How to Avoid Phishing Scams: a Step-by-Step Guide

Phishing remains one of the most common online threats, which is why knowing how to avoid phishing scams is essential for protecting your accounts and personal data.

Multiple recent cybersecurity reports estimate that approximately 3.4 billion phishing emails are sent worldwide each day.

Programs.com states that in 90% of successful cyberattacks, phishing played a role in the attack chain.

This is a step-by-step guide on how you can avoid phishing scams, so you can safeguard your identity, your wallet and your data.


What is phishing?

Phishing is a form of cyberattack where criminals pretend to be a trusted person or organization to trick you into:

  • giving away passwords
  • clicking malicious links
  • opening infected attachments
  • sending money
  • revealing personal information

Once this data is gathered, the attacker will attempt to use and/or sell it. By posing as an official source with an enticing request, the perpetrator is “phishing” for sensitive information.

Here are a few red flags that tell you an e-mail might be phishing:

  • Requests for passwords, verification or information
  • Unexpected urgency or threats
  • Suspicious attachments
  • Recipient did not initiate contact
  • Attempts to impersonate a friend or coworker
  • Generic greeting (dear user, hello customer)
  • Grammar and spelling errors
  • Inconsistency between e-mail address, link and/or domain
  • Low-resolution images

Why phishing scams are so effective

Your digital footprint consists of your trail of data which you create as a result of online activity. This includes any website you visit, but also when you access banking systems, software, healthcare information and corporate networks.

If one of the accounts or passwords in your digital footprint is compromised, it could cause serious harm.

Phishing attacks are effective because they are convincing and personal, they exploit lapses in attention, and they often reach you through more channels than just e-mail.


Different types of phishing

E-mail phishing

Phishing e-mails vary greatly in terms of targeting and effectiveness. They range from personalized and persistent to very broad and “random.”

Here is what they may look like:


1. Email account upgrade scam

This e-mail contains no grammatical errors, and the link itself looks safe rather than fraudulent. If there is any doubt, do not interact with the e-mail.


2. PayPal scam

Quite convincing, since the headline is in PayPal’s style. Again, this e-mail is trying to create a sense of urgency and panic in the recipient.

The e-mail looks fairly legitimate, but the tone is forceful and the grammar incorrect.


3. Message from HR

We all trust our HR teams, right?

The above is a malicious e-mail; e-mails claiming to come from “HR” often contain a malicious link or attachment. Double-check with your own HR department to find out whether the mail is legitimate or a phishing attempt.


4. Unusual sign-in activity

Unusual sign-in activity e-mails urge you to click the button to log in, change your password, or verify your account.

Indeed, any information you’d put in would immediately be in the hands of the hacking party.


5. Fake invoice

Fake invoice scams involve invoices that appear to come from legitimate companies but bill you for items or services you never actually purchased.

The e-mail above is a good example.

Recognizing different variations is an important step in “how to avoid phishing scams.”


Breaking it down in more detail

This is another good example of a phishing e-mail:

This is a phishing e-mail because:

services@paypal-accounts.com is not an official e-mail address.

The first sentence tries to pressure the user to update their information.

There are grammar and spelling errors in the e-mail.

Generic greeting that could indicate a mass phishing attempt.

Tip: hover over (don’t click) any links or buttons in e-mails you suspect of phishing. This reveals the site you would be taken to. For example:

It’s a good sign if the link behind the button (or the link you hover over) contains the same full domain as the sender’s e-mail address:
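The hover check described above, as an added example that is not part of the original article: it compares the domain behind each link with the sender’s domain and with the brand’s real domain, and flags shorteners and lookalikes. The sample sender and links are constructed; the `registrable_domain` helper is a simplification that ignores multi-part public suffixes such as co.uk.

```python
from urllib.parse import urlparse

# Constructed sample data (not from the original article): the brand's real
# domain, the sender address from the example e-mail, and link targets as
# revealed by hovering over the buttons.
OFFICIAL_DOMAIN = "paypal.com"
SENDER = "services@paypal-accounts.com"
HOVER_LINKS = [
    "https://paypal-accounts.com/update?id=123",
    "https://www.paypal.com.secure-login.example/verify",
    "http://bit.ly/3xAmpl3",
]
# Well-known URL shorteners; the article names bit.ly and lnkd.in.
SHORTENERS = {"bit.ly", "lnkd.in", "tinyurl.com", "t.co"}

def registrable_domain(host: str) -> str:
    """Last two labels of a host name (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def sender_domain(address: str) -> str:
    """Registrable domain of the address shown in the From header."""
    return registrable_domain(address.rsplit("@", 1)[-1])

def check_link(url: str, sender: str, official: str) -> list[str]:
    """Red flags for one hovered link; an empty list means the link is consistent."""
    host = urlparse(url).hostname or ""
    link_dom = registrable_domain(host)
    flags = []
    if link_dom in SHORTENERS:
        # A shortener hides the destination, so nothing else can be verified.
        return [f"shortened URL hides the destination: {host}"]
    if link_dom != sender_domain(sender):
        flags.append(f"link domain {link_dom} differs from sender domain {sender_domain(sender)}")
    if link_dom != official:
        flags.append(f"link domain {link_dom} is not the official domain {official}")
        brand = official.split(".")[0]
        if brand in host:
            # Brand name used as a subdomain or inside a hyphenated lookalike domain.
            flags.append(f"lookalike: '{brand}' appears in {host} but the registrable domain is {link_dom}")
    return flags

def check_email(sender: str, links: list[str], official: str) -> dict[str, list[str]]:
    """Run check_link over every hovered link and keep only the flagged ones."""
    return {u: f for u, f in ((u, check_link(u, sender, official)) for u in links) if f}

if __name__ == "__main__":
    for url, flags in check_email(SENDER, HOVER_LINKS, OFFICIAL_DOMAIN).items():
        print(url, "->", "; ".join(flags))
```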



How to check the validity of a domain, after receiving a potential phishing e-mail

On lookup.icann.org, you can enter the domain paypal-accounts.com to see if there are signs that give away a phishing attempt.

You can enter the domain like this:


When you scroll down, you can look at information such as the registration date. If this domain was registered last month, or even only a few years ago, that is a warning sign, since PayPal has been in business for a lot longer.

PayPal’s actual site (and domain) is paypal.com, not paypal-accounts.com.

Another way to test a domain for legitimacy is to enter it in MxToolbox:


If the DMARC check fails, as in the example above, it shows that the domain is not set up properly for e-mail authentication and that the mail is likely malicious.
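The two domain checks from this section (registration date and DMARC), as an added example that is not part of the original article. The registration dates and DMARC TXT records are constructed fixtures standing in for what lookup.icann.org and a DNS query for `_dmarc.<domain>` would return; the two-year age threshold is an assumption, not a figure from the article.

```python
from datetime import date

# Constructed fixtures (not real lookups): registration dates as shown by
# lookup.icann.org and the TXT record published at _dmarc.<domain>, which is
# what a DMARC check such as MxToolbox's queries. None means no record exists.
REGISTRATION_DATES = {
    "paypal.com": date(1999, 1, 1),            # constructed placeholder
    "paypal-accounts.com": date(2025, 11, 3),  # constructed: registered recently
}
DMARC_RECORDS = {
    "paypal.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid",  # constructed
    "paypal-accounts.com": None,  # no _dmarc record published
}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into its tags; None if missing or not a valid record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # A valid record must start with v=DMARC1 and carry a policy tag p=.
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def assess_domain(domain, today=None, min_age_years=2):
    """Warning signs for a domain. min_age_years is an assumed threshold."""
    today = today or date.today()
    findings = []
    created = REGISTRATION_DATES.get(domain)
    if created is None:
        findings.append("no registration data found")
    else:
        age_days = (today - created).days
        if age_days < min_age_years * 365:
            findings.append(f"registered only {age_days} days ago")
    dmarc = parse_dmarc(DMARC_RECORDS.get(domain))
    if dmarc is None:
        findings.append("DMARC check failed: no valid _dmarc record")
    elif dmarc["p"] == "none":
        findings.append("DMARC policy is p=none: spoofed mail is only monitored, not blocked")
    return findings

if __name__ == "__main__":
    for dom in REGISTRATION_DATES:
        print(dom, "->", assess_domain(dom) or ["no warning signs"])
```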

The content above will set you up to identify and avoid phishing scams through e-mail. However, the phishing e-mails above are fairly generic and easier to identify as harmful.

Let’s look at different variations of (e-mail) phishing.


Spear phishing

Unlike the above examples that were fairly general, spear phishing is a very personalized attack that is aimed at specific individuals or roles within an organization.

This type of phishing usually involves more deliberate research and effort on the part of the attacker.

More often than not, they gather information beforehand through social media or corporate websites.

Their goal is the same: to get you to click a link or open an attachment so they can steal your data or infect your system.

In a report by Barracuda Networks analyzing 50 billion e-mails, spear phishing made up less than 0.1% of messages—yet caused 66% of successful breaches.

Common victims of spear phishing include:

  • C-level executives (CEOs, CFOs, CTOs)
  • Members of the finance department
  • Members of HR
  • System administrators


The following is an example of a spear phishing attempt:

The recipient receives a message from his superior requesting that a purchase be made. What stands out immediately is the personal touch: the sender greets him by his first name, Brian.

The spear phisher tries to mimic normal workplace communication to lull the victim into a false sense of security.

It again creates a sense of urgency and panic: “This is my boss. I should respond quickly.”

Ignoring it feels risky, and questioning it feels awkward.

More signs that this is a spear phishing attempt:

  • “Your confidentiality would be highly appreciated.” -> the victim is being isolated, preventing them from double-checking with colleagues.
  • The message tries to produce a believable scenario: the sender has a “busy morning,” an “important purchase,” a “surprise for staff.”


Smishing

Smishing is phishing via SMS messages.

They very often impersonate banks, institutions or delivery services.

In the following message the criminals try to impersonate a government body to create legitimacy and pressure:

Moreover, the shortened link (most likely) hides the real destination, which is a common phishing tactic.

These are some steps you can take if you receive a perceived fraudulent text message:

  • Never click links when they seem suspicious
  • Be cautious of shortened URLs (bit.ly, lnkd.in)
  • If you think something might be phishing, analyze it the same way you would an email.
  • Watch out for emotional triggers: money, urgency, threats, authority.
  • Verify the sender by contacting the organization directly.
  • Block and report. Most phones allow you to block the number and report the message as spam.


QR code phishing (quishing)

This type of phishing uses QR codes to lead people to a harmful website or to download a malicious file.

They may look like this:

This one looks very convincing, and there is seemingly no way to tell that this is fraudulent in nature.

But it’s the same idea as other phishing attempts. You scan the QR code and either download a harmful file or are led to a fake portal where you enter your username, password or other sensitive information.

Never scan a QR code if you aren’t sure of its source.


Voice phishing (vishing)

In this form of phishing, the phisher impersonates a government official, bank employee, support engineer, representative of a company or another relevant person.

Various tactics are used to make the phone call seem legitimate. These forms of phishing succeed when the scenario feels “real” in the victim’s mind.

When there’s any doubt, hang up the phone and call the official telephone number of the organization that called.


To sum it up, these are the most common and harmful variations of phishing:


Anti-phishing checklist

To help you recognize phishing attempts, the checklist below outlines key warning signs to look for.

If you’re unsure:

  • Stop interacting immediately
  • Don’t click, reply, or download anything
  • Open the official website or app manually
  • If still suspicious, contact the company yourself

Golden rule: Legitimate organizations will never ask for your password via email, SMS, or phone.


I clicked on a phishing link. What now?

If you clicked a phishing link, assume that a compromise may already have started and act quickly to limit what the attacker can access. Not every click leads to infection or account takeover, but you should treat it as serious until you’ve ruled it out.

1. Start by disconnecting the device from the internet if you suspect anything was downloaded or if you entered sensitive information. This helps prevent potential malware from communicating with external servers.

2. Then, from a separate trusted device, immediately change passwords for any accounts that may have been exposed—especially e-mail, banking, work accounts, and any accounts where you reuse passwords. Prioritize your e-mail account first, because it can often be used to reset other passwords.

Note: pay extra attention if you use the same password for more than one website, app or account.

3. If you entered login details, assume they may be compromised. Change the password and enable multi-factor authentication (MFA) if it isn’t already active. If you can’t do this yourself, contact your IT department or the person in charge of your Microsoft tenant.

4. Next, check for obvious signs of damage. Look for unexpected e-mails sent from your account, changes to account settings, new forwarding rules in e-mail (a common attacker tactic), unfamiliar devices logged into your accounts, or unauthorized transactions in financial accounts.

If this involves a work device or corporate account, report it immediately to IT/security so they can check logs and contain the threat properly.

5. Running a full system scan is recommended, but it should not be your only step. Use a reputable antivirus or endpoint protection tool and perform a full scan of the device, not just a quick scan. If malware is found, follow the tool’s remediation steps carefully.

6. Finally, monitor your accounts closely for at least the next few weeks. Watch for password reset e-mails you didn’t request, login alerts from unfamiliar locations, and financial activity you don’t recognize.

Even if you have reviewed all of this information in Outlook, for example, damage you are not aware of may still have been done. If the attacker has extracted sensitive information, they may make purchases using your identity and/or your banking details.

If you get invoices from companies where you didn’t authorize the payment, contact the company and tell them you might have been phished.


How to avoid phishing scams: conclusion

Phishing works by exploiting urgency, trust, and distraction. The best defense is slowing down and never trusting links at face value.

In practice, this means pausing before you click, checking sender details carefully, and accessing important accounts only through official websites or apps—not through links in messages.

If something feels off, treat it as suspicious rather than convenient. A few seconds of verification can prevent significant damage to your identity, finances, and accounts. Furthermore, it protects the company or organization you work for.

I hope you enjoyed this practical article on how to avoid phishing scams.

You can enjoy more content like this by visiting our blog.
