Protect.Computer

What Is Phishing and How to Spot It

· 6 min read · Digital scams

Imagine you get a phone call from someone who says they’re from your bank. They sound professional, they know your account number, and they’re very urgent about a suspicious purchase on your account. You trust them completely—until it’s too late and you’ve given them your password.

That’s essentially what phishing is, except it usually happens through email or text message instead of a phone call. And honestly, phishing scams are one of the easiest security problems to fall for because the scammers are getting really, really good at pretending to be people you trust.

What Exactly Is Phishing?

Phishing is when a scammer pretends to be someone legitimate—your bank, your email provider, PayPal, Apple, even your boss—to trick you into giving them information they shouldn’t have. Usually they want your password, your credit card number, or your Social Security number. Sometimes they just want you to click a link that will install malware on your computer.

The word “phishing” is a play on “fishing”—they’re casting out a line and hoping someone will bite.

Here’s the thing that makes phishing so common: it works. A lot. Scammers don’t need to fool thousands of people. They just need to fool a handful out of millions to make good money.

The 5 Red Flags of a Phishing Attempt

Save this list somewhere you can easily find it. If an email checks even ONE of these boxes, treat it with suspicion.

1. Urgent or Threatening Language

Legitimate companies almost never create artificial urgency. But scammers do, constantly.

Watch out for emails saying things like:

  • “Your account has been suspended!”
  • “Immediate action required or your account will be closed”
  • “Unusual activity detected - verify your identity NOW”
  • “Your payment method was declined - update immediately”

Real companies want to help you calmly. Scammers create panic because panicked people don’t think straight.

2. Requests to Click a Link or Download Something

This is a classic move. The email says something like “Click here to verify your account” or “Download this document to review your account activity.”

Here’s the problem: that link doesn’t go where it says it goes. Or that attachment contains malware.

If you receive an email asking you to click a link to verify personal information, log in, or “confirm your identity,” don’t click it. Instead, go directly to the website yourself by typing the address in your browser. For example, if you get an email claiming to be from your bank, ignore the link and open your banking app or go to the bank’s website directly.

3. Generic Greetings Instead of Your Name

Most legitimate emails from companies you do business with will say “Hello [Your Name]” or at least use your email address. Scammers often don’t have your name, so they say:

  • “Dear Customer”
  • “Dear Valued User”
  • “Hello there”

They’re casting a wide net and hoping at least some people bite.

4. Email Address or Domain That’s Slightly Off

This is a subtle one. A scammer might use:

  • paypa1.com instead of paypal.com (notice the number 1 instead of the letter l)
  • apple-security.com instead of apple.com
  • your-bankinline.com instead of yourbank.com

Always look carefully at the sender’s email address. Hover over it to see the actual email address, not just the display name.
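
A sketch of that sender check, added here as an illustration and not part of the original article: it pulls the real domain out of a From: header and compares it with a short list of domains you trust. The trusted list, the character swaps and the result strings are assumptions chosen for this example.

```python
from email.utils import parseaddr

# Constructed allow-list: the domains this reader really does business with.
TRUSTED = {"paypal.com", "apple.com", "yourbank.com"}
# Digit-for-letter swaps often seen in lookalike domains (illustrative, not exhaustive).
SWAPS = str.maketrans({"1": "l", "0": "o"})

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Classify a From: header by its real address, not its display name."""
    display, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:
        return "unparseable"
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED):
        return "trusted"
    # Undo digit swaps and drop hyphens before comparing with trusted names.
    squashed = domain.translate(SWAPS).replace("-", "")
    for t in sorted(TRUSTED):
        brand = t.split(".")[0]
        if brand in squashed or edit_distance(squashed, t) <= 1:
            return "lookalike of " + t
        if brand in display.lower().replace(" ", ""):
            return "display name claims " + t
    return "unknown sender"
```

The substring test is deliberately broad, so it will also flag unrelated domains that happen to contain a trusted name; treat a hit as a reason to look closer rather than as proof.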

5. Asking for Information a Company Already Has

Your real bank already knows your account number. PayPal already knows your email address. Apple already knows the phone number associated with your account.

If an email asks you to “confirm” or “verify” personal information you’ve already given the company, it’s almost certainly a scam.

Real Phishing Examples (Described)

Let me walk you through what these might look like:

The Fake Bank Email: You receive an email that looks like it’s from your bank. It has the bank’s logo, the right colors, and professional formatting. But the message says “We’ve detected unusual activity. Click here to secure your account.” The link doesn’t go to your bank’s website—it goes to a fake website that looks exactly like your bank’s login page. You type in your username and password… straight into the scammer’s hands.

The Amazon Text Message: You get a text that says “Amazon: Your package couldn’t be delivered. Click here to reschedule.” The link takes you to a fake Amazon page asking for your email and password. The scammer now has your login credentials and can access your real Amazon account.

The Fake Paycheck Email: An email arrives claiming to be from your company’s HR department with your “updated paycheck information” and a PDF to download. That PDF, when opened, silently installs malware on your computer.

The Missing Package Call: A scammer calls you pretending to be from a shipping company. They say a package is stuck in customs and they need your credit card number to release it. This is phone-based phishing, sometimes called “vishing.”

What Should You Do If You Already Clicked?

Don’t panic. Here’s what to do:

1. Don’t enter any information. If you clicked and the page asked for your password or credit card, don’t type anything. Close the browser tab immediately.

2. Run a malware scan. Use your computer’s built-in security (Windows Defender on Windows, or Activity Monitor on Mac) to check if anything was installed. If you’re not comfortable doing this, ask a tech-savvy friend or take your device to a professional.

3. Change your password if you entered it. If you typed your password into the fake page, change it for that account immediately. Use a strong new password (see our article on strong passwords for details).

4. Monitor your accounts. Check your bank and email accounts for suspicious activity. Most banks offer free fraud monitoring—take advantage of it.

5. Report it. Forward the phishing email to the real company it pretended to be from. PayPal, Amazon, Google, and every major company have an email address you can use to report phishing attempts. Just search “[company name] report phishing” to find the right address.

If you entered your credit card number or banking information, contact your bank or credit card company immediately by phone. Don’t use the number in the phishing email—look up the number yourself or find it on your physical card. Tell them what happened and ask them to watch for fraud.

How to Protect Yourself Going Forward

The best defense against phishing is skepticism. When you receive an unexpected email asking you to do something (especially anything involving money, passwords, or personal information), assume it might be phishing until proven otherwise.

Here’s your checklist:

  • Does the sender’s email address match the company it claims to be from?
  • Is there urgent, threatening language?
  • Does it ask you to click a link or download something?
  • Can you think of a reason this company would contact you right now?
  • Are the tone and quality of writing what you’d expect from a professional company?

If something feels even slightly off, it probably is. Legitimate companies are used to customers being cautious—they won’t mind if you call them directly to verify an email.

What to Do Next

Want to build on your security knowledge? Check out our guide on strong passwords to make sure that if a phisher does trick you, at least your passwords are strong enough to withstand an attack. You might also want to read about two-factor authentication, which adds an extra layer of protection to your most important accounts.

Remember: Everyone gets phishing emails. Even security experts. The fact that you’re reading this and learning to spot them puts you way ahead of most people.
