From catfishing to email phishing scams to AI deepfakes to ransomware cyberattacks, at times it may feel as though malevolent hackers are lurking in every corner of our online lives, just waiting to attack. Although collectively, we have built-in cybersecurity measures on our laptops, smartphones, and other smart devices, anybody can fall victim to an internet scam. If you don’t know how to recognize and prevent cyberattacks, you may unwittingly have vulnerabilities that make you easy prey.

As technology rapidly advances, cybercriminals grow increasingly sophisticated and the red flags of phishing and other scams can become harder to detect. The good news is that there are simple proactive steps you can take to understand phishing scams, learn to recognize their warning signs, prevent them from inundating your email inbox, and protect yourself from their negative consequences.

Phishing scams have existed since the 1990s. However, if you’re wondering, “What in the world is a phishing scam?”, you’re not alone. Many consumers are aware of malware scams, and understand that scammers often use email and direct messaging to target people, but aren’t familiar with the word “phishing.”

According to the Federal Trade Commission (FTC), phishing scams are online scams that target consumers by posing as a well-known, credible source. Cybercriminals cast a figurative line to reel in their fish. Although subcategories of phishing (such as vishing, spear phishing, and smishing) may lure victims in using varying tactics, phishing scammers attack their victims via email.

A phishing scam attempts to trick people into revealing confidential information such as financial information, passwords, and personal data. Once they’ve hooked you, scammers might use a phishing scam to install malware on your devices, steal your money, or carry out other illegal activity.

In today’s digital landscape, email phishing scams share many common characteristics and use similar deceptive tactics.
Some of the common characteristics of a phishing scam include:

Phishing scams differ from other forms of cyberattacks by focusing on the manipulation of people. Many cyberattacks look to expose firewalls or weak cybersecurity measures with a primary focus on malware installation, ransomware attacks, or the disruption of operating systems. A phishing scam primarily relies on social engineering tactics to manipulate the trust of unsuspecting victims, whereas other forms of cyberattacks target technical vulnerabilities via networks, software, and systems.

Daily, there are numerous phishing scam examples that occur across the globe. The first phishing scams occurred in the early days of public internet use, and targeted users of the ’90s favorite internet service provider (ISP), America Online (AOL). Hackers “fished” for victims by posing as AOL employees and sending urgent emails and instant messages to AOL account holders. People who took the AOL phishing bait often willingly handed over their credit card information to fix “issues” and quickly experienced fraudulent charges and drained bank accounts.

Through the following decades, phishing emails became par for the course for email users. Everyone with an email account has received at least one of these nefarious messaging attempts to steal personal information. Since the advent of smart devices, phishing scams have evolved from instant message and email attacks to multi-platform attacks. Today, social media profiles, QR codes, AI, and SMS are all used as vehicles for phishing scams. There have even been recent cases involving cybercriminals hacking hotel systems to target hotel guests’ personal data.

Email phishing scams are easy to generate, and still remain a go-to phishing tactic for cybercriminals. Nevertheless, as phishing attacks evolve, the ways bad actors can target you evolve as well.
It’s important to understand common types of phishing attacks targeting victims in recent years so that you can protect yourself against their consequences.

According to the FBI, traditional phishing and spoofing emails, along with vishing and smishing attacks, are among the most common types of modern phishing attacks. The increase of remote workers since 2020 has contributed to cybercriminals’ consistent use of phishing email scams to target people, and a staggering 3.4 billion phishing emails are sent daily.

Phishing emails attack both individuals and businesses, but universally use deceptive messaging tactics to dupe their victims. You may receive at least one of these emails every day — even email providers with built-in cybersecurity protocols may miss several phishing emails that find their way to your inbox.

Phishing emails often contain the following:

Phishing emails almost always demand that you take immediate action. For example, an email might state that something is wrong with your account, a fraudulent transaction has occurred, or you owe money and face cancellation. This sense of urgency is meant to cause you to panic and ignore red flags.

