How Phishing Scams Work – And How to Protect Yourself

In a phishing scam, the scammer emails their target in an attempt to obtain money, passwords, or personal information. Typically, their motives are financial. Once they have your bank login info, for instance, they can then proceed to loot your bank account.

In this guide, we’ll walk you through how phishing scams operate, and provide some key pointers on how to spot scams and stay safe.

How Phishing Scams Work: Step-by-Step

1.) Probe for Targets

To begin with, the phishing scammer searches for targets. They’ll take one of two approaches, either sending generic emails en masse or carefully selecting individual targets. We’ll call these two approaches blast phishing and spear phishing.

Blast phishing entails sending generic phishing emails to as many people as possible. Your classic “Nigerian prince” scam falls under this bucket, but it’s not the only approach scammers take. They’ll often impersonate specific organizations, such as banks or the IRS. Because these organizations deal with millions of people, an email claiming to be from a major bank can be sent far and wide.

Spear phishing is more selective. The spear phisher carefully selects a high-value target, diligently researches their victim, and sends a highly personalized email to their target. Spear phishing attacks are far more time-intensive than blast phishing, which is why they tend to pursue high-value targets, such as business owners and executives.

2.) Prep the Attack

Once they know their target, the phishing scammer prepares their attack. In some cases, they’ll go directly for money. Advance fee frauds like the Nigerian Prince scammers fall under this bucket. These scammers promise a massive sum if you only send them a small advance fee. Needless to say, the treasure chest isn’t coming.

Often, phishing scammers will go for your critical passwords. To make this approach work, they create a duplicate website designed to look exactly like your official bank website, for instance. They’ll send an email that looks just like one you might receive from your bank. They can even fake the “from:” line on the email using a technique known as email spoofing: that line is written by whoever sends the message, and nothing in the email itself stops a sender from putting any address they like there.

Phishing scammers also fool their victims into giving up critical personal information, which they can then use to steal your identity and loot your pocketbook. That can include your name, address, Social Security number, where you grew up, mother’s maiden name – any information they could use to infiltrate your accounts. Passwords are only one way in.

3.) Draft and Send the Phishing Email

When it comes to the email itself, phishing scammers exploit your trust and your emotions, while creating a false sense of urgency compelling you to act before you can think twice.

Phishing emails exploit trust by pretending to be from a credible organization. A capable phisher can send an email that looks just like it came from a legitimate organization. As I mentioned above, you can’t even count on the “from:” line to tell you the truth: it is just text the sender chose, and the checks that mail providers run on it (SPF, DKIM and DMARC) are recorded in headers your mail client normally hides. From there, they’ll take you to a carefully faked website.
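To show what “you can’t count on the from: line” looks like in practice, here is an added example (written for this edit, not code from the original article). It reads a raw email and compares the visible From: domain with two things a sender cannot set so freely: the envelope sender recorded in Return-Path, and the Authentication-Results header that the receiving mail server adds. All three messages, the bank name, the relay hostname and the mail server name are constructed for the example.

```python
"""Compare the visible From: line of an email with headers that are harder
to fake.  Added example for this article; every message, address and server
name below is constructed."""
import email
from email import policy
from email.utils import parseaddr

# Constructed: the visible From: claims the bank, but the envelope sender and
# the receiving server's Authentication-Results say otherwise.
RAW_SPOOFED = """\
Return-Path: <bounce@mail-relay-7.example.net>
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=mail-relay-7.example.net;
 dkim=none;
 dmarc=fail header.from=examplebank.com
From: "Example Bank Security" <alerts@examplebank.com>
To: victim@example.org
Subject: Urgent: your account will be locked

Verify now: https://examplebank.com.secure-login.example/verify
"""

# Constructed: the display name is itself an address; the real one is not the bank's.
RAW_DISPLAY_NAME = """\
Return-Path: <x@mail-relay-7.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mail-relay-7.example.net;
 dkim=pass header.d=mail-relay-7.example.net;
 dmarc=none
From: "alerts@examplebank.com" <x@mail-relay-7.example.net>
To: victim@example.org
Subject: Action required

Please confirm your details.
"""

# Constructed: everything lines up.
RAW_LEGIT = """\
Return-Path: <alerts@examplebank.com>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=examplebank.com;
 dkim=pass header.d=examplebank.com;
 dmarc=pass header.from=examplebank.com
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready

Log in at https://www.examplebank.com/ to view your statement.
"""


def _domain(addr_header: str) -> str:
    """Lower-cased domain of an address such as '<bounce@x.example>'."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def check_sender(raw: str) -> dict:
    """Return one finding per check; 'suspicious' is True if any check fails."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    from_dom = sender.domain.lower() if sender else ""
    display = sender.display_name if sender else ""
    # Authentication-Results is written by the receiving server, not the
    # sender.  A missing header simply counts as "no DKIM pass".
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    rp_dom = _domain(str(msg["Return-Path"] or ""))
    findings = {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        # Envelope sender (what the mail system really used) differs from From:
        "envelope_mismatch": bool(rp_dom) and rp_dom != from_dom,
        # Display name looks like an address but points at a different domain
        "display_name_is_other_address": "@" in display and _domain(display) != from_dom,
        "spf_fail": "spf=fail" in auth,
        "dkim_pass": "dkim=pass" in auth,
        "dmarc_fail": "dmarc=fail" in auth,
    }
    findings["suspicious"] = bool(
        findings["envelope_mismatch"]
        or findings["display_name_is_other_address"]
        or findings["spf_fail"]
        or not findings["dkim_pass"]
        or findings["dmarc_fail"]
    )
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", RAW_SPOOFED), ("display-name", RAW_DISPLAY_NAME), ("legit", RAW_LEGIT)):
        print(label, check_sender(raw))
```

Most mail clients let you view the raw message (often under “show original” or “view source”), which is where these headers live. The second message is the one worth noticing: every authentication check passes, because the scammer sent it honestly from a domain they control; only the display-name trick gives it away.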

One thing they can’t fake? The domain itself. A scammer can’t host a fake login page at your bank’s real domain, but they can register one that looks almost identical: a letter swapped for a digit, an extra word, or your bank’s name placed in front of a domain they actually own. More on this in a minute, but look closely and carefully at URLs before you submit any passwords or personal information online.

Phishing emails exploit your emotions as well. Most frequently, they create a sense of fear. Common phishing approaches will tell you you’re being investigated by the IRS, or that your bank account has been hacked. They’ll sometimes exploit other emotions – the advance fee fraudsters offer an enticing opportunity, for example. The goal of these tricks is to get your emotions to override your intellect, so that you click through without even thinking about it.

Finally, phishing emails exploit a false sense of urgency. They might warn that you’ll get locked out of your bank account unless you act now, for example. Any email that urges you to act immediately should be treated as suspect.

Not all types of phish operate via email. In SMS phishing (sometimes called smishing), for instance, they’ll try to fool you over text messages. Other scammers phish via social media, dating apps, or phone calls. Read more in our article on the Types of Phishing Attacks.

4.) Follow Up

Not all phishing attackers follow up. But many do. Some of these fit the profile of an advanced persistent threat: a person or group that will relentlessly try to infiltrate a target organization. The hackers that infiltrated the Democratic National Committee in 2016, for example, were an advanced persistent threat, and their spear-phishing emails went to individual staff members. Groups like these do target specific people, but usually because of the person’s role or access rather than their personal wealth.

But even low level scammers might send a follow up email to get back on top of your email inbox. Others will follow up with a phone call to put more pressure on you to act on their scam. This technique is sometimes called voice phishing, or vishing.

How to Protect Yourself From Phishing Scams

So how can you protect yourself? Read on for a few quick tips to stay safe online.

Carefully Examine URLs

The best way to guard against phishing is to carefully check any web link someone sends you. If the link is from an organization where you already have an account, you don’t even have to click it at all. Instead, just open a new tab and type in the web address directly. If you go to a website on your own – rather than following a link from someone else – you minimize the risk a phishing email will mislead you to a fake website.

You can also mouse over the link to see where it’s pointing. Hover over the link (on a phone, press and hold it) and look to the bottom corner of your web browser. Read it carefully: one letter might only be a few pixels’ difference, which can be very hard to spot.

If you’re absolutely sure about the URL, you can click through to the website. But this method isn’t quite as safe as navigating to the website on your own.

Picture of mousing over a link to see the URL address.
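The same inspection, in code, as an added example written for this edit rather than taken from the article. Given a link and a short list of domains you genuinely hold accounts with (both constructed here), it extracts the hostname the browser would actually connect to, which is what the status-bar preview shows, and flags the usual tricks: a trusted name placed in front of a domain the scammer owns, one character swapped, an address written before an ‘@’ sign, and internationalized (punycode) domains whose letters only look like ASCII. The “last two labels” rule for the registrable domain is a deliberate simplification, noted in the code.

```python
"""Classify a link by the domain it really points at.
Added example: the URLs and the trusted-domain list are constructed and are
not part of the original article."""
from urllib.parse import urlsplit

# Constructed: domains the reader genuinely holds accounts with.
TRUSTED = {"examplebank.com", "paypal.com"}

# Characters that pass for ASCII letters at a glance.  The Cyrillic entries
# are the classic IDN homograph letters; the digits cover "paypa1"-style swaps.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})

# A constructed homograph host: Latin 'p' + Cyrillic 'а' + 'ypal', in the
# punycode form a browser status bar may show.
IDN_HOST = "p\u0430ypal.com".encode("idna").decode("ascii")


def normalize(text: str) -> str:
    """Map confusable characters onto the letters they imitate."""
    return text.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short, so the simple table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels.  Deliberately naive: production code should consult
    the Public Suffix List so that e.g. 'bank.co.uk' is handled properly."""
    return ".".join(host.split(".")[-2:])


def classify_link(url: str, trusted: set = TRUSTED) -> dict:
    """Return the real host, its registrable domain, a verdict ('trusted',
    'suspicious' or 'unknown') and the reasons behind it."""
    parts = urlsplit(url)
    host = parts.hostname  # lower-cased; port and user:pass@ already stripped
    reasons = []
    if not host:
        return {"host": None, "domain": None, "verdict": "suspicious",
                "reasons": ["no hostname in URL"]}
    if parts.username is not None:
        # https://paypal.com@evil.example/ : the text before '@' is credentials,
        # not the host, and the browser ignores it when deciding where to go.
        reasons.append(f"'{parts.username}' before '@' is not the host")
    if any(label.startswith("xn--") for label in host.split(".")):
        # Punycode label: decode it to the Unicode the browser may render.
        host = host.encode("ascii").decode("idna")
        reasons.append(f"internationalized domain, displays as {host!r}")
    domain = registrable_domain(host)
    if domain in trusted and not reasons:
        return {"host": host, "domain": domain, "verdict": "trusted", "reasons": []}
    for good in sorted(trusted):
        if domain == good:
            continue
        good_label = good.split(".")[0]
        if good_label in normalize(host):
            reasons.append(f"uses the name '{good_label}' but the domain is '{domain}'")
        if levenshtein(normalize(domain.split(".")[0]), good_label) <= 1:
            reasons.append(f"'{domain}' is within one character of '{good}'")
    verdict = "suspicious" if reasons else "unknown"
    return {"host": host, "domain": domain, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for link in ("https://www.examplebank.com/login",
                 "https://examplebank.com.secure-login.example/verify",
                 "https://examp1ebank.com/login",
                 "https://paypal.com@evil.example/",
                 f"https://{IDN_HOST}/login",
                 "https://news.example.org/article"):
        print(link, "->", classify_link(link))
```

The verdict “unknown” is deliberate: a domain that is neither on your list nor imitating something on it is not automatically safe, it is simply one you have no reason to trust yet.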

Safeguard Your Personal Information

If a website asks you to enter in your passwords or personal information, you should step back and think twice before doing so. If you haven’t already, it’s not too late to carefully examine the URL. Even if you have, it never hurts to double check.

Some personal information is more sensitive than others. You’re hopefully aware that giving out your Social Security Number freely is probably a bad idea. But even details like your address, phone number, and birthdate can be repurposed for identity theft. You should only give out this kind of info if you’re sure you’re talking to an organization you trust.

Use a Password Manager

Do you use the same password across multiple websites? If you do, all someone needs is one password and they can break into several of your accounts.

Many cybersecurity professionals encourage people to use a unique, strong password for every site they visit. Older advice also called for changing those passwords on a schedule; current guidance, including NIST’s, is to change a password when you have reason to think it has been exposed, rather than on a fixed timetable.

That can be a lot to remember, which is why I recommend using a password manager. A good one also protects against phishing directly: it offers to fill your bank password only on the domain it saved that password for, so on a lookalike site it fills nothing at all. Because a password manager holds all of your passwords, it should come from a highly trusted company. I encourage you to do your own research to find a password manager that works for you.

Stay Aware

To avoid phishing scams, you’ll have to stay aware of their ever-evolving techniques. The better acquainted you are with common phishing techniques, the more likely you’ll be able to spot them before they hook you.

Don’t know where to start? The next article I’d recommend would be Phishing Email Examples, which provides five examples of common phishing techniques.

Stay vigilant.

About the Author


Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.