
How to Spot a Phishing Scam Before It Costs You

Phishing is the most common way accounts get hijacked — and it's beatable with a few habits. Here's how to recognize the red flags and what to do when one slips through.

Ledger & Life Editorial

Most accounts aren't lost to clever hacking. They're handed over — by someone who typed their password into a convincing fake page, or clicked a link they shouldn't have. That's phishing, and it's the most common attack you'll face. The good news: it relies on tricking you, which means a little awareness defeats most of it. Here's how to see it coming.

What phishing actually is

Phishing is any attempt to trick you into revealing sensitive information — passwords, codes, card numbers — usually by impersonating someone you trust. The classic form is an email that looks like it's from your bank, a delivery company, or a service you use, urging you to "verify your account" via a link to a fake login page that harvests whatever you type.

It has evolved well beyond email: text messages ("smishing"), phone calls ("vishing"), fake login pop-ups, and messages on social platforms. The medium changes; the goal never does — get you to act before you think.

The universal red flags

Almost every phishing attempt trips at least one of these wires. Train yourself to notice them:

1. Urgency and fear

"Your account will be suspended in 24 hours." "Suspicious login detected — act now." Manufactured urgency is the signature move, because panic shuts down careful thinking. Any message pushing you to act immediately deserves more suspicion, not less. Real organizations rarely threaten you into instant action.

2. Links that don't go where they claim

Hover over a link (or long-press on mobile) before tapping, and read the actual destination. paypa1.com, apple-support-verify.net, amaz0n-security.co: the display text says one thing, the real URL says another. The part that matters is the domain just before the first slash, read from the right. An address like paypal.com.account-verify.net belongs to account-verify.net, not to PayPal, no matter how the front of it reads. When in doubt, don't click the link at all; go to the site by typing the address yourself.

3. Requests for secrets

No legitimate company will contact you and ask for your password, your full card number, or a two-factor code. None. Ever. A request for any of these is, by itself, near-proof of a scam. It is especially true of 2FA codes, which are exactly what an attacker who already has your password needs to get past your second layer: they trigger a login, then call pretending to be "support" and ask you to read out the code that just arrived. Never do. (Calling a company yourself at a number you looked up is different; proving who you are to them is normal. Proving who you are to someone who called you is not.)

4. Generic greetings and off details

"Dear Customer" instead of your name, slightly wrong logos, odd phrasing, a sender address that's almost-but-not-quite right. Individually minor; together, a pattern. Scammers operate at scale and the details slip.

5. Unexpected attachments

A file you weren't expecting, especially a .zip, an .exe, a name with a double extension such as invoice.pdf.exe, or a document urging you to "enable macros", is a classic malware delivery. If you didn't ask for it, don't open it, and don't let a name that looks like an invoice or a PDF talk you into it.
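As an added example (not code from Ledger & Life), the Python function below applies the attachment checks just described to a filename: executable extensions, the double-extension trick, the right-to-left override character that hides the real extension, macro-capable Office formats, and a look inside a .zip for the same things. The sample filenames and the in-memory zip are constructed for the demo, and the extension sets are an illustrative subset, not a complete list.

```python
import io
import os
import zipfile

# Illustrative subsets, not complete lists: extensions Windows runs as code when
# double-clicked, Office formats that can carry macros, and harmless-looking ones
# that attackers put in front of an executable extension.
EXECUTABLE = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta", ".lnk", ".msi"}
MACRO_CAPABLE = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm"}
DOCUMENT_LOOKING = {".pdf", ".docx", ".xlsx", ".txt", ".jpg", ".png"}


def attachment_flags(name: str, data: bytes = b"") -> list:
    """Return the reasons an attachment is risky, from its name and (for a .zip) its contents."""
    reasons = []
    lower = name.lower()
    # A right-to-left override character makes "report\u202efdp.exe" display as "reportexe.pdf".
    if "\u202e" in name:
        reasons.append("right-to-left override hides the real extension")
    stem, ext = os.path.splitext(lower)
    inner = os.path.splitext(stem)[1]  # second-to-last extension, as in invoice.pdf.exe
    if ext in EXECUTABLE:
        reasons.append(f"executable attachment ({ext})")
        if inner in DOCUMENT_LOOKING:
            reasons.append(f"double extension disguises it as a document ({inner}{ext})")
    if ext in MACRO_CAPABLE:
        reasons.append(f"Office file that can carry macros ({ext}); never click 'enable content'")
    if ext == ".zip" and data:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                # Bit 0 of the general-purpose flags marks an encrypted member; a password
                # "protects" the payload from mail scanners, not from you.
                if any(info.flag_bits & 0x1 for info in archive.infolist()):
                    reasons.append("password-protected archive, which mail scanners cannot inspect")
                for member in archive.namelist():
                    for reason in attachment_flags(member):
                        reasons.append(f"inside archive, {member}: {reason}")
        except zipfile.BadZipFile:
            reasons.append("named .zip but not a valid archive")
    return reasons


def build_sample_zip() -> bytes:
    """Constructed sample: a zip whose only member is an executable posing as a PDF.
    The member's content is a placeholder, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Invoice_2024.pdf.exe", b"placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("statement.pdf", b""), ("Q3_report.docm", b""),
               ("report\u202efdp.exe", b""), ("payment.zip", build_sample_zip())]
    for filename, content in samples:
        print(repr(filename), "->", attachment_flags(filename, content) or "nothing obvious")
```

This is triage by name, not malware detection: a clean-looking .pdf can still carry an exploit, and the point of the rule in the text is that an unexpected file stays unopened whatever the list says.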

The one habit that beats most phishing

Here's the rule that covers the majority of cases: never log in by following a link in a message. If an email says there's a problem with your account, don't click — open a new tab and navigate to the site yourself, or use the app. The fake page can only catch you if you go to it. Bookmark the real login pages for your important accounts and use those.

Why a password manager quietly protects you

A subtle benefit of a password manager: it autofills your credentials based on the site's real domain, not on what the page looks like. So if you land on paypa1.com instead of the genuine site, your manager simply won't offer to fill in the password, because it doesn't recognize the address. That silence is a warning. A human eye can be fooled by a convincing look-alike; a password manager compares the actual domain and isn't. The corollary: if you ever catch yourself searching the vault and pasting a password into a login page the manager declined to fill, stop. That is precisely the moment the check exists for.
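As an added example (not code from Ledger & Life), here is a Python script that makes two of the checks in this article concrete: the link test from red flag 2 (does the visible text match the real destination, and is the real domain a look-alike of a brand?) and the rule in this section that a password manager offers a saved login only when the page's real domain matches exactly. The sample email body, the brand list and the saved-logins vault are constructed for the demo; the tiny public-suffix table is an assumption standing in for the full Public Suffix List that browsers and password managers actually use.

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: the visible text names the real brand, the href
# goes somewhere else. Only the third link is genuine.
SAMPLE_EMAIL_HTML = """
<p>Dear Customer, suspicious login detected. Act now.</p>
<a href="https://paypa1.com/signin">https://www.paypal.com/signin</a>
<a href="https://www.paypal.com.account-verify.net/login">Verify your account</a>
<a href="https://www.paypal.com/help">Help Center</a>
<a href="http://amaz0n-security.co/update">Update payment method</a>
"""

# Brands worth protecting and their genuine registrable domains (constructed list).
BRAND_DOMAINS = {"paypal": "paypal.com", "amazon": "amazon.com", "apple": "apple.com"}

# Assumption: a tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co", "co.uk"}

# Digits attackers swap in for look-alike letters: paypa1 -> paypal, amaz0n -> amazon.
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed vault, as a password manager stores it: registrable domain -> username.
SAVED_LOGINS = {"paypal.com": "alice@example.com", "amazon.com": "alice@example.com"}


def registrable_domain(host: str) -> str:
    """www.paypal.com -> paypal.com; www.paypal.com.account-verify.net -> account-verify.net."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host.lower()


def normalized_label(label: str) -> str:
    """Fold accents and digit look-alikes so a disguised brand name compares equal to the brand."""
    ascii_only = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return ascii_only.lower().translate(LOOKALIKES)


def analyze_link(href: str, text: str) -> list:
    """Return the reasons a link looks like phishing; an empty list means no red flag."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    actual = registrable_domain(host)
    # Red flag: the visible text is itself a URL, but it names a different site.
    if re.match(r"https?://", text):
        shown = (urlparse(text).hostname or "").lower()
        if registrable_domain(shown) != actual:
            reasons.append(f"display text shows {shown} but link goes to {host}")
    # Red flag: punycode or non-ASCII hostnames can hide homoglyphs the eye cannot see.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized hostname, possible homoglyph")
    # Red flag: a brand name appears in the hostname, but the registrable domain is not the brand's.
    for brand, genuine in BRAND_DOMAINS.items():
        if actual != genuine and any(brand in normalized_label(label) for label in host.split(".")):
            reasons.append(f"looks like {brand} but the real domain is {actual}")
    return reasons


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_email(html: str) -> dict:
    """Map every link in the body to its list of red flags."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyze_link(href, text) for href, text in parser.links}


def autofill_candidate(page_url: str):
    """The password-manager rule: offer a saved login only on an exact registrable-domain
    match. Returning None on paypa1.com or on a brand-in-subdomain address is the warning."""
    host = (urlparse(page_url).hostname or "").lower()
    return SAVED_LOGINS.get(registrable_domain(host))


if __name__ == "__main__":
    for href, flags in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", flags or "no red flags")
    for url in ("https://www.paypal.com/signin", "https://paypa1.com/signin"):
        print(url, "autofill offered:", autofill_candidate(url))
```

Both checks reduce to the same question the text keeps asking, "what is the real domain?", which is why the registrable_domain helper serves both. Note that the exact-match rule also refuses www.paypal.com.account-verify.net, where the brand is merely a subdomain label, and that a manager configured to match more loosely gives up exactly this protection.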

Your safety nets when something slips through

Awareness isn't perfect, so build layers behind it:

  • Two-factor authentication means even a stolen password isn't enough on its own. It isn't unbeatable: a fake page can ask for your code and pass it to the real site within seconds, which is why a security key or passkey, which only works on the genuine domain, is the strongest option where it's offered. It's still your biggest safety net, so turn it on for your important accounts.
  • Unique passwords (courtesy of a password manager) mean one phished password doesn't unlock everything else.
  • Backups mean ransomware delivered by a phishing click doesn't erase your data — see the 3-2-1 backup rule.

Layered defense is the whole game: each layer catches what the previous one missed.

What to do if you think you clicked

If you entered credentials on a page you now suspect was fake, act quickly but calmly:

  1. Change that password immediately — and anywhere you reused it (a reason never to reuse).
  2. Check that 2FA is on for the affected account; if the attacker got in, review and revoke active sessions.
  3. Watch for follow-on activity — unexpected password-reset emails, login alerts, messages sent "by you."
  4. If it's financial, contact the institution directly using the number on your card, not any number from the suspicious message.
  5. If it's a work account, tell IT right away. Speed limits the damage, and you're not the first person it's happened to.

Stay a little suspicious

You don't need to be paranoid — just reflexively skeptical of any message that creates urgency, asks you to log in via a link, or requests something secret. Slow down for three seconds before you click, verify the sender and the real URL, and go to sites directly rather than through links. Those small habits, backed by 2FA and a password manager, defeat the overwhelming majority of phishing you'll ever encounter. The attackers are counting on you to hurry. Don't.
