How To Prevent Phishing Attacks [15 Easy Tips]


Hari Ravichandran

CEO and Founder of Aura


    Do You Know How To Stop Phishing Attacks?

    When David Barnett’s caller ID showed that Bank of America was calling, he quickly answered. The caller informed him that his bank account had been compromised and someone in another state was attempting to withdraw almost half of his life’s savings [*]. 

    The only way to safeguard his money, Barnett was told, would be to move it temporarily to another account using the payment transfer app Zelle. Confused and scared, he followed the caller’s instructions. But the minute he confirmed the transfer, Barnett realized what was really going on: he was the victim of a phishing attack.

    Phishing attacks occur when fraudsters pretend to be people they’re not in order to steal your money, sensitive information, or passwords. 

    In the first quarter of 2022, the Anti-Phishing Working Group (APWG) recorded over a million phishing attempts — the most ever recorded in a three-month period [*]. 

    Understanding the signs of a phishing scam is an essential skill in the digital age. But is it possible to prevent phishing attacks from happening in the first place?

    In this guide, we’ll explain how phishing attacks work, the most common types to be aware of, and how to prevent phishing attacks from putting you at risk of identity theft, fraud, and financial losses. 

    How Do Phishing Attacks Work?

    Phishing is a type of imposter scam in which fraudsters pretend to be someone they’re not — usually a representative from a trusted company or government organization — in order to get you to give up sensitive information and money or click on links to malicious websites. 

    While email is the primary delivery method for phishing attacks, scammers also use phone calls (known as “vishing”), fraudulent text messages (“smishing”), social media messages, and even fake websites.

    Here’s how a phishing attack typically works:

    • Scammers reach out to you via emails, phone calls, or text messages and claim to be from a company or organization that you trust — such as Amazon or the IRS. 
    • In some cases, phishing scammers will research your LinkedIn or Instagram profile to collect information about your work and personal experiences to use in their attack (e.g., your name, email address, job title, and company).
    • The message or phone call will create a sense of urgency to try and bypass your suspicions. For example, scammers may pretend to be from your bank and claim that your account has been compromised, or say that they’re with the state lottery and you’ve won a prize. 
    • Next, they’ll ask for your sensitive information (Social Security number, credit card details, passwords, etc.), trick you into sending them money, or ask you to click on a link. 
    • The phisher uses any information that you share to steal your identity or empty your bank account. You may be asked to click on a link that will take you to a fake website designed to steal your passwords and information — or infect your device with malware that allows hackers full access to your most sensitive files, photos, and videos. 

    Phishing attacks target everyone — young or old, rich or poor. According to the FBI, victims of phishing and similar online scams lost a staggering $6.9 billion in 2021 alone [*].

    Take action: Scammers can use information stolen from your email to take out loans in your name or empty your bank account. Try an identity theft protection service to monitor your finances and receive fraud alerts.

    The Most Common Types of Phishing Attacks Scammers Use

    The first step in phishing prevention is to learn how scammers target you with suspicious emails or fraudulent phone calls. Here are the most common types of phishing attacks to be aware of:

    Spear phishing (personalized phishing attacks) 

    Spear phishing occurs when scammers research information about you or your company in order to tailor their phishing attack just for you. Spear phishing often targets business emails in an attempt to gain access to your company’s network and data. Spear phishing accounted for 90% of all data breaches in 2021 [*].

    Example of a spear phishing text posing as a CEO
    Scammers will pose as your boss to get you to fall for their phishing scams. Source: Aura team

    Here’s how spear phishing works:

    • Scammers research your online footprint to learn more about your job, personal life, and hobbies in order to customize an attack specifically for you. 
    • Next, they’ll use what they’ve learned to craft a personalized phishing attack. For example, they may text you pretending to be your boss, and ask you to wire them money or change payment details for an invoice. 
    • Spear phishing is hard to recognize because scammers use information that you assume they wouldn’t have access to unless they know you. 

    Related: What Is Smishing? How To Avoid Scam Texts

    Email spoofing

    Email spoofing is a type of cyberattack in which hackers use forged or faked email addresses to trick you into thinking they’re someone they’re not. More than 90% of all cyberattacks start with a phishing email [*].

    Here’s how email spoofing works:

    • Cybercriminals either mask the “from” name of their emails or use a spoofed domain name (such as “Walmrat.com” instead of “Walmart.com”) to trick you into thinking they’re emailing from an official email address. 
    • Your email client will often show you only the “from” name and not the actual email address. So, if scammers change their name to “PayPal Support,” you could be fooled into thinking it’s a legitimate email from PayPal.
    • Scammers will also use similar branding, design, and language to make the email look authentic — and trick you into responding, clicking on malicious links, or downloading malware hidden in attachments. 

    Vishing (i.e., phone scams)

    Vishing is a type of phone scam in which fraudsters call you and pretend to be a representative from a well-known organization. 

    Once on the phone, they’ll try to trick you into “confirming” sensitive information or sending them money. Vishing attacks increased by 554% in 2021 [*], with 27% of those attacks using a hybrid approach of sending a scam email and following up with a vishing call to “prove” legitimacy.

    Here’s how vishing works:

    • Fraudsters call you and pretend to be from a company or organization that you trust. They often use phone number spoofing technology to manipulate your caller ID and make it look like they’re calling from an official number. 
    • Once on the phone, they run a variety of phone scams — like pretending to be from Medicare or your bank. They’ll ask for personal information or convince you to send them money via non-reversible payment methods, such as Cash App, Venmo, or cryptocurrency. 
    • Many vishing scams start as a spoofed email asking you to call a phone number. 

    Related: How To Identify Medicare Scam Calls: Don’t Fall For These 7 Scams

    Smishing (i.e., fake text messages) 

    Smishing is a form of phishing in which scammers use fake text messages to trick you into sharing personally identifiable information (PII). Smishing attacks more than doubled last year alone [*].

    Example of a smishing scam text
    Smishing texts create a sense of urgency to try and get you to click on links or call scammers. Source: Aura team

    Here’s how smishing works:

    • Scammers send text messages claiming to be a representative from a trusted organization like the IRS, PayPal, or USPS. 
    • The text will say that you need to act quickly to redeem a prize, secure your financial accounts, or claim a package. These texts will include a phone number or suspicious link. 
    • If you click on the link, you’ll either be taken to a phishing website or your phone will be infected with malware. 

    Related: How To Know if Your Phone Is Hacked (and What To Do) →

    Social media phishing

    Scammers can also send phishing attacks over social media sites like Instagram, Facebook, or LinkedIn. The goal with social media phishing is often to get you to give up your account login and password — so that scammers can use your profile to scam your friends. Approximately 12% of clicks to phishing sites originate from social media messages [*].

    Here's how social media phishing happens:

    • Fraudsters send you a direct message (DM) that includes a special offer — such as a guaranteed cryptocurrency investment — or warns you that your account is compromised.
    • The message will include a malicious link. In some cases, scammers want to get you involved in a long-term scam and will try to lure you into investing money in a fraudulent business deal. 

    Phishing websites 

    A phishing website is a malicious website that scammers use to trick you into sharing confidential information. For example, they might create a website that looks like your online banking login page to induce you to enter your account numbers and password. 

    Here’s how phishing websites work:

    • In order to build trust, scammers create a fake website to impersonate a known organization by mimicking its logo and other vital elements.
    • Then, they send a link to the fake site via phishing emails, text messages, or social media messages. 
    • Any information that you provide to the fake website goes right to the scammers who then use it to steal your identity or drain your account.

    How To Prevent Phishing: 15 Phishing Protection Tips

    1. Learn to recognize the warning signs of a phishing attack
    2. Boost your email security, and use spam filters
    3. Install antivirus software to protect against malware
    4. Visit websites directly (don’t click on links in messages)
    5. Use phone spam filters and block spam numbers
    6. Remove your contact information from data brokers
    7. Activate call filters on your phone
    8. Don’t reply to unsolicited emails, texts, or phone calls
    9. Be selective about where you share your contact information
    10. Update your privacy settings on social media
    11. Avoid using public Wi-Fi whenever possible
    12. Ignore pop-ups (especially those that claim your device has been infected)
    13. Don’t fall for alarming or threatening messages and calls
    14. Keep your apps and software updated, and maintain good cyber hygiene
    15. Consider signing up for an all-in-one digital security solution

    While you’ll never be able to block or prevent all phishing attacks, these tips will help reduce your risk of being targeted.

    1. Learn to recognize the warning signs of a phishing attack

    Scammers are constantly updating their phishing schemes. And unfortunately, 97% of people can’t recognize sophisticated phishing attempts [*]. To prevent falling victim to these attacks, it’s essential that you learn to recognize their red flags. 

    Warning signs of a phishing attack include: 

    • Spelling and grammatical errors in the body of an email, text message, or direct message. Legitimate companies employ professional writers and check for errors. Don’t assume it was just a simple mistake. 
    • Email addresses or “from” names that don’t match. Also, beware of any email coming from a public email address (Yahoo!, Gmail, etc.). 
    • Messages or phone calls asking for personal information — such as your Social Security number (SSN), Medicare number, credit card numbers, passwords, or two-factor authentication (2FA) codes.
    • Threatening language or claims that you won money, prizes, or sweepstakes that you never entered. Scammers often use social engineering to fool you into acting without thinking. 
    • Invoices or bills you don’t recognize — especially from companies that you don’t use. 
    • Suspicious or shortened links. Always hover over links (don’t click on them) to see where they’re taking you.
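The email red flags above (mismatched “from” names and addresses, lookalike domains such as “Walmrat.com” from the email spoofing section, and shortened or misleading links) are exactly the checks a mail filter or a cautious reader can automate. The script below is an added example written for this page, not code from Aura or from the article; it uses only the Python standard library. The two messages, the allowlist of trusted domains, and the list of URL shorteners are constructed for the demonstration, and the “last two labels” domain rule is a simplification (a real filter would consult a public-suffix list).

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail): one phishing-style, one clean.
PHISHING_EMAIL = """\
From: "PayPal Support" <billing@walmrat.com>
To: victim@example.net
Subject: Urgent: your account has been limited
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activty. Confirm your identity within 24 hours.</p>
<p><a href="http://bit.ly/3xyzabc">https://www.paypal.com/signin</a></p>
</body></html>
"""

CLEAN_EMAIL = """\
From: "PayPal" <service@paypal.com>
To: victim@example.net
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is available.</p>
<p><a href="https://www.paypal.com/signin">Sign in</a> to view it.</p></body></html>
"""

# Assumed allowlist: domains the reader actually does business with.
TRUSTED_DOMAINS = {"paypal.com", "walmart.com", "amazon.com"}
# Shorteners hide the real destination, which is why the article says to hover first.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def levenshtein(a, b):
    """Edit distance; a small value between a sender domain and a brand means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a hostname (www.paypal.com -> paypal.com).
    Simplification: ccTLDs such as co.uk would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email(raw):
    """Return a list of (finding_code, detail) for the red flags the article lists."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display_name, addr = parseaddr(str(msg["From"]))
    sender_domain = registrable_domain(addr.rpartition("@")[2])

    for brand in sorted(TRUSTED_DOMAINS):
        brand_word = brand.split(".")[0]
        # "From" name claims a brand, but the address is on some other domain.
        if brand_word in display_name.lower() and sender_domain != brand:
            findings.append(("display-name-mismatch", f"'{display_name}' sent from {sender_domain}"))
        # One or two characters away from a trusted domain: a lookalike.
        if 0 < levenshtein(sender_domain, brand) <= 2:
            findings.append(("lookalike-domain", f"{sender_domain} resembles {brand}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body is not None else "")
    for href, text in extractor.links:
        href_domain = registrable_domain(urlparse(href).hostname or "")
        if href_domain in URL_SHORTENERS:
            findings.append(("shortened-link", href))
        # Link text that displays one URL while the href points somewhere else.
        if text.startswith(("http://", "https://")):
            text_domain = registrable_domain(urlparse(text).hostname or "")
            if text_domain != href_domain:
                findings.append(("link-text-mismatch", f"shows {text_domain}, goes to {href_domain}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze_email(PHISHING_EMAIL):
        print(f"{code}: {detail}")
```

Run against the constructed phishing message it reports all four flags (brand name on a foreign domain, a lookalike of walmart.com, a shortened link, and link text that shows paypal.com while the href goes to bit.ly); the clean message produces none. Spelling errors are deliberately not scored: they are a useful human cue, but too noisy for an automated rule.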

    2. Boost your email security, and use spam filters

    The majority of phishing attacks happen via email. And unfortunately, scammers have learned how to bypass basic email security in order to get their scam messages into your inbox. To avoid receiving spam and scam emails, update your spam filters to block out more potential phishing attacks. 

    Here’s how to customize your spam filters in: 

    3. Install antivirus software to protect against malware

    Antivirus software scans your computer, phone, and inbox for signs of malware. Many antivirus solutions also include a firewall to prevent you from visiting phishing sites or accidentally downloading malware contained in email links. 

    While antivirus software won’t stop phishing attacks, it can help you avoid some of the worst consequences of getting scammed.

    4. Visit websites directly (don’t click on links in messages)

    Phishing scams often try to get you to enter information on fake websites. If you receive a text message, email, or direct message that claims to be from a company that you know and trust and asks you to click on a link, don’t. Instead, visit the site directly to make sure you’re not getting scammed. 

    For example, a recent UPS text message scam claims that you missed a package delivery and need to click on a link to reschedule. But the website you’re taken to steals your credit card and personal information.

    Example of a smishing scam

    Instead, always visit the site in question directly. In this case, go to the official UPS.com site and check the tracking number for your package. 

    The same goes for attachments in unsolicited messages. Cybercriminals use email attachments to install malware that damages your device or steals your data.

    5. Use phone spam filters and block spam numbers

    There are numerous apps and tools that you can use to limit the amount of phishing text messages you receive. Most mobile carriers include anti-spam tools, including Verizon Call Filter, AT&T Call Protect, U.S. Cellular Call Guardian, and T-Mobile Scam Shield.

    Or, you can try a third-party spam blocking app such as Truecaller (for Android) or TextKiller (for iPhones).

    When you do receive phishing text messages, make sure you report them by forwarding the message to 7726. Then, block the phone number so that you will stop receiving these unsolicited messages. 

    • Blocking phone numbers on iPhone: Scroll to the top of the conversation and tap the number or name. Click on “Block this Caller” from the list of options. You can manage your blocked contacts under Settings – Messages – Blocked Contacts.
    • Blocking phone numbers on Android: Open the spam text and tap the number or name at the top of the screen. Next, click the three-dot icon on the top right corner of the screen. Finally, select “Block Number” and check “Report as Spam.”

    6. Remove your contact information from data brokers

    Phishing attackers need your personal information to target you (email address, phone number, etc.). There are many ways for scammers to get your information — such as finding it online or through data breaches.

    But one of the easiest methods for scammers is to buy massive lists of contact information from data brokers. 


    Data brokers collect and sell your contact information to telemarketers, advertisers, and scammers. You can request that data brokers remove your information from their lists. Or better yet, let Aura do it for you. 

    7. Activate call filters on your phone

    Call filters create a separate inbox for text messages that come from people not on your contacts list. This is a great initial screen to help you avoid phishing attacks. Here’s how to set up call filters on your phone:

    • On iPhone: Go to Settings – Messages – Toggle switch for “Filter Unknown Senders.”
    • On Android: Navigate to the Message App, and click on the three-dots in the top right corner. Next, select “Settings” from the options and click on “Spam protection.” Make sure that “Enable spam protection” is turned on to receive spam alerts.

    8. Don’t reply to unsolicited emails, texts, or phone calls

    It can be tempting to reply to scam emails, calls, or texts — even just to tell off the scammer. But any interaction with a phishing attacker can open you up to unnecessary risks. 

    Example of a smishing text trying to get you to respond
    Scammers will say anything to try and get you to respond to them. Source: Aura team

    Replying to a phishing email (or even sending “STOP” to a text message) confirms that your contact information is active. You might also accidentally be giving scammers more information about you, such as whatever is in your email signature (name, phone number, job title, etc.). 

    Whatever you do, never give away passwords, PINs, or 2FA codes via email, text, or phone calls. Companies will never ask for this kind of sensitive information. 

    Even worse, with 72% of people reusing passwords across personal accounts [*], you could accidentally be giving scammers access to your entire digital life. 

    9. Be selective about where you share your contact information

    The less information about you that scammers can access, the fewer phishing attacks and security threats you’ll receive. Whenever you sign up for a new online service, give them the minimal amount of required information. 

    10. Update your privacy settings on social media

    Limiting who can see your personal information and posts on social media can greatly protect you against spear phishing campaigns. Take a few minutes to update your privacy settings on:

    11. Avoid using public Wi-Fi whenever possible

    Public Wi-Fi and unsecured networks are notoriously easy to hack. When scammers gain access to a Wi-Fi network you’re using, they can intercept your messages and steal critical information, such as saved passwords, financial account information, and login details. They can also target your devices with malicious pop-ups and phishing messages. 

    Whenever you have to use your computer or device in public, use either a mobile hotspot or a virtual private network (VPN). A VPN encrypts your data so that hackers can’t intercept your sensitive information and use it in a phishing attack.

    12. Ignore pop-ups (especially those that claim your device has been infected)

    Cybercriminals use pop-ups to distribute spyware, adware, and other destructive malware. Often, they’ll include messages that claim your device has been infected with malware — and that you need to call tech support to resolve the issue. But this is all part of an elaborate phishing scam. 

    Ignore these pop-ups and instead close your browser. If you think you may have been hacked, here’s what to look for and what to do.

    13. Don’t fall for alarming or threatening messages and calls

    Scammers are masters at human psychology. They use threatening language or the promise of an incredible deal to bypass your alarm instincts. But reputable companies will never threaten you if you don’t disclose personal information. 

    Whenever you feel a sense of urgency from a message or phone call, slow down. This is a major warning sign of a phishing attack. 

    Instead, contact the company directly (if you’re on the phone, ask for a reference number and then hang up). This way, you know for sure that you’re talking to the real company. 

    14. Keep your apps and software updated, and maintain good cyber hygiene

    Software updates often include security patches for known vulnerabilities that hackers can otherwise exploit to hack into your computer and mobile phone. Always update your software and operating system immediately. Even better, enable auto-updates to make sure that your device automatically stays as secure as possible. 

    Outside of software updates, it’s important to safeguard your accounts. At a minimum, you should follow these cyber hygiene guidelines:

    • Use a password manager: About 20% of people forget passwords within two weeks [*]. A secure password manager stores your login credentials in a safe space to which you always have access. This way, you can use strong passwords for all of your accounts.
    • Enable two-factor authentication (2FA): Multi-factor authentication offers extra security by requiring an additional code or step to log into your online accounts. However, online scammers can intercept text messages, so using SMS for two-factor authentication is not safe. Instead, use an authentication app like Microsoft Authenticator or Google Authenticator.
    • Regularly back up your device: If you fall for a phishing attack, you could lose access to your devices. Regularly back up your data to cloud storage services like Google Drive and Dropbox. Additionally, create offline backups with an external hard drive to defend against ransomware attacks.

    Related: What Is Cyber Hygiene? 10 Easy Habits That Keep You Safe Online

    15. Consider signing up for an all-in-one digital security solution

    With Aura, you get:

    • Powerful antivirus and Wi-Fi security. Keep your computer, phone, and home network safe from hackers with powerful antivirus software and a military-grade virtual private network (VPN). 
    • A secure password manager and phishing site protection. Aura includes an advanced password manager that can warn you if your passwords are weak or have been leaked, as well as a warning system to alert you if you’re entering a phishing site. 
    • Financial fraud protection. Aura monitors your credit and bank accounts in near real-time and alerts you of fraud 4X faster than the competition. 
    • Instant credit lock. Lock and unlock your Experian credit file with one click from your desktop or mobile app.
    • Identity theft protection. Aura can alert you if an online account has been compromised, will monitor your SSN for signs of fraud, and can even reduce the amount of spam calls and emails that you receive. 
    • Family identity theft monitoring for up to five people including children and adults. 
    • $1,000,000 in insurance coverage for eligible losses due to identity theft. If the worst should happen, Aura will be there to help you through the needed steps to secure your identity and get back on your feet.

    Did You Give Information or Money to a Phishing Scammer? Do This!

    Online safety and security awareness can go a long way in helping you avoid phishing attacks. But with the rise of phishing, there’s no way to totally protect yourself. 

    Here’s what to do if you accidentally gave a phishing scammer money or sensitive data:

    Contact your bank and credit card companies

    If you've shared sensitive information with phishers, contact your bank and credit card company to notify them about credit card fraud. Your credit card company will cancel your card and replace it with a new one.

    Lock or freeze your credit file

    A credit lock (or credit freeze) stops companies from accessing your credit file. This makes it much harder for scammers to open new accounts or take out loans in your name. To place a credit freeze, contact each of the three major credit bureaus individually — Experian, Equifax, and TransUnion. They’ll give you a PIN to freeze and unfreeze your credit file.

    Report phishing to the FTC

    If you've shared personal information with scammers, file an official identity theft report with the FTC at identitytheft.gov. You should also forward phishing emails to APWG at reportphishing@apwg.org and report phishing attacks to the FTC at reportfraud.ftc.gov.

    Follow the fraud victim’s checklist

    Fraud can happen to anyone. Act quickly and follow the steps in our fraud victim’s checklist to minimize the damage that scammers can do to your identity, credit score, and reputation.

    Take action: Aura’s $1,000,000 identity theft insurance covers lost wages, phone bills, and other expenses due to identity theft. Try Aura free for 14 days and see if it’s right for you.

    The Bottom Line: Be Proactive in the Fight Against Phishing

    Scammers continuously enhance their phishing attacks to prey on human weakness and exploit vulnerabilities in your devices. 

    Instead of worrying about how to defend against phishing, a proactive approach — like signing up for Aura’s all-in-one digital security solution — ensures that you have protection against the latest phishing techniques. 

    Outsmart phishing scams. Try Aura free for 14 days.
