Phishing is a type of scam that uses messages (such as emails, texts, or phone calls) to trick victims into revealing sensitive information or into opening a link or attachment that installs malware. The ultimate goal of a phishing scam is often to steal a victim’s money or commit identity theft. Scammers commonly carry out phishing by impersonating a trusted business or organization, such as an online shopping platform, bank, or government agency.
How does phishing happen?
Phishing often happens using social engineering tactics designed to pressure targets into acting quickly. For example, you might receive an email with a fake invoice for $400 in printing equipment. The possibility of being charged a lot of money puts you in a state of fear, which may compel you to quickly click a link to “review your order.” The link may lead to a spoofed website that asks you to provide your bank account number or other sensitive personal information. Or it may download malicious software, or malware, to your device.
Because scammers push you to act before you have had the chance to think about their request, the best defense is to slow down before you decide whether and how to engage with a sender.
Types of phishing attacks
Phishing scams are an ever-evolving threat, with criminals constantly updating their approaches to take advantage of new technology. The types below are distinguished by who is targeted and by the channel the fraudster uses.
- Spear phishing: Spear phishing targets a specific person or group in an organization using information designed to get them to click on an attachment or link, rather than casting a wide net in hopes that someone will take the bait.
- Whaling: Whaling is a phishing attack that targets high-level or high-profile business executives, such as CEOs. These victims are of high value to criminals because they may have access to vast amounts of sensitive data or money.
- Email spoofing: Email spoofing is when a scammer forges the sender address or display name of an email so that it appears to come from a trusted source, such as a company’s CEO or a popular online shopping platform. In reality, these emails are designed to phish information from you. They may also include links or attachments containing malware.
- Smishing: A combination of “SMS” and “phishing,” smishing uses text messages designed to trick you into sharing your sensitive data or into clicking on a malicious link.
- Vishing: A combination of the words “voice” and “phishing,” vishing scams target victims using fraudulent phone calls, often with a spoofed caller ID that shows a trusted name or number.
- Quishing: Quishing is a relatively new form of phishing that uses QR codes that lead to harmful websites. Scammers may plant these malicious QR codes over authentic ones, such as on parking meters. Once you navigate to the site, you may be prompted to enter sensitive information, or your device may be infected with malware.
Common signs of phishing
Here are some common red flags that could tip you off to a phishing attempt:
- Language that urges you to act quickly to avoid something, like account deletion or monetary penalties
- Offers that seem too good to be true
- Requests for sensitive information, like account login credentials, or money
- Spelling errors and unusual grammar
- Sender email addresses or phone numbers that seem unprofessional or unusual
- Suspicious or unusual email attachments and links
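Several of the red flags above can be checked mechanically on a raw message before anyone clicks. The script below is an added example, not code from the original article: it parses an RFC 5322 email with Python’s standard library and reports a display name that names a domain the sender address does not match, a Reply-To that differs from From, link text that shows one domain while the href points to another, links outside the sender’s domain, urgency and credential-request phrases, and risky attachment types. The phrase lists, the extension set, and the sample message (the domains examplebank.com, examplebank-secure.net and mail-verify.example, and the attachment name) are constructed for illustration.

```python
"""Heuristic phishing red-flag scanner for a raw RFC 5322 email.

Added example, not part of the original article. The phrase lists, the
risky-extension set and SAMPLE_EMAIL are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_PHRASES = ("act now", "immediately", "within 24 hours", "will be suspended",
                   "will be deleted", "final notice", "urgent")
SENSITIVE_REQUESTS = ("password", "social security", "ssn", "bank account",
                      "credit card", "login credentials", "verify your account")
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".html", ".iso", ".zip", ".lnk"}
DOMAIN_RE = re.compile(r"[a-z0-9-]+\.[a-z]{2,}")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _registrable(host):
    """Crude last-two-labels comparison (wrong for public suffixes like co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def _has_phrase(phrase, text):
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


def scan_email(raw):
    """Return a list of red-flag descriptions found in the raw message text."""
    msg = message_from_string(raw)
    flags = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")
    # A display name that names a domain the sender address does not belong to
    for named in DOMAIN_RE.findall(display_name.lower()):
        if _registrable(named) != _registrable(from_dom):
            flags.append(f"display name mentions {named} but sender address is {from_addr}")

    text_parts, html_parts, attachments = [], [], []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            text_parts.append(part.get_payload(decode=True).decode(errors="replace"))
        elif part.get_content_type() == "text/html":
            html_parts.append(part.get_payload(decode=True).decode(errors="replace"))

    body = " ".join([msg.get("Subject", "")] + text_parts + html_parts).lower()
    flags += [f"urgency language: '{p}'" for p in URGENCY_PHRASES if _has_phrase(p, body)]
    flags += [f"request for sensitive data: '{p}'" for p in SENSITIVE_REQUESTS if _has_phrase(p, body)]

    for html in html_parts:
        collector = _LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            host = urlparse(href).hostname or ""
            if host and DOMAIN_RE.search(text.lower()):
                shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
                if shown and _registrable(shown) != _registrable(host):
                    flags.append(f"link text shows {shown} but points to {host}")
            if host and _registrable(host) != _registrable(from_dom):
                flags.append(f"link to {host} outside sender domain {from_dom}")

    for fname in attachments:
        ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        if ext in RISKY_EXTENSIONS:
            flags.append(f"risky attachment type: {fname}")
    return flags


# Constructed sample: a lookalike sender, a mismatched Reply-To, a disguised link
# and a double-extension attachment. Not a real message.
SAMPLE_EMAIL = """\
From: "examplebank.com Alerts" <alerts@examplebank-secure.net>
Reply-To: support@mail-verify.example
To: customer@example.org
Subject: Final notice: your account will be suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>We could not verify your account. Act now and confirm your password
at <a href="http://login.mail-verify.example/auth">https://www.examplebank.com/login</a>
within 24 hours.</p>
--b1
Content-Type: application/octet-stream; name="Invoice.pdf.exe"
Content-Disposition: attachment; filename="Invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

if __name__ == "__main__":
    for flag in scan_email(SAMPLE_EMAIL):
        print("-", flag)
```

The domain comparison keeps only the last two labels, so it misjudges registrable domains under multi-label public suffixes (co.uk and the like); a production filter would use a public-suffix list and combine these content heuristics with the SPF, DKIM and DMARC results the receiving mail server records in the Authentication-Results header.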
How to avoid phishing attacks
- Be skeptical. When in doubt, do not engage with texts, emails, phone calls or other communication from someone you can’t confirm is who they say they are. Never give your Social Security number or financial information to someone who contacts you to ask for it.
- Contact organizations directly. If you get a phone call or message from someone claiming to be a trusted organization (such as your doctor or your bank), you don’t have to interact with them. Instead, hang up and contact the organization using a number that you’ve looked up on your own or have on your account statements.
- Increase your accounts’ security. Avoid reusing passwords: if a scammer gets access to one password, they could use it to get into other accounts that share it. Enroll in multifactor authentication for an added layer of security.
- Do not click on suspicious links or attachments. Do not click any links or attachments in emails or texts from unknown senders. Deceptive links can lead to spoof websites designed to phish your information, or they could install malware on your device.
- Do not give in to pressure. Phishing attacks use psychological tactics meant to make you feel rushed into a decision, such as explicit or implied threats, or promises of prizes if you act now.