Skip links

What Is Phishing?

So much of our personal and professional lives are online — from online banking to connecting with friends and family to unwinding after a long day with our favorite movies and shows. The internet is a pretty convenient place to be! Unfortunately, it can also be a convenient place for cybercriminals and identity theft. 

One way these scammers may try to take advantage of someone is by trying to convince them to give up their personal information or click on links that download things like malware. They might try to appear as a trustworthy source or someone you personally know. This fake online communication is called “phishing.” 

As we’ve all heard before, knowledge is power. By understanding what phishing is, how it works, and the signs to look for, you can help minimize your risk and get back to enjoying the internet the way it was intended. Here’s what you should know. 

How does phishing work?

You’ve probably heard of the term “phishing,” but maybe you don’t know what it means. Here’s a quick overview of how it works.  

Phishing is a type of cybercrime where scammers send communications that appear to be from trusted sources like a major corporation — basically, they’re trying to play off people’s trust through what is known as social engineering. They might request sensitive information like passwords, banking information, and credit card numbers. Hackers may then use this information to access your credit cards or bank accounts 

The thing with phishing attacks, though, is that they can come through several platforms, including:  

  • Email: This is the most common type of phishing, with 96% of phishing attacks occurring by email. 
  • Phone calls: Scammers might leave messages encouraging targets to call a number where someone will ask for their personal information.  
  • Text messages: The goal is to get people to click links to a malicious website or webpage 
  • Wi-Fi spoofing: Scammers create a malicious free Wi-Fi hotspot that appears to be a legitimate access point. Once connected, they have access to a user’s system. 

What kind of information are phishing scams after?

We’ve mentioned that phishers are looking to get sensitive information, but what exactly are they after? The kind of information phishing scams are after might include:  

  • Login information (including email account and password) 
  • Credit card information 
  • Bank account numbers 
  • Social Security numbers 
  • Company data 

Types of phishing attacks

Phishing scams can come in many forms, but understanding the common types of phishing attacks can help you keep identity thieves at bay. Here are some to be aware of:  

Email phishing

A phishing email is a fraudulent email made to look like it’s from a legitimate company or person. It may ask you to provide personal information or click on a link that downloads malware. For example, an email allegedly from Bank of America notes that due to suspicious activity, you should log into your bank account to verify your information.  

Fortunately, there are ways to spot a phishing cyberattack like this.  

  • There are typos and grammatical errors. If the email is filled with spelling and grammatical errors, it’s likely a phishing scam. Corporations don’t send out emails riddled with errors. 
  • A bank requests personal information. Financial institutions don’t email you to ask for personal information like your PIN, Social Security number, or bank account number. If you receive an email like this, delete it and don’t provide any information. 
  • The URL doesn’t match. To see the sender’s email address, hover over the name of the sender or on the link in the email. If the sender’s address doesn’t match the name that shows, that’s a red flag. For example, if an email that appears to be from FedEx has an email address without the company name in it or if it’s spelled wrong, it’s most likely a phishing email. To check the URL of a link on a mobile phone, press the link and hold it with your finger. 
  • The email isn’t personalized. A company you do business with will address you by name. A phishing email might use a general greeting like “Dear Account Holder.” 
  • There’s a sense of urgency. Phishing messages create fake emergencies to get you to act without thinking. They might claim an account is being frozen unless you immediately confirm your personal details. Requests for emergency action are usually phishing emails. A legitimate business gives its customers a reasonable amount of time to respond before closing an account. 
  • It’s from an unfamiliar sender. Consider deleting an email from a sender you don’t recognize or a business you don’t patronize. Also, be cautious with a message from someone you know who seems unusual or suspicious. 

Spear phishing 

While some phishing emails are sent to a broad audience, spear phishing emails target specific individuals or businesses. This allows the scammers to research the recipient and customize the message to make it look more authentic.  

