Do You Know How To Stop Phishing Attacks?
When David Barnett’s caller ID showed that Bank of America was calling, he quickly answered. The caller informed him that his bank account had been compromised and someone was attempting to withdraw almost half of his life’s savings [*].
The only way to safeguard his money, Barnett was told, would be to move it temporarily to another account using the payment transfer app Zelle. Confused and scared, he followed the caller’s instructions. But the minute he confirmed the transfer, Barnett realized what was really going on: he was the victim of a phishing attack.
Phishing attacks occur when fraudsters pretend to be people they’re not in order to steal your money, sensitive information, or passwords.
In the third quarter of 2022, the anti-phishing working group (APWG) recorded over 1.2 million phishing attempts — the most ever recorded in a three-month period [*].
Understanding the signs of a phishing scam is an essential skill in the digital age (unfortunately, 97% of people can’t recognize sophisticated phishing attempts [*]).
But is it possible to prevent phishing attacks from happening in the first place?
In this guide, we’ll explain how phishing attacks work, the most common types to be aware of, and how to prevent phishing attacks from putting you at risk of identity theft, fraud, and financial losses.
How To Prevent Phishing: 17 Phishing Protection Tips
- Learn to recognize a phishing attack
- Boost your email security
- Install antivirus software
- Don’t click on links in messages
- Use phone spam filters and anti-spam apps
- Scrub data broker lists
- Activate call filters on your phone
- Don’t reply to unsolicited emails
- Safeguard your contact information
- Check if your information is on the Dark Web
- Update your privacy settings on social media
- Avoid using public Wi-Fi whenever possible
- Ignore pop-ups
- Don’t fall for alarming messages and calls
- Keep your apps and software updated
- Use Safe Browsing tools
- Consider signing up for a digital security solution
While you’ll never be able to block or prevent all phishing attacks, these tips will help reduce your risk of being targeted.
1. Learn to recognize the warning signs of a phishing attack
Phishing is a type of imposter scam in which fraudsters pretend to be someone they’re not — usually a representative from a trusted company or government organization — in order to get you to give up sensitive information and money or click on links to malicious websites.
While email is the primary delivery method for phishing attacks, scammers also use phone calls (known as “vishing”), fraudulent text messages (“smishing”), social media messages, and even fake websites.
Phishing attacks target everyone — young or old, rich or poor. And scammers are constantly updating their phishing schemes. To prevent falling victim to these attacks, it’s essential that you learn to recognize their red flags.
Warning signs of a phishing attack include:
- Spelling and grammatical errors in the body of an email, text message, or direct message. Legitimate companies employ professional writers and check for errors. Don’t assume it was just a simple mistake.
- Email addresses or “from” names that don’t match. Also, beware of any email coming from a public email address (Yahoo!, Gmail, etc.).
- Messages or phone calls asking for personal information — such as your Social Security number (SSN), Medicare number, credit card numbers, passwords, or two-factor authentication (2FA) codes.
- Threatening language or claims that you won money, prizes, or sweepstakes that you never entered. Scammers often use social engineering to fool you into acting without thinking.
- Invoices or bills you don’t recognize — especially from companies that you don’t use.
- Suspicious or shortened links. Always hover over links (don’t click on them) to see where they’re taking you.
2. Boost your email security, and use spam filters
According to the FBI, victims of phishing and similar online scams lost a staggering $6.9 billion in 2021 alone [*].
The majority of phishing attacks happen via email. And unfortunately, scammers have learned how to bypass basic email security in order to get their scam messages into your inbox. To avoid receiving spam and scam emails, update your spam filters to block out more potential phishing attacks.
Here’s how to customize your spam filters in:
3. Install antivirus software to protect against malware
Antivirus software scans your computer, phone, and inbox for signs of malware. Many antivirus solutions also include a firewall to prevent you from visiting phishing sites or accidentally downloading malware contained in email links.
