ADVERTISEMENT

Tips to avoid phishing scams

Tips to Avoid Phishing Scams Banner
Konstantinas Kofanovas
Konstantinas Kofanovas Tech Content Writer
Nov 27, 2024 Updated: 28 July 2025 11 min read

Understanding phishing scams: the most common types

1. Email phishing

PayPal scam email letter
PayPal scam email letter

2. Spear phishing

Apple scam phishing email letter
Apple scam phishing email letter

3. Whaling

4. Smishing

USPS sms phishing scam
Example of USPS phishing scam

5. Vishing

Real depiction of vishing scam in progress
Real depiction of vishing scam in progress

6. Quishing

ADVERTISEMENT
Quishing illustration
Quishing illustration

How phishing works

TechniqueDescription
ImpersonationScammers create emails or websites that mimic legitimate entities to make recipients believe the communication is authentic
Urgency creationAttackers craft messages that convey a sense of urgency or fear, prompting hasty actions such as clicking on a malicious link
Email and website spoofingEmbedding malicious links in seemingly legitimate emails that lead to duplicated websites designed to harvest user credentials
Attachment scamsDistributing malware through seemingly innocuous attachments that can compromise the recipient’s data when opened
Targeted spear phishingHighly personalized attacks aimed at specific individuals or organizations to increase the likelihood of success
Smishing and vishingUsing deceptive SMS and calls, attackers impersonate trusted sources to request personal information under urgent pretenses

Tips to avoid phishing scams

Type of phishingRed flagsHow it worksHow to react
Email phishingGeneric greetings, urgency, misspelled URLs, strange links, a suspicious sender’s emailScammers send emails that mimic legitimate people or companies to steal dataCheck the sender's email address for mismatches; hover over links to preview URLs; verify with the company/person directly if suspicious
Spear phishingOften imitates a known contact or organization; requests action or confidential informationTargeted emails to specific individuals using personal information to appear legitimateDouble-check the sender’s details against known information; if suspicious, contact the alleged sender through another channel to confirm
WhalingDirected at high-level executives; often involves legal or financial requests; may include fake corporate emailsTargets senior management with requests for large financial transfers or sensitive dataVerify urgent financial requests by speaking directly to the requester via a known phone number, not the one provided in the email
Vishing (voice phishing)Urgent requests for action over the phone, unverifiable caller ID, requests for personal informationAttackers use phone calls to extract personal information directly from the victimVerify the caller by ending the call and dialing the official number of the organization they claim to represent
Smishing (SMS phishing)Text messages containing links to supposedly urgent updates or deals, requests for personal infoSends SMS with links leading to phishing sites asking for personal or financial detailsConfirm the legitimacy of the message by contacting the sender's organization through official channels before responding
Quishing (QR code phishing)QR codes in public or unexpected digital places that lead to login pages or requests for personal dataQR codes direct to malicious sites that mimic legitimate login pages to steal credentialsBefore scanning a QR code, ensure it is from a trusted source; scan with an app that previews URLs
  • Use strong antivirus and anti-phishing software. Tools like Norton, TotalAV, and Bitdefender deliver wide-ranging protection with automatic updates to defend against the latest threats. Real-time scanning also helps by catching threats in the act.
  • Use smart password practices. Effective password management is crucial, and tools like NordPass can help by securely storing and organizing your passwords. It also generates strong passwords and auto fills them on websites and apps. Password managers simplify keeping multiple passwords and make it easier to update them regularly.
  • The most effective way to prevent phishing attacks is implementing two-factor authentication (2FA). Adding an extra layer of security to all of your accounts makes a big difference. Two-factor authentication combines something you know (your password) with something you have (a code from your phone) to significantly reduce the risk of unauthorized access. Use an authenticator app like Google Authenticator or Authy instead of SMS codes, which are more susceptible to interception. On most services, you can activate your 2FA by following these steps:
  1. Log in to your account. Go to account settings or security settings and look for the 2FA option
  2. Choose a 2FA method. Use an authenticator app like Google Authenticator or Authy to scan a QR code or enter a key and verify with the generated code, or set up a USB, NFC, or Bluetooth security key by following the on-screen instructions
  3. Verify your email. Enter the code sent to your email for confirmation
  4. Save backup codes. Download or store backup codes securely in case you lose access to your primary method
  5. Test and secure. Log out and try logging in with MFA enabled
  • Use your email's built-in phishing filters. Services like Gmail and Outlook have advanced detection systems that usually flag suspicious emails automatically.
  • Install browser extensions that alert you about risky websites. Tools like Norton or TotalAV are excellent for providing real-time alerts about potentially dangerous sites.
  • Regularly update. Regularly updating your software is essential. Updates often include critical patches that fix vulnerabilities, reducing the risk of exploitation by cybercriminals. By keeping your software up to date, you enhance your defenses against potential phishing attacks.

What to do if you encounter phishing

  1. Do not engage. First and foremost, do not interact with the content. Do not click on any links, do not download attachments, and do not reply to the message.
  2. Report the phishing attempt.
  • Emails and websites. Report phishing emails to your email provider. Most email services have a Report Phishing option. You can also forward the letter to the Anti-Phishing Working Group at [email protected] or to the Federal Trade Commission at [email protected]. Many companies also have dedicated channels for reporting phishing attempts that impersonate them.
  • Notify your supervisor. If you have received a phishing attempt on one of your workplace channels, depending on the organization's policies,you should inform your supervisor or a relevant department (such as IT) so they know potential threats and can assist you in following proper protocols.
  • Quishing. For phishing attempts using QR codes, report them to the impersonated company and avoid scanning unverified codes. Notify your IT department if it’s encountered in the workplace.
  • Smishing. Report smishing attempts to your mobile carrier. Some countries also have dedicated hotlines or online services for reporting SMS-based scams.
  • Vishing. For phone call scams, you can report the number to your phone service provider and, if applicable, to local authorities or consumer protection organizations.
  1. Change your passwords. If you suspect your information may have been compromised, change your passwords immediately. This is especially critical for accounts with the same password and username/email combination.
  2. Monitor your accounts. Check your financial statements and accounts for unauthorized activity.
  3. Alert your financial institutions. If the phishing attempt involved any financial accounts or there’s a possibility that your financial information was compromised, contact your bank or credit card company to alert them. They can monitor your accounts for suspicious activity and, if necessary, put additional security measures in place.

Conclusion

FAQ

ADVERTISEMENT