In the “From:” field of an email, phishing scams may attempt to spoof a valid sender address. Display and sender names can easily be forged, although the actual email address cannot. For example, if you receive a bogus email supposedly from FedEx about a package you need to pay for, your “From:” and sender fields may read, “FedEx.” However, if you hover over the sender field to read the actual email address, it may read [email protected] and reveal a scammer using a fake email address.

Phishing scams often include a link to a login page that resembles the legitimate page. For example, a cybercriminal posing as your bank might ask you to link to a login in order to verify your credentials. When you click on the link, it appears credible. Thus, you enter your details and the hackers steal your information.
Spear phishing is a focused form of phishing that targets specific people, businesses, or groups with subjects of interest. In other words, rather than target people en masse a la phishing emails, spear phishing scammers research specific people before launching their attacks. Spear phishing cybercriminals might research their intended victims by scraping social media accounts, conducting online research about job titles and corporate information, or using data breaches to collect exposed sensitive and confidential information.

For a real-world example, a spear phishing attack against a business occurred in February 2024. European retail juggernaut, the Pepco Group, was the victim of a spear phishing scam that cost the company 15 million euros (USD $16.3 million). This attack used credible-looking emails to infiltrate employee communications and duped the Pepco financial department into the authorization of significant and fraudulent money transfers.

The most notable scams to evolve from traditional phishing, smishing and vishing go far beyond attacking you via email. According to the FTC, in 2024, imposter scams (including smishing and vishing attacks) accounted for the most commonly reported forms of attempted fraud in the U.S.

Smishing attacks, also known as SMS phishing, have been on the rise since 2020, and currently account for over 1 billion unwanted texts sent per minute. These sophisticated phishing attacks use text (SMS) messages to send spam messages that often contain malicious links. Smishing scams are attempts to install malware on your smart device or steal your personal data by masquerading as official communications from your personal or professional contacts, well-known brands, or government entities. Cybercriminals using smishing tactics may also text you pretending that they’ve sent a message to the wrong number and try to engage you to solicit your personal information.
For example, if you receive a “wrong number text” and then respond, a scammer might reply with any of the following questions, “What’s your name? Do you live in (fill-in-the-blank)? Where do you work?”

Another common smishing scam comes via ostensibly political texts. You might receive a text that looks like it’s from an elected official, asking you to click on a link to donate. Although some politicians may send similar messages, it’s important to go directly to an official website to donate to prevent falling victim to a scammer.

Smishing targets cellphones and although most phone carriers have spam blockers and allow you to block unwanted numbers, it’s nearly impossible to completely prevent your phone from receiving these texts.

Vishing (or Voice Phishing) tactics use phone calls to attack their victims. Cybercriminals impersonate trusted contacts, brand representatives, and government agents to persuade people to disclose their personal information. A vishing scammer might call you from a spoofed number that registers as legitimate on your Caller ID. This bad actor might impersonate a government official, cybersecurity agent from your phone carrier, or tech support for one of your accounts.

For example, every tax season, IRS phishing and vishing scams abound. In an IRS vishing scheme, a scammer calls and claims to be an IRS agent. They might threaten you with arrest if you don’t confirm your information, or call claiming they need to verify your confidential and personal details to send your refund. The IRS will never email or call you to ask for these details. If you do receive an official email or snail mail letter from the IRS, there may be a request to call them directly or visit the extremely secure IRS website, but you’ll never be required to disclose these details via an email link or on a received phone call.

Phishing scams are annoying and, at times, easy to spot and avoid.
However, increasingly sophisticated tactics can catch unsuspecting victims off-guard and have a lasting, adverse impact. Financial, organizational, and personal consequences of phishing scams can have a ripple effect on many people.

Individuals often lose money as a direct result of a phishing scam. Similarly, many businesses feel that phishing attacks are the most disruptive cyberattacks threatening their organizations today. Phishing scams can result in stolen identities, destroyed brand trust, drained bank accounts, and more. Relentless, targeted attacks have resulted in real-world consequences for individuals and businesses alike. For example, in 2023, an orchestrated phishing attack against the Circa Casino resulted in the Las Vegas casino getting scammed out of $1.2 million.

