Phishing scams identification guide
Phishing is the starting point for over 90% of cyberattacks. Attackers have moved far beyond poorly written Nigerian prince emails. Today's phishing campaigns are sophisticated, targeted, and convincing enough to fool experienced professionals.
Know the Variants
Types of phishing attacks
Phishing is not a single attack type. It encompasses a range of techniques across email, text messages, phone calls, and even social media. Understanding each variant helps you recognize attacks regardless of the channel.
Email Phishing
Mass-distributed emails designed to look like they come from legitimate organizations such as banks, shipping companies, or cloud service providers. These emails typically contain a sense of urgency ("Your account has been compromised," "Your package cannot be delivered") and include a link to a fake login page that captures your credentials. Millions of phishing emails are sent daily, making this the most common form of the attack.
Spear Phishing
Highly targeted emails crafted for a specific individual using personal information gathered from LinkedIn, social media, company websites, and previous data breaches. The attacker may reference your job title, a recent project, or a colleague by name to build trust. Spear phishing has a significantly higher success rate than generic phishing because the personalization makes the email appear legitimate.
Whaling
A form of spear phishing that specifically targets executives, business owners, and senior leaders. Whaling attacks often impersonate other executives, board members, attorneys, or regulators. Common scenarios include fake wire transfer requests from the CEO, fraudulent legal subpoenas, or urgent tax document requests. A single successful whaling attack can result in losses exceeding six figures.
Smishing (SMS Phishing)
Phishing delivered via text messages instead of email. Common smishing attacks impersonate banks ("Suspicious activity detected on your account"), delivery services ("Your package is being held"), or government agencies ("Your tax refund is ready"). Text messages have a 98% open rate compared to 20% for email, making smishing increasingly effective.
Vishing (Voice Phishing)
Phone-based attacks where callers impersonate tech support, bank representatives, IRS agents, or IT helpdesk staff. Attackers use caller ID spoofing to display legitimate phone numbers and create urgency to prevent victims from thinking critically. AI-generated voice cloning now allows attackers to impersonate specific individuals with frightening accuracy.
Business Email Compromise (BEC)
Attackers either compromise or convincingly spoof a business email account, then use that access to redirect wire transfers, change payment details for invoices, or request sensitive employee data like W-2 forms. BEC attacks caused over $2.7 billion in losses in a single year according to the FBI. Unlike other phishing, BEC emails often contain no malicious links or attachments, making them harder to detect technically.
Warning Signs
Red flags that indicate phishing
Train yourself to check for these indicators every time you receive an email, text, or phone call that requests action or information.
Urgency and pressure tactics
Phrases like "Act immediately," "Your account will be suspended," "You have 24 hours to respond," or "Failure to act will result in legal action" are designed to bypass your critical thinking. Legitimate organizations do not demand immediate action via email for serious matters.
Mismatched sender addresses
The display name may say "Microsoft Support" but the actual email address is support@micr0soft-security.com. Always check the full email address, not just the display name. Hover over the sender name in your email client to reveal the actual address. Look for subtle misspellings, extra characters, or unusual domains.
Generic greetings instead of your name
"Dear Customer," "Dear Account Holder," or "Dear User" instead of your actual name. Legitimate companies that have your account typically address you by name. However, be aware that spear phishing attacks will use your real name, so a personalized greeting alone does not guarantee legitimacy.
Suspicious links that do not match the claimed destination
Hover over (do not click) any link in the email and check the actual URL in the bottom-left of your browser or email client. If the email claims to be from PayPal but the link goes to paypa1-secure-login.com, it is phishing. Shortened URLs (bit.ly, tinyurl) in business communications are also a red flag.
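The two checks described above, display name against the real sender domain and visible link text against the real href, as a small script run over a constructed message (an added example, not part of this guide). The sample message, the digit-for-letter table and the shortener list are assumptions; the same normalisation also catches inserted hyphens like vendor-name.com.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample (not from the page): mismatched display name, deceptive link text, shortener
SAMPLE = """From: "Microsoft Support" <support@micr0soft-security.com>
Subject: Your account will be suspended
Content-Type: text/html

<p>Act immediately: <a href="https://paypa1-secure-login.com/login">https://www.paypal.com/signin</a></p>
<p>Or use <a href="https://bit.ly/abc123">this link</a>.</p>
"""

# Digit-for-letter swaps seen in lookalike domains (micr0soft, paypa1); assumed table
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    # Crude registrable-domain extraction: keep the last two labels only
    return ".".join(host.lower().split(".")[-2:])

def brand_mismatch(brand, domain):
    # 'lookalike' if the brand only matches after undoing digit swaps and hyphens
    if not brand or brand in domain:
        return None
    normalised = domain.translate(HOMOGLYPHS).replace("-", "")  # micr0soft-security -> microsoftsecurity
    return "lookalike" if brand in normalised else "mismatch"

def check_sender(msg):
    # Compare the first word of the display name against the real address
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    verdict = brand_mismatch(name.lower().split()[0] if name else "", domain)
    return [f"sender: display name '{name}' vs domain {domain} ({verdict})"] if verdict else []

def check_links(msg):
    # Compare the host a link displays with the host its href actually visits
    findings = []
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        target = registrable(urlparse(href).hostname or "")
        if target in SHORTENERS:
            findings.append(f"link: shortened URL {href}")
        shown = urlparse(text.strip()).hostname
        if shown and registrable(shown) != target:
            verdict = brand_mismatch(registrable(shown).split(".")[0], target) or "mismatch"
            findings.append(f"link: text shows {shown} but href goes to {target} ({verdict})")
    return findings

def analyse(raw):
    msg = message_from_string(raw)
    return check_sender(msg) + check_links(msg)
```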
Unexpected attachments
Be especially cautious of Word documents, Excel spreadsheets, PDFs, and ZIP files you did not request. Macro-enabled Office documents (.docm, .xlsm) are a primary malware delivery mechanism. If a colleague sends an unexpected attachment, verify with them through a separate channel before opening it.
Requests for sensitive information
No legitimate organization will ask for your password, Social Security number, or full credit card number via email. Banks, the IRS, and tech companies explicitly state they will never request this information through email. Any email requesting credentials or financial details should be treated as phishing until proven otherwise.
Poor grammar, spelling errors, or unusual formatting
While AI has improved phishing email quality, many attacks still contain grammatical errors, awkward phrasing, inconsistent formatting, or mismatched logos. Compare the email to legitimate communications you have received from the same organization. Even subtle differences in font, spacing, or logo quality can indicate a fake.
Requests to bypass normal procedures
"Keep this confidential," "Do not verify this with anyone else," or "This is a special process." Attackers try to isolate victims from the verification steps that would expose the scam. Any request to circumvent established business processes, especially for financial transactions, is a major red flag.
Learn from Real Attacks
Real-world phishing examples
These scenarios are based on actual attacks that have compromised businesses and individuals. Study the patterns so you can recognize them when they target you.
The Microsoft 365 Login Page
An email arrives claiming your Microsoft 365 password is expiring and you need to update it immediately. The link leads to a perfect replica of the Microsoft login page, complete with your organization logo (scraped from your company website). You enter your credentials, and the page redirects you to the real Microsoft site so you never suspect anything happened. Meanwhile, the attacker now has your email credentials and access to everything in your mailbox.
Lesson Learned
Microsoft never sends password expiration notices via email with login links. Always navigate directly to portal.office.com or account.microsoft.com rather than clicking email links.
The CEO Wire Transfer
The company controller receives an email that appears to be from the CEO requesting an urgent wire transfer to a new vendor. The email mentions a confidential acquisition and requests the transfer be completed that day without discussing it with others. The email address is either spoofed or sent from a compromised account. The controller, not wanting to question the CEO, processes the transfer. The money is gone within hours.
Lesson Learned
Establish a mandatory dual-authorization policy for all wire transfers and any changes to payment details. Verify all financial requests by phone using a known number, not one provided in the email.
The Fake Invoice
An accounts payable employee receives what looks like a routine invoice from a known vendor, but the bank account details have been changed. The email comes from an address nearly identical to the vendor (vendor-name.com vs vendorname.com) and references a real purchase order number obtained from a previous email breach. The payment is routed to the attacker instead of the real vendor.
Lesson Learned
Always verify bank account changes by calling the vendor at their known phone number. Never use contact information provided in the email requesting the change. Implement a policy requiring verbal confirmation for all payment detail modifications.
The Shipping Notification
During the holiday season, a text message claims your FedEx package cannot be delivered and you need to click a link to update your delivery address. The link leads to a page that asks for your name, address, and credit card number for a "redelivery fee." Alternatively, the link may install malware on your phone. Attackers exploit the high volume of legitimate shipping notifications during holiday periods.
Lesson Learned
Never click links in delivery notification texts. Go directly to the carrier website (fedex.com, ups.com) and enter your tracking number manually. Legitimate carriers do not charge redelivery fees or request credit card numbers via text.
Incident Response
What to do if you fall for phishing
It happens to the best of us. The critical thing is to act quickly. Speed is the difference between a minor inconvenience and a major breach.
Change your passwords immediately
If you entered credentials on a phishing site, change the password for that account immediately. If you use the same password on other accounts (which you should not), change those too. Start with your email account, as it is the gateway to resetting passwords on all your other accounts.
Enable MFA on all affected accounts
If multi-factor authentication is not already enabled, set it up immediately on every account that was potentially compromised. Authenticator apps are preferred over SMS. MFA ensures that even if the attacker has your password, they cannot access your account without the second factor.
Scan your device for malware
If you clicked a link or opened an attachment, run a full malware scan on your device immediately. If your organization uses EDR, contact your IT department so they can check the endpoint telemetry for indicators of compromise. Disconnect from the network if you suspect active malware.
Report the incident
Report the phishing attempt to your IT department or managed security provider. Forward the phishing email to your organization's email security team and to reportphishing@apwg.org. If financial information was compromised, contact your bank immediately. File a report with the FTC at reportfraud.ftc.gov.
Monitor your accounts
Watch for unauthorized transactions, password reset emails you did not initiate, and new account creation using your information. Set up account alerts for logins and transactions. Check your credit reports for new accounts opened in your name. Consider a credit freeze if personal financial information was exposed.
Learn from it and share the warning
Analyze how the attack succeeded so you can recognize similar tactics in the future. Share the details with your team or family so they can learn from your experience. Organizations should document the incident and use it as a training example in their next security awareness session.
Protect your team from phishing
We deploy email security, train your staff with simulated phishing exercises, and implement the technical controls that catch what humans miss.