How to Catch Phishing Emails Before They Catch You

Phishing attacks can lead to serious problems like money loss and identity theft. Learn how to spot a phishing email and keep your information safe.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

Many people today are bombarded with fraudulent fake emails. Cybercriminals were especially busy once the COVID-19 pandemic hit. The Federal Trade Commission (FTC) had tallied over 750,000 consumer complaints related to stimulus payment scams by mid-June of this year.

The term “phishing” was first mentioned in 1996. These attacks use malicious emails and fake websites to lure people into handing over their personal information. It’s referred to as “phishing” because the hackers were called “phreaks.”

There are several ways to spot a phishing email. Knowing what to look for can save you lots of frustration. Be on the lookout for these signs of email spam:

  • Spelling and grammar errors
  • Mismatched email domain names
  • Unrecognized senders
  • Generic greetings
  • Unfamiliar or suspicious links
  • Urgent messages calling you to act immediately
In this article
How does phishing work?
Types of phishing attacks
Email phishing
Phishing email warning signs
What if a phishing attack is successful?
How to prevent phishing attacks
Phishing FAQs
Bottom line

How does phishing work?

The reason phishing is so effective is that attackers send compelling emails that look legitimate at first glance. The fraudulent emails usually direct you to a webpage that either delivers malware or gets you to enter your private account information. You also may receive an attachment or link redirecting you to a fraudulent site.

The goal of scammers is to steal as much of your personal data as possible. Once they have that, they can access your social media accounts, financial information, and other sensitive data.

This is known as social engineering. The scammer manipulates you into doing something dangerous online, like revealing private information. Phishing is a form of social engineering where the perpetrators are looking for things like:

  • Passwords
  • Phone numbers
  • Social security numbers
  • Login credentials
  • Credit card numbers
  • Bank account numbers

Types of phishing attacks

Phishing attacks are a threat to everyone, so you need to know how to recognize them when they come your way. There are numerous types of threats that use phishing to steal your information. We cover these so you can spot them, hopefully before they can do any damage.

Email phishing

Email phishing is a technique used by criminals who send a fraudulent message with the hopes you’ll respond by clicking a link or opening an attachment. Once you do, you’ll be directed to a site asking for you to enter private information. All of this comes as a savvy email that looks like something genuine you might need to open.

Spear phishing

Spear phishing campaigns use previously collected data in the email attack. That may be information regarding you or your employer. You may receive an email that creates a sense of urgency by asking you to act right away. If you get a spear phishing email at work, it is usually an attempt to obtain your login credentials. It may have some information about you in the email to look like it comes from someone you can trust.

Malware phishing

Malware phishing attempts to install malicious software on your device or company network. These come as email attachments and might look valid. Sometimes malware phishing can be disguised as seemingly harmless eBooks, PDFs, GIFs, or funny videos to tempt you to open them.


Pharming is a bit different from regular phishing. It uses malicious code executed on your device to redirect you to the criminal’s website. You won’t get a link to click or an attachment to open. Pharming relies solely on code being run on your computer to target you. It’s a good idea to check your privacy settings on your device to limit who has access to your data.


Whaling (AKA executive phishing) is a technique used by hackers wherein they pretend to be senior members of an organization. Then they target other people who are in administrative positions. The aim is to steal money or data for criminal gain.

Whaling uses email and website spoofing to get the target to reveal data or even transfer money. Spoofing works by creating a website that looks legitimate so you’ll click on it and reveal private information to the scammers. Whaling targets specific individuals who would have access to sensitive information.


Smishing is a combination of phishing and short message service (SMS). People tend to use text messaging more frequently than emails, so many hackers use this method to get your information. They may send a text to you with an infected link for you to click. The criminal will get your information and commit fraud to make money. Smishing scams are so popular with criminals, they’ve increased by over 300% in the last two years.


Vishing is a combination of phishing and voice recordings. The caller will leave you an urgent voicemail that tells you to respond immediately and call a certain number back. An example would be a message that your bank account has been hacked or suspended.

Another example is the extended car warranty phone call that most of us have received repeatedly. The end goal is the same as it is with email phishing: The criminal wants to steal your information for financial gain.

