Even if you've never been the victim of a phishing attack, you've likely seen attempts — that email from "Apple" or "Google" asking you to "update your account information," or Nigerian princes looking for money to restore them to the throne.
But while those phishing lures may be fairly obvious, there are others that might be a little trickier to identify. Luckily, there are a lot of signs that you can look for in order to determine if someone is trying to illicitly obtain important credentials from you.
Here's how you might be able to identify a phishing attack, and how to report one.
What is phishing?
At its most basic, phishing is when someone attempts to gain information like passwords and credit card numbers by posing as someone you might trust. The attacker will often spoof a legitimate website, for instance, Apple's, and attempt to guide their target to that location in an attempt to access some sort of credentials.
While phishing attacks generally take place over email, attackers have also been known to use other methods such as instant messaging and phone calls.
How do I identify a phishing scam?
The most common type of phishing scam tries to obtain your usernames and passwords through social engineering. These attacks are often disguised as emails from major companies like Apple, Google, Facebook, or your bank, largely because these companies have millions of customers, so the chance that a given recipient actually uses the impersonated service is very high. These emails will contain links to a spoofed website posing as the legitimate company's page, usually asking you to sign in or answer a security question.
There are a number of different things you can do that might help you identify if you're the target of a phishing attack.
Note that you should never rely solely on one of these techniques to identify a phishing scam; sophisticated attackers work hard to pass off their scams (and related websites) as legitimate, and spotting a scammer can be harder than it first appears.
Go with your gut
The first piece of advice is also the least technical. If you feel at all suspicious about an email, don't click anything in it. Instead, reach out to the person or company who supposedly sent you the message (in a new message, not by replying to the one you just received) and ask whether they sent it.
Posing as a legitimate company, an attacker will often ask you to do something like "verify your password" or "update your account information." Most companies, banks and other legitimate institutions won't solicit account details over email or SMS.
Check the address (and the links)
You should take a look at the email address of the sender of the message you received, which you can often do by clicking (or tapping) their display name (the display name itself is another thing to watch out for, since it need not match the address behind it). If the email address is strange, or seems overly long for the company in question, don't trust that email. However, smart attackers will have included the company's name somewhere in the email address in an effort to appear more legitimate. It's important to pay attention to the legitimate emails that your bank, for instance, sends you, and to which email address or addresses they use.
This also goes for the links they send you. Without clicking the link, hover your mouse cursor over it (or tap and hold it on a mobile device) to see where it actually points. If the destination doesn't look like a link to the company's site, it probably isn't.
It's also worth checking out which email address a message has been sent to. For instance, I've often received emails "from Google," but they've been sent to my iCloud email address and not the backup email address that I've established with Google.
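The two checks above, whether the sender's domain is really the company's and whether a link's visible text points somewhere other than its real destination, can be applied mechanically to a message you have already saved. The following is an added example, not code from the original article: the raw message, the lookalike domain under the reserved `.example` TLD, and the short list of domains the company is assumed to send from are all constructed for illustration, and the "registrable domain" helper is a naive two-label approximation rather than a public-suffix lookup.

```python
"""Added example: flag the two red flags the article describes in a saved email,
a From: domain that is not the brand's own, and links whose visible text shows
one site while the href goes to another. All sample data is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Assumption (constructed): the domains this brand genuinely sends mail from.
KNOWN_SENDER_DOMAINS = {"apple": {"apple.com", "email.apple.com"}}

# A host-looking token inside visible link text, e.g. "Sign in at apple.com".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")

# Constructed sample message; the lookalike domain uses the reserved .example TLD.
SAMPLE_EMAIL = """\
From: "AppleID Support" <support@appleid-verify-account.example>
To: victim@example.net
Subject: Unusual activity
Content-Type: text/html; charset=utf-8

<html><body>
<p>We have prevented an unusual activity at your account.</p>
<p>Please <a href="http://login.appleid-verify-account.example/verify">verify your password</a>
at <a href="http://login.appleid-verify-account.example/verify">https://appleid.apple.com/</a>.</p>
<p><a href="https://www.apple.com/privacy/">Privacy policy</a></p>
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (login.apple.com -> apple.com). Naive, no public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_sender(from_header: str, brand: str) -> List[str]:
    """Warn if the From: address is outside the brand's known domains, and separately
    if the brand's name is merely embedded in a stranger's domain (the lookalike trick)."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    known = {registrable_domain(d) for d in KNOWN_SENDER_DOMAINS.get(brand, set())}
    warnings = []
    if registrable_domain(domain) not in known:
        warnings.append(f"sender domain {domain!r} is not a known {brand} domain")
        if brand in domain:
            warnings.append(f"sender domain {domain!r} contains the brand name but is not theirs")
    return warnings


def check_links(html_body: str) -> List[str]:
    """Warn for each link whose visible text names one site while the href goes to another."""
    collector = LinkCollector()
    collector.feed(html_body)
    warnings = []
    for text, href in collector.links:
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if not shown:
            continue  # plain wording such as "verify your password": nothing to compare
        real_host = urlparse(href).hostname or ""
        if registrable_domain(shown.group(1)) != registrable_domain(real_host):
            warnings.append(f"link text shows {shown.group(1)!r} but href goes to {real_host!r}")
    return warnings


def analyze(raw_email: str, brand: str) -> List[str]:
    """Run both checks over a raw RFC 822 message and return all warnings."""
    msg = message_from_string(raw_email)
    if msg.is_multipart():
        bodies = [p.get_payload() for p in msg.walk() if p.get_content_type() == "text/html"]
    else:
        bodies = [msg.get_payload()]
    warnings = check_sender(msg.get("From", ""), brand)
    for body in bodies:
        warnings.extend(check_links(body))
    return warnings


if __name__ == "__main__":
    for line in analyze(SAMPLE_EMAIL, "apple"):
        print("WARNING:", line)
```

Run against the constructed message, the sender check fires twice (unknown domain, and brand name embedded in it) and the link check fires once, for the anchor whose text reads `https://appleid.apple.com/` but whose href points at the lookalike host; the "verify your password" and "Privacy policy" links carry no domain in their text, so there is nothing to compare and they are left alone.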
Check the names
While many attackers are able to easily spoof the names of companies in their phishing attempts, less sophisticated attacks will get even these details wrong. Others will use names that might seem correct at first glance, but on closer inspection contain errors.
For example, a recent attempt I saw was sent by "AppleID Support". This name has a couple of red flags. For one, Apple spells it "Apple ID" with a space. Second, Apple's emails are often just sent from "Apple," with no particular branding like "Support".
Spelling and grammar matter
As strange as it may sound to some, spelling and grammar can often give away a phishing attempt. Someone I know recently received an email with this phrase:
We have prevented an unusual activity at your account. Someone login and reset your password.
Things like this are a dead giveaway. In this case, the email was from "AppleID Support", and there are some pretty obvious mistakes in the grammar.
Check the style
Be sure to pay attention to the style of email sent to you. Get a Google email whose colors or logo seem a little outdated? That might be a scam, for instance. Companies almost always have contact details or at least an address at the bottom of the email, while many phishing emails do not.
The Federal Trade Commission
The Federal Trade Commission maintains a Scam Alerts site that warns consumers of the dangers of phishing attacks. The site offers news on new attacks, as well as general bulletins about online safety and avoiding scams.
Use all of these
The thing about avoiding phishing is that it's not about a single technique. Attacks can be extremely incompetent or highly sophisticated. It's important to be careful, and not place all of your trust in one solution.
How do I report phishing?
There are a number of resources you can use to report phishing attempts, both to companies and to the government. Companies like Apple and Facebook often have email addresses specifically for forwarding phishing attempts, while Google has a button in Gmail that lets you do just that.
When using the following links, be sure to forward the phishing email that you're reporting:
- Report phishing to Apple
- Report phishing to Facebook
- Report phishing to the FTC
- Report phishing to US-CERT
I've been the victim of a phishing scam. What do I do?
Get in contact with the company whose credentials were phished, and see what they can do to help you. If an attacker got your credit card, be sure to cancel that card. As soon as you can, you'll also want to reset any passwords that you need to.
If you want to know anything more about phishing, or even relay a phishing attack or attempt that has happened to you, be sure to sound off in the comments.
Updated January 2019: We've updated this piece with the latest information in light of the latest phishing scams.