All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
- All About Cookies makes money when you click the links on our site to some of the products and offers that we mention. These partnerships do not influence our opinions or recommendations. Read more about how we make money.
- Partners are not able to review or request changes to our content except for compliance reasons.
- We aim to make sure everything on our site is up-to-date and accurate as of the publishing date, but we cannot guarantee we haven't missed something. It's your responsibility to double-check all information before making any decision. If you spot something that looks wrong, please let us know.
Phishing is a deceptive attack where scammers impersonate someone you trust. The goal is to get your private info, usually to steal money. These scams have grown more sophisticated over time.
Keep reading to learn what phishing is, how to recognize it, and how to recover if you get phished. We also share our favorite identity theft protection services.
Types of phishing
Common tactics
Recognize phishing emails
Consequences
How to protect yourself
What to do after falling for phishing
FAQs
Bottom line
What is phishing?
Phishing is a deceptive cyberattack designed to steal your sensitive info. It starts with a harmless-looking message that mimics a trusted source like your bank or a government agency. Following its instructions can lead you to financial loss and even identity theft.
Fortunately, phishing attacks can't work without your cooperation. They rely on establishing trust and convincing you to take specific actions. Staying safe is only a matter of learning how to recognize phishing emails.
Phishing is different from spam. While spam can be a nuisance, it’s usually harmless junk mail — but phishing emails are malicious in their intent.
How does phishing work?
Regardless of the communication vector, phishing attacks will always try to convince you to do something. These actions range from making a payment and sharing your data to clicking a malicious link.
There are three main components to every phishing scam:
- Electronic communication: They may contact you via phone, email, SMS, or your social media accounts. You should ignore these messages and their calls to action and avoid clicking on any links or images.
- Pretending to be a trusted source: This can include organizations but also individuals (your best friend, doctor, employer, or family member).
- Aim: Phishing’s only goal is to steal your private information, including your social security number, login credentials, and credit card numbers.
Modern technologies (especially social media) can give a lot of your info to phishers. The attacker can use it to embellish their scam and make it incredibly convincing. That's why awareness and vigilance play such a huge role in stopping phishing attacks.
What are the different types of phishing?
While all phishing attacks have the same goal, they come under different names, depending on the platform they're using. We'll review the most common types so you'll recognize them if they target you.
Email scams
When we say phishing, we usually refer to email scams. They are incredibly popular and easy to pull off. All the attacker has to do is compose a phishing email with an alluring hook and pick its targets.
In that regard, phishers can attack:
- Single targets: This approach usually involves more research and sophistication. The attacker must personalize its bait and make it as convincing as possible.
- Multiple targets: Phishers attack more victims with simpler phishing messages, hoping to trick as many people as they can. This is also known as the spray-and-pray approach.
Website spoofing
Scammers can create copies of legitimate websites and drive their victims toward them. They usually spoof social media, financial, and tech pages. Their phishing email will link to these sites, hoping you’ll click on their link and share personal info.
You should never click any links in suspicious emails, but if you have, here's how to recognize phishing websites:
- Misspelled web address: Domain names are unique, and attackers can't copy them. They can, however, create similar web addresses. For instance, they can copy allaboutcookies.org and create allaboutcokies.org or allaboutcookies-com.io. They can use rn instead of the letter m or vv instead of w. This is called a homograph attack, and it's easy to spot as long as you know where to look.
- Website errors: Malicious websites aren’t perfect. Look for anything suspicious, like buttons that don’t work, misaligned text, colors that aren't right, pixelated images, and poor grammar.
Smishing
Smishing (SMS phishing) is a cyberattack via a text message. We tend to open texts more than emails, which makes smishing particularly effective and dangerous. You should never respond or click links if you get a suspicious text.
Here are some common red flags that could indicate a smishing scam:
- Getting a request for payment, information, or action from an unknown number
- Getting an SMS alert you haven’t signed up for (discounts, deals, coupons, verifying medical or financial information, checking order statuses)
- Receiving an order confirmation for a purchase you didn't make
- Receiving a message about a missed package delivery
Vishing
Vishing is a verbal variant of phishing (done over the phone or VoIP). Since a conversation is more immediate than a message, the scammer has to close the deal quickly. They'll likely create a frantic sense of urgency, possibly even threaten you.
