How to Avoid Phishing Scams

A woman sitting on the couch looks at her phone in a dark room.

Phishing is a type of cyberattack that allows scammers to steal your personal information. But, fortunately, you can take certain actions to spot phishing scams and protect yourself from falling victim to an identity thief.

Here's what you need to know about phishing scams, how to avoid them and what to do if you've been affected by one.

What Exactly Is Phishing?

Phishing is an attempt to get recipients to divulge sensitive information such as usernames, passwords or Social Security numbers, or to transfer money to the scammer through a variety of methods.

Usually, this is done through email, but phishing via text message is becoming more common. The global cybersecurity organization APWG detected more than 600,000 unique phishing websites in the fourth quarter of 2020.

Chances are good that at least once a day, a phishing email lands in your work or personal inbox: 57% of corporate information security professionals polled by ProofPoint in its 2020 State of the Phish report said their organization experienced a successful phishing attack in 2020.

It's worth keeping an eye out for these scams year round, but you may see certain scams pick up around certain times of the year. For example, phishing for tax information is common at the beginning of the year, and phishing targeted at shoppers ramps up around the holidays when a lot of people are buying gifts.

How to Spot a Phishing Scam

Whether they're aimed at a business executive or a consumer, phishing emails have some common characteristics. Learning to spot the warning signs that an email is bogus could help you avoid falling victim to a phishing scam.

Be alert for emails that:

  • Use a generic salutation rather than your name: For example, an email from your mortgage company that begins "Dear account holder" instead of actually addressing you by name.
  • Urgently require you to take a specific action: An email purporting to be from your credit card company may say your account will be frozen unless you click a link in the email and complete a form.
  • Contain implied or explicit threats: For example, "confirm your user credentials immediately or your account will be permanently frozen."
  • Have a suspicious sender email address: Although some phishers may be able to fake an email address that looks credible, phishing emails often come from addresses that don't make sense. For example, a personal email address in the sender line of an email claiming to be from your bank.
  • Have a wrong or bogus recipient address: Scammers may know one of your email addresses, but not the one you gave to the company they're pretending to be. For example, you receive an email from your credit card company on your business account, even though you provided your personal email address as contact information.
  • Contain URLs that don't go where they say they'll go: Often, scammers will embed hyperlinks into an email that directs you to a fake site where they collect your information or load malware onto your computer. Before clicking on links in an email, hover your mouse over it to see what the actual URL looks like to make sure it will take you where it says it will.
  • Include poor grammar or spelling errors: Multiple typos or spelling errors could be a sign the email does not come from a legitimate source.
  • Have an email or web address that is not quite right: Scammers may change a letter or word in a URL or email address so it closely resembles the real thing.
  • Include attachments: It's unusual for a legitimate financial institution or company to send account information as an attachment, so be wary of any email you receive that says a statement or credit card bill is attached. Opening a suspect attachment could allow malicious software to download onto your computer.
  • Request or demand information the company they're imitating should already have: For example, your bank should never need you to verify your account number because they already have it. Likewise, the IRS already knows your Social Security number—plus the IRS only contacts taxpayers by U.S. mail when money is owed.

As you make your way through your personal and business inboxes, keep an eye out for all of these signs that could point to a scam.

What if You Fall Victim to a Phishing Scam?

Even if you're vigilant, you may still mistake something fraudulent for something that seems legitimate. If you suspect you've been the victim of a phishing scam, there are a few steps you may want to take:

  • Contact the company or financial institution with whom you have the account using the main company website and explain the details.
  • If you're on a personal computer, ensure your computer's antivirus protection is up to date with the latest version and run a scan for viruses and malware. If you're using a work computer or email, you'll want to contact your company's information security or IT team immediately so they can help you with any potential concerns or issues.
  • Keep a close eye on your credit card and bank accounts, and contact any companies who need to be on the lookout for withdrawals or charges. You can also check your credit report regularly to keep an eye out for any new accounts or inquiries. If you suspect anything is off on your credit report, you can place a fraud alert on your credit file. Experian IdentityWorks℠ members also get alerts to help with identity theft protection.

Keep in mind that causing a delay by trying to fix something yourself can result in more time for fraudsters to cause damage. Contact the experts as soon as possible for help resolving things quickly and efficiently.

How to Protect Yourself From Phishing Scams

In addition to keeping an eye out for phishing emails and text messages, here are some other steps you can take to protect your information from phishing scammers:

  • Set up multi-factor authentication on your online accounts. This requires anyone trying to access your account to enter a code sent to your phone number, email address or an authentication app.
  • Use a secure password manager to help you create and keep track of unique passwords for each of your online accounts.
  • Avoid clicking on unknown links.
  • Install security software on your computer and keep it up to date at all times.
  • Set your mobile devices to install updates automatically to avoid security vulnerabilities present in older operating system versions.
  • Backup all of your data on your electronic devices.

Check to See if Your Information Has Been Compromised

Sometimes, it can be difficult to know that your personal information has been stolen because an identity thief doesn't use it immediately.

Experian's free dark web scan can help you find out if your information has been stolen and put up for sale on one of hundreds of thousands of webpages on the dark web. This one-time scan can give you the information you need to take the right steps to protect yourself.