How to protect against phishing: 18 tips for spotting a scam

A mother researching protection against phishing scams on her computer.

Have you ever come across a phishing email and wondered how to best protect yourself? Check out this guide to learn how to protect yourself against phishing attacks. Criminals are good at making email scams look like actual emails, so that it's easy to get tricked into opening, clicking, or sharing shady links. Norton Genie Scam Detector can tell you if it could be a scam before you get scammed. 

Have you ever received an email from your bank urgently asking you to input your personal information to secure your account? 

While this may be alarming, the email may not actually be from your bank. In fact, the email could be from a cybercriminal, using a tactic known as phishing.

But what is phishing? Phishing is when a cybercriminal tries to trick you into giving them sensitive information by impersonating a legitimate source. 

How can you avoid this? We’ve compiled these 18 tips to teach you how to protect against phishing attacks, including:

Phishing attack protection tips

Follow along to learn more about what you can do to help protect yourself from phishing attacks and what you should do if you receive a phishing message.

1. Recognize the signs of phishing

One of the best ways to prevent phishing is to know how to spot phishing emails. While every message may look a little different, there are red flags to help you spot phishing. 

Common warning signs of phishing include:

  • Unfamiliar greeting or tone
  • Unsolicited messages
  • Grammar and spelling errors
  • Sense of urgency
  • Suspicious links or attachments
  • Requests for personal information
  • Inconsistencies in email addresses, links, etc.
  • Unusual requests
  • Alerts that you’ve won something

If the email in question checks any of these boxes, it could be a phishing scam.

2. Don’t respond to a phishing email

If you’re ever suspicious about a message in your inbox, it's best to avoid sending a response. By responding, you’re letting the scammer know that they’re dealing with an active email address. This can prompt them to continue trying to scam you in the future.

3. Report suspicious messages to your email provider

After noticing a suspicious message in your inbox, it’s best to report it as soon as possible. If the phishing message was sent to your work email, be sure to also inform your company’s IT department. This can help them stay on top of potential phishing threats and keep you and your coworkers' inboxes safe.

Work incidents or not, it’s also best to report a potential phishing scam to your email provider. This process can differ depending on the provider. 

To report phishing emails on Gmail:

  1. Go to the phishing email
  2. Click the three-dot icon next to the “Reply” button
  3. Select “Report phishing”
  4. Click “Report Phishing Message”

And to report phishing emails on Outlook: 

  1. Go to the phishing email
  2. Click the three-dot icon next to the “Reply” button
  3. Select “Mark as phishing”
  4. Click “Report”

You can also forward the message to the Anti-Phishing Working Group at or report it to the Federal Trade Commission. By doing so, your message will be reviewed by a team of security experts, financial institutions, and law enforcement agencies. 

4. Avoid sharing personal information

When using email, it’s crucial that you avoid sending any sensitive data. This can help ensure prevent your private data from getting into the wrong hands to be used for fraudulent purposes. 

It’s also important to note that a legitimate financial institution wouldn’t ask for your personal information over email. If someone is, it’s likely a phishing attempt.

5. Use strong passwords

Whether it's to open your device or log in to an online account, a password is usually the last line of defense between your personal information and a nosy cybercriminal. To ensure everything is as safe as possible, it’s essential that you use strong passwords.

That way, if you accidentally fall victim to a phishing attack, you know that your accounts are equipped with strong passwords to help keep any hackers out of your private information.  

6. Keep your operating system up to date

One great way to ensure your device is protected from phishing is to keep your operating system up to date. Most times, operating system updates include essential security patches to keep your device safe. This can help protect you from phishing-related threats such as malware.

7. Avoid jailbroken devices 

Jailbreaking is the act of removing software restrictions on your device. This practice is commonly done on smartphones to unlock additional features or install third-party applications. While the idea of removing certain restrictions might seem enticing, it often leaves your device vulnerable to mobile security threats.

8. Keep an eye on your financial statements

Because most phishing attacks are used to gain control of your financial information, it’s key that you keep an eye on your financial statements. If you ever notice any unfamiliar charges or suspicious activity, it could be a sign that your accounts have been compromised by a phishing attack.

