Phishing is a type of cybercrime where scammers pretend to be trusted sources to trick you into sharing personal information or clicking harmful links.

The internet is a very convenient place to be, but unfortunately it’s also a convenient place for cybercriminals and identity thieves. One of the most common ways scammers try to take advantage of people is by “phishing”. They pose as a trustworthy organization or as someone you personally know and try to convince you to give up sensitive information or interact with malicious content.

By understanding how phishing works and recognizing the signs, you can better protect yourself and enjoy the internet more safely.

How does phishing work?

Phishing works by disguising malicious messages as legitimate ones. Scammers pretend to be trusted organizations, brands, coworkers, or even friends so they can trick you into clicking harmful links, opening dangerous attachments, or sharing personal information like passwords or financial details.

These attacks rely heavily on social engineering: techniques that manipulate human emotions like urgency, fear, or curiosity. When a victim takes the bait, attackers may gain access to accounts, steal money or identities, or install malware on the device. Phishing doesn’t happen in just one way, which is why it’s important to understand the channels it uses and the tactics behind it.

Forms of Phishing

Phishing attacks can reach you across multiple communication channels, wherever you spend time online.

  • Email: This is the most common type of phishing, with 96% of phishing attacks occurring by email. Criminals send emails that look like they’re from legitimate companies, prompting users to click links or submit personal information.
  • Phone calls: Scammers might leave messages impersonating banks, government agencies, or tech support, attempting to verbally extract sensitive information.
  • Text messages: Short, urgent messages with the goal of luring users into clicking links to malicious websites or webpages.
  • Fraudulent Wi-Fi hotspots: Scammers set up a malicious free Wi-Fi hotspot that looks like a legitimate access point. Once you connect, they can redirect you to spoofed websites or intercept the data your device sends over the connection.
  • Social media and messaging apps: Attackers may impersonate friends or official accounts, sharing malicious links or directing users to fake login pages.

Common phishing techniques

Phishing messages often look polished and legitimate because attackers rely on technical deception to fool the eye, and sometimes even security tools.

1. Malicious web links (URL deception)

Attackers use visually convincing links that send victims to harmful websites designed to steal data.

  • URL spoofing: Scammers alter a URL to appear legitimate, often by adding extra characters or using misleading subdomains.
  • Homograph (homoglyph) domains: Criminals register look‑alike domains using characters from other alphabets (e.g., Cyrillic “а” instead of Latin “a”), making fake websites appear identical to real ones.
  • Punycode/IDN spoofing: Domain names containing Unicode characters are translated into ASCII using Punycode (the “xn--” form), which lets attackers hide deceptive character substitutions inside a domain name that looks ordinary in its encoded form and convincing in its displayed form.
  • Redirect chains: Some phishing links pass through multiple seemingly safe sites or URL shorteners before landing on a malicious page.
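The three link tricks above can be checked mechanically before anyone clicks. The following is an added example, not code from the original article: it decodes Punycode hosts, flags labels that mix scripts (the Cyrillic “а” case) or use non-Latin letters, and flags a trusted brand name that appears only as a subdomain. The trusted-domain list, the sample links and the two-label registrable-domain rule are assumptions made for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: the handful of sites the reader actually uses, as registrable domains.
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample links (not from the article) covering each trick described above.
SAMPLE_LINKS = [
    "https://www.example.com/login",                  # genuine
    "https://www.ex\u0430mple.com/login",             # Cyrillic "а" (U+0430) replaces Latin "a"
    "https://xn--exmple-4nf.com/verify",              # the same look-alike host in Punycode form
    "http://www.example.com.account-verify.test/",    # brand name used as a misleading subdomain
]

def host_to_unicode(host: str) -> str:
    """Decode Punycode (xn--) labels so the human-visible form can be inspected."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not decodable: inspect as given

def letter_scripts(label: str) -> set:
    """Scripts of the letters in a label, taken from the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}

def check_url(url: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lowercases the host for us
    if parts.scheme != "https":
        findings.append("not HTTPS")
    shown = host_to_unicode(host)
    if shown != host:
        findings.append(f"punycode host displays as {shown!r}")
    labels = shown.split(".")
    for label in labels:
        scripts = letter_scripts(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts in label {label!r}: {sorted(scripts)}")
        elif scripts and scripts != {"LATIN"}:
            findings.append(f"non-Latin label {label!r}")
    # Assumption: the registrable domain is the last two labels (no co.uk-style suffix handling).
    registrable = ".".join(labels[-2:])
    if registrable not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in labels[:-2]:
                findings.append(f"{brand!r} is only a subdomain of {registrable!r}")
    return findings

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", check_url(link) or "no findings")
```

A redirect chain cannot be judged from the link text alone; the same checks should be applied to each hop’s final destination.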

2. Malicious attachments

Attachments may appear to be invoices, HR documents, or shipping notices, but may actually deliver malware or steal information. Common examples include:

  • Macro‑enabled Office documents that run scripts when opened.
  • PDFs containing malicious links or embedded scripts.
  • Executable files (.exe, .scr) disguised as legitimate downloads, which install malware once opened.

These attachments often pressure users to open them quickly by invoking urgency (“Invoice overdue”) or authority (“HR notice”).

3. Fraudulent data‑entry forms on cloned websites

  • Attackers create near‑perfect copies of banking sites, email portals, cloud services, or corporate dashboards.
  • Victims are prompted to “verify your account,” “reset your password,” or “confirm payment details.”
  • Credentials entered on these fake pages are immediately sent to the attacker.
  • This technique commonly appears in business email compromise schemes.

What kind of information are phishing scams after?

We’ve mentioned that phishers are looking for sensitive information, but what exactly are they after? The kind of information phishing scams target might include:

  • Login information (including email account and password)
  • Credit card information
  • Bank account numbers
  • Social Security numbers
  • Company data

Types of phishing attacks

Phishing scams can come in many forms, but understanding the common types of phishing attacks can help you keep identity thieves at bay. Here are some to be aware of:

Email phishing scams

A phishing email is a fraudulent email made to look like it’s from a legitimate company or person. It may ask you to provide personal information or click on a link that downloads malware. For example, an email allegedly from Bank of America notes that due to suspicious activity, you should log into your bank account to verify your information.

Fortunately, there are ways to spot a phishing cyberattack like this.

  • There are typos and grammatical errors. If the email is filled with spelling and grammatical errors, it’s likely a phishing scam. Corporations don’t send out emails riddled with errors.
  • A bank requests personal information. Financial institutions don’t email you to ask for personal information like your PIN, Social Security number, or bank account number. If you receive an email like this, delete it and don’t provide any information.
  • The sender address or URL doesn’t match. To see the sender’s real email address, hover over the sender’s name; to see where a link really goes, hover over the link in the email. If the sender’s address doesn’t match the name that shows, that’s a red flag. For example, if an email that appears to be from FedEx has an email address without the company name in it, or with the name spelled wrong, it’s most likely a phishing email. To check the URL of a link on a mobile phone, press the link and hold it with your finger.
  • The email isn’t personalized. A company you do business with will address you by name. A phishing email might use a general greeting like “Dear Account Holder.”
  • There’s a sense of urgency. Phishing messages create fake emergencies to get you to act without thinking. They might claim an account is being frozen unless you immediately confirm your personal details. Requests for emergency action are usually phishing emails. A legitimate business gives its customers a reasonable amount of time to respond before closing an account.
  • It’s from an unfamiliar sender. Consider deleting an email from a sender you don’t recognize or a business you don’t patronize. Also, be cautious with a message from someone you know who seems unusual or suspicious.

Spear phishing scams

While some phishing emails are sent to broad audiences, spear-phishing emails target specific individuals or businesses. This allows the scammers to research the recipient and customize the message to make it look more authentic.

Examples of spear phishing emails include:

  • Enterprise hacking: Cybercriminals send emails to employees in a corporation to find vulnerabilities in the corporate network. The emails might appear to be from a trusted source. It only takes one person to click on a link to download ransomware that infects the company’s network.
  • A note from the boss: An employee receives a fraudulent email that appears to be from an executive asking them to share company information or expedite payment to a vendor.
  • Social media scam: Cybercriminals can use information from your social media account to request money or data. For example, a grandparent might receive a text using the name of their grandchild asking for money for an emergency. But when they call to check, they find out their grandchild is safe at home.

One of the best defenses against spear phishing is to contact the source of an email to verify the request. Call the colleague who’s asking you to do a wire transfer or log onto your Amazon account to check for messages.

Clone phishing scams

For this highly customized scam, scammers duplicate a legitimate email you might have previously received and add attachments or malicious links to a fake website. The email then claims to be a resend of the original. Clicking a malicious link can give spammers access to your contact list. Your contacts can then receive a fake email that appears to be from you.

While clone phishing emails look authentic, there are ways to spot and handle them. They include:

  • Follow up directly. Go to the website of the bank, online retailer, or business to see if you need to take action.
  • Look at the URL. Don’t trust sites that begin with plain HTTP. Keep in mind, though, that HTTPS alone doesn’t prove a site is genuine, since phishing sites can use it too, so check that the domain name itself is the one you expect.
  • Look for mistakes. As with any phishing email message, be on the lookout for spelling errors and poor grammar.

Voice phishing scams

Through vishing or voice phishing, scammers call you and try to persuade you to provide sensitive data. They might use caller ID spoofing to make the call appear to be from a local business or even your own telephone number. Vishing calls are usually robocalls that leave a voicemail or prompt you to push buttons for an operator. The intent is to steal credit card information or personal and financial information to be used in identity theft.

Fortunately, there are signs that give away these attacks. They include:

  • The call is from a federal agency. If a caller pretends to be from a federal agency, it’s likely a scam. Unless you’ve requested it, agencies like the IRS won’t call, text, or email you.
  • It requires urgent action. Scammers might attempt to use fear to make you act quickly. The pressure to act immediately is a giveaway.
  • They request personal information. It’s a red flag when the caller asks for your information. Sometimes, they’ll have some of your data, even the first few digits of your Social Security number. The scammer will try to make you think the call is legit and get you to provide additional information.

If you’d like to avoid vishing calls, there are several things you can do. When you don’t recognize the number, don’t answer the phone. Let the call go to voicemail, then block it if it isn’t legitimate. Use a call-blocking app to filter calls coming to your cellphone. To block calls on a landline, check with your service provider regarding the services offered.

Dealing with a cybercriminal is no time to be polite. If you do answer a vishing call, hang up as soon as you realize it. Don’t answer any questions, even with a yes or no. Your voice could be recorded and used for identity theft. If they ask you to push a button to be removed from a call list, don’t do it. You’ll just receive more calls.

If you receive a voicemail and are unsure if it’s legitimate, call the company directly using the phone number on the company website. Don’t call the number in the voicemail.

Smishing scams

If you’ve ever received a text pretending to be from Amazon or FedEx, you’ve experienced smishing. Scammers use smishing (SMS phishing) messages to get people to click on malicious links with their smartphones. Some examples of common fraudulent text messages include:

  • Winning prizes: If it seems too good to be true, it probably is.
  • Fake refunds: A company you do business with will credit your account or credit card, not text you.
  • Relatives who need help: These messages might request bail money or other assistance for a relative who is abroad.
  • Messages from government agencies: Always delete these texts because federal agencies don’t conduct business by text message.
  • Texts from companies like Amazon or Apple: These are the most frequently spoofed businesses because most people do business with one or both of them.

If you receive a smishing text, don’t respond, or you’ll get more texts. Instead, delete the text and block the number.

Pop-up phishing scams

Pop-up phishing occurs when you’re on a website and a fake pop-up ad appears. It encourages you to click a link or call a number to resolve the issue. Some of these reload repeatedly when you try to close them or freeze your browser.

Common pop-up scams include:

  • Infected computer alert: This scam ad tries to persuade you to click a link to remove viruses from your computer. For added urgency, some even include fake countdown clocks that give you a few seconds to click a link and install antivirus software. The link actually installs malware. Legit antivirus software like McAfee Total Protection won’t do that. Instead, keep your connected life safe from things like malware, phishing, and more.
  • AppleCare renewal: This pop-up encourages you to call a fake Apple number to give credit card information to extend your Apple warranty.
  • Email provider pop-ups: You’re encouraged to provide personal data by this pop-up, which appears to come from your email provider.

If you see a scam pop-up ad, don’t click on the ad or try to click the close button within the ad. Instead, close out of the browser window. If your browser is frozen, use the task manager to close the program on a PC. On a Mac, click the Apple icon and choose Force Quit.

What to do if you’re a victim of phishing?

Being online makes us visible to a lot of other people, including scammers. Fortunately, there are things you can do if you become a victim of phishing, allowing you to get back to enjoying the digital world. They include:

  • File an FTC report. Go to IdentityTheft.gov to report phishing and follow the steps provided.
  • Change your passwords. If you provided the passwords to your bank account or another website, log in to your account and change your passwords and login credentials. If you have other accounts with the same passwords, change those too. Don’t use the same passwords for more than one account.
  • Call the credit card company. If you shared your credit card number, call and let them know. They can see if any fraudulent charges were made, block your current card, and issue a new credit card.
  • Review your credit report. You can get free copies of your credit report every 12 months from all three major credit agencies — Experian, TransUnion, and Equifax — by going to AnnualCreditReport.com. Check to see if any new accounts were opened in your name.
  • Scan your devices. There’s a chance you downloaded malware during the phishing attack. Antivirus software, like what’s included in McAfee Total Protection, can scan your devices in real time to detect malicious activity and remove viruses on your devices.

Phishing protection: How to prevent attacks?

You deserve to live online freely. But that might mean taking steps to protect yourself from phishing attempts. Here are some ways you can improve your cybersecurity and keep scammers at bay:

  • Don’t click email links. If you receive an email from your bank or a company like Amazon, open a browser window and go directly to the company’s site. Don’t click a link in an email.
  • Use unique passwords. If you use the same password for multiple accounts, a hacker who accesses one of your accounts might be able to break into all of your accounts. Use different passwords for each of your accounts. A password manager like McAfee True Key can help you create and save passwords.
  • Check your browser security. Web browsers like Google Chrome and Safari can be set to block fraudulent websites. Go into the settings for your browser and adjust the security level.
  • Use spam filters. All major email providers have spam filters that move suspicious emails into a junk or spam folder. When phishing emails do get to your inbox, always mark them as spam so all other emails from that source will go to the spam folder.
  • Delete suspicious emails. Delete emails from financial institutions with urgent subject lines, for example.
  • Use antivirus protection. All of your internet-connected devices should have antivirus protection like McAfee Total Protection. Set it to update automatically to keep your coverage current.
  • Don’t email information. Banks and credit card companies won’t email you for personal data. If you want to confirm information with a financial institution, contact them directly with the information on their website, such as a phone number.
  • Watch your social media posts. Be careful about what you post on social media. Those quizzes where you mention life details, such as your pet’s name, school mascots, and so on, can provide hackers with a wealth of information. Make sure only friends can view your posts.

Browse online safely and securely

You don’t have to stop enjoying the internet just because of phishing attempts. McAfee’s identity theft protection services, including antivirus software, make it possible to enjoy your digital world while staying safe from scammers and identity thieves.

With 24/7 active monitoring of your sensitive data, including up to 60 unique types of personal information, McAfee is all about proactive protection. This means you’ll be alerted 10 months sooner than our competitors, so you can take action before your data is used illegally. We also provide up to $1 million of ID theft coverage and hands-on restoration service in the case of a data breach.

The best part is that you can customize a package to meet your needs, including virus protection, identity theft monitoring, and coverage for multiple devices. We make it safer to surf the net.