federal Trade Commission (FTC) at identitytheft.gov.
- Change all of your passwords and enable two-factor authentication (2FA) to secure your accounts.
- Consider signing up for identity theft protection to monitor your accounts and alert you to signs of fraud.
If you sent scammers money, gift cards, or cryptocurrency:
- Report the scam to the authorities to see if they’re able to help.
- If you sent money via bank transfer, your bank may be able to help you recoup those funds.
- If you sent money via gift cards or cryptocurrency, you’re unlikely to get those funds back.
- Consider looking into financial and/or emotional support offered for scam victims.
If you entered your passwords onto a phishing website:
- If this was done at work, immediately contact your IT department to prevent a data breach.
- Disconnect your device from the internet and back it up.
- Scan your device for malware or ransomware — if you find any, delete or remove it from the device.
- Change all of your passwords to be more secure.
- Turn on two-factor authentication (2FA).
- Set up a fraud alert with all three credit bureaus (Experian, TransUnion, and Equifax), and consider filing an identity theft report with the FTC.
If you downloaded an attachment or clicked on a link:
- Again, if you did this on a work email, contact your IT department before anything else.
- Disconnect your device from the internet, either by turning off Wi-Fi or manually disconnecting the ethernet cable.
- Scan your device for malware or ransomware and remove any that you find.
- Change all of your passwords and enable 2FA.
If you gave scammers remote access to your computer:
- Immediately disconnect your device from the internet.
- Scan your device for malware or ransomware. Delete anything you find that shouldn’t be on your device.
- Use a different device to change all of your passwords and turn on 2FA.
- Back up your computer and essential files.
- Completely wipe the device and restore it to factory settings.
- Freeze your credit, and order new debit/credit cards.
- Monitor your accounts manually, or sign up for account monitoring and fraud alerts.
- Report the scam to ReportFraud.ftc.gov.
How To Protect Yourself From Phishing
- Double-check all “from” email addresses. If you’ve received an email saying your payment was declined or are asked to log in to your account, make sure it’s coming from the company’s official domain.
- Don’t click on suspicious links. Every time you receive a random email about your account (or communication from a brand you didn’t subscribe to), pause before clicking on anything. Do your due diligence to make sure it’s accurate. Or log in to your official account by opening a new tab and going to the website yourself rather than clicking on an email link.
- Set strong passwords. Use a combination of lowercase and capital letters, numbers, and symbols to create strong passwords. Try not to use the same password for multiple accounts.
- Use cybersecurity software. Download security software on your devices, and keep it up to date so that you can easily discover if scammers have gained access to your device and uploaded malware.
- Use multi-factor authentication (MFA). Don’t make it easy for anyone (other than you) to gain access to your accounts. Enable multi-factor authentication on all accounts.
- Freeze your credit. A credit freeze can help stop scammers from opening new accounts or taking out loans in your name. Contact each of the three major credit bureaus — Experian, Equifax, and TransUnion — and request a freeze.
- File an identity theft report with the FTC. Filing an official report at identitytheft.gov provides you with a recovery plan and is essential when disputing fraudulent charges.
- Back up your data regularly. Keep a regular backup of your files in case you need to wipe your device in the event of a cyberattack.
The Bottom Line: Don’t Fall for Phishing Scams
Be vigilant with your internet use. Cybercriminals are everywhere, so it’s key to be wary of suspicious emails, malicious links, and other attempts to gain access to your sensitive data.
For added protection, consider signing up for Identity Guard to monitor your accounts, protect your finances, and warn you of phishing websites.