Cybersecurity Guide

How to spot and protect yourself from a phishing attack

Written by Steven BowcutLast updated:
In this guide

Phishing is a technique widely used by cyber threat actors to lure potential victims into unknowingly taking harmful actions.

This popular attack vector is undoubtedly the most common form of social engineering—the art of manipulating people to give up confidential information— because phishing is simple and effective.

Scammers launch thousands of phishing attacks every day, and they’re often successful.

What is phishing?

In the 1990s, it was common for hackers to be called Phreaks. What passed for hacking in those days was referred to as phreaking.

So, the act of using a lure—a more or less authentic-looking email—to catch or trick an unsuspecting computer user adopted the “ph” from phreaking to replace the “f” in fishing and became modern-day phishing. 

Today, the most common type of fraudulent communication used in a phishing attack is still email, but other forms of communication, such as SMS text messages, are becoming more frequent.

Threat actors use any means they can conceive to get a user to follow a link to an illegitimate webpage and enter their computer or banking system login credentials or download malware

In a modern phishing attack, a threat actor uses skillful social human interaction to steal or compromise sensitive information about an organization or its computer systems.

A 2021 Egress Insider Data Breach Survey has revealed that almost three-quarters (73 percent) of organizations have suffered data breaches caused by phishing attacks in the last year.

Learn how to respond to data breaches

Phishing scams are often the “tip of the spear” or the first part of an attack to hit a target. The attack may be aimed at stealing login credentials or be designed to trick a user into clicking a link that leads to deploying a payload of malware on the victim’s network.

Once one or more users within an organization fall prey to an orchestrated phishing campaign, the attackers will have culled credentials or delivered a malware payload needed to launch their full-scale attack. 

There is a wide variety of attack types that begin with a phishing campaign.

The hacker’s objective may be to steal credentials and other personally identifiable information (PII) that they can then sell on the dark web, download the malware for a ransomware attack, or steal valuable information as part of an industrial or military espionage campaign. 

Nation-states and state-sponsored advanced persistent threat (APT) actors use phishing to gain a presence on the victim’s network to begin privilege escalation that can eventually severely compromise our nation’s critical infrastructure or financial institutions. 

Until a few years ago, it was generally pretty easy to spot a phishing email. Users could readily identify a bogus sender address, poor spelling, or a doctored link URL with only a bit of examination.

Today, scammers are much more clever. Phishing emails can be almost undetectable by the average user. 

The various types of phishing attacks

Phishing has become so profitable for bad actors that the methods for attacking various victim types have evolved. Today, there are at least four categories of phishing attacks—each with a specific victim type.

In addition to what we might think of as common phishing that is focused on everyday computer and network users, there is spear phishing, whale phishing, and smishing. 

Spear Phishing: A more targeted form of phishing that focuses on specific individuals or organizations. Attackers often gather information about their targets to make the communication appear highly personalized and credible. For instance, an employee might receive an email seemingly from their CEO requesting an urgent wire transfer.

Whaling: A type of spear phishing that specifically targets high-profile individuals within an organization, such as executives or senior managers, who often have access to sensitive information and financial resources.

Smishing (SMS Phishing): Phishing attacks conducted via text messages. These messages often contain urgent alerts or enticing offers with malicious links. Examples include texts claiming you’ve won a prize and need to click a link to claim it, or notifications about fraudulent activity on your bank account requiring immediate action.

Vishing (Voice Phishing): Phishing attacks carried out over the phone. Attackers may impersonate customer service representatives, government officials, or lottery organizers to trick victims into revealing personal information or making payments.

Social Media Phishing: Phishers use social media platforms to send direct messages, create fake profiles, or post malicious links disguised as legitimate content or advertisements. Angler Phishing: Attackers monitor social media for users complaining about a specific company and then impersonate the company’s customer support to offer assistance, often leading to malicious links or requests for personal information.

Pharming: A more sophisticated attack that aims to redirect users to fake websites even if they type the correct URL. This is often achieved by compromising DNS (Domain Name System) servers or the user’s local host file.  

Notable phishing attacks

  • Gmail Subpoena Phishing Scam (2025): In April 2025, a sophisticated phishing campaign targeted Gmail users by sending emails that appeared to originate from “no-reply@google.com.” These emails falsely claimed to be legal subpoenas and directed recipients to fraudulent support portals hosted on Google Sites.
  • GrubHub Data Theft (2025): A cyberattack compromised the data of customers, drivers, and merchants associated with GrubHub, making them susceptible to phishing attempts.
  • DISA Data Breach (2025): A US drug testing firm, DISA, reported a breach affecting 3.3 million individuals. Sensitive information, including Social Security numbers, was exposed.
  • Hillcrest Convalescent Center Breach (2025): Over 106,000 individuals had their personal and medical data compromised, potentially leading to targeted phishing attacks.
  • Microsoft and Google Brand Phishing Attacks (2024): In the first quarter of 2024, Microsoft and Google were the most impersonated brands in phishing attacks. Microsoft accounted for 38 percent of all attempted brand phishing attempts, making it the top target, followed by Google at 11 percent. These attacks involved emails that closely mimicked official communications, luring recipients into clicking malicious links or providing sensitive information.
  • Student Loan Forgiveness Phishing Scams (2023–2024): Following the announcement of student loan forgiveness programs in the U.S., the FBI issued warnings about phishing schemes targeting borrowers. Scammers sent emails and messages impersonating official government communications, tricking individuals into providing personal and financial information under the guise of processing loan forgiveness applications.
  • MOVEit Data Breach (2023): In May 2023, a critical vulnerability in the MOVEit file transfer software was exploited by the Cl0p ransomware group. While the initial breach was due to a software flaw, phishing was used to further infiltrate systems. Over 2,700 organizations were affected, and approximately 93.3 million individuals’ data were compromised, highlighting the cascading effects of combined cyberattack methods.
  • Reddit BlackCat Attack (2023): In February 2023, Reddit experienced a significant data breach when the ransomware group BlackCat gained access to 80GB of data. The attackers demanded a $4.5 million ransom and a rollback of planned API pricing changes. Reddit attributed the breach to a “sophisticated and highly-targeted” phishing attack against its employees.
  • T-Mobile Data Breaches (2023): T-Mobile experienced multiple breaches in 2023, exposing customer data to phishing campaigns. These incidents highlighted vulnerabilities in corporate systems.

