Phishing: What it is And How to Protect Yourself

What Is Phishing?

Phishing is a method of identity theft that relies on individuals unwittingly volunteering personal details or information that can be then be used for nefarious purposes. It is often carried out through the creation of a fraudulent website, email, or text appearing to represent a legitimate firm.

A scammer may use a fraudulent website that appears on the surface to look the same as the legitimate website. Visitors to the site, thinking they are interacting with a real business, may submit their personal information, such as social security numbers, account numbers, login IDs, and passwords, to this site. The scammers then use the information submitted to steal visitors' money, identity, or both; or to sell the information to other criminal parties.

Phishing may also occur in the form of emails or texts from scammers that are made to appear as if they are sent from a legitimate business. These fake emails or texts may install programs like ransomware that can allow scammers to access a victim's computer or network.

Key Takeaways

  • Phishing is a type of data theft that involves people unknowingly volunteering their personal information to a bad actor.
  • A phishing attempt may utilize an official-looking website, email, or other forms of communication to trick users into handing over details like credit card numbers, social security numbers, or passwords.
  • Phishing websites can appear identical to official websites, prompting users to input their real credentials on the malicious website.

What Is Phishing?

Understanding Phishing

Phishing scammers create a false sense of security for their targets by spoofing or replicating the familiar, trusted logos of well-known, legitimate companies, or they pretend to be a friend or family member of their victims. Often, the scammers attempt to persuade victims they need personal information urgently, or the victim will experience a severe consequence, such as frozen accounts or personal injury.

A classic example of phishing is an identity thief setting up a website that looks like it belongs to a major bank. Then, that thief sends out many emails that claim to be from the major bank and request the email recipients to input their personal banking information (such as their PIN) into the website so the bank may update their records. Once the scammer gets a hold of the needed personal information, they attempt to access the victim's bank account.

$44.2 million

Phishing scams are some of the most common attacks on consumers. According to the FBI, more than 323,972 people fell victim to phishing scams in 2021. Collectively, they lost $44.2 million.

Protecting Yourself from Phishing Attacks

The following highlights signs of phishing, and how to protect yourself.

  1. Exceptionally good deals or offers. If an email touts offers that are too good to be true, they probably are. For example, an email claiming you've won the lottery or some other lavish prize may be luring you in to get you to click a link or relay sensitive personal information.
  2. Unknown or unusual senders. Though phishing emails may look like they originate from someone you know, if anything seems out of the ordinary, be cautious. When in doubt, hover over the email address of the sender to ensure the email address matches the email address you expect. Place a phone call to the company if you are unsure of an email or website. Don't respond to emails with any personal information. (See the image below for an example of an unusual sender's email address).
  3. Hyperlinks and attachments. These are particularly concerning if received from an unknown sender. Never open links or attachments unless you are confident they are from a safe sender. Type in the link address rather than clicking the link.
  4. Incorrect spelling in the web address. Phishing sites often use web addresses that look similar to the correct site, but contain a simple misspelling, like replacing a "1" for an "l".
  5. Immediate pop-ups. Be wary of websites that immediately display pop-up windows, especially those asking for your username and password. Use two-factor authentication, a browser with anti-phishing detection, and keep security on your systems up-to-date.
Netflix Phishing Scam Email
A phishing email. Note the suspicious return email address that has nothing to do with Netflix.

Phishing Attempts

According to the Federal Trade Commission (FTC), phishing emails and text messages frequently tell stories to trick people into clicking on a link or opening an attachment. For example, phishing attempts may:

  • Say they've noticed suspicious activity or log-in attempts on your account
  • Claim there's a problem with your account or payment information
  • Say you need to confirm or update personal information
  • Include a fake invoice
  • Ask you to click on a link to make a payment
  • Claim you're eligible to sign up for a government refund
  • Offer a coupon for free goods or services
Article Sources
Investopedia requires writers to use primary sources to support their work. These include white papers, government data, original reporting, and interviews with industry experts. We also reference original research from other reputable publishers where appropriate. You can learn more about the standards we follow in producing accurate, unbiased content in our editorial policy.
  1. Federal Bureau of Investigation. "2021 Internet Crime Report," Page 22-23.

  2. Federal Trade Commission. "How to Recognize and Avoid Phishing Scams."

Take the Next Step to Invest
The offers that appear in this table are from partnerships from which Investopedia receives compensation. This compensation may impact how and where listings appear. Investopedia does not include all offers available in the marketplace.