News Center
01/05/2024|Products & Plans|Privacidad y seguridad

Anatomy of a phishing attack

The best defense against phishing attacks? Knowing what to watch for—and what to do if you’re targeted.

Cybersecurity Glossary

Full Transparency

Our editorial transparency tool uses blockchain technology to permanently log all changes made to official releases after publication. However, this post is not an official release and therefore not tracked. Visit our learn more for more information.

Descubre más

An unexpected text message arrives on your phone. It reads: “Your package has arrived but could not be delivered. Please click to confirm your address.” And it includes a link to what looks like a familiar delivery company’s website. But when you take a closer look at the text message, the phone number is not one you recognize. Or perhaps you receive an email that looks like it comes from your bank, with a subject line that says “URGENT: Payment overdue.” How could this be? You see that there’s also an attachment called “invoice.” But in the email, the sender’s email address misspells your bank’s name.

These are just two examples of what phishing attacks could look like. In both instances, bad actors may be trying to get you to provide sensitive information such as credentials, passwords, account information or some other personal information—or perhaps even download malware (malicious software meant to disrupt or steal data) onto your device that might, for example, seek out confidential personal or corporate information.

How can you spot phishing attacks—and what should you do if you’re targeted by one?

What is a phishing attack, really?

A phishing attack is when bad actors impersonate legitimate institutions as a way to get potential victims to share sensitive data such as passwords, bank or credit card information and Social Security numbers. It’s a type of social engineering: When perpetrators pretend to be something they’re not (such as a company, an authority figure or family member) and use psychological manipulation or social pressure to get users to click links or divulge information because they think it’s for a legitimate request. The perpetrator’s attempt to contact you can happen via email, text or even a phone call.

Phishing attacks are becoming increasingly common: The FBI’s Internet Crime Complaint Center lists it as the most reported complaint in 2022.

You might hear other terms used to describe specific types of phishing attacks:

  • Smishing is a phishing attack done via SMS/text messaging.

  • Vishing is a phishing attack done via voice/phone calls. (For example, calling a potential victim and impersonating a customer care representative.)

  • Spear phishing is a phishing attack directed at a specific person such as a network administrator, a wealthy individual or a C-suite executive (which is also known as “whaling”) with access to highly sensitive information about that person. While most phishing attacks happen in huge numbers, and messages are sent to as many people as possible in hopes that one will respond, spear phishing perpetrators spend time studying their specific targets to try to pinpoint a vulnerability before reaching out.

How to identify a phishing attack

Most phishing attacks can be identified through a few common features, listed below. When in doubt, delete the message—do not click any attachments or links, do not share any information and do not respond. If it’s a voice call, end the call immediately.

  • Scare tactics and urgent messages or subject lines. The “URGENT: Payment overdue” subject line mentioned earlier is an example—bad actors want you to think that there’s some kind of problem with your account that needs immediate attention. Vishing attacks might say that they’ve identified fraud on your credit card or that you’re in trouble with the IRS.

  • Unprompted calls from “customer service.” Beware of unsolicited calls from “customer care agents,” or from a “billing” or “fraud” department, that ask you for help to access your account or to provide them with sensitive account information. If you’re at all suspicious, hang up and then call the publicly listed customer care number of the company in question (not the number given by the caller) to report the incident. Note: Verizon will never proactively contact a customer asking for sensitive information such as a password,account PIN or to perform authentication.

  • Lookalike or misspelled web or email addresses. A lookalike URL in a link or a misspelled email address is a sure sign of trouble. Remember, you can hover your cursor over a link without clicking to see the actual URL in the link. One example given by Phishing.org: a misspelled link using “bankofarnerica.com” that could look correct at a quick glance; clicking such a link could take you to a malicious site.

  • Suspicious attachments. Any unsolicited email attachment should be viewed as a warning sign. If the email is from an unknown sender, you didn’t ask for the attachment or the attachment doesn’t make sense in the context of the message, don’t open the file.

  • Impersonal greetings or bad phrasing. Beware of messages starting with “Dear user”—most organizations that you have accounts with know your name and it’s easy to personalize an email greeting. Also be cautious with messages that use odd phrasing or words that are out of context (for example, “we sincerely ask that you reconfirm the follow link”). And stay alert—new generative AI tools that make it easy to create readable copy could make these issues harder to spot in the future.

  • Anything strange. The tactics that perpetrators use are continuously evolving, so keep an eye out for anything that seems out of place, even if it isn’t on the list above.

Verizon has put together a list of helpful phishing attack email examples as well as smishing examples—take a look to familiarize yourself with what’s out there now.

What to do next

Let’s go back to the start of our story with the text message and the fake “invoice.” What should you do if you clicked the link or the file before you took a closer look and spotted that they were problems?

  1. Do not share any additional information. If the link or file takes you to a site asking for more details, do not share those details. Ignore the request and close your browser.

  2. Stop doing anything online that involves passwords or sensitive information until your device is cleared. If the attack happened on a work device, alert your IT department immediately for help. If it’s a personal device, move on to step 3.

  3. Protect your personal information. You should also take action to protect your personal accounts—including changing passwords and PINs, monitoring or freezing your credit report and reviewing your accounts for any fraudulent transactions. See “Your post-data-breach action list ” for what to do.

  4. Update your operating system and your security software. Make sure the operating system on the device in question is as up-to-date as possible, which can help minimize security vulnerabilities. Then perform a scan with your security software. Don’t have security software? Your work IT department might be able to make recommendations, or you can search reviews online—from another device if possible—for trusted security software applications and then install the latest version.

  5. If possible, scan for malware using security software. Delete anything identified as a problem and/or delete any apps or files that you don’t recognize or that were installed after clicking on the malicious message. Restart your device and scan again. Continue to scan until the device is clear. If your device can’t be cleared, consider the next step.

  6. Get help from a professional. In some situations, you may continue to have issues, or your device may not function as it did previously. In those cases, you might consider getting help from a service like Verizon’s Mobile Secure, which offers 24/7 premium tech support, as well as other benefits.

  7. Restore from a backup. In some worst-case situations, you may need to completely erase your device and reinstall your operating system and files from a backup that was made before you downloaded any malware. (Note: Verizon Cloud can provide secure storage and allows for easy automatic backups.)

Remember, phishing is common and perpetrators are hoping to catch you with your guard down. But most companies will never proactively reach out to you. And Verizon will never proactively contact a customer asking for sensitive information such as a password, account PIN or to perform authentication.

So keep it simple: Trust your gut. When in doubt, hang up, delete the message and contact the respective company directly.

If you receive a suspicious text message claiming to be from Verizon, please forward it to us right away at S-P-A-M (7726). You can also report it to the Federal Trade Commission.

Related Articles

Fighting password fatigue: how to secure your digital life
11/15/2023
The passwords that protect our online identities and accounts are hard to manage—and often easy for others to guess. Here’s how to regain control and fight password fatigue.
What you need to know about multi-factor authentication
11/15/2023
Passwords help keep our sensitive information safe, but multi-factor authentication can add powerful layers of protection. Here’s how it works.