How to Spot and Stop Phishing Attacks

Phishing is still the single most common way accounts get compromised — and it's gotten sharper. Generic "Dear customer" emails are out. Modern phishing references real orders, pulls your name from a breach, and lands in your inbox with convincing branding.

The signals that matter

• Urgency. "Act in 24 hours or your account will be closed." Real companies don't operate like that.
• Mismatched sender. The display name says "PayPal" but the actual address is something random. On mobile, tap the sender to expand it.
• Link that hides its destination. Hover before you click. If the visible link says one thing and the URL bar would show another, stop.
• Unexpected attachments. Invoices, shipping notices, or "shared documents" from people you weren't expecting.
• Requests for codes or passwords. No legitimate support team will ever ask for your one-time code.

The new variants

Smishing (SMS phishing)

"Your package couldn't be delivered — confirm your address here." Text messages strip away most of the context that helps you spot a fake email, which is exactly why attackers like them.

Callback phishing

An email tells you to call a number about a charge you didn't make. You call, they're very helpful, and by the end they've walked you into installing remote-access software.

AI-generated lures

Grammar and tone used to be tells. They aren't anymore. Assume the writing will be clean and judge the message on the request, not the prose.

What to actually do

1. Don't click — navigate. Open a new tab and go to the site directly.
2. Turn on two-factor authentication everywhere, especially email.
3. Use a password manager. It won't auto-fill on a look-alike domain, which is a nice built-in sanity check.
4. Run security software that blocks known phishing domains at the network level.
5. Report phishing attempts to your email provider so the next recipient is protected.