While antivirus software won’t stop phishing attacks, it can help you avoid some of the worst consequences of getting scammed.
4. Visit websites directly (don’t click on links in messages)
Phishing scams often try to get you to enter information on fake websites. If you receive a text message, email, or message that claims to be from a company that you know and trust and asks you to click on a link, don’t. Instead, visit the site directly to make sure you’re not getting scammed.
For example, a recent UPS text message scam claims that you missed a package delivery and need to click on a link to reschedule. But the website you’re taken to steals your credit card and personal information.
Instead, always visit the site in question directly. In this case, go to the official UPS.com site and check the tracking number for your package.
The same goes for attachments in unsolicited messages. Cybercriminals use email attachments to install malware that damages your device or steals your data.
📚 Related: How To Know If a Website Is Safe →
5. Use phone spam filters and block spam numbers
There are numerous apps and tools that you can use to limit the amount of phishing text messages you receive. Most mobile carriers include anti-spam tools including: Verizon Call Filter, AT&T Call Protect, U.S Cellular Call Guardian, and T-Mobile Scam Shield.
When you do receive phishing text messages, make sure you report them by forwarding the message to 7726. Then, block the phone number so that you will stop receiving these unsolicited messages.
- Blocking phone numbers on iPhone: Scroll to the top of the conversation and tap the number or name. Click on “Block this Caller” from the list of options. You can manage your blocked contacts under Settings – Messages – Blocked Contacts.
- Blocking phone numbers on Android: Open the spam text and tap the number or name at the top of the screen. Next, click the three-dot icon on the top right corner of the screen. Finally, select “Block Number” and check “Report as Spam.”
Alternatively, Aura's spam call and text protection can block known spam (or scam) callers and filter unwanted messages.
You can even set up intent-based filtering to allow our AI Call Assistant to forward legitimate calls. All spam call protection features are available for iOS users on Aura's family plans or as add-ons for $5 a month.
6. Remove your contact information from data brokers
Phishing attackers need your personal information to target you (email address, phone number, etc.). There are many ways for scammers to get your information — such as finding it online or through data breaches.
But one of the easiest methods for scammers is to buy massive lists of contact information from data brokers.
Data brokers collect and sell your contact information to telemarketers, advertisers, and scammers. You can request that data brokers remove your information from their lists. Or better yet, let Aura do it for you.
7. Activate call filters on your phone
Call filters create a separate inbox for text messages that come from people not on your contacts list. This is a great initial screen to help you avoid phishing attacks. Here’s how to set up call filters on your phone:
- On iPhone: Go to Settings – Messages – Toggle switch for “Filter Unknown Senders.”
- On Android: Navigate to the Message App, and click on the three-dots in the top right corner. Next, select “Settings” from the options and click on “Spam protection.” Make sure that “Enable spam protection” is turned on to receive spam alerts.
8. Don’t reply to unsolicited emails, texts, or phone calls
It can be tempting to reply to scam emails, calls, or texts — even just to tell off the scammer. But any interaction with a phishing attacker can open you up to unnecessary risks.
Replying to a phishing email (or even sending “STOP” to a text message) confirms that your contact information is active. You might also accidentally be giving scammers more information about you, such as whatever is in your email signature (name, phone number, job title, etc.).
Whatever you do, never give away passwords, PINs, or 2FA codes via email, text, or phone calls. Companies will never ask for this kind of sensitive information.
Even worse, with 72% of people reusing passwords across personal accounts [*], you could accidentally be giving scammers access to your entire digital life.
9. Be selective about where you share your contact information
The less information about you that scammers can access, the fewer phishing attacks and security threats you’ll receive. Whenever you sign up for a new online service, give them the minimal amount of required information.
10. Check if your sensitive information is on the Dark Web
Scammers use your leaked personal information to fool you into believing they’re legitimate. For example, a phishing email or text might include your bank account number. Or a scammer on the phone might know your SSN and address — making you believe you should follow their instructions.