Modern technologies have given vishers a lot of sinister tools -- they can even spoof official phone numbers, making the scam harder to spot. They usually pose as Medicare, IRS, or Social Security Administration agents or representatives.
Here are some common vishing scenarios:
- The IRS needs your Social Security number.
- There is a warrant for your arrest.
- Your bank account is flagged for suspicious activity.
- A family member needs help immediately.
- You have a once-in-a-lifetime investment opportunity.
- An extended warranty on your vehicle is available.
- The IRS is after you to collect a debt, but the caller can help (this can lay the foundation for tax identity theft).
If you get this type of call, you should hang up, never respond to it again, and join the National Do Not Call Registry.
Social media phishing
We share a lot of personal info on our social media accounts. This makes them a fertile ground for phishing attacks. Scammers can use them both for research and as attack vectors.
Usually, the attacker will try to steal your information or take over your account. They may send you a friend request, follow you, and communicate with you to gain trust. They might even add some of your friends and family members to show mutual connections.
Here are some common social media phishing scenarios you should look out for:
- Too-good-to-be-true coupons and discounts
- Friend requests from compromised or fake accounts
- Contests or surveys asking for personal info
- Fake photos and videos that lead to malicious sites
You should never accept friend requests from unknown, low-activity accounts. If you receive a suspicious link or tag, don’t click on it, even if it comes from a friend. Phishers could've taken over their accounts and started targeting you as well.
What are the most common phishing tactics?
It's important to differentiate between phishing types and techniques. Phishing attacks get their names after the platform they're using. So we can talk about smishing or vishing as phishing types or variants. On the other hand, spear phishing attacks can happen on any platform, making them a phishing technique.
With that in mind, we’ll review some of the most common phishing tactics.
Posing as a legitimate company (deceptive phishing)
Deceptive phishing scams trick users by establishing brand authority and gaining trust. They usually use official-sounding domains like support@apple.com, for example.
The actual message always warns of a current cyberattack, creating a sense of urgency. Once the victim clicks on the provided link, their device is infected.
Spear phishing
Spear phishing targets a specific person or organization (hence, the name). Its goals and outcomes are similar to regular phishing, but the method is more personalized.
The attacker will do extensive research and learn all about the victim. The bait is usually delivered via email, but other attack vectors are also an option. The victim is less likely to notice something wrong since so much time and effort was put into this scam.
Spear phishing attempts are difficult but not impossible to spot. Here are some common red flags:
- Deceptive domain names that resemble real businesses but have minor differences. For example, using a 1 instead of the letter l.
- A sense of extreme urgency and emotional manipulation. The attacker will try to elicit feelings of guilt, panic, or anything that will make you want to act quickly.
- Unsolicited links or attachments, which will usually infect your device with malware. It’s best to delete the email without opening it once you recognize it as a spear phishing attack.
Whaling (CEO fraud)
Whaling is a spear phishing variant that targets high-level executives like CEOs and CFOs. The end goal is usually stealing money or corporate secrets.
Whaling takes even more preparation than regular spear phishing. The attacker will meticulously craft the baiting email and include as many specific details as possible. They usually pose as HR representatives, familiar vendors, or fellow senior executives. Sometimes, they'll even follow up on their email with a phone call.
Whaling attacks are difficult to spot since they don't have the usual phishing red flags. You won't see poor grammar here or general emails with shady attachments. This attack relies heavily on social engineering and building trust.
BEC attack (business email compromise) is another form of spear phishing targeting employees. It typically spoofs an executive’s requests to various people in the organization. The message requires payment or sharing of confidential info.
The employee will usually comply since the request looks legitimate and is from a trusted source. BEC emails ask for immediate action, mimic routine workflows, and contain attachments like fake invoices or contracts. Many companies have moved to two-factor authentication and MFA to keep company resources more secure.
