How to Catch a Phishing Attempt
If something in the email or link feels suspicious, unusual, or not normal — don’t click it.
Phishing attacks succeed because they take advantage of human emotions and habits. Instead of breaking into systems, attackers trick people into letting them in.
Attackers want us to:
🔁 Be on autopilot — just clicking without thinking
😨 React emotionally — fear, curiosity, urgency, or greed
🎩 Trust fake authority — like a boss, IT, bank, or government
🛑 Example: Fake IT Help Desk Message
🔒 Your account access is restricted due to suspicious activity. IT needs to verify your login. Click here to reconnect your credentials.
You feel nervous about losing email or files, so you click without thinking. But that’s exactly what the attacker wants.
🧠 Reminder:
Always pause and verify.
❌ Don’t click suspicious links
✅ Contact your real IT department through official channels
✅ Use your company app or secure portal to check alerts
Phishing works because it targets human behavior, not just technology. Attackers know that people can be rushed, distracted, or unaware of cyber threats. Phishing messages are carefully crafted to trigger emotions like fear, urgency, curiosity, or trust. For example, a message might claim your account is locked, your boss needs a task completed urgently, or you’ve won a prize. These psychological triggers cause people to react quickly, often without thinking or verifying. According to the Verizon 2023 Data Breach Investigations Report, phishing continues to succeed because it exploits the natural human tendency to trust and respond to authority or emotionally charged situations.
Phishing is also successful because it constantly adapts to new trends and tools. Attackers use real company logos, copywriting styles, and even spoof email addresses or phone numbers. Some campaigns are highly personalized, known as spear phishing, and use public data from social media or business websites to make the message more convincing. Even tech-savvy users can fall for well-designed attacks. Furthermore, phishing bypasses many technical defenses because it doesn’t rely on breaking into systems but on convincing a person to open the door. That’s why experts, including CISA and Proofpoint, stress the importance of regular training, multi-factor authentication (MFA), and promoting a workplace culture of caution.
References:
Verizon. (2023). Data Breach Investigations Report (DBIR)
Cybersecurity & Infrastructure Security Agency (CISA). (2022). Avoiding Social Engineering and Phishing Attacks
Proofpoint. (2023). State of the Phish Report
To protect yourself, you must train your brain to avoid automatic reactions. The first rule is simple: Stop. Think. Then Click. This means that instead of responding immediately to an email, text, or phone call, you should take a few seconds to verify its authenticity. Slowing down allows your judgment to kick in and helps you avoid becoming a victim. The goal is to break the habit of reacting instantly, which attackers count on.
Ask yourself before clicking or responding:
👤 Who: Do I know the person or company contacting me?
❓ Why: Why would they be reaching out to me specifically?
💬 What: What do they want? Does it make sense coming from them?
⚠️ If anything feels “off,” pause and double-check — especially for spelling errors or grammar mistakes that might give a scam away.
In Emails, be cautious if you see:
📬 Generic greetings like “Dear Customer”
✍️ Bad grammar or strange wording
📎 Suspicious attachments or unknown links
⚠️ Urgent requests like “Send gift cards now!”
💡 Pro Tip: Hover over links before clicking to see the real destination.
If the URL looks suspicious or unfamiliar — don’t click!
One of the easiest ways to spot phishing is to pause and apply the “Who, Why, What” check before clicking or replying. First, ask who the message is really from. Does the sender’s email address or phone number match your official contact? Look closely for small changes, like extra letters or misspelled domains. Next, ask why this person is contacting you. Is the message unexpected, urgent, or asking for sensitive information like passwords or payment? Lastly, ask what they want you to do. Are they rushing you to click a link, download a file, or enter your credentials?
If anything feels off during the "Who, Why, What" check, stop and verify before taking action. Contact the person or company using a trusted method (not by replying to the same message). According to CISA and Proofpoint, quick reactions are what phishing relies on—slowing down and thinking carefully can prevent most attacks. This simple habit can protect individuals and organizations from giving away valuable information or opening the door to more serious cyber threats.
Phishing messages often contain subtle clues that something isn’t right. Common red flags include spelling or grammar mistakes, generic greetings like “Dear user,” and urgent language that pressures you to act fast (e.g., “Your account will be closed in 24 hours!”). Be cautious if the message asks for personal or financial information, especially through email or text. Hovering over links (without clicking) can also reveal suspicious URLs that don’t match the company’s official website. According to CISA and the FTC, unexpected attachments, unfamiliar senders, or strange formatting are all signs that something may be off.
Another major red flag is spoofed sender information, where the email appears to come from a trusted source, but the address is slightly altered (like support@micros0ft.com). Also, be alert for messages that offer deals that seem too good to be true, such as fake job offers, prize notifications, or refund requests. In the workplace, watch for emails that claim to be from your boss or HR, especially if they ask for urgent tasks involving money or sensitive data. When in doubt, don’t click; verify first by contacting the sender through a known method. Spotting these signs early can prevent serious damage.
References:
Cybersecurity & Infrastructure Security Agency (CISA). (2022). Avoiding Social Engineering and Phishing Attacks
Proofpoint. (2023). State of the Phish Report
In phone calls, be cautious if you hear:
🚓 Threats of arrest, deportation, or account shutdown
💳 Demands for payment via gift cards, wire transfers, or apps
🕵️ Claims to be from the IRS, police, or your boss — without proof
☎️ Tip: If you don’t recognize the number, let it go to voicemail.
Then verify using a trusted number — not the one that called you.
In text messages, be cautious if you see:
🎁 Promises of fake rewards, giveaways, or offers
⚠️ “Urgent account issue — click here!” messages
📲 Spoofed numbers that look familiar or local
💡 Rule: If it seems too good — or too scary — to be true, it probably is.
On social media, be cautious if you see:
👤 Fake accounts that look like influencers, friends, or coworkers
💬 Messages that just say “Hey” or ask for unusual favors
🎯 Quizzes and challenges that ask for personal info (like your pet’s name)
🧠 Think twice before clicking, replying, or sharing details — especially with accounts you don’t fully trust.
Vishing, short for voice phishing, happens when scammers call and pretend to be someone you trust, like your bank, a government agency, or even a coworker. These calls often sound urgent and convincing. For example, the caller may say your account has suspicious activity, and you must verify your identity immediately. They may ask for your PIN, passwords, or security codes. Some even use caller ID spoofing, making it appear like the call is coming from a real organization. According to the Federal Trade Commission (FTC), vishing scams are becoming more common and harder to spot because scammers are skilled at creating panic and pressure.
To protect yourself, always pause and verify. Legitimate organizations will never ask for sensitive information over the phone. Hang up and call back using the official number on the organization’s website or your account statement. Be cautious if the caller refuses to let you verify their identity or pressures you to act fast. Don’t trust a voice just because it sounds professional. Vishing relies on emotion, not logic. If you suspect a vishing attempt, report it to your IT team or cybersecurity contact. Staying calm and cautious is the best way to stop voice scams before they cause harm.
Smishing, or SMS phishing, involves scam messages sent via text to trick you into clicking a malicious link, downloading malware, or revealing personal information. These texts often pretend to come from well-known sources like banks, delivery services, or government agencies. Examples include messages like “Your package couldn’t be delivered. Click here to reschedule” or “Unusual activity detected on your account. Log in now to verify.” According to the Federal Communications Commission (FCC), these messages are designed to create urgency or fear, prompting quick action before the user has time to think critically.
To stay safe from smishing, never click on links in unexpected text messages, especially if they ask for personal or financial information. Legitimate companies will not ask for sensitive details via SMS. Instead, go directly to the organization’s official website or app. If the message seems suspicious, block the number and report it to your mobile carrier by forwarding the text to 7726 (SPAM). Keeping your phone’s software updated and enabling spam filters can also reduce the chances of receiving these messages. Always think twice before acting on a text; when in doubt, don’t click.
Phishing on social media happens when attackers create fake accounts or hijack real ones to trick users into clicking malicious links or sharing personal information. These scams often start with fake friend requests, direct messages, or posts that offer free giveaways, job offers, or urgent help requests. Attackers may clone a trusted profile, using the same photos and name, and then message you with something like, “Is this you in this video?” or “Can you help me urgently?” According to the Federal Trade Commission (FTC), many people fall for social media phishing because it feels personal and comes from a familiar name.
To protect yourself, never click on suspicious links, even if they come from a friend’s account, especially if the message seems out of character or urgent. Confirm unusual messages through another method, like calling or messaging the person through a different platform. Watch out for look-alike accounts, poor grammar, or requests for money or personal data. Report suspicious profiles to the platform immediately. Enabling two-factor authentication (2FA) on your social media accounts and keeping your privacy settings tight can also help prevent unauthorized access or impersonation.
References:
Federal Trade Commission (FTC). (2023). How to Recognize and Avoid Phone Scams
FBI Internet Crime Complaint Center (IC3). (2023). Vishing and Social Engineering Tactics
Proofpoint. (2023). State of the Phish Report
NortonLifeLock. (2023). How to Spot a Social Media Scam
You get a text saying “Amazon Refund Notification for Your Recent Purchase.” It claims your order didn’t meet policy and you’re “eligible for a full refund” if you tap a shortened link. There’s no order number, a generic greeting, and urgent language. This is a smishing (SMS phishing) attempt. If you tap, the fake page asks you to sign in and “verify payment,” capturing your credentials.
Unexpected refund / you didn’t ask for one
No order details or order ID
Shortened URL hides the destination
Urgent tone (“same-day confirmation”) and generic wording
Don’t tap the link. Delete or report the text as junk.
Check your orders only in the official Amazon app/website you type yourself.
If worried, contact Amazon support through the app.
You receive a text message claiming you have an unpaid traffic or toll violation. It pretends to be from a government agency, police department, or toll authority. The message warns that penalties will follow unless you pay immediately, often within 24–48 hours.
You never received a citation or notice before this message.
Messages claim that:
Your driver’s license will be suspended
Your vehicle registration will be revoked
Your debt will go to collections
You may face legal action
Legitimate agencies do not threaten you by text.
Criminals use domains like:
“gov-pay-notice.cfd”
“toll-services-secure.xyz”
Misspelled URLs that look official
Do NOT tap the link.
Delete or report the message as junk.
Never pay fines from a text message.
Check violations ONLY on official government or toll websites you type yourself.
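The “look closely for small changes” and “hover over links” advice above, turned into a checker that a defender can run over the links and sender addresses in a message before anyone clicks. This is an added example written for this page, not code from any of the cited sources; the brand list, the suspicious-TLD list and the shortener list are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed brand list for this example; a real deployment would use its own allow-list.
KNOWN_BRANDS = {"microsoft.com", "amazon.com", "paypal.com"}
# Cheap TLDs from the toll-scam domains above, plus common link shorteners (assumed lists).
SUSPICIOUS_TLDS = {"cfd", "xyz", "top"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Digits and symbols that scammers swap in for look-alike letters (micros0ft, paypa1).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def registered_domain(host):
    """Last two labels of a hostname: 'login.micros0ft.com' -> 'micros0ft.com'.
    Simplification: multi-part suffixes such as .co.uk are not handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def lookalike_of(host):
    """Return the brand a domain imitates, or None. Works on a link's hostname
    or on the domain part of a From: address (support@micros0ft.com)."""
    dom = registered_domain(host)
    if dom in KNOWN_BRANDS:
        return None  # the genuine domain
    normalized = dom.translate(HOMOGLYPHS)  # micros0ft.com -> microsoft.com
    for brand in KNOWN_BRANDS:
        # Either a substitution spells the brand, or the brand word is buried in a
        # longer domain (amazon-refund-center.com) so the eye stops at the familiar part.
        if normalized == brand or brand.split(".")[0] in normalized.split(".")[0]:
            return brand
    return None

def url_red_flags(link_text, href):
    """Red flags for one hyperlink: what a careful hover over the link should reveal."""
    flags = []
    dom = registered_domain(urlparse(href).hostname or "")
    if dom in SHORTENERS:
        flags.append("shortened URL hides the real destination")
    if dom.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        flags.append("suspicious TLD ." + dom.rsplit(".", 1)[-1])
    brand = lookalike_of(dom)
    if brand:
        flags.append("destination imitates " + brand)
    # Visible text names one site while the href quietly points somewhere else.
    text = link_text.strip()
    if LOOKS_LIKE_URL.fullmatch(text):
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown and registered_domain(shown) != dom:
            flags.append("link text does not match destination")
    return flags
```

Running `url_red_flags("Click here", "https://gov-pay-notice.cfd/pay")` flags the TLD, while a genuine `https://www.microsoft.com/account` link labelled with its own address returns no flags.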
Cyber attackers count on you being distracted — rushing, clicking links, or opening files without thinking.
You win when you:
✅ Pause and take a breath — don’t let urgency make the decision for you
🔍 Check the details — examine the sender, URLs, and message tone
🛡️ Stay alert — trust your instincts and report anything suspicious
🎣 Catch the Phish — Before It Catches You.