You can check if you’re at risk by using Aura’s free Dark Web scanner. This tool will show you what accounts and passwords have been leaked to the Dark Web in recent data breaches or hacks.
Then, consider signing up for a Dark Web monitoring tool that will constantly scan for new personal data leaked to the Dark Web. Aura includes Dark Web monitoring with every plan, meaning you’ll know in near real-time if your information has been leaked.
11. Update your privacy settings on social media
Limiting who can see your personal information and posts on social media can greatly protect you against spear phishing campaigns.
Here’s how you can update your privacy settings on most major social media sites:
12. Avoid using public Wi-Fi whenever possible
Public Wi-Fi and unsecured networks are notoriously easy to hack. When scammers gain access to a Wi-Fi network you’re using, they can intercept your messages and steal critical information, such as saved passwords, financial account information, and login details. They can also target your devices with malicious pop-ups and phishing messages.
Whenever you have to use your computer or device in public, use either a mobile hotspot or a virtual private network (VPN). A VPN encrypts your data so that hackers can’t intercept your sensitive information and use it in a phishing attack.
13. Ignore pop-ups (especially those that claim your device has been infected)
Cybercriminals use pop-ups to distribute spyware, adware, and other destructive malware. Often, they’ll include messages that claim your device has been infected with malware — and that you need to call tech support to resolve the issue. But this is all part of an elaborate phishing scam.
Ignore these pop-ups and instead close your browser. If you think you may have been hacked, here’s what to look for and what to do.
14. Don’t fall for alarming or threatening messages and calls
Scammers are masters at human psychology. They use threatening language or the promise of an incredible deal to bypass your alarm instincts. But reputable companies will never threaten you if you don’t disclose personal information.
Whenever you feel a sense of urgency from a message or phone call, slow down. This is a major warning sign of a phishing attack.
Instead, contact the company directly (if you’re on the phone, ask for a reference number and then hang up). This way, you know for sure that you’re talking to the real company.
📚 Related: What Is "Whaling?" How To Avoid Executive Fraud →
15. Keep your apps and software updated, and maintain good cyber hygiene
Software updates often include security patches for known vulnerabilities that hackers can otherwise exploit to hack into your computer and mobile phone. Always update your software and operating system immediately. Even better, enable auto-updates to make sure that your device automatically stays as secure as possible.
Outside of software updates, it’s important to safeguard your accounts. At a minimum, you should follow these cyber hygiene guidelines:
- Use a password manager: About 20% of people forget passwords within two weeks [*]. A secure password manager stores your login credentials in a safe space to which you always have access. This way, you can use strong passwords for all of your accounts.
- Enable two-factor authentication (2FA): Multi-factor authentication offers extra security by requiring an additional code or step to log into your online accounts. However, online scammers can intercept text messages; so using SMS for two-factor authentication is not safe. Instead, use an authentication app like Microsoft Authenticator or Google Authenticator.
- Regularly back up your device: If you fall for a phishing attack, you could lose access to your devices. Regularly back up your data to cloud storage services like Google Drive and DropBox. Additionally, create offline backups with an external hard drive to defend against ransomware attacks.
16. Use Safe Browsing tools to warn you of fake websites (i.e. “pharming”)
Most modern phishing scams involve links to fake websites. These sites are designed to look like legitimate ones (such as your bank’s log-in page or a package delivery notification). However, any information you submit goes straight to scammers.
Always double-check the URL before submitting data on a website. Make sure that you’re on the official site — and not a lookalike website (for example “Walmrat.com” instead of “Walmart.com”).
For added protection, Safe Browsing tools can warn you if you’re entering a phishing website.
17. Consider signing up for an all-in-one digital security solution
Phishing attacks are only getting more sophisticated, which means it’s often a question of when you fall for one — not if.
For peace of mind, consider signing up for an all-in-one digital security solution that will protect your devices from hackers, warn you of phishing websites, and monitor your financial and personal accounts for signs of fraud.
