Avoiding Phishing Attacks


Phishing is a form of social engineering, in which cybercriminals use email or malicious websites to solicit personal information by posing as a trustworthy organization or person.

For example, an attacker might send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

Phishing attacks might also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as

  • Natural disasters (e.g., hurricanes, tornadoes or earthquakes)
  • Epidemics and health scares
  • Economic concerns (e.g., IRS scams)
  • Major political elections
  • Holidays

Phishing Examples

The following messages are examples of what attackers may email or text when phishing for sensitive information:

  • "We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
  • "During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
  • "Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund."

To see examples of actual phishing emails, and steps to take if you believe you received a phishing email, visit www.irs.gov/uac/report-phishing.

Simple Tips

  • When in doubt, throw it out. Links in emails and online posts are often the way cybercriminals compromise your computer. If a message looks suspicious – even if you know the source – it’s best to delete it or, if appropriate, mark it as “junk email.” Contact the company directly (via phone) to confirm whether the email is legitimate.
  • Think before you act. Be wary of communications that implore you to act immediately, offer something that sounds too good to be true or ask for personal or financial information.
  • Use stronger authentication. Always opt to enable stronger authentication when available, especially for accounts with sensitive information, including your email or bank accounts. Stronger authentication helps verify that a user is authorized to access an online account. For example, it could be a one-time PIN texted to a mobile device, providing an added layer of security beyond the username and password.
  • Make passwords long and strong. Combine capital and lowercase letters with numbers and symbols to create a more secure password.
  • Install and update anti-virus software. Make sure all of your computers are equipped with regularly updated antivirus software, firewalls, email filters and anti-spyware.
  • Be wary of hyperlinks. Avoid clicking on hyperlinks in emails. Instead, type the URL directly into the address bar. If you do choose to click on a link, make sure it is authentic first: you can check a hyperlinked word or URL by hovering the cursor over it to reveal the full address it actually points to.
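The hover check described above, automated as an added Python example that is not part of the Stop.Think.Connect. material: it reads every link in an HTML email and flags those whose visible text shows one address while the real target (the href) goes somewhere else, or whose target is a bare IP address instead of a domain name. The sample message, the example-bank domain and the IP address are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text that itself looks like a URL or bare domain (what a reader "sees").
_URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")  # dotted-quad literal, IPv4 only


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return links whose displayed address differs from the real target host,
    or whose target is a raw IP address rather than a domain name."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href if "://" in href else "http://" + href).hostname or ""
        shown = _URL_LIKE.match(text)  # None when the text is just words like "click here"
        reasons = []
        if shown and shown.group(1).lower() != target:
            reasons.append(f"text shows {shown.group(1).lower()} but link goes to {target}")
        if _IPV4.fullmatch(target):
            reasons.append("target is a raw IP address")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message, modelled on the "confirm your identity" lure above.
SAMPLE_EMAIL = """<p>We suspect an unauthorized transaction on your account. Please
<a href="http://203.0.113.5/login">click here</a> or visit <a href="http://example.net/verify">https://www.example-bank.com/account</a>
to confirm your identity. Our site: <a href="https://www.example-bank.com/">www.example-bank.com</a></p>"""
```

Running suspicious_links(SAMPLE_EMAIL) reports the first two links and leaves the third, whose text and target agree, alone.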

What to Do If You Think You’re a Victim

  • Report it. If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
  • Watch for changes to your accounts. If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
  • Change your passwords. Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
  • Watch for other signs of identity theft. These signs could include but are not limited to: unusual or unexplainable charges on your bills; phone calls or bills for accounts, products or services that you do not have; new, strange accounts appearing on your credit report; or unexpected denial of your credit card.

About This Page

Content is provided by the U.S. Department of Homeland Security's Stop.Think.Connect. public awareness campaign aimed at increasing the understanding of cyberthreats and empowering the American public to be safer and more secure online.

The campaign’s main objective is to help you become more aware of growing cyber threats and arm you with the tools to protect yourself, your family and your community. For more information, visit www.dhs.gov/stopthinkconnect.