What Is Phishing: Types, Stages and Tips to Avoid Phishing Attack

Kim Porter
Updated July 29, 2020

While many people associate phishing attacks with emails gone wrong, there are several ways scammers can reel in a victim and fraudulently snatch their information.

Using emails, text messages or phone calls, phishing is “any attempt to lure you into clicking on a link and downloading something or providing private, personal information that usually leads to identity theft,” said Steve Weisman, an expert in cybersecurity and founder of Scamicide.com. It’s “the perfect storm for scammers,” Weisman said, because it’s easy to do, doesn’t require much cost and is often effective. Here’s how to spot these types of scams and how to avoid losing your cash or your identity.

What is phishing?

Phishing is a type of message that seems to be from a person or company you know. Vishing is the telephone version of phishing, while messages that come in the form of texts are called smishing.

No matter the platform, the message is crafted to get you to open an attachment, click on a link, or divulge personal information, such as passwords, bank account numbers or your Social Security number. Once the criminal has that information, they could gain access to your email, bank or other accounts and steal money.

3 most common forms of phishing

Scammers launch successful phishing attacks every day, stealing more than $48 million from victims in 2018 alone, according to the FBI’s Internet Crime Complaint Center. Some forms of phishing include:

Deceptive phishing

Deceptive phishing is generally any attack in which a fraudster impersonates a legitimate business or person in hopes of stealing a victim’s money or identity. These messages aren’t personalized to the victim. For example, they may start with “Dear customer.”

Spear phishing

Spear phishing is an attack in which scammers customize phishing attacks with personal information, usually gleaned online. In these cases, the recipient may be more willing to believe they have a connection with the sender.

CEO fraud

CEO fraud is a phishing attack in which the fraudster steals an executive’s login credentials, impersonates the executive and uses the stolen identity to carry out fraudulent wire transfers.

How phishing attacks work

Like an angler casting a fishing line, a scammer will carry out a phishing attack in three stages: bait, hook and catch.

3 stages of a phishing attack

Bait

The scammer tries to trick you with a lie by using familiar company names or pretending to be someone you know. Urgent language will pressure you to act now. For example, the message might claim there’s a problem with your PayPal account that you must rectify quickly.

Hook

The scammer will ask you to click on a provided link, open an attachment or provide details about your account—but if you do so, you’ll be hooked. The link or attachment might download malware, for example, or you’ll be taken to a fake website that harvests your banking username and password.

Catch

Once the scammer has your information or has accessed your account, he’ll use it for nefarious reasons, such as draining your bank account.

What does a phishing email look like?

Some phishing scams look very real, so you might have to look closely. Phishing messages often have these factors in common:

  • The sender’s email address or phone number has been spoofed.
  • The message is missing your name, or the person calling on the phone doesn’t have your information.
  • You don’t actually have an account with this particular company.
  • The spelling or grammar is off.
  • You’re asked to click links, open attachments or supply personal information.
  • The message or caller uses urgent language to get you to act now.

Here’s an example of a phishing email attempt:

Phishing email example
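The checklist above can be turned into simple mail-filter logic. The following is an added example, not code from the original article: it parses a constructed sample message and reports which of the listed warning signs it shows (spoofed-looking sender, mismatched Reply-To, generic greeting, urgent language, and a link whose visible text names a different domain than its target). The brand list, keyword lists and sample message are all constructed for illustration.

```python
"""Flag phishing indicators in an email message (added example)."""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed lists for illustration; a real filter would be far broader.
BRANDS = ("paypal", "amazon", "microsoft")
URGENCY = ("act now", "immediately", "within 24 hours", "suspended", "verify your account")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")

def domain_of(addr: str) -> str:
    """'Name <user@host>' -> 'host'."""
    return addr.rsplit("@", 1)[-1].strip("> ").lower()

def phishing_indicators(raw: bytes) -> list[str]:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    from_hdr = str(msg["From"] or "")
    from_dom = domain_of(from_hdr)
    labels = from_dom.split(".")
    sld = labels[-2] if len(labels) >= 2 else from_dom  # e.g. "paypal" in paypal.com
    # Spoofing signal: display name claims a known brand, sending domain is not that brand
    display = from_hdr.split("<")[0].strip(' "').lower()
    brand = next((b for b in BRANDS if b in display), None)
    if brand and brand != sld:
        hits.append("display-name/domain mismatch")
    reply_to = msg["Reply-To"]
    if reply_to and domain_of(str(reply_to)) != from_dom:
        hits.append("reply-to domain differs from sender")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    low = text.lower()
    if any(g in low for g in GENERIC_GREETINGS):
        hits.append("generic greeting")
    if any(u in low for u in URGENCY):
        hits.append("urgent language")
    # Link text shows one domain while the href points somewhere else
    for href, label in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', text, re.I | re.S):
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", label.lower())
        if shown and shown.group(0) != urlparse(href).hostname:
            hits.append(f"link text {shown.group(0)} -> {urlparse(href).hostname}")
    return hits

# Constructed sample message with the hallmarks described in the article.
SAMPLE = b"""From: "PayPal Support" <alerts@paypal-secure-login.example>
Reply-To: recovery@mail-verify.example
To: victim@example.com
Subject: Your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer,</p>
<p>There is a problem with your PayPal account. Verify your account within 24 hours.</p>
<p><a href="http://paypal-secure-login.example/login">https://www.paypal.com/signin</a></p>
</body></html>
"""

if __name__ == "__main__":
    for hit in phishing_indicators(SAMPLE):
        print("-", hit)
```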

How to protect yourself against a phishing attack

Email providers can help you keep unwanted messages from flooding your inbox, but scammers are always trying to outsmart these filters. Here are a few ways you can protect yourself from phishing attacks:

Use security software

Protect your computer and smartphone by setting up automatic security updates.

Use multifactor authentication

This option requires you to supply two or more credentials to log in to an account. For example, an email provider will ask for your password plus one more piece of information, such as a passcode or a scan of your face or thumbprint. If a criminal does get your username or password, multifactor authentication will make it harder to get into your account.

Back up your computer and phone data

Copy your computer files to an external hard drive or cloud storage. If they’re compromised in a phishing attack, you’ll be able to recover them.

Watch what you share online

Posting your thoughts and shared interests is what social media is all about—but it’s also a good way for criminals to find out more about you and use that information in a spear phishing attack. Update your privacy settings and try not to share “TMI.”

Don’t engage with suspicious emails or text messages

Don’t click links, open attachments or respond to requests for personal information unless you’re sure you’re working with a legitimate company. You can use an email lookup or a reverse phone service to possibly uncover who’s sending those messages or calling from a particular number.

Don’t answer unknown phone calls

A scammer may spoof a phone number to make it look familiar, so it’s best to let calls from unknown numbers go to voicemail and use a reverse phone service to check the number.

You can report suspicious emails by forwarding them to the Federal Trade Commission at spam@uce.gov and to the Anti-Phishing Working Group at reportphishing@apwg.org. If you received a phishing text message, forward it to SPAM (7726). Also report the phishing attack to the FTC at ftc.gov/complaint.


A little caution can go a long way toward protecting yourself from a phishing attack, whether it’s from a phone call, text message or email.

Because scammers are crafty, Weisman said, “you’ve got to have the state of mind to never provide personal information or click on the link unless you confirm it’s absolutely legitimate. If you do that, you’ve inoculated yourself from 99% of the scams in the world.”

Disclaimer: The above is solely intended for informational purposes and in no way constitutes legal advice or specific recommendations.