What Is Phishing?
Phishing is a social engineering attack where criminals impersonate a trusted entity — your bank, Amazon, Microsoft, the IRS, a coworker — to trick you into revealing credentials, clicking a malicious link, or transferring money. It's the #1 entry point for ransomware, account takeovers, and financial fraud.
Phishing arrives most commonly via email, but also through text messages (smishing), phone calls (vishing), social media messages, and fake websites that appear in search results or ads.
How to Spot a Phishing Attempt
Mismatched Sender Address
The display name says "Amazon" but the actual address is amazon-support@randomdomain.com. Always check the full email address, not just the display name.
Urgency and Threats
"Your account will be closed in 24 hours," "Immediate action required," "Your payment failed." Legitimate organizations don't threaten account closure via unexpected email.
Suspicious Links
Hover over any link before clicking — the URL that appears in the bottom bar should match the organization's real domain. amazon.account-verify.com is NOT Amazon.com.
Requests for Credentials or Payment
No bank, Microsoft, Apple, or government agency will ever ask for your password, gift card numbers, or wire transfer via an unsolicited email or phone call.
Unexpected Attachments
An invoice, shipping notice, or document from someone you weren't expecting to hear from. Opening these can execute malware even if the file appears legitimate.
Poor Grammar/Spelling
Many phishing emails contain subtle grammar errors, odd phrasing, or mixed fonts — signs of hastily assembled or machine-translated content.
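The sender-address and link checks described above can also be automated. The following is an added example, not part of the original article: a short Python sketch that compares the brand named in a display name or link host with the domain it actually belongs to. The BRAND_DOMAINS list, the function names, and the sample message are assumptions made up for illustration, and the brand detection is a simple substring match.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed allow-list for this example: brand name -> domains it really uses.
BRAND_DOMAINS = {"amazon": {"amazon.com"}, "microsoft": {"microsoft.com"}}

def host_belongs_to(host, domain):
    """True only for the domain itself or a true subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def claimed_brand(text):
    """First known brand name appearing in text (simple substring match)."""
    lowered = text.lower()
    return next((b for b in BRAND_DOMAINS if b in lowered), None)

def mismatch(brand, host):
    """True when a brand is named but host is not under any of its domains."""
    return brand is not None and not any(
        host_belongs_to(host, d) for d in BRAND_DOMAINS[brand])

def check_sender(from_header):
    """Compare the brand in the display name with the real address domain."""
    display, addr = parseaddr(from_header)
    brand = claimed_brand(display)
    if mismatch(brand, addr.rpartition("@")[2]):
        return f"display name claims {brand} but address is {addr}"
    return None

def check_link(url):
    """Compare the brand named in a link's host with the domain it sits under."""
    host = urlsplit(url).hostname or ""
    brand = claimed_brand(host)
    if mismatch(brand, host):
        return f"link host {host} names {brand} but is not under its domain"
    return None

def review(from_header, urls):
    """Return every warning for one message's sender and links."""
    findings = [check_sender(from_header)] + [check_link(u) for u in urls]
    return [f for f in findings if f]

if __name__ == "__main__":
    # Constructed sample message, built from the article's two examples.
    sample_from = "Amazon <amazon-support@randomdomain.com>"
    sample_urls = ["https://amazon.account-verify.com/login",
                   "https://www.amazon.com/orders"]
    for warning in review(sample_from, sample_urls):
        print("WARNING:", warning)
```

The comparison is made on the end of the host name, so a brand name placed at the front of an unrelated domain is still flagged.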
If You Clicked a Phishing Link
Don't panic — but act quickly. What happens next depends on what you did after clicking:
You Just Clicked the Link (Didn't Enter Anything)
- Close the browser tab immediately.
- Run a malware scan with Malwarebytes — some links trigger drive-by downloads that install malware silently.
- Update your browser and OS — exploits often target known vulnerabilities in unpatched software.
- Monitor the affected accounts for unusual activity for the next 30 days.
You Entered Your Password or Credentials
- Immediately change the password for that account from a different device.
- Enable two-factor authentication (2FA) on the account if not already active.
- Check the account's recent activity for unauthorized access or changes.
- Change the same password anywhere else you used it — reused passwords mean multiple accounts are compromised.
- If it was your email password, every account whose "Forgot password?" reset goes to that email address is now potentially compromised. Change the most sensitive accounts first (banking, email itself, Apple/Google ID).
You Entered Payment Information
- Call your bank or card issuer immediately to report potential fraud and freeze the card.
- File a report at reportfraud.ftc.gov (US Federal Trade Commission).
- Monitor your statements for unauthorized charges — dispute anything suspicious immediately.
If you opened an attachment that triggered unfamiliar programs, popups, or a ransom demand — disconnect from the internet immediately and bring the machine to us. Ransomware begins encrypting files the moment it launches. Time is critical.
How to Report Phishing
- Email providers: Gmail, Outlook, and Apple Mail all have "Report phishing" options — use them to help train filters and protect others
- FTC: reportfraud.ftc.gov
- CISA: report@phishing.gov for government-impersonation attacks
- Your IT department: If on a work computer, report immediately — security teams need to know if credentials were harvested
Protecting Yourself Going Forward
- Enable 2FA on every important account — even if credentials are stolen, 2FA blocks account access
- Use a password manager so every account has a unique password — one breach doesn't cascade into many
- Verify unexpected requests through a separate channel — call the bank's official number, not one in the email
- Keep your browser, OS, and antivirus updated — this patches the vulnerabilities phishing links try to exploit
Think you've been compromised? Bring the machine in. We run a full forensic scan, identify any malware dropped by phishing links, remove it, and help you secure your accounts before further damage occurs.