What Is Phishing? How to Spot and Avoid Phishing Scams
Cybercriminals are constantly phishing for personal information, but you don't have to be lured into a scam.

Phishing is a type of scam in which criminals impersonate a trusted person or organization to trick you into clicking a link, downloading a file, or sharing sensitive information such as passwords or credit card numbers. These scams come at us through basically every inbound form of communication, including emails, text messages, social media posts, phone calls, or direct messages. Scams can also try to victimize you through your physical mailbox – although this is typically classified as mail fraud.
Phishing is the most common form of "social engineering," which refers to attackers relying on deception rather than hacking skills to succeed.
The good news: once you know what to look for, phishing attempts become easier to spot. This is even true in our age of AI and deepfakes – while typos and grammatical errors are less common now, phishing messages always try to create a sense of urgency.
What does a phishing message look like?
Phishing messages are more convincing than ever these days, but they almost always try to create urgency and attempt to convince you to do something (like open a link, respond to a text, download an attachment, or input a password). Even in our AI age, you can watch out for red flags.
Too good to be true offers
Often, a phishing message tries to inspire a positive sense of urgency: "You won an expensive cooler!" Messages promising free money, prizes, or exclusive deals are often scams, especially if you don’t remember signing up. In many cases, the sender's email address will look very unofficial, with lots of numbers and an odd email domain. Either way, delete and report any unexpected message that seems too good to be true.
Urgent or threatening language
Scammers also use a negative sense of urgency. They try to rush you with messages like:
“Your account will be locked!”
“Act now to avoid penalties!”
“You’re under investigation!”
Ignore, delete, and report messages like this – real organizations, companies, and government agencies won't contact you through email like this.
Requests for sensitive information
Legitimate organizations won’t ask for passwords, Social Security numbers, or financial details over email or text. If you get a strange message that appears to come from a real organization, contact the organization directly for more details through a channel you look up yourself, such as its official website (i.e., not through the contact info in the message).
Unexpected requests
Be extremely cautious of any unexpected request:
Invoices you don’t recognize
Sudden payment requests
Messages asking for gift cards or wire transfers
Never send any money in odd payment forms, such as cryptocurrency, gift cards, wire transfers, or cash via a courier – any request for payment like this is usually a scam.
Suspicious sender addresses
Look closely at the sender’s email. Small misspellings or unusual domains (like pavpal.com instead of paypal.com) are a major red flag.
Strange links or attachments
On laptops or desktops, you can usually hover over links before clicking to see the real destination.
Never download attachments you weren’t expecting, even from someone you know. Double-check independently that it's safe.
Poor writing or formatting
While phishing messages used to be easy to spot, many now use polished language thanks to AI. Still, awkward phrasing or inconsistencies should make your phishy sense tingle.
Generic greetings
Messages that start with “Dear Customer” rather than your name may indicate a mass phishing attempt. Again, this is less common now with AI, but it is still something to look out for.
Why do phishing scams feel so urgent?
A sense of urgency is one of the biggest warning signs of phishing.
Scammers want you to act fast before you have time to think.
They may create urgency in two main ways.
Positive urgency
“You’ve won a prize!”
“Claim your reward now!”
“Limited-time offer!”
Negative urgency
“Your account was hacked!”
“The IRS is investigating you!”
“You’ll be arrested if you don’t respond!”
Think before you click
These messages are designed to trigger panic or excitement, both of which can lead to quick, risky decisions.
Reality check: Legitimate organizations, especially government agencies like the local police or IRS, don’t contact you this way for serious matters.
Take a few seconds with each message
One of the simplest ways to avoid phishing is to pause before you act. Even taking 5 to 9 seconds with every email can calm you down and help you think more clearly. Yes, the seconds add up, but the peace of mind is well worth it.
Before clicking a link, responding, or downloading anything, ask yourself:
Was I expecting this message?
Does anything feel off?
Is the sender who they claim to be?
Am I feeling like I need to act fast?
If you’re unsure, don’t engage.
A great move is to ask a coworker, friend, or family member for a second opinion.
No legitimate message requires an instant response.
What is spear phishing?
Some phishing attacks are more targeted. This is called spear phishing (think about targeting a special spear at a tasty fish in the river).
In these cases, scammers may already know details about you, like:
Your name
Your job or company
Your email address
Names of coworkers or friends
Scammers use this information, often gathered from social media or public sources, to make their message more believable.
You can dart away from the spears, though!
Even if a message feels personal, stay cautious, especially if it includes urgency or unusual requests.
Your company's CEO probably doesn't need you to buy gift cards.
What to do if you receive a phishing message
If you think you’ve spotted a phishing attempt:
Don’t click or reply
Don't click links, download attachments, or respond. Even “unsubscribe” links or buttons can be malicious.
Report the message
At work: Report it to your IT or security team
At home: Use your email provider’s “Report Phishing” feature
Report a phish on Outlook.
Report a phish on Gmail.
Report a phish on Mac Mail.
Block the sender
Prevent future messages from the same source.
Delete the message
Remove it from your inbox once reported. This prevents you from accidentally clicking on it in the future.
How to protect your digital ocean from phishing damage
Phishing emails can slip through spam filters, so it’s important to build strong security habits that can help you stay resilient even if you fall for a phishing message:
Use multifactor authentication (MFA)
Adding a second verification step makes it much harder for attackers to access your accounts. Never give anyone your MFA code!
Create strong, unique passwords
Use a different password for every account, ideally at least 16 characters long. Password managers are a huge help!
Keep software updated
Updates fix security vulnerabilities that scammers try to exploit.
Why reporting phishing matters
Reporting phishing isn’t just about protecting yourself – it helps protect everyone.
Email providers and security teams use reports to:
Block scam messages
Shut down malicious senders
Improve detection systems
Your report can stop the next attack!
A brief pause is your best defense against phishing
Phishing scams rely on quick reactions. Your best defense is a few seconds of thought.
If something feels off, trust your instincts. Take a moment, double-check, and when in doubt, don’t click!
FAQs
What is phishing in simple terms?
Phishing is when scammers use digital communication (like email or text) to try to trick you into clicking a link, downloading an attachment, or sharing personal information.
How can you tell if a message is phishing?
Messages that create urgency and messages that are unexpected (or both!) are oftentimes phishing. You can also look for suspicious links and sender addresses that don’t match the company.
What should you do if you click a phishing link?
Report the incident to your IT or security team if you’re at work. Disconnect from the internet, run a security scan using your device’s security software, and change any passwords that you gave away or otherwise believe might be affected.
Can phishing happen through text messages or social media?
Yes. Phishing can happen via texts (“smishing”), phone calls (“vishing”), social media, or direct messages, not just email.