With Aura, you get:
- Powerful Antivirus and Wi-Fi security. Keep your computer, phone, and home network safe from hackers with powerful antivirus software and a military-grade virtual private network (VPN).
- A secure password manager and phishing site protection. Aura includes an advanced password manager that can warn you if your passwords are weak or have been leaked, as well as a warning system to alert you if you’re entering a phishing site.
- Financial fraud protection. Aura monitors your credit and bank accounts in near real-time and alerts you of fraud 4X faster than the competition.
- Instant credit lock. Lock and unlock your Experian credit file with one click from your desktop or mobile app.
- Identity theft protection. Aura can alert you if an online account has been compromised, will monitor your SSN for signs of fraud, and can even reduce the amount of spam calls and emails that you receive.
- Family identity theft monitoring for up to five people including children and adults.
- $1,000,000 in insurance coverage for eligible losses due to identity theft. If the worst should happen, Aura will be there to help you through the needed steps to secure your identity and get back on your feet.
The Most Common Types of Phishing Attacks Scammers Use
As scammers get more advanced in their attacks, a major part of phishing prevention is to learn how scammers target you with suspicious emails or fraudulent phone calls.
Here’s how a phishing attack typically works:
- Scammers reach out to you via emails, phone calls, or text messages and claim to be from a company or organization that you trust — such as Amazon or the IRS.
- In some cases, phishing scammers will research your LinkedIn or Instagram profile to collect information about your work and personal experiences to use in their attack (e.g., your name, email address, job title, and company).
- The message or phone call will create a sense of urgency to try and bypass your suspicions. For example, scammers may pretend to be from your bank and claim that your account has been compromised, or say that they’re with the state lottery and you’ve won a prize.
- Next, they’ll ask for your sensitive information (Social Security number, credit card details, passwords, etc.), trick you into sending them money, or ask you to click on a link.
- The phisher uses any information that you share to steal your identity or empty your bank account. You may be asked to click on a link that will take you to a fake website designed to steal your passwords and information — or infect your device with malware that allows hackers full access to your most sensitive files, photos, and videos.
However, there are numerous phishing variations that you could be targeted by. Here are the most common types of phishing attacks to be aware of:
Spear phishing (personalized phishing attacks)
Spear phishing occurs when scammers research information about you or your company in order to tailor their phishing attack just for you. Spear phishing often targets business emails in an attempt to gain access to your company’s network and data. Spear phishing accounted for 90% of all data breaches in 2021 [*].
Here’s how spear phishing works:
- Scammers research your online footprint to learn more about your job, personal life, and hobbies in order to customize an attack specifically for you.
- Next, they’ll use what they’ve learned to craft a personalized phishing attack. For example, they may text you pretending to be your boss, and ask you to wire them money or change payment details for an invoice.
- Spear phishing is hard to recognize because scammers use information that you assume they wouldn’t have access to unless they know you.
📚 Related: What Is Smishing? How To Avoid Scam Texts →
Email spoofing is a type of cyberattack in which hackers use forged or faked email addresses to trick you into thinking they’re someone they’re not. More than 90% of all cyber attacks start with a phishing email [*].
Here’s how email spoofing works:
- Cybercriminals either mask the “from” name of their emails or use a spoofed domain name (such as “Walmrat.com” instead of “Walmart.com”) to trick you into thinking they’re emailing from an official email address.
- Your email client will often show you only the “from” name and not the actual email address. So, if scammers change their name to “PayPal Support” you could be fooled into thinking it’s a legitimate email from PayPal.
- Scammers will also use similar branding, design, and language to make the email look authentic — and trick you into responding, clicking on malicious links, or downloading malware hidden in attachments.
Vishing (i.e. phone scams)
Vishing is a type of phone scam in which fraudsters call you and pretend to be a representative from a well-known organization.