Examples of spear phishing emails include:  

  • Enterprise hacking: Cybercriminals send emails to employees in a corporation to find vulnerabilities in a corporate network. The emails might appear to be from a trusted source. It only takes one person to click on a link to download ransomware that infects the company’s network.  
  • A note from the boss: An employee receives a fraudulent email that appears to be from an executive asking them to share company information or expedite payment to a vendor. 
  • Social media scam: Cybercriminals can use information from your social media account to request money or data. For example, a grandparent might receive a text using the name of their grandchild asking for money for an emergency. But when they call to check, they find out their grandchild is safe at home. 

One of the best defenses against spear phishing is to contact the source of an email to verify the request. Call the colleague who’s asking you to do a wire transfer or log onto your Amazon account to check for messages. 

Clone phishing

For this highly customized scam, scammers duplicate a legitimate email you might have previously received and add attachments or malicious links to a fake website. The email then claims to be a resend of the original. Clicking a malicious link can give spammers access to your contact list. Your contacts can then receive a fake email that appears to be from you. 

While clone phishing emails look authentic, there are ways to spot them. They include:  

  • Follow up directly. Go to the website of the bank, online retailer, or business to see if you need to take action. 
  • Look at the URL. Only websites that begin with HTTPS should be trusted, never sites that begin with HTTP. 
  • Look for mistakes. As with any phishing email message, be on the lookout for spelling errors and poor grammar. 

Voice phishing

Through vishing or voice phishing, scammers call you and try to persuade you to provide sensitive data. They might use caller ID spoofing to make the call appear to be from a local business or even your own telephone number. Vishing calls are usually robocalls that leave a voicemail or prompt you to push buttons for an operator. The intent is to steal credit card information or personal and financial information to be used in identity theft. 

Fortunately, there are signs that give away these attacks. They include:  

  • The call is from a federal agency. If a caller pretends to be from a federal agency, it’s likely a scam. Unless you’ve requested it, agencies like the IRS won’t call, text, or email you. 
  • It requires urgent action. Scammers might attempt to use fear to make you act quickly. The pressure to act immediately is a giveaway. 
  • They request personal information. It’s a red flag when the caller asks for your information. Sometimes, they’ll have some of your data, even the first few digits of your Social Security number. The scammer will try to make you think the call is legit and get you to provide additional information. 

If you’d like to avoid vishing calls, there are several things you can do. When you don’t recognize the number, don’t answer the phone. Let the call go to voicemail, then block it if it isn’t legitimate. Use a call-blocking app to filter calls coming to your cellphone. To block calls on a landline, check with your service provider regarding the services offered.  

Dealing with a cybercriminal is no time to be polite. If you do answer a vishing call, hang up as soon as you realize it. Don’t answer any questions, even with a yes or no. Your voice could be recorded and used for identity theft. If they ask you to push a button to be removed from a call list, don’t do it. You’ll just receive more calls. 

If you receive a voicemail and are unsure if it’s legitimate, call the company directly using the phone number on the company website. Don’t call the number in the voicemail. 


If you’ve ever received a text pretending to be from Amazon or FedEx, you’ve experienced smishing. Scammers use smishing (SMS phishing) messages to get people to click on malicious links with their smartphones. Some examples of common fraudulent text messages include: 

  • Winning prizes: If it seems too good to be true, it probably is. 
  • Fake refunds: A company you do business with will credit your account or credit card, not text you. 
  • Relatives who need help: These messages might request bail money or other assistance for a relative who is abroad. 
  • Messages from government agencies: Always delete these texts because federal agencies don’t conduct business by text message. 
  • Texts from companies like Amazon or Apple: These are the most frequently spoofed businesses because most people do business with one or both of them. 

If you receive a smishing text, don’t respond because it’ll cause you to receive more texts. Instead, delete the text and block the number. 

Pop-up phishing

Pop-up phishing occurs when you’re on a website and a fake pop-up ad appears. It encourages you to click a link or call a number to resolve the issue. Some of these reload repeatedly when you try to close them or freeze your browser.  