Pharming (DNS spoofing)
Pharming is the act of manipulating your online traffic. The scammer creates a fake malicious website and redirects you to it. They can achieve this in two ways:
- Malware-based pharming: The attacker infects your device with a virus, changes its hosts file, and redirects your traffic to their site. Even when you type the correct site address in your browser, the corrupted hosts file will take you to its malicious counterpart.
- DNS poisoning: Pharmers can also tamper with DNS tables in servers, causing users to visit their site instead of the real one. DNS poisoning is extremely dangerous since it requires minimal action from the victim. Keeping your device malware-free, entering the correct site address, or using bookmarks can't help against this attack. Furthermore, it can spread to other DNS servers, routers, and devices.
Pharming attacks are generally described as phishing without a lure since they don't include the initial baiting email. Fortunately, they're much harder to pull off and, therefore, quite rare. You can protect yourself from these scams by following our advice from the website spoofing section.
Login screen phishing
Login screen phishing is designed to trick users into entering credentials that can later be used to access information. The phishing attempt will look similar to a real message from a legitimate company or business, like Facebook or Gmail.
This type of phishing will typically send a communication requesting you to reset your password or enter your credentials to access a deal or special offer. Once you enter your secure login information, the criminals will have access to your private data. One way to prevent identity theft is to learn how to spot these malicious login phishing attacks.
How to recognize phishing emails
Modern phishing emails are only limited by the scammer's imagination. Fortunately, most of these emails will raise some common red flags that will help you spot them and avoid the attack.
Here are the usual tell-tale signs of a phishing email:
- Poor writing: Phishing baits are usually riddled with grammatical errors and typos. This red flag intensifies if the sender spoofs a major institution like a bank or hospital.
- Misspelled links: Phishers will use a misspelled version of legitimate URLs. They’ll also employ link-shortening services to hide their malicious links. You should always check shortened email links by hovering over them to see where they lead. Since mobile devices don't have this functionality, we recommend extreme caution.
- An irresistible offer: Scammers will offer you amazing deals and once-in-a-lifetime opportunities. Remember that if something sounds too good to be true, it usually is.
- The email is not personalized: Spray-and-pray phishers target many victims with one message. So, they'll never address you by name. It will likely be something vague like dear sir/madam or dear user/customer. Note that this red flag doesn't work for single-target attacks like spear phishing.
- Sense of urgency: Phishers infuse their messages with FOMO, threats, and a general sense of urgency. Staying calm is essential here since getting nervous is playing right into the scammer's hand.
- Suspicious attachments: You should never open attachments from unknown sources (especially files with .scr, .zip, and .exe extensions). Phishers can hide malware in them, even if they’re just PDF files or clickable images. Also, most service providers will direct you to their websites to download files, updates, apps, or documents.
- Personal info requests: An email requesting personal data from an unknown source is most likely a phishing scam (company data, social security numbers, bank account numbers, credit card info, login credentials).
The consequences of a phishing scam
Phishing is a sinister attack that can last months or even years. Some phishing attacks can cause a one-time financial loss, but they're usually more severe than that.
Here are the potential consequences you could experience as a phishing victim:
- Financial loss: Phishers can duplicate your credit cards, get loans or lines of credit, empty your bank account, and commit check fraud in your name. They can also destroy your credit score.
- Medical identity theft: With your PHI (Protected Health Information), scammers can receive treatments under your name and use your health benefits. This can enter your medical history, causing you to receive wrong and even dangerous treatments.
- Account takeover: If a phisher gets your email password, they can reset passwords for all your accounts. They can also disseminate malicious messages to your friends, family, and coworkers.
- Mortgage and deed fraud: Scammers can transfer the ownership of your home to their name and rent or sell it, leaving you homeless. This is a classic case of home title theft.
- Tax identity theft: With enough data stolen (name, birthdate, and social security number), criminals can file taxes under your name. They can report false income, claim fraudulent benefits, and get huge refunds. This will damage your standing with the IRS and flag your legitimate returns as fraudulent.
- Criminal record: Phishers can commit crimes while using your identity. This will lead to legal action.
- Your data on the dark web forever: Once information like your Social Security number ends up on the dark web, it will remain there forever.
And don’t forget, phishing attacks also have an emotional component. The stress and anxiety you'll experience will significantly affect your well-being and quality of life.