How to avoid phishing attacks

Phishing emails are designed to spoof a company that potential victims are likely to be familiar with. In low-budget, widely broadcasted scams, attackers will often create an email that appears to be from a major bank or other institution, then send the email to hundreds of thousands of email addresses.

Only a percentage of the recipients will be customers of the spoofed company, but it costs the hackers nothing to play the numbers game.

They know that even if only a small percentage of the recipients are customers and only a tiny fraction of those people fall for the scam, they still come out on top. 

Common phishing ploys include stating in an email that they have noticed some suspicious activity or login attempts, telling the potential victim to follow a link in the email to remedy the situation. Most of these low-budget scams are easy to detect.

There will be misspellings or language that is not consistent with a business email. The address from which the email is sent can often be identified as not belonging to the company that purports to have sent it. 

Low-budget mass email scams are often targeted toward senior citizens who may not know how to detect obvious clues indicating a phishing scam.

An example of an easy-to-detect sender email address is BankofAmerica@gmail.com. To anyone familiar with email address formats and business email practices, it should be evident that Bank of America does not use a Gmail account for customer emails.

More sophisticated spear phishing and whale phishing attempts can be challenging for users to identify.

Scammers will devise URLs that look similar to the spoofed company’s legitimate email address, such as service@account.paypl.com, if they are attempting to persuade victims that the email is from PayPal. 

The cardinal rule for avoiding phishing scams is never to click a link in an email unless you are sure the email is from someone you trust. Most companies will not ask their customers to click a link in an email.

If a company asks you to interact with them on their website, type the company’s known URL directly into your browser rather than using a link from an email.

Email spam filters are an effective—but not foolproof—tool for protecting against low-budget phishing attacks. 

A spam filtering solution integrated with your email platform uses a set of rules to determine which of your incoming messages are spam and which are legitimate.

The several types of spam filters include content filters, header filters, blacklist filters, permission filters, and challenge-response filters. Each applies a different set of rules to your incoming emails and can be beneficial in detecting phishing scams. 

Cyber threat actors are always finding new and innovative ways to bypass spam filters to trick email or SMS users, enabling them to steal sensitive information or deliver destructive payloads. Beyond spam filters, there are steps that users should take to avoid becoming a victim of a phishing attack.

Use security antivirus and other appropriate security software on all digital devices, including mobile phones, and apply automatic update settings to ensure you have the most current protection. 

For all accounts that contain sensitive information, use multi-factor authentication if available. This extra level of protection ensures that even if you fall victim to a credential-culling phishing scam, the bad actors will be unable to access your accounts. 

Always back up your data. Phishing is a common prelude to a ransomware attack.

You can mitigate the adverse effects of having your data encrypted in a ransomware attack by maintaining a current backup. 

Learn more about internet safety

Conclusion

Phishing is but a modern twist to any number of age-old ploys to trick people into giving up information that can be used against them.

From eavesdropping to mail tampering, criminals have always sought to steal information as a precursor to launching other exploits. 

As it has always been, each individual must shoulder the responsibility to protect themselves from trickery and deception.

There are software tools, such as spam filters and antivirus software, that can help, but in the end, we must all be ever-diligent and even a little suspicious of email and SMS communications.

Frequently asked questions

What is a phishing attack?

A phishing attack is a malicious attempt by cybercriminals to deceive individuals into sharing sensitive information, such as passwords, credit card numbers, or Social Security numbers, by posing as a trustworthy entity, often via email or other online communication methods.

How can I recognize a phishing email?

Look for suspicious email addresses, spelling errors, generic greetings, unexpected attachments, and urgent or threatening language. If something feels off, trust your instincts.

Are phishing attacks limited to emails?

No, phishing attacks can also occur through phone calls, text messages, social media, and fake websites. Always be cautious of unsolicited communications.

What should I do if I receive a phishing email?

Do not click on any links, download attachments, or provide any personal information. Report the email to your IT department or email provider and delete it immediately.

How can I protect myself from phishing attacks?

Always verify the sender’s identity, especially if they request sensitive information. Use two-factor authentication, keep your software updated, and never enter personal information into a website unless you’re certain it’s legitimate.

Are there tools to help protect against phishing?

Yes, many email providers offer built-in phishing filters. Additionally, there are specialized security software and browser extensions designed to detect and block phishing attempts.

How do cybercriminals benefit from phishing attacks?

Cybercriminals use the stolen information for various illegal activities, including identity theft, financial fraud, or even selling the data on the dark web.

Sources