Phishing is a type of cyber attack in which scammers attempt to trick you into revealing sensitive information, like passwords, account numbers, or Social Security numbers. Phishing attacks are typically part of an email, text, social media direct message, or phone call designed to give criminals access to your wallet.
If you have ever wondered “what does phishing mean,” the answer is it’s a digital scam that “fishes” for victims. The “fish” in digital phishing is the target. An assailant uses fear and a false sense of urgency as bait to dupe people into taking an action that threatens the confidentiality of their personal information, exposes their financial account information or otherwise compromises their digital security.
There were more than 500 million phishing attacks in 2022, and this cybercrime hooked more than 300,000 victims in the U.S. alone.¹ The cost is substantial, with scammers stealing over $52 billion from those victims in 2022.
How phishing works
Phishing messages often appear to come from a legitimate source – like a bank, credit card company, or well-known brand – warning you that your account has been compromised somehow, or that you have won a sweepstakes that you entered. The message uses fear to “hook” the recipient into clicking on a link, entering their login or account credentials, or calling a number and providing information over the phone. Emails sometimes mimic popular consumer companies like Amazon® or Google®. Other variations include malicious attachments, texts, or DMs requesting account login details.
Phishing is a common scam that usually follows a three-step formula designed to trick unsuspecting recipients:
- The scammer sends a message or calls from what appears to be a legitimate source, like a financial institution, large business, or government agency.
- The phishing message includes a link or attachment and encourages you to click to log in to a malicious website, download an infected file, or call “customer service,” where you’re asked to provide additional personal or financial information to resolve the matter (which would actually be giving your information to scammers).
- For electronic requests, once you’ve clicked on a malicious link, entered a bogus URL, or downloaded an infected attachment, you may be taken to a fake website, have malicious software (“malware”) automatically loaded on your device, or both.
The fake website will often copy the look and “feel” of a real site. But once you enter your personal information – like login credentials or credit card numbers – scammers can steal it.
Malware downloads often happen in the background without you knowing. Simply downloading an attachment that contains the malware can give the scammer complete control over your device, including access to your files and stored passwords, and the ability to monitor your keyboard or type entries remotely.
Common phishing attack techniques
Phishing scams involve a variety of techniques to trick people into divulging their personal information, including:
- Email phishing: This is the simplest form of phishing, and involves the use of an email that links to a malicious website and sometimes includes a phone number connected to the scammers. An attack that sends you to a fraudulent website is also called “pharming.”
- Social phishing: Threat actors often phish people through social media DMs, often claiming the target won a prize or that they can help the target with customer support. These are common among scams targeting Chime members.
- Spear phishing: This email phishing attack targets specific individuals or organizations. Spear phishing emails are often more sophisticated than general ones because they include personalized information, such as your name, job title, shared connections or colleagues, or similar areas of interest, to create an illusion of legitimacy.
- Whaling: This is often an attack on high-value targets, “whales,” such as business owners, CEOs, and government officials. Whaling attacks are often targeted and well-planned. They can leverage several of the listed techniques (sometimes simultaneously) to compromise the target’s device or account information.
- SMS Phishing (“Smishing”): People often wonder: what is smishing? Well, it’s a type of phishing attack that is carried out through SMS (i.e. text) messages. Smishing messages often contain a link or attachment that the scammer encourages the recipient to click. Because of the more casual nature of SMS messages, and their common usage, it’s particularly important to stop and review the message before clicking that link or calling the associated number. If you don’t immediately recognize the number, consider blocking it or reporting it as a scam to your phone carrier.
- Voice Phishing (“Vishing”): This type of phishing attack is essentially a phone scam. Vishing scammers often pretend they are legitimate customer service reps, IT department representatives, or government officials. They may ask for your personal information. They may try to trick you into installing malware on your computer, which grants permission for them to get remote access to your device to control it or view your sensitive information. They may convince you to log in to a bogus website.
Phishing scam types
Phishing scams can take many different forms, but the common denominator is that bad actors try to access the recipient’s device or accounts, with the aim of compromising personal information or gaining access to financial or other sensitive account credentials. Some of the most common variations include:
- Bogus email notifications that appear to be from legitimate senders. These emails often claim that there’s a problem with your account and instruct you to click on a link or attachment to resolve the issue.
- SMS or email messages claiming an issue with a package or shipment that has been delayed or requires additional information to resolve a “mix-up” with the shipping. Given the common use of online merchants, this technique is particularly common, even when the recipient knows or believes that they haven’t ordered the item(s) in question. These package delivery scams are particularly common around the holidays.
- Fake login pages are designed to mimic legitimate websites to steal the recipient’s login credentials.
- Malware could infect your computer. When you open a malicious attachment, software is installed that can steal your personal information, install other malware programs, or even lock your computer. Some malware can be installed by simply clicking on a link and opening a malicious webpage.
- Fake job offer emails appear to come from a legitimate company interested in offering you a job and instruct you to click on a link or attachment to learn more. The link takes you to a fake website where you are asked to enter your personal information, or the attachment contains malware that infects your computer when you download it. There are more legitimate ways to get paid instantly than these “work from home” offer scams.
How to spot a phishing scam
Due to reduced setup and maintenance costs and potentially high rewards, for most scammers, phishing is a “numbers” game. Why should that matter to you?
For every 100,000 phishing emails a scammer sends out, they only need to be successful a handful of times to make the effort worth their time. Scammers don’t need to invest a lot of time and effort to create a convincing message to trick the average person; they just need the message to be “good enough” that you can make an honest mistake and click a link or call a number to clear things up.
These scammers are counting on you being a proactive person who’s worried about your money or your information, and they’re hoping to catch you unaware. But there are simple things you can do to stay safe and avoid becoming a victim.
If you see anything suspicious, or you don’t know who the sender is, do not follow any links or download any attachments. When in doubt, don’t click on any links contained in unsolicited emails or text messages.
Here are some best practices that will help you spot a phishing scam:
- Pay attention to the sender’s email address. Although phishing emails often come from addresses that look similar to a real email address, there are usually noticeable differences, such as misspelled words, a slightly different domain name, like “.net” instead of “.com,” or the use of numbers, symbols, or spaces to slightly tweak the sender’s business name so it looks “close enough” to the real address (e.g., @©hime.com or @chime..com instead of @chime.com).
- Beware of typos and messages that try to create an atmosphere of false urgency. Phishing emails sometimes contain red flags, like poor grammar and spelling, account closure threats, and urgent action requests, but with the availability of certain AI tools, phishing emails are getting more sophisticated, so these flags may not be there in all circumstances.
- Be wary of links and attachments. Phishing emails often contain links and attachments designed to steal your personal information or install malware on your computer. Do not click on a link or open an attachment unless you are sure it is safe. If you think a message is a scam, delete it, and, if possible, report the sender to your email or phone provider. Many email providers and telephone companies have embedded reporting options in their tools or devices that allow you to flag messages as spam or phishing attempts.
- Hover over links before clicking on them. Hovering over an email hyperlink lets you see the real URL of the website connected to that link. If the URL does not look like the real address of a sender you can verify, do not click on it. Note: this is much harder to do on a mobile device.
- Keep your operating system up to date (on both your computer and your mobile device). This will ensure that you have all the latest automatic safety features. You might also consider purchasing antivirus protection, as several companies offer multi-device packages that allow for continuous virus scanning and malware detection.
- Err on the side of caution. This recommendation applies to all of our tips; if you weren’t expecting a call, an email, or a message from a company or organization, do a quick web search for that organization’s contact information and reach out to them on your own. Do not use the contact information provided in the message. If the message claims to be from your financial institution, call the number on the back of your card to confirm whether the message is legitimate. This extra step takes only a couple of minutes but can help to separate real contacts from fake ones quickly. As the saying goes, “an ounce of prevention is worth a pound of cure.”
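The sender-address and hover-the-link checks above can be automated. The following is an added example (not Chime’s code, and not from the original article) that flags the look-alike patterns the list describes: a non-ASCII character standing in for a letter (@©hime.com), a malformed domain (@chime..com), a swapped top-level domain (.net for .com), a one- or two-character tweak, and a link whose visible text names a different host than its real target. The trusted domain `chime.com` and the sample addresses are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed example: the one domain we expect genuine mail to come from.
TRUSTED_DOMAIN = "chime.com"


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is no '@')."""
    _, sep, domain = address.rpartition("@")
    return domain.strip().lower() if sep else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches 'ch1me' or 'chimee' style tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(address: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Return 'ok' for the trusted domain (or a subdomain of it), else a red-flag reason."""
    domain = sender_domain(address)
    if not domain:
        return "no-domain"
    if domain == trusted or domain.endswith("." + trusted):
        return "ok"
    if any(ord(ch) > 127 for ch in domain):
        return "non-ascii-lookalike"          # e.g. '©' in place of 'c'
    labels = domain.split(".")
    if any(not label for label in labels):
        return "malformed-domain"             # e.g. 'chime..com'
    name, tld = labels[0], ".".join(labels[1:])
    trusted_name, trusted_tld = trusted.split(".", 1)
    if name == trusted_name and tld != trusted_tld:
        return "tld-swap"                     # e.g. '.net' instead of '.com'
    if edit_distance(name, trusted_name) <= 2:
        return "near-miss-name"               # e.g. 'ch1me.com'
    return "unrelated-domain"


def link_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names one host but the real target is another."""
    shown = display_text.strip().lower()
    if "://" not in shown:
        shown = "https://" + shown            # treat bare 'www.chime.com/login' as a URL
    shown_host = (urlparse(shown).hostname or "").removeprefix("www.")
    real_host = (urlparse(href.strip().lower()).hostname or "").removeprefix("www.")
    if "." not in shown_host:
        return False                          # text like 'Click here' names no host
    return shown_host != real_host
```

A mail filter would run `check_sender` on the From header and `link_mismatch` on each anchor in the body, then quarantine or label anything that does not come back `ok`/`False`.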
Here’s what to look out for to avoid P2P scams.
Security solutions for phishing
Several security solutions can help protect you against phishing attacks, including:
- Multi-factor authentication adds an extra layer of security to your online accounts by requiring you to verify your identity when logging into an account. Several companies offer free authenticator tools on app stores, and these tools enable more secure email and app use. Some mobile applications also allow you to use biometrics in addition to or instead of more traditional account login methods, which can significantly improve your security. Biometrics may also be more privacy-protecting because you can securely store your biometric information directly on your device rather than having it saved and held by a third party.
- Antivirus software that scans emails and attachments for malicious code.
- Email scanning programs that detect and block phishing emails before they reach your inbox.
- Password managers that make it more difficult for scammers to gain access to your personal information.
- Regular information backups. Depending on the phishing method being used, your personal information and the applications across your device could be compromised. If this happens, you may have to wipe your device and start fresh, but if you haven’t backed up your personal information (e.g., photos, videos, documents, messages, etc.), everything could be lost following a hard reset of your device. Regularly back up your information to avoid losing it.
If you are a victim of phishing or wish to report suspicious activity, you can contact the Internet Crime Complaint Center.
While taking steps to protect yourself, learn how to prevent identity theft.
FAQs
What is spear phishing?
Spear phishing is a type of phishing attack, often carried out via email, that targets specific individuals or organizations.
What does phishing mean?
Phishing is the fraudulent practice of sending emails or other communication that pretends to be from a reputable source and is aimed at tricking individuals into revealing personal information or financial information, such as passwords and account numbers.
What is a common indicator of a phishing attempt?
Requests for personal information – like login credentials, credit card numbers, or Social Security numbers – are a common indicator of a phishing attempt. Legitimate companies will never ask for this information in an email and will never ask for the information unsolicited. Another red flag is an email or phone call that creates a false sense of urgency that tries to make you act out of fear.