Once on the phone, they’ll try and trick you into “confirming” sensitive information or sending them money. Vishing attacks increased by 554% in 2021 [*] with 27% of those attacks using a hybrid approach of sending a scam email and following up with a vishing call to “prove” legitimacy.
Here’s how vishing works:
- Fraudsters call you and pretend to be from a company or organization that you trust. They often use phone number spoofing technology to manipulate your caller ID and make it look like they’re calling from an official number.
- Once on the phone, they run a variety of phone scams — like pretending to be from Medicare or your bank. They’ll ask for personal information or convince you to send them money via non-reversible payment methods, such as Cash App, Venmo, or cryptocurrency.
- Many vishing scams start as a spoofed email asking you to call a phone number.
Smishing (i.e., fake text messages)
Smishing is a form of phishing in which scammers use fake text messages to trick you into sharing personal identifiable information (PII). Smishing attacks more than doubled last year alone [*].
Here’s how smishing works:
- Scammers send text messages claiming to be a representative from a trusted organization like the IRS, PayPal, or USPS.
- The text will say that you need to act quickly to redeem a prize, secure your financial accounts, or claim a package. These texts will include a phone number or suspicious link.
- If you click on the link, you’ll either be taken to a phishing website or your phone will be infected with malware.
📚 Related: How To Know if Your Phone Is Hacked (and What To Do) →
Social media phishing
Scammers can also send phishing attacks over social media sites like Instagram, Facebook, or LinkedIn. The goal with social media phishing is often to get you to give up your account login and password — so that scammers can use your profile to scam your friends. Approximately 12% of clicks to phishing sites originate from social media messages [*].
Here's how social media phishing happens:
- Fraudsters send you a direct message (DM) that includes a special offer — such as a guaranteed cryptocurrency investment — or warns you that your account is compromised.
- The message will include a malicious link. In some cases, scammers want to get you involved in a long-term scam and will try to lure you into investing money in a fraudulent business deal.
A phishing website is a malicious website that scammers use to trick you into sharing confidential information. For example, they might create a website that looks like your online banking login page to induce you to enter your account numbers and password.
Here’s how phishing websites work:
- In order to build trust, scammers create a fake website to impersonate a known organization by mimicking its logo and other vital elements.
- Then, they send a link to the fake site via phishing emails, text messages, or social media messages.
- Any information that you provide to the fake website goes right to the scammers who then use it to steal your identity or drain your account.
Did You Give Information or Money to a Phishing Scammer? Do This
Online safety and security awareness can go a long way in helping you avoid phishing attacks. But with the rise of phishing, there’s no way to totally protect yourself.
Here’s what to do if you accidentally gave a phishing scammer money or sensitive data:
- Contact your bank and credit card companies. If you've shared sensitive information with phishers, contact your bank and credit card company to notify them about credit card fraud. Your credit card company will cancel your card and replace it with a new one.
- Lock or freeze your credit file. A credit lock (or credit freeze) stops companies from accessing your credit file. This makes it much harder for scammers to open new accounts or take out loans in your name. To place a credit freeze, contact each of the three major credit bureaus individually — Experian, Equifax, and TransUnion. They’ll give you a PIN to freeze and unfreeze your credit file.
- Report phishing to the FTC. If you've shared personal information with scammers, file an official identity theft report with the FTC at identitytheft.gov. You should also forward phishing emails to APWG at email@example.com and report phishing attacks to the FTC at reportfraud.ftc.gov.
- Follow the fraud victim’s checklist. Fraud can happen to anyone. Act quickly and follow the steps in our fraud victim’s checklist to minimize the damage that scammers can do to your identity, credit score, and reputation.
The Bottom Line: Be Proactive in the Fight Against Phishing
Scammers continuously enhance their phishing attacks to prey on human weakness and exploit vulnerabilities in your devices.
Instead of worrying about how to defend against phishing, a proactive approach — like signing up for Aura’s all-in-one digital security solution — ensures that you have protection against the latest phishing techniques.