How to Protect Yourself from Phishing Emails and Fake Websites
Phishing is one of the most common ways scammers steal credentials, drain bank accounts, and gain access to sensitive information. The good news: you can learn to recognize and avoid phishing attacks.
What Is Phishing?
Phishing is a scam where attackers impersonate legitimate organizations (banks, PayPal, Microsoft, Apple, etc.) to trick you into revealing passwords, credit card numbers, or other sensitive information. Most phishing happens via email, but it also occurs via text messages (smishing), phone calls (vishing), and fake websites.
Why phishing is so effective
- Fake emails look nearly identical to real ones
- Attackers create artificial urgency ("Your account will be closed," "Suspicious activity detected")
- People often don't check URLs carefully
- Most people receive thousands of legitimate emails, making it easier to miss a fake one
- Legitimate companies occasionally send similar emails, which confuses people
How to Spot Phishing Emails
Check the sender's email address
This is one of the most important checks. Legitimate companies email from their official domain. An email from "paypa1.com" (the digit 1 in place of the letter l) or from "secure-verification@banking.service" is not genuine, no matter what the display name says.
Pro tip:
Hover over the sender's name in your email to reveal the actual email address. Some email clients hide the real address by default.
Suspicious greeting
Phishing emails often use generic greetings like "Dear Customer," "Dear User," or "Dear Valued Member" rather than your actual name. Legitimate companies know your name because they have your account information.
Artificial urgency or threats
"Your account will be closed in 24 hours," "Unusual activity detected," "Confirm your information now," "Your card has been compromised." These create panic that prevents careful thinking.
Requests for sensitive information
Legitimate companies will NEVER ask you to verify passwords, credit card numbers, Social Security numbers, or other sensitive information via email. Period. If an email asks for this, it's a phishing attempt.
Links that don't match the text
Hover over any link in the email (don't click). Look at the URL shown in the status bar at the bottom of the browser window. If the link text says "Click here to verify your account" but the actual URL is "malicious-site.com," it's phishing.
Spelling, grammar, or formatting errors
Professional companies proofread their communications. Emails with misspellings, awkward phrasing, or poor formatting are often phishing attempts. However, some phishing emails are well-written, so don't rely on this alone.
Unexpected attachments
Legitimate companies usually don't send unsolicited attachments. Be especially suspicious of Excel files, PDFs, or software downloads you didn't request. These often contain malware.
RED FLAG: "Click here to confirm" or "Verify now"
Any email asking you to click a link to "confirm," "verify," "update," or "validate" your account is likely phishing. Legitimate companies may ask you to log in, but they'll direct you to their official website, not via email links.
How to Verify URLs
URLs are easy to fake. Here's how to check if a website is legitimate:
Check the domain (the main part of the URL)
The real Coinbase URL is coinbase.com. Fake sites might use:
- coibase.com (a letter dropped or swapped)
- coinbase-secure.com (adding words)
- coinbase.net or coinbase.co (different extension)
- mycoinbase.com (adding a prefix)
Type the URL directly into your browser from memory or a trusted source. Never click links from emails or messages.
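The sender-address check, the link-text-versus-URL check and the domain lookalike patterns above are mechanical enough to automate. The following is an added example, not code from the article or from any mail provider: it parses a raw email, compares the From display name with the real address, compares each link's visible text with its real target, and classifies the target domain against the official domain of the brand being claimed. The `BRAND_DOMAINS` table and `SAMPLE_EMAIL` are constructed assumptions for the demo; a real filter would load a maintained brand list and use a proper HTML parser and public-suffix list.

```python
# Added example (not from the article): scan a raw email for the signals the
# article lists. Brand table and sample message are constructed for the demo.
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brand name -> official domain (a real filter would load a list).
BRAND_DOMAINS = {"paypal": "paypal.com", "coinbase": "coinbase.com"}
# Digits that stand in for letters in lookalike names (paypa1 -> paypal).
DIGIT_SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
# Something that looks like a hostname inside visible link text.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Good enough for the demo's simple HTML; real mail needs a proper HTML parser.
ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """'example.com' from 'www.example.com' (naive: no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def lookalike_reasons(domain, brand):
    """Why `domain` looks like an impersonation of `brand`; [] means it is the real one."""
    domain = registrable_domain(domain)
    if domain == BRAND_DOMAINS[brand]:
        return []
    name = domain.rsplit(".", 1)[0]  # "coinbase-secure" from "coinbase-secure.com"
    if name == brand:
        return ["same name, different extension"]
    if name.translate(DIGIT_SWAPS) == brand:
        return ["digit substituted for a letter"]
    if brand in name:
        return ["brand name with extra words added"]
    if SequenceMatcher(None, name, brand).ratio() >= 0.8:
        return ["misspelling of the brand name"]
    return ["does not belong to the brand"]


def brand_in(text):
    """First known brand mentioned in free text, or None."""
    return next((b for b in BRAND_DOMAINS if b in text.lower()), None)


def check_links(html, brand_hint=None):
    """Flag anchors whose target differs from their text or impersonates a brand."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        text = " ".join(re.sub(r"<[^>]+>", "", inner).split())  # visible text
        target = registrable_domain(urlparse(href).hostname or "")
        shown = HOST_RE.search(text)
        if shown and registrable_domain(shown.group(0)) != target:
            findings.append(f"link text shows {shown.group(0)} but points to {target}")
        brand = brand_in(text) or brand_hint
        for why in (lookalike_reasons(target, brand) if brand else []):
            findings.append(f"link '{text}' goes to {target}: {why}")
    return findings


def check_sender(msg):
    """Compare the From display name with the real address, and Reply-To with From."""
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable_domain(addr.rpartition("@")[2])
    brand = brand_in(display) or brand_in(addr)
    findings = [f"From claims {brand} but address is {from_dom}: {why}"
                for why in (lookalike_reasons(from_dom, brand) if brand else [])]
    reply_dom = registrable_domain(parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom}, not {from_dom}")
    return findings, brand


def analyze_email(raw):
    """All findings for one raw message with an HTML body."""
    msg = message_from_string(raw)
    findings, brand = check_sender(msg)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return findings + check_links(body, brand)


# Constructed sample (not a real phishing email) combining several signals.
SAMPLE_EMAIL = """\
From: PayPal Support <service@paypa1.com>
Reply-To: collect@secure-verification.banking.service
Subject: Unusual activity detected
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p>
<p>Your account will be closed in 24 hours.
<a href="http://paypal-secure-login.com/verify">Click here to verify your account</a>
or go to <a href="http://paypa1.com/login">paypal.com</a>.</p>
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("RED FLAG:", finding)
```

Run as a script, it prints one line per red flag in the constructed message: the digit-for-letter sender domain, the Reply-To that goes somewhere else, the "Click here" link that lands on a padded lookalike domain, and the link whose visible text says paypal.com while its target is paypa1.com. The classification order matters: the exact official domain is accepted first, so `www.paypal.com` passes, and only a domain that fails that test is compared for extension swaps, digit substitutions, padding and misspellings.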
Look for the padlock (HTTPS)
Legitimate websites use HTTPS (secure connection). Look for a padlock icon in your browser's address bar. While HTTPS is standard, some phishing sites use it too, so this is helpful but not sufficient alone.
Verify the SSL certificate
Click the padlock to view the SSL certificate. It should show the legitimate company's name. If it shows a different name or a generic certificate provider, it's likely fake. Note that many legitimate sites use certificates that list only the domain name rather than the company, so the decisive check is that the domain on the certificate is exactly the one you expect, not a lookalike.
Go directly to the official website
Don't click email links. Instead, type the company's website into your browser or use a bookmark. This ensures you're visiting the real site. If there's an issue with your account, you'll see it when you log in directly.
Use browser security tools
Modern browsers (Chrome, Firefox, Safari, Edge) have built-in phishing detection. They may warn you if you're about to visit a known phishing site. Pay attention to these warnings.
Protecting Your Accounts
Enable two-factor authentication (2FA)
Even if a scammer gets your password through phishing, they can't log in without a second factor (usually a code from your phone). Enable 2FA on:
- Email accounts
- Banking and financial accounts
- Social media accounts
- Password managers
- Any account with sensitive information
Use authenticator apps (Google Authenticator, Authy) rather than SMS when possible, as SMS can be intercepted.
Use unique, strong passwords
Use a password manager (1Password, Bitwarden, LastPass) to generate and store unique passwords for each account. If one password is compromised through phishing, the others remain secure.
Never enter passwords on email links
Even if an email looks legitimate and asks you to "confirm your password," don't click the link. Log in directly to the website (type the URL yourself) to check if anything is wrong.
Check your accounts regularly
Monitor bank, credit card, and email accounts for suspicious activity. Many breaches go unnoticed for months. Early detection can prevent significant loss.
What to Do If You Click a Phishing Link
You clicked the link but didn't enter information
You're likely fine. Close the page immediately and don't stay on the fake website. Monitor your email and accounts for unusual activity, but since you entered nothing, no credentials or personal details were handed over.
You entered your password
Change your password immediately on the real website (not by clicking email links). Use a strong, unique password. Enable 2FA if you haven't already. Monitor your account for unauthorized activity.
You entered credit card, bank, or personal information
Contact your bank and credit card company immediately. Report the fraud. They can:
- Monitor your accounts for suspicious transactions
- Dispute fraudulent charges
- Issue new cards if necessary
Also freeze your credit to prevent identity theft. Contact the three credit bureaus (Equifax, Experian, TransUnion).
Report Phishing
Report to the company being impersonated
Most companies have a phishing reporting email (usually phishing@companyname.com). Forward the phishing email to them (include the full headers if possible). They can take down fake websites and warn other customers.
Report to your email provider
Gmail, Outlook, and other email services have report buttons. Marking phishing emails as "phishing" helps improve their detection systems.
Report to the FTC
Report phishing and credential theft to reportfraud.ftc.gov. This creates an official record and helps law enforcement identify patterns.
Report phishing URLs
Submit phishing websites to abuse databases like PhishTank.com. This helps browsers and security providers block the sites.
Remember: Legitimate Companies Never Ask for Passwords via Email
This is the golden rule. Your bank, email provider, PayPal, Amazon, or any legitimate organization will never ask you to verify your password, Social Security number, or credit card via email. If they need to contact you about your account, they'll direct you to log in directly on their secure website, not through email links.
