Module 01

Phishing Awareness

How to spot deceptive emails, texts, and websites designed to steal your personal information.

What Is Phishing?

Phishing is a type of online deception where an attacker pretends to be someone you trust — your bank, your employer, a shipping company, the government — in order to trick you into handing over sensitive information like passwords, credit card numbers, or your Social Security number. Despite the name sounding technical, phishing is really just a confidence trick carried out through digital channels. There is no sophisticated hacking involved. The attacker's only tool is your trust.

Think of it this way: imagine someone slipped a fake letter into your mailbox that looked exactly like an official notice from your bank. The letterhead is right, the tone sounds professional, and it says there's a problem with your account that needs immediate attention. It asks you to call a phone number and verify your account details. If you called, you would be speaking to a scammer — not your bank. That is phishing, except it happens through email, text messages, phone calls, and fake websites instead of paper letters.

Phishing works because it exploits basic human psychology, not technical weaknesses. Attackers rely on three emotions: urgency (act now or something bad will happen), trust (this message appears to come from a legitimate source), and fear (your account has been compromised, your package can't be delivered, your tax refund is on hold). When you are in a hurry or worried, you are far less likely to slow down and examine whether a message is legitimate. That is exactly what the attacker is counting on.

Phishing is not a niche problem. According to the FBI's Internet Crime Complaint Center, phishing is consistently the number one type of cybercrime reported each year, with hundreds of thousands of complaints filed annually. It is the starting point for the vast majority of data breaches, ransomware infections, and identity theft cases. If an attacker wants to break into a company, they almost never start by trying to hack a firewall — they start by sending a convincing phishing email to an employee.

The reason phishing is so effective is that the messages are getting better every year. Early phishing emails were easy to spot: broken English, absurd claims, obviously fake logos. Modern phishing emails can be nearly indistinguishable from real messages. Attackers research their targets, copy exact email templates from real companies, register lookalike domain names, and even personalize messages with your real name and recent activity. Some use AI tools to generate flawless, professional-sounding text.

The good news is that phishing has patterns. Once you learn to recognize the common tactics, you can spot the vast majority of phishing attempts before they do any damage. That is exactly what this module will teach you — the specific red flags to look for, the questions to ask yourself, and the habits to build so you never fall for a phishing attack.


How to Spot a Phishing Email

The best way to understand phishing is to see it in action. Below is an example of a phishing email. Read through it, and then we will break down every red flag.

phishing-example.eml
From:  Chase Bank <security@chase-alerts-verify.com>
To:  you@email.com
Subject:  ⚠️ Urgent: Unusual Activity on Your Account
 
Dear Customer,
 
We have detected unusual activity on your Chase
account. For your saftey, your account has been
temporarily limited. Please verify your identity
within 24 hours to restore full access.
 
→ Click here to verify: chase-secure-login.com/verify
 
If you do not verify within 24 hours, your
account will be permanently suspended.
 
Thank you,
Chase Security Team

This email looks alarming at first glance. But every element has been carefully crafted to manipulate you. Let's break down the red flags one by one:

1. Check the sender's actual email address

The display name says "Chase Bank," but the actual email address is security@chase-alerts-verify.com. That is not a Chase domain. The real Chase domain is chase.com. Attackers register domains that look related — like "chase-alerts-verify.com" or "chase-security.net" — but they are completely separate websites controlled by the attacker. Always look at the full email address, not just the name that appears in bold. On a phone, you may need to tap the sender's name to reveal the full address.

2. Look for generic greetings

The email says "Dear Customer" instead of using your actual name. Your real bank knows your name and will almost always use it. A generic greeting like "Dear Customer," "Dear Account Holder," or "Dear User" is a strong indicator that this email was sent to thousands of people at once, not specifically to you. Some sophisticated phishing attacks do include your name — which they can get from data breaches or social media — but a generic greeting is always a warning sign.

3. Urgency and threats

"Your account will be permanently suspended" if you don't act within 24 hours. This is a textbook pressure tactic. The goal is to make you panic and click before you think. Real banks do send alerts about suspicious activity, but they will never threaten to permanently close your account if you don't click a link within a day. If you are ever worried about your account, do not click the link — instead, open a new browser tab and go directly to your bank's website, or call the number on the back of your card.

4. Spelling and grammar errors

Look closely: the email says "saftey" instead of "safety." While modern phishing emails are getting better, many still contain subtle spelling mistakes, awkward phrasing, or unusual formatting. Legitimate companies have teams of copywriters and quality assurance processes. A misspelling in an official security alert is a red flag. That said, do not rely on this alone — some phishing emails are grammatically perfect.

5. Suspicious links

The link in the email points to "chase-secure-login.com/verify." That is not chase.com. Before clicking any link in an email, hover your mouse over it (or long-press on a phone) to preview the actual URL. The real destination is often completely different from what the link text says. If the domain does not exactly match the company's official website, do not click it. Even one extra word or hyphen in the domain means it is a different website entirely.
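To make red flags 1, 2 and 5 concrete, here is a small checker (an added example, not part of the original module) that applies the sender-domain, greeting and link-domain checks to the sample email above. The OFFICIAL_DOMAINS table, the two constructed messages and the hostnames in them are assumptions for illustration.

```python
"""Added example: apply the module's sender, greeting and link checks to a
constructed copy of the sample phishing email."""
import re
from email.utils import parseaddr

# Assumed lookup: brand name claimed in the display name -> the domain that
# company really uses (the module states chase.com is the real Chase domain).
OFFICIAL_DOMAINS = {"chase": "chase.com"}

# Constructed sample, matching the phishing message shown in the module.
PHISHING_EMAIL = """\
From: Chase Bank <security@chase-alerts-verify.com>
To: you@email.com
Subject: Urgent: Unusual Activity on Your Account

Dear Customer,
Please verify your identity: https://chase-secure-login.com/verify
"""

# Constructed legitimate-looking message for comparison (hostnames assumed).
LEGIT_EMAIL = """\
From: Chase <no-reply@alerts.chase.com>
To: you@email.com
Subject: Your statement is ready

Dear Jane,
Sign in at https://secure.chase.com/ to view it.
"""

def is_official(host: str, official: str) -> bool:
    """True only for the official domain or a subdomain of it.
    secure.chase.com passes; chase-secure-login.com does not, and neither
    does chase.com.example.net (the brand appears, but not as the domain)."""
    host = host.lower().rstrip(".")
    return host == official or host.endswith("." + official)

def find_red_flags(raw: str) -> list[str]:
    """Return the red flags found in a raw email, in the module's order."""
    flags = []
    m = re.search(r"^From:\s*(.+)$", raw, re.MULTILINE)
    display, addr = parseaddr(m.group(1)) if m else ("", "")
    sender_host = addr.rpartition("@")[2]
    # Which brand does the display name claim to be?
    claimed = [d for b, d in OFFICIAL_DOMAINS.items() if b in display.lower()]
    official = claimed[0] if claimed else None
    # Red flag 1: the address behind the display name is not the brand's domain.
    if official and not is_official(sender_host, official):
        flags.append(f"sender domain {sender_host!r} is not {official!r}")
    # Red flag 2: generic greeting instead of the recipient's name.
    if re.search(r"^Dear (Customer|User|Account Holder)", raw, re.MULTILINE):
        flags.append("generic greeting")
    # Red flag 5: link destinations outside the claimed brand's domain.
    for url_host in re.findall(r"https?://([^/\s]+)", raw):
        if official and not is_official(url_host, official):
            flags.append(f"link to {url_host!r} is not {official!r}")
    return flags
```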

6. Unexpected attachments

While this example does not include an attachment, many phishing emails do. They might attach a "receipt," "invoice," "shipping label," or "document to review." These attachments can contain malware that installs itself on your computer when you open them. If you were not expecting an attachment, do not open it — even if it appears to come from someone you know. Their account may have been compromised.

7. Requests for personal information

No legitimate company will ever ask you to verify your password, Social Security number, PIN, or full credit card number by email or text. If a message asks you to "confirm" or "verify" this type of information through a link, it is almost certainly phishing. Your bank already has your information — they do not need you to send it again over email.

Quick rule
When in doubt, do not click. Go directly to the company's website by typing the address into your browser, or call them using a phone number you find independently — never use a number provided in the suspicious message itself.

Beyond Email: Smishing and Vishing

Phishing is not limited to email. Attackers use every communication channel available to them, and two of the most common alternatives are text messages and phone calls. These methods can be even more effective than email because people tend to trust their phones more than their inboxes.

Smishing: Text Message Phishing

Smishing (SMS + phishing) is when attackers send deceptive text messages to your phone. These messages typically impersonate delivery companies, banks, or government agencies and include a link that leads to a fake website. Because text messages are short and we read them quickly, smishing can be harder to spot than email phishing.

Common smishing examples include messages like: "USPS: Your package could not be delivered. Schedule redelivery here: [link]" or "Wells Fargo Alert: Unusual sign-in detected. Verify your account: [link]" or "IRS: You are eligible for a $1,200 stimulus payment. Claim now: [link]." These messages work because they reference things you might actually be waiting for — a package, a bank alert, a tax refund. The links lead to fake websites that look identical to the real ones, where they collect your login credentials or personal information.

A particularly effective smishing tactic involves fake two-factor authentication codes. You receive a text that says something like "Your verification code is 847291. If you did not request this code, click here to secure your account." The attacker is actually trying to log into your account and needs you to hand over the real code — or to click the link and enter your credentials on a fake site. Never click links in text messages about security codes you did not request.

Vishing: Phone Call Phishing

Vishing (voice + phishing) uses phone calls instead of written messages. The caller pretends to be from a trusted organization — the IRS, your bank's fraud department, Microsoft tech support, or even local law enforcement. Using caller ID spoofing, they can make it appear that the call is coming from a legitimate phone number, which makes the deception even more convincing.

One of the most common vishing scams is the "IRS phone call." The caller claims to be an IRS agent, says you owe back taxes, and threatens immediate arrest or legal action unless you pay immediately — often by gift card, wire transfer, or cryptocurrency. The real IRS will never call you to demand immediate payment, threaten you with arrest, or ask for payment by gift card. They communicate primarily through postal mail.

Tech support scams are equally common. You receive a call (or a pop-up on your computer) claiming that your device has been infected with a virus. The "technician" asks you to grant remote access to your computer so they can "fix" the problem. Once they have access, they can install malware, steal files, or lock you out of your own machine and demand payment. Microsoft, Apple, and Google will never call you unsolicited about a virus on your computer.

Bank impersonation vishing is particularly dangerous. The caller says they are from your bank's fraud department and that there has been suspicious activity on your account. They ask you to "verify" your identity by providing your account number, PIN, or the one-time security code that was just texted to you. In reality, the attacker is trying to access your account in real time and needs those details to complete the login. If you ever receive a call like this, hang up and call your bank directly using the number on your card or statement.

Key difference
With smishing and vishing, the pressure to act quickly is even stronger because phone interactions feel more personal and immediate than email. The same rules apply: never give out personal information in response to an unsolicited contact, and always verify by reaching out to the organization directly through a channel you trust.

What Happens If You Click?

Understanding what actually happens after a successful phishing attack helps you see why prevention matters. This is not about fear — it is about knowing the real, concrete chain of events so you can appreciate why a few seconds of caution can save you weeks or months of recovery.

Credential theft

The most common outcome of clicking a phishing link is landing on a fake website that looks identical to a real login page. When you enter your username and password, that information goes directly to the attacker. They now have your credentials. If you use the same password on other accounts — which most people do — the attacker will try those credentials on every major service: your email, bank, social media, Amazon, PayPal, and more. This is called credential stuffing, and it often happens within minutes of the initial theft, frequently through automated tools that can test hundreds of sites simultaneously.

Malware installation

Some phishing links do not lead to fake login pages. Instead, they trigger a download — a file that installs malicious software on your device. This malware can take many forms: a keylogger that records every keystroke you make (capturing passwords, messages, and credit card numbers as you type them), ransomware that encrypts all your files and demands payment to unlock them, or spyware that silently monitors your activity and sends data back to the attacker. In many cases, you will not notice anything unusual at first. The malware operates quietly in the background.

The identity theft chain reaction

Once an attacker has access to your email account, the damage can cascade rapidly. Your email is the master key to your digital life because it is how you reset passwords for every other account. With email access, an attacker can reset your banking passwords, change recovery information so you cannot regain control, send phishing emails to your contacts (who will be more likely to trust messages that appear to come from you), access tax documents and file fraudulent returns in your name, open new credit cards or loans using your personal information, and redirect important correspondence so you do not notice what is happening.

This chain reaction can unfold in hours. A single compromised email account can lead to drained bank accounts, fraudulent credit lines, a destroyed credit score, and months of paperwork to undo the damage. The average victim of identity theft in the United States spends over 200 hours resolving the issue, and the financial impact can linger for years.

The point is not to terrify you. It is to illustrate that a phishing email is not just an annoyance you can ignore — it is the first step in a chain of events that can have serious, lasting consequences. The good news: the entire chain breaks if you simply do not click the link or enter your credentials. That is why awareness is so powerful.


What to Do If You've Been Phished

If you think you have fallen for a phishing attack — you clicked a link and entered your credentials, opened a suspicious attachment, or gave information to someone on the phone — do not panic. The faster you act, the more damage you can prevent. Here is exactly what to do, step by step:

1. Change your passwords immediately

Start with the account that was directly compromised. If you entered your email password on a fake site, change your email password right now. Then change the password for any other account that uses the same or a similar password. Use a different device if possible — if you opened a malicious attachment, your current device may be compromised.

2. Enable multi-factor authentication (MFA)

If you have not already enabled MFA on your accounts, do it now — especially on your email and banking accounts. MFA adds a second layer of protection so that even if someone has your password, they cannot access your account without also having your phone or authentication device. We cover this in detail in Module 02.

3. Check your bank and credit card statements

Look for any transactions you do not recognize. Even small charges can be a sign — attackers sometimes make small test purchases before attempting larger ones. If you see anything suspicious, contact your bank immediately. Most banks have 24/7 fraud hotlines and will freeze your card while they investigate.

4. Report the incident

If this happened at work, contact your IT or security team immediately — even if you are embarrassed. They need to know so they can prevent the attack from spreading to others. If it happened on a personal account, report the phishing attempt to the organization that was impersonated (most companies have a dedicated phishing report email, like phishing@chase.com or reportphish@apple.com).

5. File a report with the FTC

In the United States, report online fraud at reportfraud.ftc.gov. If you believe your identity has been stolen, go to identitytheft.gov — this is a free government resource that will walk you through a personalized recovery plan, help you dispute fraudulent charges, and provide pre-written letters to send to companies and credit bureaus.

6. Place a fraud alert or credit freeze

Contact one of the three major credit bureaus (Equifax, Experian, or TransUnion) to place a fraud alert on your credit report, which makes it harder for someone to open new accounts in your name. For stronger protection, you can request a credit freeze, which blocks new credit applications entirely until you lift it. Both are free.

Recovery from a phishing attack is very possible, especially when you act quickly. The most important thing is to not let embarrassment stop you from seeking help. Phishing works on millions of people every year, including security professionals. The moment you realize something is wrong, you have the power to limit the damage.


What to Do Right Now

You do not need to become a cybersecurity expert to protect yourself from phishing. These seven actions take less than 30 minutes total and will make you dramatically harder to fool:

Your phishing defense checklist
  1. Check your email settings. Open your email app and find where it shows the full sender address (not just the display name). Practice expanding the sender details on a few recent emails so it becomes second nature.
  2. Practice hovering over links. Before clicking any link in an email, hover your mouse over it to preview the destination URL. On a phone, long-press the link instead. Do this right now on a few emails in your inbox to build the habit.
  3. Set up a phone rule. Make it a personal policy: if anyone calls you claiming to be from a bank, government agency, or tech company, hang up and call the organization back using a number from their official website or your account statement. Write this rule on a sticky note and place it near your phone.
  4. Enable multi-factor authentication on your email account. Your email is the master key to every other account. Protecting it with MFA is the single highest-impact security step you can take. See Module 02 for a step-by-step guide.
  5. Report your first phishing email. Next time you receive a suspicious email, report it. In Gmail, click the three dots and select "Report phishing." In Outlook, right-click and select "Report" then "Phishing." This helps email providers block the attacker.
  6. Bookmark the real login pages for your bank and important accounts. Instead of clicking links in emails, always use your bookmarks to access sensitive sites. This eliminates the risk of landing on a fake page.
  7. Share this module with one person. The most common victims of phishing are people who have never been told what to look for. Send this page to a family member, friend, or coworker. Knowledge spreads the same way phishing does — one person at a time.