What is phishing? How to recognize and avoid phishing scams.
Ever get an email that looks like it’s from your bank warning you that it will freeze your checking account unless you verify your personal information? The email might have contained a link. And if you clicked? You might have landed on a website that asked you to fill in such personal information as your Social Security number and bank account numbers.
The problem? These emails never come from your actual bank. Instead, they’re the tools wielded by scammers and a threat to your cybersecurity.
Such emails are an example of phishing, an effort by scammers to trick you into giving up personal information that they can then use to access your bank accounts or credit cards. Phishers can reach you through email, text or even by phone.
The ultimate goal no matter which method scammers use? They want your personal information. And they’ll send countless fake email and text messages across the globe in the hope that they’ll trick enough people into surrendering this sensitive information.
Some phishing emails or texts might look unprofessional to you, using poor grammar or asking you to click on links with odd-looking URLs. But phishers don’t have to be sophisticated. These cybercriminals work in volume, and only need to trick a small number of victims to consider their work a success.
The Federal Trade Commission points to a recent attack targeting Netflix users. The phishing email purports to be sent from Netflix and warns recipients that the streaming company is “having some trouble” accessing the customer’s billing information. The message asks victims to click on a link to update their payment method. That link, of course, doesn't take users to Netflix. It takes them to a fake website created by the scammers.
How do you make sure you’re not one of these unlucky victims? It’s all about learning how to recognize phishing scams and resolving to never click on a link in a text or an email supposedly sent from a bank, credit-card provider, or other well-known company. Your spam filter will catch many phishing emails, but not all of them, so the ones that reach your inbox are yours to spot.
Warning signs of phishing emails
Scammers have become more sophisticated when it comes to sending out phishing emails. But there are still some signs you can look for.
- A bank — maybe not even your own — is asking for your account information or other personal financial information. Your bank, or any financial institution, will never ask for your Social Security number, bank account number, or PIN by email. Never provide this information in response to an email.
- Spelling and grammatical mistakes. There was a time when you could easily spot phishing emails because they were littered with spelling and grammar mistakes. Scammers have gotten better at avoiding these errors, but if you do receive an email littered with typos and weird language, that email might be sent from someone phishing.
- The generic greeting. Phishing emails might not be addressed specifically to you. Instead, the email might start with a generic greeting such as “Dear Sir or Madam” or “Dear Account Holder.”
- A call for immediate action. Phishers want you to act quickly, without thinking. That’s why many will send emails asking you to immediately click on a link or send account information to avoid having your bank account or credit card suspended. Never reply hastily to an emergency request. Urgent requests for action are often phishing scams.
- Too good to be true offers. Phishing emails may try to hook you with what appear to be incredibly cheap offers for things like smartphones or vacations. The offers may look irresistible, but resist them. They’re likely phishing emails.
- Senders you don’t recognize. If you don’t recognize the sender of an email, consider deleting it. If you do decide to read it, be careful not to click on links or download files.
- Senders you think you recognize. You might get a phishing email from a name you recognize. But here’s the catch: That email may have come from the compromised email account of someone you know. If the email requests personal information or money, it’s likely it’s a phishing email.
Types of phishing attacks
Phishing can take a variety of forms. Some phishing emails will ask you to click on a link to prevent your bank account or credit card from getting closed. When you click on the link, you’ll be taken to a website that asks for your personal financial information. That could open the door to identity theft.
Other phishing emails ask that you click on a link to verify that a credit card or bank account is yours. Again, that link will take you to a fraudulent website that will ask you to provide personal or financial information that will likely be captured by fraudsters.
You might receive a phishing email warning you that your email account is full and in danger of being shut down. Unless you click on a link, the email warns, you will lose access to your email messages. Again, links like this could request and capture your personal information or could install malware or adware onto your computer.
The unfortunate truth? Phishing emails come in a variety of types. You need to be on the lookout for all of them.
What is a phishing email?
The basic phishing email is sent by fraudsters impersonating legitimate companies, often banks or credit card providers. These emails are designed to trick you into providing log-in information or financial information, such as credit card numbers or Social Security numbers.
Other phishing emails might try to trick you into clicking a link that leads to a fake website designed to look like Amazon, eBay, or your bank. These fake websites can then install malware or other viruses directly onto your computer, allowing hackers to steal your personal information or take control of your computer, tablet, or smartphone.
An example? You might receive an email that looks like it was sent by PayPal. The email might say that you need to click on a link to verify your PayPal account. If you don’t? The email says that your PayPal account will be shut down.
Here’s an example of a phishing email (image not reproduced here; source: Secure World).
Of course, this is a scam. If you click on the link, you’ll be taken to a fake log-in page designed to look like it is PayPal. If you then enter your password and username, the scammers will capture this information.
These emails often feature spelling errors, odd grammar, and generic greetings such as “Dear User” or “Dear client.” The links you are supposed to click will often lead to websites with odd URLs or ones that are spelled just a bit differently from the institution’s legitimate website.
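As an added example that is not part of the original article, here is a small Python checker that applies the warning signs described above (generic greeting, urgent language, a request for sensitive data, and a sender or link domain that imitates a well-known brand) to a constructed message. The brand allowlist, the phrase lists and the sample message are assumptions made for illustration, and the lookalike check goes slightly beyond the text by also catching a brand name used as a subdomain of an unrelated site.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of brand domains (hypothetical; a real deployment loads its own).
KNOWN_BRAND_DOMAINS = {"paypal.com", "netflix.com", "amazon.com"}
TEXT_SIGNS = {
    "generic greeting": ("dear sir or madam", "dear account holder", "dear user", "dear client"),
    "urgent call to action": ("immediately", "account suspended", "funds on hold", "will be shut down"),
    "asks for sensitive information": ("social security number", "account number", "password", "pin"),
}

def edit_distance(a, b):
    """Levenshtein distance, used to catch labels one typo away from a brand name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(host):
    """Return the brand domain a hostname imitates, or None if it is genuine or unrelated."""
    host = host.lower()
    if ".".join(host.split(".")[-2:]) in KNOWN_BRAND_DOMAINS:
        return None  # the real site or one of its subdomains
    for brand in sorted(KNOWN_BRAND_DOMAINS):
        name = brand.split(".")[0]
        # catches "paypa1-secure.com" (one typo) and "paypal.example.com" (brand as a subdomain)
        if any(edit_distance(tok, name) <= 1 for tok in re.split(r"[.-]", host)):
            return brand
    return None

def phishing_flags(sender, subject, body, links):
    """Apply the article's warning signs to one message and return the flags raised."""
    text = (subject + " " + body).lower()
    flags = [sign for sign, phrases in TEXT_SIGNS.items()
             if any(re.search(rf"\b{re.escape(p)}\b", text) for p in phrases)]
    # check the sender's domain and every link's hostname for brand lookalikes
    for host in [sender.split("@")[-1]] + [urlparse(u).hostname or "" for u in links]:
        brand = lookalike_brand(host)
        if brand:
            flags.append(f"{host} imitates {brand}")
    return flags

# Constructed sample modelled on the PayPal example in the text.
SAMPLE = dict(sender="service@paypa1-secure.com", subject="Action required: verify your account",
              body="Dear User, your account will be shut down unless you confirm your password immediately.",
              links=["http://paypa1-secure.com/login"])
```

Running `phishing_flags(**SAMPLE)` raises all four kinds of flag, while a plain note from a friend at an unrelated domain raises none.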
PayPal, credit card companies, mortgage lenders and banks will never contact you by email to request any personal information from you. Instead of clicking on links in emails, log into your account on your own. If there is a legitimate concern, you’ll see it when you log in.
What is spear phishing?
While most phishing emails are sent to large groups of people, there is one type of attack that is more personalized in nature: spear phishing.
Spear-phishing emails are targeted toward a specific individual, business, or organization. And unlike more generic phishing emails, the scammers who send them spend time researching their targets. The technique is sometimes called social engineering. These criminals will send emails that look like they’re from legitimate sources.
For instance, in 2016, millions of customers who had made a purchase from Amazon received an email with the subject line “Your Amazon.com order has been dispatched” with an order code after it. When consumers opened the email, there was no message, just an attachment. If they opened the attachment, consumers ran the risk of installing ransomware on their computers.
In another example, spear-phishing emails might target a company employee. The email may appear to come from the boss, and the message requests access to sensitive company information. If the spear-phishing target is tricked, it could lead to a data breach where company or employee information is accessed and stolen.
What is clone phishing?
Another type of phishing, clone phishing, might be one of the most difficult to detect. In this type of phishing attack, scammers create a nearly identical version of an email that victims have already received.
The cloned email is sent from an address that is nearly, but not quite, the same as the email address used by the message’s original sender. The body of the email looks the same, too. What’s different? The attachment or link in the message has been changed. If victims click on those now, it will take them to a fake website or open an infected attachment.
What is whaling?
Sometimes phishers go after the biggest of targets, the whales. Whaling attacks target chief executive officers, chief operating officers, or other high-ranking executives in a company. The goal is to trick these powerful people into giving up the most sensitive of corporate data.
These attacks are more sophisticated than general phishing attacks and require plenty of research from scammers. They usually rely on fraudulent emails that appear to be from trusted sources within the company or from legitimate outside agencies.
What is pop-up phishing?
Pop-up phishing is a scam in which pop-up ads trick users into installing malware on their computers or convince them to purchase antivirus protection they don’t need.
These pop-up ads sometimes use scare tactics. An ad might pop up on a user’s screen warning the user that their computer has been infected and the only way to remove the virus is by installing a particular type of antivirus software.
Once the user installs this software, it either doesn’t work or, worse, actually does infect the computer with malware.
How to recover after responding to a phishing email
What if you've fallen for an email scam? Perhaps you sent financial information to a scammer or clicked on a link that installed malware on your computer.
You’ll want to act quickly. Here are some steps you can take to help protect yourself against identity theft.
Change your passwords: Make sure to change the passwords you use for your banking, credit card and other accounts. Use a combination of numbers, letters and symbols to make these passwords more difficult to crack. Consider enabling multi-factor authentication if it’s available. Multi-factor authentication requires entering a second piece of information — such as a code sent to your smartphone — to access an account.
Alert the credit bureaus: Visit the home pages of Experian, Equifax, and TransUnion, the three national credit bureaus, and alert them that you've been the victim of a phishing attempt. You might freeze your credit with each of the bureaus to make sure that criminals can't open new credit accounts or take out new loans in your name.
Contact your credit card providers: If you've given up credit card information, immediately call your credit card providers. They can freeze the card to prevent unauthorized purchases. They can also work with you to determine which purchases on your accounts are legitimate and which were made by criminals.
Check your credit reports: Order free copies of your credit reports from AnnualCreditReport.com. Check these reports carefully for any unfamiliar activity to make sure no one has opened credit card accounts or loans in your name.
Study your credit card statements: Be on the lookout for any unauthorized or suspicious charges.
How to report phishing
If you’ve been victimized by a phishing scam, you should alert the proper authorities. You can report a phishing attempt or crime to the Federal Trade Commission at its Complaint Assistant page. You can also report the attack to the Anti-Phishing Working Group.
How can I help protect myself from phishing?
The good news? You can avoid being scammed by phishing attacks. All it requires is some common sense.
Don’t open suspicious emails. If you receive an email supposedly from a financial institution with an alarming subject line — such as “Account suspended!” or “Funds on hold” — delete it. If you are worried that there is a problem, log in to your account or contact the bank directly. If there really is a problem with your bank account or credit card, you’ll find information once you’ve logged in.
Don’t click on suspicious links in emails. If you do open an email from someone you don’t know and you are instructed to click on a link, don’t. Often, these links will take you to fake websites that will then encourage you to either provide personal information or to click on links that might install malware on your computer.
Don’t send financial information through email. Your bank or credit card provider will never ask you to provide bank account numbers, your Social Security number, or passwords through email.
Don’t click on pop-up ads. Hackers can add fraudulent messages that pop up when you visit even legitimate websites. Often, the pop-ups will warn you that your computer is infected and instruct you to call a phone number or install antivirus protection. Avoid this temptation. Scammers use these ads to either install malware on your computer or scam you out of a payment for a computer clean-up you don’t need.
Sign up for antivirus protection. Make sure your computer is protected by strong, multi-layered security software.
Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.
Copyright © 2020 NortonLifeLock Inc. All rights reserved.