According to a 2022 Internet Crime Report, the FBI’s Internet Crime Complaint Center received over 800,000 complaints of internet-related scams in 2022. These crimes cost victims over $10 billion, and phishing, a form of cyberattack using emails, text messages, and websites, topped the report’s list as one of the most commonly reported crimes.

Hackers attempt to collect your most valuable and confidential information through phishing. This may include bank account numbers, Social Security numbers, or credit card numbers — anything to commit identity or monetary theft. Often using insidious tactics such as urgent language and copied company logos, these criminals trick individuals and businesses through some of our most frequently used means of communication.

Common Features of Phishing Emails

Emails are a hackers’ common phishing weapon, but several indicators within the messages can often make them easy to spot. If you receive an email asking for payment or important personal information, scan it and ask yourself these questions before taking action:

  • Does the email ask you for money or personal information?
  • Because obtaining an individual or business’s money or valuable confidential or personal information is often a phisher’s goal, no matter who the sender appears to be, always be wary of any email asking for these things. While it’s especially likely to be a phishing email from a sender you don’t recognize, phishers sometimes hack email accounts to send emails that appear to be from a person or company you know.
  • Does the email contain an urgent or threatening tone?
  • Often, phishers attempt to prey on an email recipient’s emotions through urgent language, such as suggesting payments are past due and an account is about to be closed. If you receive an email with this tone, take a few minutes to breathe and relax.
  • Do not immediately click on a link, reply, or act in any way. Because hackers use this standard tactic, ensure you’re calm and level-headed before interacting with the email to determine whether the communication is legitimate.
  • Does the email contain grammatical errors or misspellings?
  • While not always the case, many phishing emails contain spelling, grammatical, or even formatting errors that may indicate the sender is not who they claim to be. The email may read as if it’s not in the sender’s native language or may include unprofessional mistakes unlikely for a company to send.
  • Additionally, the greeting may be out of context by being too generic (“Hey you” or “Dear Customer,” for example), informal, or formal for your relationship with the sender.
  • Does the email ask you to click on a link?
  • If an email asks you to click a link to make a payment or provide your personal information, this is considered highly suspicious behavior. A bank or financial institution will never use email to request your bank account number or identifying information.
  • If you receive an email with a link, hover over it before clicking on it. The link’s actual website address should appear on your screen. If this website address does not exactly match the official address of the company the email claims to represent, do not click on it.
Need a password manager?
Protect your data with these top-rated password managers.
Best password generator for enterprise
Best value password manager
Best password manager for security

Types of Phishing Campaigns

As with any legal business or industry, the criminal world of phishing is constantly evolving. These criminals can be sophisticated and creative in capitalizing on advancements in how people use technology. Individuals and companies may be vulnerable to several types of phishing campaigns. The most common ones to recognize include spear, clone, whaling, and pop-up phishing.

Spear phishing

This occurs when a hacker specifically targets a group of people with something in common. Often by using “insider” information obtained through hacking an organization’s computer or pulling from social media or a website, spear phishers create a fake email that appears to be an official email from the organization or entity.

These emails typically ask victims — targets such as university students or a company’s clients or employees — to click on a link that takes them to a website to update personal information, enter a password, or pay a bill.

Clone phishing

Like with spear phishing, clone phishing hackers prey on email recipients by taking advantage of their trust in other people or businesses. With clone phishing, hackers “clone” a real email someone already received and create a new one that looks like the original. They can also make it appear as if the sender of the original email sent it again. In these cloned emails, phishers add or replace a link or attachment with a harmful one.


This form of phishing targets specific victims, often the “whales” of a corporation or large entity, such as a CEO, a board member, or a wealthy individual. Whaling phishers typically use similar methods as those used in spear phishing.

Pop-up phishing

Through pop-up phishing, hackers can also take advantage of people as they browse the internet. Hackers may infect certain websites and cause a pop-up to appear when you visit the page.

These pop-ups can be difficult to close, causing the victim to click on a link accidentally. They may direct you to take action, such as providing personal information, downloading something, or calling a specific phone number.

How Do You Prevent Phishing?

Along with having a general understanding of what phishing is and how it can appear, there are a few things you can do to help prevent phishing attempts:

Two-Factor authentication

Two-factor authentication (2FA) may make it difficult for a hacker to access your online account by requiring a scan of your fingerprint or an additional code sent to your mobile phone. Hackers cannot access your phone unless you’re already using a compromised site or device. They should not be able to receive this code needed to log in to your account even if they already have your password.

Strict password management and policies

Whether you’re trying to protect yourself or your business from phishing attacks, it’s important to implement strong password management policies. Secure, reputable password management software can help protect you from logging in to a dangerous phishing website.

If you use a password manager that securely stores your password and automatically fills it into authentic websites when you log in to an account, the same software will not automatically enter your password in a fake site that only looks like the original.

Additionally, changing your passwords regularly and using a different, strong password for each online account can prevent hackers from accessing more than one account if they ever do manage to steal a password.



  • What is phishing?

    It is a fraudulent practice of sending emails or other messages claiming to be from reputable companies so that individuals reveal personal information, such as passwords and credit card numbers.

  • What are the four types of phishing?

    The types are spear phishing, clone phishing, whaling, and pop-up phishing.

  • What is a real example of phishing?

    An example would be a fraudulent SMS asking you to update your account details or change your password.

  • Why do people do phishing?

    People typically use phishing attacks to gain sensitive data, such as logins and passwords from their victims to access the targeted network or company.

  • Does phishing mean being hacked?

    Phishing and hacking are both mainly used to defraud people in some way. But phishing relies on people voluntarily giving information, while hacking entails forcefully gaining unauthorized access to it, such as by disabling the security measures of a computer network.

Learn More


About The Password Manager, Gunnar Kallstrom:

Kallstrom, The Password Manager, is a Cyber Team Lead for a Department of Defense (DOD) contracting company in Huntsville, Alabama, and has worked as a Computer Network Defense (CND) Cyber Analyst. An author and content creator for a cybersecurity academy, Kallstrom spent nearly 15 years in the Army as a musician before entering the cybersecurity field.

He holds a bachelor’s degree in music from Thomas Edison State University and a master’s in organizational development and leadership from the University of the Incarnate Word.

Kallstrom has completed several Computing Technology Industry Association (CompTIA) courses, including Security+, Network+, A+ Core 1, and A+ Core 2. He earned a CompTIA Security+ Certification. Additionally, he has completed the Cyber Warrior Academy program with more than 800 hours of hands-on, intensive, and lab-driven technical training in cybersecurity methods and procedures.

Passionate about all things cyber, Kallstrom was a speaker on a panel at the 2022 InfoSec World conference, giving a talk entitled “Hacking into a Cyber Career – True Stories.” Kallstrom is also a mentor to entry-level cybersecurity candidates seeking to break into the field. When he’s not working, he still enjoys playing guitar and fishing (not phishing).