What Is Phishing? 6 Tips to Help Protect Yourself


Phishing is a type of cyberattack in which someone attempts to trick you into sharing sensitive personal and financial information by posing as a legitimate source.

To do this, phishers will typically send you an unsolicited email, text message (aka smishing), or malicious link, asking you to “verify” certain credentials or take action on a request. For example, they may ask you to enter your Social Security number, passwords, bank account, credit card number, etc. They may also call you for this personal information, which then could be used to steal your identity, access important accounts, or withdraw money from your bank.

It can be alarming and stressful if you fall victim to a phishing scam, but there are ways to help you avoid and protect yourself from scammers.

Did you know? If you receive an unsolicited call from Marcus and you have concerns about the call, we encourage you to call us back using a number from our contact page, so you can be sure you’re speaking with Marcus.

If a suspicious email claims to be from Marcus, forward it to [email protected].

Recognizing and avoiding a phishing attempt

Phishing scams have become more sophisticated in the digital age, as scammers frequently change their tactics to try and convince you that they have a legitimate reason to ask for your personal information. Even for the vigilant consumer, it can sometimes be hard to tell if a request is real or fraudulent, especially if the message appears to be from your bank or a government agency.

Whether you’re contacted through email, text message, or phone call, below are some common signs of a phishing attempt. You can also get more tips from the Federal Trade Commission.

Poor spelling or grammar

Email phishing is one of the most common methods that scammers use to steal sensitive information. Phishers often create fake emails with familiar brand logos to impersonate real businesses (aka an impersonation scam), and it’s not always easy to tell whether the communication is genuine.

But one telltale sign of an email phishing attempt is poor spelling or grammar. Pay close attention to the sender’s email domain and message. Fraudulent email domains may have minor misspellings.

If you spot spelling and grammatical errors, the email may be a scam. The same goes for smishing attempts in which scammers target you via mobile text messages instead of emails.

Tip: If you receive a suspicious email or text message, do not click on any links or attachments. Delete the email or text message immediately. You may also report the suspicious message if your email or mobile provider offers the option.

False sense of urgency

A typical tactic among phishers is to create a false sense of urgency, pressuring you to take action. Be wary of emails, text messages, or unsolicited phone calls urging or threatening you to respond immediately to avoid a penalty, delay, or account closure.

For example, scammers often claim there’s a “problem” with a payment, an order, or one of your financial or government accounts, which you need to resolve right away. They may even claim that a family member or loved one is in trouble. Scammers will then instruct you to send money or confirm your personal details over the phone or via a malicious link.

Tip: It’s important to slow down and study the message carefully. Does the email or text message appear to be genuine? If someone calls and claims to be from your bank, a government agency, or a particular retailer, never give out your personal information. Instead, hang up and call the business back yourself to ensure the request is legitimate.

Sometimes, a scammer may offer you a callback number – do not use it. Always look up the official contact information yourself by visiting the official websites of the business or government agency.

Free prizes, jobs, and tax refunds

Phishers may also offer fake rewards, jobs, and refunds, inviting you to click on a suspicious link or attachment to claim your prize. For instance, they may tell you that you’ve won a free vacation or you’re eligible for a tax refund. This is designed to get you to let your guard down and give up your personal information.

Tip: If you’ve never entered a drawing or applied for a job, you should be suspicious. Also, if something sounds too good to be true, it’s probably a scam. Do not click on any suspicious links, attachments, or pop-ups. If the message asks you to confirm your tax identification number for a tax refund, it’s a scam: The IRS never initiates contact with taxpayers via email, text messages, or social media channels to request personal or financial information.

Good to know: If you receive a suspicious email from the IRS requesting personal or financial information, do not reply. Do not click on anything and immediately delete the email. You can also forward the email to [email protected].

More tips to help protect yourself against phishing 

Understanding how to spot a potential phishing attempt is a great first step, but here are a few more smart practices to help you stay safe.

Tip 1: Reduce your online footprint. Be cautious with any information you post online, which could be used by phishers to gain your trust and/or impersonate you to family and friends. Check out our article on cleaning up your digital footprint to learn more.

Tip 2: Double-check email domains. A common email phishing scam involves criminals impersonating a bank. When an email claims to be from your bank (or any business), take a look at the sender’s email domain. If there are misspellings, it’s probably a scam.

For example, compare:

[email protected]

vs.

[email protected]

(Note: For illustrative purposes only)

Did you catch the small spelling errors in the second domain name from a fraudulent sender?

Tip 3: Do not click on links, attachments, or pop-ups from unknown senders. They may contain malware or direct you to a malicious website to steal your personal information. Never enter personal details in any window, pop-up box, or email that you did not initiate or open yourself.

Tip 4: Protect your accounts with multi-factor authentication (MFA). MFA works by requiring at least two different credentials from you to verify your identity before logging into your account. If this option is available to you, it’s worth turning it on because it can provide an additional layer of security. With MFA, you’ll usually be notified almost immediately if someone else is trying to access your account(s).

Tip 5: Set up transaction alerts and regularly monitor your account statements. Many bank and credit card accounts allow you to set up transaction alerts. Any time a certain type of transaction occurs, you’ll be notified. If it’s a charge or withdrawal you didn’t authorize, you can quickly take action to report the fraudulent activity. In addition to setting up real-time alerts, it’s also a good idea to regularly review your account statements for potential suspicious activities.

Tip 6: Keep your software and devices updated. Phishers and other scammers are constantly coming up with new ways to exploit security vulnerabilities. That’s why it’s important to keep your apps and devices updated, so that you’re protected from the latest threats. Also be aware that phishers may sometimes contact you unsolicited, posing as “tech support” to request remote access to your devices. Do not grant remote access unless you initiated the call and have confirmed they are who they say they are.

Reporting a phishing scam

If you receive a suspicious message or call, you can report it to the appropriate business as well as your email or wireless provider. Many banks, businesses, and government agencies (e.g., IRS, FDIC, etc.) have a dedicated fraud department you can contact to file a phishing report.

Remember: If a suspicious email claims to be from Marcus, forward it to [email protected].

You can also report the phishing attempt to the Federal Trade Commission at ReportFraud.ftc.gov.

If you responded to a scam and believe your identity has been stolen, visit IdentityTheft.gov. This is the federal government’s one-stop resource for victims of identity theft. The website outlines steps you can take based on the type of personal information stolen.


This article is for informational purposes only and is not a substitute for individualized professional advice. Articles on this website were commissioned and approved by Marcus by Goldman Sachs®, but may not reflect the institutional opinions of The Goldman Sachs Group, Inc., Goldman Sachs Bank USA, Goldman Sachs & Co. LLC or any of their affiliates, subsidiaries or divisions. Information and opinions expressed in this article are as of the date of this material only and subject to change without notice.