The real-world financial, organizational, and personal consequences of phishing scams can include:

The recovery time of a phishing attack that lures in an individual could take anywhere from a day to several weeks, as it may take time to close or change your various accounts and for your bank to return any funds fraudulently taken from your account. For an organization that’s suffered from a phishing scam, the recovery time could last for several months or years. Forensic investigations, encryption used in the attack, and the mitigation of reputational damage may take significant time and money for small and large businesses alike.

The good news is that there are still ways you can spot a phishing scam, despite the sophisticated methods cybercriminals might use to create them. Phishing emails contain a multitude of red flags that are relatively easy to spot if you know what to look for. Some of the signs that you’re being targeted by a phishing scam include:

Phishing scams bypass basic security measures by sending a voluminous number of emails to overwhelm cybersecurity protections. When sent to businesses, IT departments can have a challenging time attempting to block all of them.
A lack of multi-factor authentication can also make an organization vulnerable to phishing attacks. When sent to personal email accounts, these scams might target email carriers that have a limited number of spam filters. Similarly, if your personal antivirus software isn’t up-to-date, phishing attacks can infiltrate your device.

Phishing scams also use social engineering tactics to manipulate users and bypass cybersecurity measures. On social media, this might be a direct message sent to you by an account you don’t follow and aren’t “friends” with. If you read this message and choose to respond or click on a contained link, the scammer might steal your account credentials to continue their scam. The fake account then hacks into your profile and sends phishing messages to accounts that you follow or have “friended.”

For a business example, a scammer might infiltrate your professional email account by posing as a member of the IT team claiming your computer needs an update. This can disarm you and lull you into a sense of security and trust. If you take the bait, the hacker then uses your compromised account to send internal emails and ensnare your coworkers.

Using credible email providers like Google (Gmail) helps to block phishing emails by using robust cybersecurity measures. For example, Google blocks 100 million spam emails every day. Nevertheless, phishing scams can occasionally get through even the most vigorous layers of cybersecurity protection, and 74% of successful phishing attacks are caused by human error.

Preventing phishing attacks requires knowledge and intentional, proactive steps. Fortunately, there are ways to stop these scams from constantly hitting your inbox.
Cybersecurity measures that individuals can take to thwart phishing attacks include:

Businesses can protect their employees from falling prey to phishing scams by:

Cybersecurity firms Cisco and Imperva offer protections that can help protect you and your business from falling victim to phishing attacks. Cisco’s email and endpoint protection tools, Cisco Secure Email Defense and Cisco Endpoint Protection, offer cloud-based email security solutions and a cloud-delivered endpoint security platform (respectively). Imperva prevents phishing scams through excellent data and application security products, including Login Protect, Web Application Firewall (WAF), and Runtime Application Self-Protection (RASP). These products work together to protect your Application Programming Interfaces (APIs), microservices, and web applications from phishing attacks.

If you fall for a phishing scam, you’re not alone. Every day, sophisticated cybercriminals count on catching people off guard and manipulating them into falling for malicious schemes. Here are some key actions you can take to mitigate the damage you incur.

As soon as you recognize that you’ve “been phished,” disconnect your affected devices. Set up MFA for every sensitive account, immediately change all compromised passwords, and ensure you update your software.

Reporting phishing attempts can also help shut down bad actors. You can report suspected phishing attacks to your company and the person or brand who was impersonated. You can also file a complaint with the FTC and forward the email you’ve received to the Anti-Phishing Working Group: [email protected]. Reporting phishing scams helps the federal government and cybersecurity watchdogs track cybercriminals.
Reporting these attacks can also help improve global security by helping to identify and neutralize phishing threats, enhancing knowledge of phishing email content and quantity, and providing crucial information to cybersecurity professionals and law enforcement. If you’re ready to proactively prevent and protect yourself against phishing scams, visit What Is My IP Address to access our free online privacy tools and be sure to check out our Easy Prey podcast and our blog to discover more cybersecurity tips.