How to Recognize and Avoid Phishing Attacks: A Practical Guide

Phishing is the #1 method attackers use to compromise accounts and steal data. According to the Verizon Data Breach Investigations Report, over 36% of all breaches involve phishing. It’s effective because it targets humans, not software — and humans are the hardest to patch.

This guide shows you exactly how phishing works, how to spot it, and what to do when you’re targeted.

How Phishing Works

A phishing attack follows a simple pattern:

  1. Attacker crafts a convincing message (email, text, voice call)
  2. The message creates urgency and impersonates a trusted entity
  3. Victim clicks a link and enters credentials on a fake site — OR opens an attachment that installs malware
  4. Attacker harvests credentials or gains system access

Types of Phishing

Email Phishing (Most Common)

Mass-sent emails impersonating banks, services like Netflix or PayPal, or government agencies. Sent to thousands of people hoping some percentage will bite.

Spear Phishing (Targeted)

Personalized attacks using information about the victim gathered from LinkedIn, social media, or prior breaches. The email might reference your company, your boss’s name, or a recent project.

Example: An email appears to come from your CEO: “Hey [your name], I’m in a meeting — can you wire $15,000 to this vendor urgently? I’ll explain later.” This is called a Business Email Compromise (BEC) attack.

Smishing (SMS Phishing)

Phishing via text message. Common examples:

  • “USPS: Your package cannot be delivered. Update your address: [malicious link]”
  • “Your bank account has been locked. Verify now: [fake link]”

Vishing (Voice Phishing)

Phone calls from “tech support,” “the IRS,” or your bank. Often paired with spoofed caller ID to appear legitimate.

Anatomy of a Phishing Email

From: security@paypa1.com              ← Note the "1" instead of "l"
To: you@youremail.com
Subject: ⚠️ URGENT: Your account has been compromised!

Dear Customer,

We have detected unusual activity on your PayPal account.
Your account has been TEMPORARILY LIMITED.

To restore full access, verify your identity within 24 hours:

[Verify Account Now]  ← Link goes to: paypa1-secure-verify.ru

Failure to verify will result in permanent account suspension.

PayPal Security Team

Red flags in this email:

  • Sender domain: “paypa1.com” (not paypal.com)
  • Creates urgency (24-hour deadline)
  • Threatens consequences (permanent suspension)
  • Generic greeting (“Dear Customer”)
  • Link goes to a suspicious domain (.ru, not paypal.com)

How to Verify a Suspicious Email

Step 1: Check the Sender’s Actual Address

# Display name vs actual address:
Display name: "PayPal Support"
Actual address: security@paypa1-support.net  ← This is NOT PayPal

# Legitimate PayPal emails come from @paypal.com ONLY

Step 2: Hover Over Links Before Clicking

In email clients and browsers, hovering over a link shows the real destination URL in the status bar. If the destination differs from what the link text claims (for example, text reading paypal.com but a destination on another domain), it’s suspicious.

Step 3: Check Email Headers

# In Gmail: Click three dots > "Show original"
# Look for SPF, DKIM, DMARC results:

Authentication-Results: mx.google.com;
   spf=fail (sender IP not authorized);    ← RED FLAG
   dkim=fail;                              ← RED FLAG
   dmarc=fail                              ← RED FLAG

# All three should PASS for legitimate emails from major companies
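As an added example that is not part of this guide, the Python script below does Steps 1 to 3 and the red-flag list above programmatically over a raw email: it parses the message with the standard library, checks the sender domain for digit-for-letter lookalikes of a protected brand, reads the spf/dkim/dmarc verdicts out of Authentication-Results, and compares the domain each link displays with the domain its href really goes to. The sample message, the TRUSTED_DOMAINS table and every function name (triage, lookalike_of, auth_results, link_mismatches, registered_domain) are constructed for this example and are not an existing library or mail-provider feature.

```python
# Added example (not from the guide): defender-side triage of one raw email
# applying the guide's Steps 1-3.  Sample message, trusted-domain table and
# function names are all constructed for this example.
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, modelled on the phishing email shown in the guide.
SAMPLE_EMAIL = b"""\
Authentication-Results: mx.example.net;
   spf=fail (sender IP not authorized) smtp.mailfrom=paypa1.com;
   dkim=fail header.d=paypa1.com;
   dmarc=fail header.from=paypa1.com
From: "PayPal Support" <security@paypa1-support.net>
To: you@youremail.com
Subject: URGENT: Your account has been compromised!
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer, verify your identity within 24 hours:</p>
<a href="https://paypa1-secure-verify.ru/login">https://www.paypal.com/verify</a>
</body></html>
"""

# Assumed brand -> real domain table; a deployment would load this from config.
TRUSTED_DOMAINS = {"paypal": "paypal.com"}

# Digit-for-letter swaps common in lookalike domains (1->l, 0->o, 5->s, 3->e).
HOMOGLYPHS = str.maketrans("1053", "lose")

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host: str) -> str:
    """Naive registrable domain: last two labels (www.paypal.com -> paypal.com).
    Production code should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str):
    """Step 1: the trusted domain this host imitates, or None when the host is
    genuinely trusted or unrelated to any protected brand."""
    if registered_domain(host) in TRUSTED_DOMAINS.values():
        return None
    normalised = host.lower().translate(HOMOGLYPHS)   # paypa1 -> paypal
    for brand, trusted in TRUSTED_DOMAINS.items():
        if brand in normalised:
            return trusted
    return None


def auth_results(msg) -> dict:
    """Step 3: pull the spf/dkim/dmarc verdicts out of Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def link_mismatches(html: str) -> list:
    """Step 2 done programmatically: for every anchor whose visible text is a
    URL, compare the domain it shows with the domain the href actually targets."""
    found = []
    for href, text in LINK_RE.findall(html):
        real_host = urlparse(href).hostname or ""
        text = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." not in shown_host:        # plain button text such as "Verify Account Now"
            continue
        if registered_domain(shown_host) != registered_domain(real_host):
            found.append((registered_domain(shown_host), registered_domain(real_host)))
    return found


def triage(raw: bytes) -> dict:
    """Run every check over one raw RFC 5322 message and collect the red flags."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []

    _display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    imitated = lookalike_of(sender_domain)
    if imitated:
        flags.append(f"sender domain {sender_domain} imitates {imitated}")

    results = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) != "pass":
            flags.append(f"{mech}={results.get(mech, 'missing')}")

    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    for shown, real in link_mismatches(html):
        flags.append(f"link text shows {shown} but goes to {real}")
    for href, _text in LINK_RE.findall(html):
        target = urlparse(href).hostname or ""
        if lookalike_of(target):
            flags.append(f"link target {target} imitates {lookalike_of(target)}")

    return {"sender": addr, "auth": results, "flags": flags,
            "verdict": "suspicious" if flags else "no red flags found"}


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL)["flags"]:
        print("RED FLAG:", line)
```

Run it as-is and it reports six flags for the constructed sample: the lookalike sender domain, the three failed authentication results, the link whose text shows paypal.com but points at paypa1-secure-verify.ru, and that target domain itself imitating paypal.com. Note the design choice of checking the sender domain before the authentication results: spf, dkim and dmarc only prove that a message really came from the domain it names, so a lookalike domain the attacker registered can pass all three, and a triple pass is not on its own evidence that the message is from the brand it impersonates.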

Step 4: Go Directly to the Website

Never click links in suspicious emails. Instead, open a new browser tab and navigate directly to the company’s website (type it yourself or use a bookmark). Then check your account status from there.

Reporting Phishing

  • Gmail: Three dots > Report phishing
  • Outlook: Report Message button > Phishing
  • US users: Forward to reportphishing@apwg.org or phishing-report@us-cert.gov
  • Business: Report to your IT/security team immediately — one phishing click can affect the whole organization

What to Do If You Clicked a Phishing Link

  1. Don’t panic — if you only clicked and did not enter credentials or open a download, the attacker usually has nothing yet
  2. If you entered credentials: change that password immediately from a different device
  3. Enable 2FA on the affected account
  4. Check for unauthorized activity (logins, sent emails, transactions)
  5. Run a malware scan if you downloaded anything
  6. Notify your IT team if on a work device

Wrap Up

Phishing attacks succeed because they’re designed to bypass your rational thinking with urgency and emotion. Slow down, verify before you click, and when in doubt — go directly to the website instead of using links from emails. Those 30 extra seconds can save you from a devastating breach.