What Is Phishing?

Phishing is a type of online attack where a scammer impersonates a trusted organization — your bank, a popular retailer, a government agency — to trick you into revealing sensitive information like passwords or credit card numbers, or to get you to click a malicious link. Phishing happens primarily through email, but also via text message (called "smishing") and phone calls ("vishing").

Despite being one of the oldest tricks on the internet, phishing remains one of the most effective. Attacks have grown increasingly convincing, which makes knowing the warning signs more important than ever.

6 Warning Signs of a Phishing Email

1. A Sense of Urgency

Phishing emails almost always try to panic you. Phrases like "Your account will be suspended in 24 hours", "Immediate action required", or "Unauthorized access detected" are designed to make you act before you think. Legitimate companies rarely communicate genuine emergencies exclusively through email with a countdown clock.

2. A Suspicious "From" Address

The display name might say "PayPal Support" but the actual email address might be support@paypa1-help.net. Always click on or hover over the sender name to reveal the full email address. Official communications come from the company's real domain (e.g., @paypal.com, @amazon.com).

3. Generic Greetings

Your bank knows your name. A message starting with "Dear Customer" or "Dear User" instead of your actual name is a significant red flag that the email was sent in bulk to thousands of addresses.

4. Suspicious Links

Before clicking any link in an email, hover over it to see where it actually leads. If the visible text says "amazon.com" but the underlying URL shows something like "amaz0n-order-confirm.xyz," do not click it. When in doubt, open a new browser tab and navigate directly to the company's official website.

5. Unexpected Attachments

If you weren't expecting a file, don't open it. Malicious attachments — often disguised as invoices, shipping notices, or documents — can install malware when opened. Be especially wary of .exe, .zip, .doc, and .pdf files from unknown senders.

6. Requests for Personal Information

No legitimate bank, government agency, or reputable company will ask you to confirm your password, Social Security number, or credit card details via email. Period.

What to Do If You Receive a Phishing Email

  1. Do not click any links or download attachments.
  2. Do not reply — even to say "stop emailing me." Replies confirm your address is active.
  3. Report it. Most email clients have a "Report Phishing" or "Report Spam" button. In Gmail, click the three-dot menu on the email and select Report phishing.
  4. Forward it to the impersonated organization. Many companies (e.g., phishing@paypal.com) have dedicated addresses for reporting fake emails about them.
  5. Delete it.

What to Do If You Already Clicked a Link

Don't panic — act quickly:

  • If you entered any credentials, change your password immediately on that account, and on any other site where you use the same password.
  • Enable two-factor authentication on the affected account.
  • Run a malware scan using a reputable security tool (Windows Defender, Malwarebytes).
  • If financial information was involved, contact your bank or card issuer right away.

The Golden Rule

When an email asks you to do something — click, download, pay, or enter information — stop and ask: Did I initiate this interaction? If you didn't request a password reset, an invoice, or a verification, be very suspicious. When in doubt, go directly to the source by typing the company's URL into your browser rather than following the email's link.