Technology

Spot phishing before you click—and limit damage if you did

Verify the request through a route you already trust, separate message clues from proof, and respond according to the information or device that may be exposed.

Key takeaways

  • A familiar logo, correct personal detail, or HTTPS link is not proof that a message is genuine.
  • Open the known app or saved website instead of using the message’s link or phone number.
  • After a mistake, secure email and affected accounts, scan devices when relevant, and document what was shared.

Treat the requested action as the clue

Phishing messages often manufacture a reason to act before verifying: an account will close, a package is held, a payment failed, a refund is waiting, or a manager needs a secret. The message may accurately name you because breached and public data can be combined with impersonation.

The FTC phishing guide warns that links and attachments may steal information or install malware. The useful question is not only ‘does it look real?’ but ‘can I verify the requested action independently?’

Use a verification ladder

  1. 1

    Pause. Do not reply, click, call, scan a QR code, or open an attachment.

  2. 2

    Open the company’s known app, a saved bookmark, a statement, or a number already on your card.

  3. 3

    Check whether the same alert appears inside the authenticated account.

  4. 4

    For a person, contact them through a separate known channel and ask about the exact request.

  5. 5

    Report the message using the organization’s official route, then delete or preserve it as required by work policy.

Do not over-trust surface clues

ClueWhy it is not proof
Display name or logoEasy to copy or spoof
Personal informationMay come from a breach or public record
HTTPS and padlockEncrypts the connection to a site that may still be fraudulent
Urgent deadlineCan be manufactured to suppress checking
Correct email threadAn account or vendor may be compromised
QR codeHides the destination until scanned

Respond according to what happened

  • Clicked but entered nothing: close the page, update security software, and scan if a file or program may have run.
  • Entered a password: change it from a clean device, end other sessions, enable strong MFA, and change reused passwords.
  • Shared card or bank data: contact the institution through a known route and monitor or replace the affected method.
  • Shared identity data: use IdentityTheft.gov for a recovery plan and consider a credit freeze.
  • Approved an MFA prompt or installed remote-access software: treat the account or device as compromised and escalate immediately.

Make the next attempt less effective

Secure the primary email account first because it can reset others. Use unique credentials, a password manager, phishing-resistant sign-in where available, current recovery information, and alerts for important accounts.

Report phishing email to the organization impersonated and the routes listed by the FTC; suspicious texts can be forwarded to 7726 in the United States. At work, follow the incident channel even if no click occurred—other people may receive the same campaign.

Evidence record

Sources and methodology

We used primary public sources for the factual framework, then wrote and structured this guide independently. Links are checked during editorial review and when a guide is substantively updated.

  1. How to Recognize and Avoid Phishing ScamsFederal Trade Commission · Used for: Phishing clues, response, and reporting
  2. Protect Your Personal Information From Hackers and ScammersFederal Trade Commission · Used for: Account security and identity-theft response

This article is general educational information, not individualized financial, medical, legal, tax, cybersecurity, construction, or career advice.

About the byline

Everyday Fieldbook Digital Safety Desk

An organizational byline for our personal-technology and digital-safety workflow, grounded in public standards and agency guidance rather than invented testing claims.

Read our editorial policy