Phishing attacks are one of the most common cybersecurity threats, using fake emails, text messages, websites, or phone calls to trick people into revealing sensitive information. Knowing how to spot these scams and respond appropriately can help protect your accounts, personal data, and finances.
Check the sender's full email address, not just the display name. Phishing emails often use addresses that closely resemble legitimate ones but contain slight spelling variations, extra characters, or unusual domains.
Look for signs of manipulation, such as urgent requests, warnings about account suspension, unexpected payment demands, or requests to verify personal information. Attackers often rely on pressure and urgency to encourage quick action.
Hover your mouse over links to preview the destination URL. If the web address looks unfamiliar, misspelled, or unrelated to the organization it claims to represent, do not click it.
Many phishing messages contain spelling mistakes, awkward wording, inconsistent formatting, or branding that does not match the legitimate organization.
Avoid opening attachments from unknown senders or unexpected emails. Files such as .zip, .exe, and .html can contain malicious software or redirect you to fraudulent websites.
If you receive a request for account credentials, payment details, or other sensitive information, contact the organization directly using its official website or customer support contact information.
If you believe a message may be a phishing attempt, report it to your IT department, security team, or email provider. Reporting helps improve security and protects other users from similar threats.
After reporting the email, delete it from both your inbox and trash folder to prevent accidental interaction later.
Most email platforms include built-in spam and phishing detection. Verify that these protections are enabled to help identify and filter suspicious messages automatically.
Avoid reusing passwords across multiple accounts. Unique passwords limit the impact if one account becomes compromised.
MFA adds an additional layer of security by requiring a second form of verification during sign-in. Even if a password is stolen, unauthorized access is significantly more difficult.
Email headers can help identify the originating mail server and determine whether the message was actually sent from the domain it claims to represent. If you are unfamiliar with email header analysis, contact your IT administrator or security team for assistance.
Use trusted domain lookup tools to research suspicious websites before providing any information or downloading content. If you are unsure how to verify a domain, seek assistance from your IT administrator or security team.
Regularly review login history, security alerts, and financial transactions for any unusual or unauthorized activity.
If you clicked a suspicious link or opened an attachment, perform a full antivirus or anti-malware scan to detect and remove potential threats.