Phishing email warning signs

If you get an email that seems suspicious, the best defense is to delete it. You may spot a phishing scam by looking for bad grammar or misspellings in the message. Some emails have generic greetings, which wouldn’t normally come from friends or professional companies.

Many phishing messages also have mismatched email domains, claiming to be from reputable companies. If you get a suspicious link, you can see the address it comes from by hovering over the link with your mouse. Don’t click on the link. If you see any warning signs, always use caution when you see these:

  • Bad grammar or misspelled words
  • Generic greetings
  • Mismatched email domains
  • Links that look suspicious
  • Use of Gmail addresses

A phishing example where a scammer is pretending to be a CEO and is asking for the user's phone number.

The example above shows an email with a friendly message, but it is probably from a stranger attempting to get you to send back information. Once the scammer gets your data, it could be used to steal your identity or money.

There are several warning signs in this example. In the email, the first thing you’ll notice is the warning message that lets you know it could be phishing. Also, there’s no comma after the greeting, and the sender makes up an excuse as to why a phone call wouldn’t work.

Then, you get asked for your personal number. That’s something that can be used to steal your identity and other data. It’s also from a CEO supposedly, but it’s unlikely that a CEO would email you asking for your personal number.

A phishing example where a scammer is trying to trick a user into renewing their McAfee subscription.

The above example is one you may receive frequently. You get a receipt or confirmation about a product that you know you haven’t ordered, in this case, what appears to be a McAfee product. It contains a link that entices you to click on it, which may take you to a site to enter your credit card information to remain protected or to opt out.

What if a phishing attack is successful?

If a phishing attack is successful, it can compromise your financial and social media accounts. That can mean unauthorized purchases and even identity theft. You can also get hit with ransomware that holds your information hostage until you pay to get it back. If you use identity theft protection, you should be notified if someone is using your information.

Phishing attacks can also harm companies. They can cause data loss and distribute malware throughout the organization. That can lead to devastating financial loss, reputation issues, and consumer mistrust.

How to prevent phishing attacks

You can prevent phishing attacks by staying vigilant. There will always be cybercriminals looking to make a fast buck, but you don’t have to succumb to their savvy phishing games. Some ways to stop phishing attacks include:

  • Education: Being aware of how scammers use phishing attacks can help keep you from becoming a victim. Cybersecurity training will keep you updated on the latest phishing trends.
  • Installing antivirus software: Antivirus software helps guard against malware, including phishing attacks.
  • Using a password manager: A password manager can generate strong passwords for websites to help keep your data more secure.
  • Using spam filters: Spam filters can be your first line of defense to block a phony email before it gets to you.
  • Reporting: If you receive a suspicious message, report it to your email client, such as Microsoft Outlook. You can also report phishing emails to the FTC and to local law enforcement.

Phishing FAQs


What is a common indicator of a phishing attempt?

A common indicator of a phishing attempt is noticing something unusual or suspicious about the email, such as grammar or spelling errors. You may also receive a generic greeting or an unrecognized link.


What is the difference between a scam and phishing?

The difference between a scam and phishing is a scam is a scheme or fraudulent business that tries to get money or goods from you, while phishing is a type of online scam that targets you by email.


How do I report a suspicious email?

You can report a suspicious email to your email clients, such as Gmail or Microsoft Outlook. You can also report to the FTC.

Bottom line

Phishing is a real threat to everyone these days. Cybercriminals are getting smarter with their methods to deceive us and take advantage of vulnerabilities. Fortunately, you can use the above anti-phishing tips to prevent scams. Always look for red flags, like spelling and grammar mistakes, suspicious links, and urgent demands or requests.

If you get any suspicious emails, report them to your email client or the FTC. Now that you understand how phishing works, you can protect yourself and not fall victim to this cyberattack. For more advanced security, learn how to browse online anonymously.

Editorial Rating
Learn More
On NordPass's website
Password Manager
60% off + 3 months free
  • Strong encryption and security
  • User-friendly interface

Author Details
Patti Croft is a seasoned writer specializing in technology, with three years of experience. With a B.S. in Computer Science and a background as a technical analyst and security specialist, she covers a range of topics like data security and parental control software.