Common pop-up scams include:  

  • Infected computer alert: This scam ad tries to persuade you to click a link to remove viruses from your computer. For added urgency, some even include fake countdown clocks that give you a few seconds to click a link and install antivirus software. The link actually installs malware. Legit antivirus software like McAfee® Total Protection won’t do that — instead, keeping your connected life safe from things like malware, phishing, and more. 
  • AppleCare renewal: This pop-up encourages you to call a fake Apple number to give credit card information to extend your Apple warranty. 
  • Email provider pop-ups: You’re encouraged to provide personal data by this pop-up, which appears to come from your email provider. 

If you see a scam pop-up ad, don’t click on the ad or try to click the close button within the ad. Instead, close out of the browser window. If your browser is frozen, use the task manager to close the program on a PC. On a Mac, click the Apple icon and choose Force Quit. 

What should I do if I am a victim of phishing?

Being online makes us visible to a lot of other people, including scammers. Fortunately, there are things you can do if you become a victim of phishing — allowing you to get back to enjoying the digital world. They include: 

  • File an FTC report. Go to to report phishing and follow the steps provided. 
  • Change your passwords. If you provided the passwords to your bank account or another website, log into your account and change your passwords and login credentials. If you have other accounts with the same passwords, change those too. Don’t use the same passwords for more than one account. 
  • Call the credit card company. If you shared your credit card number, call and let them know. They can see if any fraudulent charges were made, block your current card, and issue a new credit card. 
  • Review your credit report. You can get free copies of your credit report every 12 months from all three major credit agencies — Experian, TransUnion, and Equifax — by going to Check to see if any new accounts were opened in your name. 
  • Scan your devices. There’s a chance you downloaded malware during the phishing attack. Antivirus software, like what’s included in McAfee Total Protection, can scan your devices in real time to detect malicious activity and remove viruses on your devices.  

How can I protect myself from phishing attempts?

You deserve to live online freely. But that might mean taking steps to protect yourself from phishing attempts. Here are some ways you can improve your cybersecurity and keep scammers at bay: 

  • Don’t click email links. If you receive an email from your bank or a company like Amazon, open a browser window and go directly to the company’s site. Don’t click a link in an email. 
  • Use unique passwords. If you use the same password for multiple accounts, a hacker that accesses one of your accounts might be able to break into all of your accounts. Use different passwords for each of your accounts. A password manager like McAfee True Key can help you create and save passwords. 
  • Check your browser security. Web browsers like Google Chrome and Safari can be set to block fraudulent websites. Go into the settings for your browser and adjust the security level. 
  • Use spam filters. All major email providers have spam filters that move suspicious emails into a junk or spam folder. When phishing emails do get to your inbox, always mark them as spam so all other emails from that source will go to the spam folder.  
  • Delete suspicious emails. Delete emails from financial institutions with urgent subject lines, for example. 
  • Use antivirus protection. All of your internet-connected devices should have antivirus protection like McAfee Total Protection. Set it to update automatically to keep your coverage current. 
  • Don’t email information. Banks and credit card companies won’t email you for personal data. If you want to confirm information with a financial institution, contact them directly with the information on their website, such as with a phone number. 
  • Watch your social media posts. Be careful about what you post on social media. Those quizzes where you mention life details, such as your pet’s name, school mascots, and so on, can provide hackers with a wealth of information. Make sure only friends can view your posts. 

Browse online safely and securely

You don’t have to stop enjoying the internet just because of phishing attempts. McAfee’s identity theft protection services, including antivirus software, make it possible to enjoy your digital world while staying safe from scammers and identity thieves.  

With 24/7 active monitoring of your sensitive data, including up to 60 unique types of personal information, McAfee is all about proactive protection. This means you’ll be alerted 10 months sooner than our competitors — so you can take action before your data is used illegally. We also provide up to $1 million of ID theft coverage and hands-on restoration service in the case of a data breach.  

The best part is that you can customize a package to meet your needs, including virus protection, identity theft monitoring, and coverage for multiple devices. We make it safer to surf the net.