Phishing 101

Overview

You open your inbox and see an email that looks like it came from your bank asking you to click a link to "verify your identity." It looks authentic, but it is a carefully crafted deception. This is phishing-a form of social engineering where attackers impersonate a trusted entity to steal your secrets. The Impact: Financial Loss: Unauthorized bank transfers. Identity Theft: Using your name to take out loans. Malware: Using links to "lock" your computer for ransom.

This chapter explains what phishing is, how attackers use it, and the concrete steps you can take right now to protect yourself. You will learn how to recognize common signs, how to respond safely, and how to limit damage if an attack succeeds. The chapter focuses on practical actions you can follow immediately.

Core Content

What is phishing (in plain terms)

• Phishing is a deliberate attempt to trick you into giving up private information-passwords, bank details, or access to devices-by pretending to be someone you trust. Attackers use emails, text messages, phone calls, and fake websites to make the deception believable.

Why phishing works

• Attackers exploit normal human reactions: urgency, curiosity, fear, or helpfulness. When a message pressures you to act fast or promises something attractive, you become more likely to click without checking. Understanding this "why" helps you slow down and apply the checks below.

Recognize common phishing traits (do these checks for every suspicious message)

1. Check the sender address: Open the message headers or expand the sender details. If the domain looks odd (extra words, misspellings, or a public email service where a company would use a corporate domain), treat it as suspicious. Do not click links before you verify.

2. Hover links before you click: Move your mouse over a link (or long-press on mobile) to reveal the real destination. If the visible URL differs from the displayed text or goes to a strange domain, don’t click.

3. Look for mismatched branding: Logos and fonts can be copied, but poor image quality, unusual wording, or a greeting that uses generic terms like "Dear customer" are red flags.

4. Watch for urgent or threatening language: Messages demanding immediate action to avoid account closure or loss often aim to rush you into mistakes.

5. Verify via another channel: If a message claims to be from your bank or a service you use, call the official number printed on your statement or go to the verified website manually. Do not use contact details provided in the suspicious message.

Immediate actions to take when you suspect phishing

• Do not click any links or download attachments.
• Mark the message as spam/phishing in your email client to help filter future attacks.
• Delete the message after reporting it, or quarantine it in a secure folder if your organization requires review.
• If you clicked a link or entered credentials, change your password immediately on the real site using a new device if possible. Then enable multi-factor authentication (MFA) on that account.

Protective steps to apply now

1. Use unique passwords: Create different passwords for each important account to limit damage if one password leaks. Use a reputable password manager to generate and store strong passwords.

2. Turn on multi-factor authentication (MFA): Add a second verification step-an authentication app or hardware key provides strong protection beyond just a password.

3. Keep devices and software updated: Install updates for your operating system, browser, and antivirus to close known security holes attackers exploit.

4. Back up important files regularly: Maintain offline or cloud backups so ransomware or "locked" files do not force you to pay attackers.

5. Verify financial changes by phone: For bank transfers or billing changes, call a verified number from your statement to confirm the request.

If you fall victim (step-by-step damage control)

1. Immediately change affected account passwords from a secure device and revoke active sessions where possible.

2. Contact your bank or card issuer to freeze or monitor transactions and follow their fraud process.

3. Report identity theft to the relevant authorities in your country and place a fraud alert with credit agencies if they provide that service.

4. Scan your device with an updated anti-malware tool and restore from backups if malware remains.

5. Learn how the attacker got in and remove that vector-cancel compromised cards, update credentials, and tighten account recovery options.

Real-world application: a simple verification routine

• After receiving any unexpected message about your accounts: pause, inspect sender and links, verify via phone or the official website, and never provide credentials directly in reply. This routine replaces impulsive clicking with a short set of checks that block most scams.

Summary

Phishing tricks you by imitating people or organizations you trust....