Phishing is the most common form of cybercrime and it's getting harder to detect. AI tools now let attackers create personalized, convincing phishing emails in seconds using information from data broker sites. Here's how to recognize them and what to do.
What Phishing Is
Phishing is when an attacker impersonates a trusted entity — your bank, Amazon, the IRS, your employer — to trick you into clicking a malicious link, entering your login credentials, or providing personal information.
Classic phishing emails were obvious: poor grammar, generic greetings, suspicious sender addresses. Modern phishing, especially targeted attacks (called spear phishing), uses your name, employer, and recent activity to create messages that are nearly indistinguishable from legitimate ones.
How to Identify a Phishing Email
Check the sender's actual email address, not the display name. The display name can say "Amazon Customer Service" while the actual email is from amazon-support@gmail247.com. Always expand the sender field and read the actual address.
Hover over links before clicking. In most email clients, hovering over a link shows the actual URL in the status bar. If the link says "amazon.com" but the URL shows a different domain, it's phishing.
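The two checks above (real sender address behind the display name, and visible link text versus the real URL) can be automated for a saved message. The following is an added example, not code from the original article; the message it parses is constructed for illustration, and the display-name check is a simple word-match heuristic.

```python
import email, re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not a real message): a "trusted" display name on an unrelated
# address, and a link whose text names a different domain than its href. The second link is benign.
SAMPLE_EML = """\
From: "Amazon Customer Service" <amazon-support@gmail247.com>
Subject: Your account will be suspended in 24 hours
Content-Type: text/html; charset="utf-8"

<p>Please verify at <a href="http://amaz0n-verify.example.net/login">amazon.com</a></p>
<p>Or read our <a href="https://www.amazon.com/help">help pages</a></p>
"""
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None
def phishing_indicators(raw):
    """Return findings for a raw RFC 822 message: sender and link mismatches."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # Check 1 (heuristic): does any word of the display name appear in the real sender domain?
    name, addr = parseaddr(msg["From"])
    sender_domain = addr.rpartition("@")[2].lower()
    if name and not any(w in sender_domain for w in name.lower().split()):
        findings.append(f"display name {name!r} does not match sender domain {sender_domain!r}")
    # Check 2: if the visible link text looks like a domain, the href must go there or to a subdomain of it.
    collector = LinkCollector()
    collector.feed(msg.get_content() if msg.get_content_type() == "text/html" else "")
    for text, href in collector.links:
        shown = DOMAIN_RE.search(text.lower())
        real = (urlparse(href).hostname or "").lower()
        if shown and real != shown.group() and not real.endswith("." + shown.group()):
            findings.append(f"link text shows {shown.group()} but points to {real}")
    return findings
```

Running phishing_indicators(SAMPLE_EML) reports both the mismatched sender domain and the mismatched link, while the same message sent from amazon.com with a link to www.amazon.com produces no findings.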
Look for urgency. "Your account will be suspended in 24 hours" is a phishing red flag. Legitimate companies don't operate with artificial urgency.
Verify out-of-band. If you get an email claiming there's a problem with your bank account, don't click any links in the email. Go directly to your bank's website by typing the address yourself, or call the number on the back of your card.
SMS Phishing (Smishing)
Text message phishing — called smishing — is increasing rapidly. Common formats: "Your package is delayed, verify your address here," "Your bank account has been locked," or fake two-factor authentication requests. Apply the same skepticism as email: never click links in unsolicited texts. Go directly to the service's official app or website.
Voice Phishing (Vishing)
Scammers call you impersonating banks, government agencies, or tech support. They use your personal information (from data broker sites) to sound legitimate. Remember: your bank will never call you and ask for your full card number or PIN. Any caller asking for this information is a scammer, regardless of what number shows on your caller ID (which can be spoofed).
What to Do If You Clicked a Phishing Link
- Don't enter any information on the page you landed on
- Close the browser immediately
- Change your password for the account being impersonated
- Enable 2FA on that account if you haven't already
- Run a malware scan (Malwarebytes has a free version)
- If you entered payment information, contact your bank immediately
The Best Defense
Use a password manager — it will only autofill credentials on the legitimate domain, never on a lookalike phishing site. This alone prevents the majority of credential-harvesting phishing attacks.