What are phishing scams — and how to avoid them

A fishing hook resting on a laptop keyboard.
(Image credit: wk1003mike/Shutterstock)

Robert Mueller, the former director of the FBI and the Trump-era special counsel, famously refused to bank online after a close call with a fake-email scam in 2009.

So what had the man who used to be the head of the nation's most respected law-enforcement organization fearing for his financial life? In a word, phishing — a term coined by internet con men to describe the process of "baiting" consumers with fake email, text, social-media, instant or even voice messages that entice them to provide their private information, just as an angler might lure a fish with a shiny spinner bait.

The FBI once called phishing the "hottest and most troubling new scam on the internet." 

While it's no longer new, phishing is still the most reliable way for crooks and spies to get secret information and break into computer networks and online accounts. Understanding what phishing is and how to protect yourself from it is just as important as ever.

What phishing scams want

So what is phishing, exactly? Phishing is a confidence trick. Information-security experts will call it "social engineering," but it's a con job that tricks people into handing over sensitive personal information, often (but not only) the online credentials that consumers use to identify themselves in the online marketplace. 

Some good examples of those valuable credentials are the usernames, email addresses and passwords that are used to log into sites that store a customer's credit-card or bank-account details for future use. 

Passwords for social-media or webmail accounts can also be phished, since those accounts also tend to hold a lot of useful information. Some phishing scams target not passwords, but items such as credit-card information or Social Security numbers.

The newest forms of phishing don't aim to steal your credentials or any other kind of information right away, but rather to install malware on the device you're using to read the phishing messages.

The key to understanding phishing scams is that they can take many forms, but they all aim to steal money, take over accounts, commit identity theft or install malware.

A good example of a phishing email would be an email message that is supposedly sent to you from your bank alerting you to an overdraft or negative balance on your account. 

The phishing email might include what looks like a link to your bank's website, where you can log in with your credentials (your username and password) to resolve the matter.

But instead of taking you to your bank's real website, the link takes you to a look-alike website, one that is run by criminals who want access to your account. If they get your credentials and seize control of your account, they may steal your money outright or use your account to "launder" their ill-gotten gains.

Spear phishing

Most phishing attacks are "spray and pray," sending tons of identical messages to thousands of potential victims in the expectation that a few dozen will fall for the scam. 

Far more effective are "spear phishing" emails that target just a few people or even a single person. In spear phishing, the lure is a message specifically tailored to the victim's expectations. 

A spear-phishing message may address you by name, refer to your workplace or look like it comes from your boss or a co-worker. It will invite you click on a link that leads to the login page of a service your company uses, or to download and open an email attachment relating to urgent company business. 

A few years ago, we here at Tom's Guide were hit by a phishing email message that seemed to come from one of our human-resources staffers. The message said we had to resolve an urgent payroll matter. There was a link inside the body of the message that took us to what looked one of our company's employee portals, where we were invited to log in. 

Not everyone fell for the phishing scam, and several people had the link blocked by antivirus software. But a few unlucky people did "log into" the fake employee portal, only to discover a few days later that their direct-deposit paychecks had been redirected to unknown bank accounts.

SMS text-message phishing or 'smishing'

Phishing attacks don't just come via email any more. We're seeing more and more "smishing" attacks coming from SMS text messages that are sent out to thousands of numbers at a time. 

Sometimes the messages tell you that you've got a package, typically a desirable expensive item such as a new iPhone, that needs to be picked up. When you click the included web link to find out how, you may see that the package is meant for someone else — but either way, you've got to download and fill out a form first. 

If you're on an Android phone, the download is malware; if you're on an iPhone, you'll be send to a phishing page that wants your personal and credit-card information.

There are also text-based spear-phishing attacks. One common ploy involves texting a company employee with a message that seems to come from the boss, who then asks the employee to purchase gift cards or to wire money to strange accounts.

Worst of all are bank-fraud smishing attacks. The victim gets a text that seems to come from their bank warning of a "fraud alert" and asking them to confirm or deny a transaction involving quite a bit of money. 

When the victim denies the transaction, he or she gets a call from someone pretending to be a bank "representative" who will help them resolve the matter — but the technician actually moves money out of your account.

Because the victim helped the "representative" move the money, the real bank considers that to be an authorized transfer and has no legal obligation to refund the victim, who is left out of pocket — sometimes by several thousand dollars.

Voice phishing or 'vishing'

You may already be familiar with "vishing" attacks. These are automated phone calls made to random telephone numbers. 

When you pick up, a prerecorded message tells you that your Social Security number is in danger of being stolen, or that someone has bought something expensive on your Amazon account, or that the FBI or IRS are coming after you for unpaid taxes, for viewing pornography online, or for outstanding warrants. (Speaking of Amazon, here are some tips for avoiding Amazon scams, including phishing attempts.)

Naturally, you'd be alarmed to learn this. The messages always invite you to click "1" to connect to someone who can "help." That person is part of the con, and he or she may ask you for your Social Security number or Amazon username and password. Or they may ask you to pay "fines" or "taxes" on the spot using credit cards or gift cards.

How to protect yourself from phishing attacks

The best way to protect yourself from online phishing attacks is to stay vigilant and to never give away any information online — unless you're 110 percent sure you're entering your personal information into a legitimate website for a legitimate purpose.

If you're lured by an email, text, instant or social-media message to what appears to be the login page for one of your online accounts, check the URL — the web address — of the login page in your browser's address bar. 

Make sure that the name of the company is spelled properly, that the company name comes right before ".com," ".org" or "co.uk" in the URL, and that the URL starts with "https://" instead of "http://". Check very carefully, because sometimes a "1" may be substituted for an "l" or a "0" for an "o". 

This can be hard to do on some mobile browsers that don't always display any or all of the web address. Tap on the browser address bar and see if a menu pops up that includes the words "copy" or a symbol of two rectangles lying atop one another — select that to copy the URL, and then switch to a text-editing or email app into which you can past the URL. 

Also check to make sure that the English-language text on the page contains no misspellings, odd words or awkward grammar. If it does, you may have landed on a phishing page.

If the page looks legitimate, but what it promises sounds too good (or too scary) to be true, then contact the company involved by other means. Send them an email, call them, or even hit them up on Twitter to verify that what the page is offering — or warning about — is real.

The dangers of phishing attacks

Remember that your online identity and your real-life identity are deeply intertwined. Personal information can include everything from your telephone number to your address, as even this seemingly innocent information can be used to "profile" you and make it easier to gain access to other, more secure information.

A scammer can use basic information to set up phony credit-card accounts, or even claim government benefits, in your name.

The best defense is a good offense, so don't make it easy for phishers to get your information. 

Never use the same password for different websites, and if you suspect you're the target of a phishing scam, report it immediately to the Internet Crime Complaint Center at http://www.ic3.gov/complaint/ (opens in new tab).

Always have one of the best antivirus programs installed and running, because many modern phishing campaigns aim to infect computers rather than steal credentials. Good antivirus programs also will block known phishing websites from loading in your web browser.

To keep your online accounts as safe as possible, use one of the best password managers and never reuse passwords from one account to another.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.