How to protect yourself from phishing attacks
Seeing how dangerous a phishing attack can be, we want to help you mitigate the chances of getting scammed. We’ve included the most crucial recommendations you should consider to keep phishing attempts at bay.
- Install security software: A good security tool, like Aura Identity Theft Protection, can help keep your identity safe from phishing attacks.
- Install an ad blocker: The best ad blockers prevent pop-ups on your screen that lead to accidental clicks and possible malware infections.
- Enable two-factor authentication: 2FA helps prevent phishing scams by adding an extra layer of security to your accounts.
- Change your passwords regularly: Reusing passwords gives hackers a better chance of guessing your credentials. Instead, we suggest using unique passwords for different accounts and changing them every month. It keeps you a step ahead of the cybercriminals.
- Check your accounts: Checking your financial accounts frequently is the best and quickest way to detect a scam. Look for fraudulent charges and withdrawals you didn’t make.
- Stay vigilant: It’s easy to go into autopilot online, but that can lead to phishing scams. Keep good security habits, like avoiding suspicious links, not responding to messages from strangers, never sharing passwords or other sensitive data, and always verifying that websites are legitimate. Keep your personal life private, and don’t post too much on social media.
- Keep learning: Scammers will keep finding ways to trick people, so you shouldn’t stop learning how to stay safe. Always be vigilant and keep yourself and your family educated regarding phishing tactics.
Service | |||
Individual monthly price | Starts at $7.50/mo (billed annually) for first year | Starts at $9.00/mo (billed annually) | Starts at $10.00/mo |
Family monthly price | Starts at $18.49/mo (billed annually) for first year | Starts at $25.00/mo (billed annually) | - |
ID theft insurance | Up to $3 million | Up to $1 million per adult | Up to $2 million |
Credit monitoring | |||
3-bureau credit reports | |||
Details | Get LifeLock Read Our LifeLock Review |
Get Aura Read Our Aura Review |
Get Omniwatch Read Our Omniwatch Review |
What to do after falling for phishing
If you fall prey to a phishing attack, it’s important not to panic. Keeping a clear head will help you act quickly and sort through the puzzle without further complications.
When phishing attacks succeed in tricking you, some damage will happen. However, keeping your cool and reacting quickly can prevent further harm. Here’s what to do:
- Change your passwords immediately: You should create strong passwords that include a mix of upper and lowercase letters, symbols, and numbers.
- Enable 2FA: Using two-factor authentication provides an extra layer of security
- Alert your credit card provider(s): Notifying these institutions quickly will allow them to reissue new cards and disconnect the old ones.
- Check your credit reports: This should be done more than once to be sure everything is in order.
- Alert the credit bureaus: Give them a heads-up so they can monitor your credit.
- Inspect your credit and bank statements: Look for any charges you didn’t make.
- Report the incident: Let your financial institutions know so they can take appropriate steps to help protect your money and credit.
- Run a malware scan: Using antivirus software and using it often will help remove malware from your device.
FAQs
What is a phishing attack?
A phishing attack is a communication that seems to come from a legitimate source, designed to trick you into revealing sensitive data. The goal is to get access to personally identifiable information and to steal money.
How can you prevent phishing?
You can prevent phishing by staying vigilant online. Stay educated about the phishing methods that are used and employ tools on your device, like the best antivirus software that you can use to scan for malware.
Is phishing a virus?
Phishing is not a virus, but it can be used to install a virus or other malware on your device. Phishing is a cyberscam used to steal your most sensitive information.
Can I get my money back if I get phished?
You may be able to get your money back in some cases if you get phished. There are other issues to consider, like criminal identity theft, which can lead to your record showing false information.
Bottom line
Phishing is a dangerous scam that can cost you money and time. These scams are designed to cause damage through deception, misdirection, and trust. There are numerous kinds of phishing, and knowing the most common methods can help you avoid them.
Although these scammers are sometimes stealthy, you can detect phishing by knowing the signs to recognize, like misspelled words, malicious links, and fraudulent websites. By spotting phishing and other online scams, you can prevent identity theft and keep your private data secure.