10 Tips to Avoid Phishing Scams

Last updated: April 2021

They’ve become all too commonplace: those pesky emails that flood your inbox, designed only to siphon your personal and most sensitive information without you knowing. Some are easier to detect than others; if you get an email from a Nigerian prince looking for a place to store his fortune, for example, it’s probably best to delete it.

But others are more crafty, better designed and harder to detect. These digital scam artists have become quite adept at making fraudulent emails look exactly like legitimate ones, often from businesses or establishments you are familiar with and trust. It’s not just emails either.

What is phishing?

Phishing is a social engineering attack that exploits the design of web pages to trick the user into believing they are in a legitimate and secure web session with a trusted site. Phishing emails often contain links to these phishing sites, which appear to be real. In reality, the phishing site is designed to install malicious software or acquire personal information, including credit card numbers, personal identification numbers (PINs), social security numbers, banking numbers and passwords. The phisher then uses this information for identity theft, to steal money or for other fraudulent purposes.

How to protect yourself from phishing

So what can you do to avoid becoming a victim of phishing? There are steps you can take to minimize your risk. By following these 10 tips, you’ll be well on your way to becoming a phishing scam defense expert.

  1. Instead of clicking on a link in an email, open a new browser page and type in the address/URL of the site you intended to visit. A fraudulent link is often very similar to a trusted one, changing only a few letters that are easy to miss.
  2. Keep both your operating system and browser software up to date. The latest versions of most browsers come equipped with anti-phishing filters. As attackers devise new techniques, software updates improve those filters.
  3. It’s a good idea to block pop-ups when browsing the internet. You can find your way around the web without the help of unsolicited directions.
  4. Never input personal information into pop-up windows unless you are completely confident they are from the intended site.
  5. For day-to-day computer use, use a standard user account instead of an administrator account. Switch over to the administrator account only when administrator functions are necessary. This protects your computer by reducing access to critical administrative functions.
  6. Delete and do not open suspicious email messages. It may be tempting, and sometimes the subject line can be catchy or so generic that you want to learn more — but avoid the temptation and simply delete it.
  7. Only accept trusted certificates. Do not ignore browser warnings. Sometimes we receive so many warnings from our computer or browser it’s almost like the boy who cried wolf. Don’t simply dismiss warnings you think you’ve seen without reading them thoroughly and considering the implications.
  8. Do not click on links that will take you to an unfamiliar site or IP address.
  9. Look for a padlock. Browsers display a padlock in the address bar when a site is secured with a TLS/SSL certificate. Clicking on the lock icon will reveal more information about who the certificate was issued to. Open up the certificate details to ensure you are where you think you are.
  10. Enable malware protection. This can usually detect and deter most threats without you needing to do a thing.
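Tips 1 and 8 describe links whose host differs from a trusted domain by a few letters, or points at a bare IP address. The following Python script, added here as an illustration and not part of the original article, shows how a mail filter or a careful reader could flag such links in an HTML email body before anyone clicks; it also catches links whose visible text names one site while the real target is another. The trusted-domain list, the sample email and all function names are constructed for this example.

```python
import re
from urllib.parse import urlparse

TRUSTED = {"example.com", "mybank.example"}  # constructed for this example: sites the reader trusts

def host_of(url):
    """Lowercase hostname of a URL, or '' if it has none."""
    host = urlparse(url.strip()).hostname
    return host.lower() if host else ""

def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 means 'only a few letters changed'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def verdict(host, trusted=TRUSTED, max_edits=2):
    """'trusted', 'ip', 'lookalike' (within max_edits of a trusted domain) or 'unknown'."""
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):  # bare IPv4 address instead of a name
        return "ip"
    base = ".".join(host.split(".")[-2:])  # compare the registered part, not subdomains
    if any(edit_distance(base, d) <= max_edits for d in trusted):
        return "lookalike"
    return "unknown"

# Matches <a href="...">text</a>; adequate for mail bodies, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def suspicious_links(html):
    """Return [(href, reason)] for links to retype by hand rather than click."""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        target = host_of(href)
        v = verdict(target)
        if v != "trusted":
            out.append((href, "%s host %r" % (v, target)))
        shown = host_of(text) if text.strip().startswith("http") else ""
        if shown and shown != target:  # text names one site, link goes to another
            out.append((href, "text shows %r but link goes to %r" % (shown, target)))
    return out

EMAIL = """<a href="https://login.examp1e.com/reset">https://www.example.com/reset</a>
<a href="http://203.0.113.7/verify">Verify now</a>
<a href="https://www.example.com/help">Help center</a>"""  # constructed sample email body
```

Running `suspicious_links(EMAIL)` flags the first two links (a lookalike domain with mismatched link text, and a bare IP address) and leaves the genuine example.com link alone.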

How to report phishing

It’s also a best practice to forward phishing emails to spam@uce.gov, to the organization being impersonated, and to reportphishing@antiphishing.org.

Learn more about phishing scams, the different types of scams out there and how to secure your email.

Posted in 101, Best Practices, Security
