Skip to main content

What is phishing and how can I fight it?

Robert Mueller, the former director of the FBI and Trump-era special counsel, famously refused to bank online after a close call with a fake-email scam in 2009.

So what had the man who used to be the head of the nation's most respected law-enforcement organization fearing for his financial life? In a word, it's phishing — a term coined by internet con men to describe the process of "baiting" consumers with fake emails that entice them to reply with their private information, just as an angler might lure a fish with a shiny spinner bait.

The FBI once called phishing the "hottest and most troubling new scam on the internet," and understanding what it is and how to protect yourself is now just as important as it ever was.

So what is phishing exactly? Phishing is a form of cybercrime, a means of illicitly acquiring the online credentials that consumers use to identify themselves in the online marketplace. 

Some good examples of those credentials are the usernames, email addresses and passwords to sites that store a customer's credit-card or bank-account details for future use.

Newer forms of phishing don't aim to steal your credentials, but rather to install malware on the device you're using to read the emails.

The key to understanding phishing scams is that they can take many forms, but they all have the same end. They all aim to commit identity theft or install malware.

A good example of a phishing email would be an email message that is supposedly sent to you from your bank, alerting you to an overdraft or negative balance on your account. 

The phishing email might include a link to your bank's website, where you can log in with your credentials (your username and password) to resolve the matter.

Instead of taking you to your bank's website, the link takes you to a look-alike website, one that is run by phishers who want access to your account. If they get your credentials, they may steal your money outright, or use your account to "launder" their ill-gotten gains.

The best way to protect yourself from online phishing attacks is to stay vigilant and to never give away any information online — unless you're 110 percent sure you're entering your personal information into a legitimate website for a legitimate purpose.

Remember that your online identity and your real-life identity are deeply intertwined. Personal information can include everything from your telephone number to your address, as even this seemingly innocent information can be used to "profile" you and make it easier to gain access to other, more secure information.

A scammer can use even basic information to set up phony credit-card accounts, or even claim government benefits, in your name.

The best defense is a good offense, so don't make it easy for phishers to get your information. 

Never use the same password for different websites, and if you suspect you're the target of a phishing scam, report it immediately to the Internet Crime Complaint Center at

Always have one of the best antivirus programs installed and running, because many modern phishing campaigns aim to infect computers rather than steal credentials.

To keep your online accounts as safe as possible, use one of the best password managers and never reuse passwords from one account to another.