What Is Phishing? Recognize It and Avoid Scams

Something’s fishy about that email message. Or is it phishy? Either way, don’t take the bait.

Guest post from Laura Harris

Social engineering comes in many forms. One of the most common is called phishing, which often leads to many more attacks. Here’s how it might start:

  • An email from a supply company warns that you haven’t paid your invoice. The message usually includes a link and maybe offers a discount if you pay it ASAP. It might even include a PDF of the invoice. But do you have an account with that company?

  • The email is from someone in HR telling you to review the policy changes to your employer’s 401(k) program. They just need you to provide your e-signature to confirm you’ve read the material.

  • It’s an alert from your email host warning you that someone is trying to change your password. But something just doesn’t feel right in the message or the sender’s email address.

Welcome to the World of Phishing Scams

Phishing is a cybercrime and an attack, but it may not appear that way at first glance. The fraudster hopes you won’t notice any peculiarities in the exchange until it is too late. They may even rely on wearing you down with repetitive messages until you decide to click on a link to figure out what’s happening.

Phishing attempts arrive through different channels and can look like any other message you’d expect from a friend or an online business.

The term phishing is easy to remember because of the play on words: bad actors are fishing for a victim. They send out thousands of emails hoping the numbers will work in their favor: someone will believe the email and click through, compromising their data and letting the attackers take over.

Scammers often use names of trusted organizations to try to get would-be victims to click on a link. The link may lead to a fake website that mimics the original site in an attempt to steal login credentials. (This is called spoofing.) Or the link may trigger a download of malware that will infiltrate the victim’s computer, stealing information and more.

Phishing emails are not what they claim to be, making them very dangerous. Your best action is to discard them immediately.

Common Phishing Tactics

A phishing email will make every attempt to appear as legitimate as possible. Techniques designed to fool the target include:

  • Using a name that appears to belong to a trusted sender. Examples include:

    • Social media platforms such as Instagram, TikTok, and Facebook.

    • Technology companies offering assistance, like Microsoft, Google, or Zoom.

    • Commerce sites like Amazon and eBay.

  • Creating web addresses that are similar to the real business.

    • Adding IT-, IThelp-, MemberAlerts-, customerservice-, or another word to the real organization’s name.

    • Using the real company’s name as a subdomain of a fraud site, as in target.badphishers.com.

    • Combining letters and numbers to look like other words. An “r” and an “i” can look like an “n,” and a lowercase “l” can pass for the number one (1) or a capital “I.”

  • Mimicking documents that require verification, such as HR, insurance, invoices, or tax documents.

Five Red Flags of Phishing Messages

  1. The sender’s address in the “from” field doesn’t match the company name.

  2. The message tries to create a sense of urgency, emphasizing the importance of time and the need to act quickly.

  3. Poor grammar, misspellings, or misused names in the text. (AI is helping scammers improve their writing, however.)

  4. Changes in font type and size throughout the email.

  5. Low-resolution logo graphics or incorrect colors.
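One way to turn the look-alike address tricks from the tactics list above and red flag #1 (a “from” address that doesn’t match the claimed company) into an automated check. This is an added example, not code from the original post; the trusted-domain list, the table of confusable characters, and the sample From: headers are constructed for illustration and would be replaced by an organization’s own vendor list in practice.

```python
from email.utils import parseaddr

# Constructed trusted-domain list for this example; a real check would load
# the organization's own vendors and service providers from configuration.
TRUSTED_DOMAINS = {"amazon.com", "microsoft.com", "ebay.com", "drindle.example"}

# Look-alike swaps (assumed set): "rn" reads as "m", a lowercase "l" passes
# for the digit 1 or a capital "I". Both sides are normalized before
# comparison, so "arnazon" and "amazon" collapse to the same string.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"), ("0", "o"))

def normalize(label: str) -> str:
    """Collapse look-alike character sequences to one canonical spelling."""
    label = label.lower()
    for lookalike, canonical in CONFUSABLES:
        label = label.replace(lookalike, canonical)
    return label

def registrable(host: str) -> str:
    """Last two labels of a hostname (adequate for .com-style domains)."""
    return ".".join(host.lower().split(".")[-2:])

def phishing_flags(from_header: str) -> list[str]:
    """Return the red flags a From: header raises against TRUSTED_DOMAINS."""
    display, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2].lower()
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return []  # mail.amazon.com etc. really belong to the trusted domain
    flags = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]  # "amazon" from "amazon.com"
        # target.badphishers.com pattern: brand is a subdomain of another site
        if brand in host[: -len(reg)].split("."):
            flags.append(f"{brand} used as subdomain of {reg}")
        # IT-, customerservice- etc. glued onto the brand in the domain itself
        elif brand in reg.split(".")[0]:
            flags.append(f"{brand} embedded in unrelated domain {reg}")
        # arnazon.com, m1crosoft.com: same spelling once confusables collapse
        elif normalize(reg) == normalize(trusted):
            flags.append(f"{reg} is a look-alike spelling of {trusted}")
        # red flag #1: the display name claims the brand, the address does not
        if brand in display.lower():
            flags.append(f"display name claims {brand} but address is @{host}")
    return sorted(flags)
```

A mail gateway or triage script would run this over the From: header of each inbound message and route anything with a non-empty result for closer review rather than blocking outright.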

But Wait, There’s More: Spear Phishing

Another type of phishing attack targets specific people to obtain particular or sensitive information. While phishing is more generic, spear phishing targets are carefully researched based on their connections, positions within a company, or potential access. The email is customized to appeal to them and requests something that only they can do. Similarly, a business email compromise (BEC) is a spear phishing attack targeting an employee who can initiate a transaction or provide sensitive data.

A Spear Phishing Example

Mary works as an executive assistant to the CEO of Drindle Co. She receives an email from the CEO, asking her to pay the attached invoice immediately. The email says the bill slipped through the accounts receivable process, but they know Mary can get it handled quickly.

Later, when the CEO calls to ask Mary about another topic, Mary mentions she can’t find the vendor in the payment system. Her boss has no idea what she is talking about and denies sending the email when she explains further. When she looks more closely at the original email, she sees that it’s not actually from her boss’s address but rather one that looks very similar. She reports the incident to the IT department.

Bad actors study people on LinkedIn and other platforms to identify their connections and how to leverage their networks. They can create fake websites and emails to appear as close to the source as possible.

If an email looks suspect, look more closely. Before replying, sending money, or sharing information or credentials, reach out to a manager, coworker, or IT to verify the request. In fact, don’t hit “reply” at all. Pick up the phone, send a text or DM, start a new email, and add a contact from your address book — better yet, type it in manually.

The Alphabet Soup of Phishing

Other varieties of social engineering and phishing we’ll cover in upcoming posts include:

  • Vishing uses phone calls or voicemail to try to steal information. Callers often impersonate law enforcement, bank employees, or relatives.

  • Smishing uses SMS or text messages, such as those about unpaid tolls or suspected credit card fraud.

  • Quishing uses QR codes to take targets to a fake website that has malicious code to steal login credentials or install malware.

  • Pop-up phishing uses windows that try to get you to click through to a fraudulent website, often for tech support or a special offer.