9. Never click on unknown links or attachments

No matter where you are on the internet, avoiding suspicious links and attachments is a personal cybersecurity best practice. When it comes to phishing, an unknown link could secretly be malware and could put you and your device at risk. Because of this, never click a link or attachment you’re unsure about.

10. Be wary of fake unsubscribe messages

Another common phishing tactic is fake unsubscribe messages. In these scam emails, you may be convinced to click an “unsubscribe” button or add your email to an unsubscribe list to get rid of spam. But instead of actually removing you from the list, you may be taken to a malicious website or marked as an active email account.

11. Only respond to known senders

Whenever you receive an unsolicited message from an unknown sender, you should be extra cautious. If you respond to just anyone, you’re increasing your chances of falling for a phishing attack and could accidentally give a hacker valuable information. To prevent email phishing, only respond to people you know and trust.

12. Stay informed

As technology advances, so do the methods scammers use when phishing. To stay prepared, always try to inform yourself about any known phishing scams that are circulating. Also, many workplaces offer anti-phishing and cybersecurity training that can help you stay safe.

13. Use two-factor authentication

Another way to ensure that your accounts are protected against phishing attacks is to enable two-factor authentication (2FA) — an extra layer of protection that can boost the security of your online accounts. Rather than needing only a password, 2FA will require that you input a second form of verification, such as a unique code or security question.

14. Regularly back up your data

Routinely backing up your data is a good way to increase your peace of mind and help protect against the damage of phishing attacks. That way, if something goes wrong with your device, you’ll know that you’ll still have access to all your important files and data.

15. Block pop-ups

In some instances, scammers may use pop-ups in their phishing attacks. To avoid accidentally clicking on one, you can enable a pop-up blocker to provide extra protection from phishing attacks. Luckily, most-used browsers block pop-ups automatically, but it’s always best to double-check.

16. Use a firewall

Smart firewalls are an effective way to help block any outsiders from gaining access to your private data. While using a firewall may not stop phishing messages from coming into your inbox, it can provide an additional layer of protection between your personal information and a hacker.

17. Keep your browser up to date

Just like your operating system, it's crucial that you also keep your web browser updated. This can help ensure that you’re browsing the web with the most up-to-date security features your browser has to offer, so you and your device stay safe.

18. Use antivirus software

Lastly, a great way to protect yourself from phishing and other cybersecurity threats is to use antivirus software. If you accidentally click on a suspicious link, your antivirus software can step in before any viruses can infect your device and leave you and your personal information unprotected.

What to do if you get a phishing email

Plus, what to do if you get a phishing email

Now that you know how to prevent phishing emails, you might be wondering what exactly you should do if you get one. 

If a phishing email makes it into your inbox, follow these steps:

  1. Don’t respond
  2. Don’t open any links or attachments
  3. Upload a screenshot, or copy and paste the email into Norton Genie to confirm if it may be a phishing scam
  4. Report the email as phishing
  5. Delete the message 

By following these phishing attack protection tips, you can be sure that you aren’t putting your device or personal data at risk by interacting with a phishing message.

And what to do if you responded to a phishing email

If you’ve accidentally responded to a phishing email, there are ways you can try and get ahead of any of the damage a phishing attack can cause. 

So, if you do respond to a phishing email, follow these steps:

  1. Report the message
  2. Change account passwords
  3. Inform your financial institution of the attack

Cyber threats have evolved, and so have we.

Norton 360™ with LifeLock™, all-in-one, comprehensive protection against viruses, malware, identity theft, online tracking and much, much more.

Try Norton 360 with Lifelock.

Following the attack, it's important that you keep a close watch over all of your online accounts and banking statements. This can help you catch if the scammer successfully made it into any of your accounts.
In addition to all of the phishing email protection steps listed above, practicing good email security is an excellent way to ensure that you and your device stay Cyber Safe. By prioritizing your cybersecurity, you can send, surf, and scroll all while knowing you’ve taken the proper steps to stay secure online.

Clare Stouffer
  • Clare Stouffer
  • Gen employee
Clare Stouffer, a Gen employee, is a writer and editor for the company’s blogs. She covers various topics in cybersecurity.

Editorial note: Our articles provide educational information for you. Our offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses. The Norton and LifeLock brands are part of Gen Digital Inc. 


    Want more?

    Follow us for all the latest news, tips and updates.