Phishing emails: How to protect yourself


Be on the alert for phishing scams that aim to hook your personal information

You have probably heard about phishing scams – fraudulent emails designed to rob you of sensitive data. Because phishing is one of the most widespread forms of cybercrime, it’s important to learn how to recognize these scams so you don’t get caught in the net.

Phishing definition

A “phishing” scam is when cybercriminals pretend to be from a reputable company to try to trick you into revealing personal information, like login credentials or credit card numbers, or into installing malware on your device. Phishing is most often an email scam, such as the well-known PayPal scam emails.

What does a phishing email look like?

A phishing email tries to imitate a message from a trusted sender, like your bank or credit card company, or a well-known online retailer or social media site. The scam emails will either contain malicious attachments designed to install malware (like a virus or spyware) on your computer when opened, or links to fraudulent websites designed to trick you into revealing your password or other personal data.

Phishing email examples

Email scammers have some favorite tricks to try to get you to open the infected attachment or click the fake link, like:
  • Saying there’s a problem with your account or your payment information
  • Sending you a fake invoice and claiming it’s overdue
  • Telling you you’re eligible for a government benefit, like COVID relief payments
  • Requesting that you contribute to a charity, especially around the holidays
  • Claiming you won a prize or sending you a coupon
What all phishing emails have in common: they arrive unprompted and unsolicited, and they try to create a sense of urgency, suggesting that immediate action is required on your part.

How to avoid phishing scams

When you receive an email that asks you to click on a link or open an attachment, you should proceed carefully. Always be suspicious of “urgent” emails that pressure you for an immediate response. Don’t open attachments unless they are expected and come from a trusted source. Emails that contain spelling and grammatical mistakes should also be treated with caution. When in doubt, call the sender by phone – never reply to the suspicious message. Or go directly to the homepage of the institution or company and log in there instead of using the link in the email.

How to identify phishing links and fake sender addresses

When it comes to emails requesting security information like account names or passwords, it pays to be vigilant and check before you click. For example, phishing emails will often claim to be from a reputable company like Amazon or Paypal and contain fake sender information designed to trick you. However, if you hover with your mouse over the display name in the “From” line, the email address that pops up will often reveal that the email is a fake, containing misspellings, strings of numbers, or a different domain name entirely.

Another favorite trick of online scammers is using faked links in phishing emails to get your user data or to install malware on your device. If you take the bait and click the link, it’s often already too late. So take a moment to examine any links before you click on them. To see where a link embedded in a text really leads, simply hover over it with your mouse and the actual address will appear in the lower corner of your browser window. There are often clues in this address that reveal that it is not the real thing. For example, if at the start of the link you see “http” instead of “https”, this means the connection to the site is not encrypted with TLS (still commonly called SSL), which means it is not a secure website and therefore probably not the homepage of your bank or a major national retailer. The reverse is not a guarantee, however: phishing sites can also use “https”, so the padlock alone does not prove a site is genuine. You should also look carefully for small changes or errors in the domain name – like “” instead of “” – or a different ending, like “”.
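The two checks described above (the real address behind a display name, and the real target behind a link) can be automated for a quick look at a suspicious message. This is an added example, not code from the original article: it assumes a small allowlist of genuine brand domains and uses a constructed sample header and link that imitate the fakes the article describes.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a small allowlist of genuine domains for brands the article names.
# A real mail client would use a much fuller list.
KNOWN_DOMAINS = {"paypal": "paypal.com", "amazon": "amazon.com"}

# Matches the real target (href) and the visible text of each HTML link.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def sender_warnings(from_header):
    """Compare the display name in a From header with the address behind it."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From header carries no usable address"]
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    warnings = []
    for brand, real in KNOWN_DOMAINS.items():
        claims_brand = brand in name.lower()
        genuine = domain == real or domain.endswith("." + real)
        if claims_brand and not genuine:
            warnings.append(f"display name claims {brand!r} but address domain is {domain!r}")
    if re.search(r"\d{3,}", local):   # the "strings of numbers" clue from the article
        warnings.append(f"address contains a long digit string: {local!r}")
    return warnings


def link_warnings(html):
    """Check each link's real scheme and whether the visible text points somewhere else."""
    warnings = []
    for href, text in ANCHOR_RE.findall(html):
        real = urlparse(href)
        if real.scheme.lower() != "https":
            warnings.append(f"link is not https: {href}")
        shown = urlparse(text.strip())   # only meaningful when the visible text is itself a URL
        if shown.hostname and shown.hostname.lower() != (real.hostname or "").lower():
            warnings.append(f"visible text {text.strip()!r} hides real target {href!r}")
    return warnings


# Constructed sample resembling the fake the article describes (not a real message).
SAMPLE_FROM = '"PayPal Service" <billing-4417@paypa1-secure.example>'
SAMPLE_HTML = '<a href="http://paypa1-secure.example/login">https://www.paypal.com/</a>'

if __name__ == "__main__":
    for w in sender_warnings(SAMPLE_FROM) + link_warnings(SAMPLE_HTML):
        print("WARNING:", w)
```

Running it on the constructed sample reports four warnings: the display name claims PayPal while the address domain does not, the address contains a long digit string, the link is plain http, and the visible link text hides a different real target.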

What to do if you suspect phishing

If you realize an email is a phishing attack, move it to your Spam folder so your spam filter will recognize emails from that sender as spam automatically next time. If you think you may have clicked on a link or opened an attachment that downloaded harmful software, make sure your computer’s security software is up to date, then run a virus scan. After that, you should change any affected passwords.

If you suspect phishing, you can report scams to your email provider – in the case of, please use our contact form. Many countries also have government agencies where you can report email scams, for example the Federal Trade Commission (FTC) in the United States.

Bonus explainer: Phishing and passwords

One important way to protect yourself against phishing scams is to use strong and unique passwords for each online account you have. If you use the same password everywhere and accidentally reveal it in a phishing scam, every account that uses that password is no longer safe. We know it can be hard to come up with and remember a new secure password for every login. Our security expert recommends using a multi-word password and always changing the last word to fit the account, like “Sandwich-backpack-pencil-money” for a bank account and “Sandwich-backpack-pencil-messages” for an email account. Or you could consider using a secure password manager.


This article was first posted on May 27, 2021 and updated on Dec. 20, 2021

Image: 1&1/Shutterstock
