What Is Phishing?
Phishing is a type of online scam where criminals send fake emails (or texts, or messages) that impersonate trusted organizations — banks, delivery companies, government agencies, or popular services like PayPal or Amazon — to trick you into handing over personal information or clicking malicious links.
Phishing attacks are the most common form of cybercrime, and they've become increasingly sophisticated. Modern phishing emails often look near-identical to legitimate ones. Knowing what to look for is your best defense.
The Most Common Red Flags
1. A Sense of Urgency or Fear
Phishing emails almost always try to pressure you into acting immediately. Watch for language like:
- "Your account has been suspended — act now!"
- "Unauthorized access detected. Verify your identity within 24 hours."
- "Your payment failed. Update your details to avoid service interruption."
Legitimate companies rarely demand instant action via email. When you feel pressure, slow down.
2. A Suspicious or Mismatched Sender Address
The "From" name might say "PayPal Support," but always check the actual email address. Phishing addresses often look close but not quite right:
- support@paypa1.com (the letter "l" replaced with the number "1")
- noreply@amazon-secure-billing.com (legitimate Amazon emails come from amazon.com)
- Long, random addresses like billing@xk29a.net
3. Generic Greetings
Legitimate companies that you have an account with will usually address you by name. "Dear Customer," "Dear User," or "Hello Account Holder" are common signs of a mass phishing attempt.
4. Links That Don't Go Where They Claim
Before clicking any link in an email, hover your mouse over it (on desktop) to see the actual URL in your browser's status bar. If the visible text says "www.yourbank.com" but the actual link goes to "www.secure-login-banking.net," don't click it.
On mobile, press and hold a link to preview the URL before opening it.
5. Requests for Sensitive Information
No legitimate organization will ask you to provide passwords, PINs, full card numbers, or Social Security numbers via email. If an email asks for any of this, treat it as a scam.
6. Unexpected Attachments
Be cautious of unexpected attachments, especially files ending in .exe, .zip, or even .pdf. These can contain malware that installs itself when opened.
What to Do When You Receive a Suspicious Email
- Don't click any links or download attachments.
- Don't reply — this confirms your address is active.
- Go directly to the company's website by typing the address in your browser, and log in there to check if there's actually an issue.
- Report it — most email clients have a "Report Phishing" option. You can also forward suspicious emails to your country's cybercrime reporting service.
- Delete it.
If You've Already Clicked a Link
Don't panic, but act quickly:
- If you entered credentials, change your password immediately on that site and any others where you use the same password.
- Enable two-factor authentication (2FA) if you haven't already.
- Run a malware scan on your device.
- Monitor your bank accounts for unusual activity.
Your Best Long-Term Defense
Beyond recognizing phishing emails, two habits provide strong ongoing protection: using a password manager (so every account has a unique password) and enabling two-factor authentication wherever possible. Even if a phishing attempt captures your password, 2FA adds a critical second barrier that stops most attackers in their tracks.