Key takeaways
- A familiar logo, correct personal detail, or HTTPS link is not proof that a message is genuine.
- Open the known app or saved website instead of using the message’s link or phone number.
- After a mistake, secure email and affected accounts, scan devices when relevant, and document what was shared.
Treat the requested action as the clue
Phishing messages often manufacture a reason to act before verifying: an account will close, a package is held, a payment failed, a refund is waiting, or a manager needs a secret. The message may accurately name you because breached and public data can be combined with impersonation.
The FTC phishing guide warns that links and attachments may steal information or install malware. The useful question is not only ‘does it look real?’ but ‘can I verify the requested action independently?’
Use a verification ladder
- 1
Pause. Do not reply, click, call, scan a QR code, or open an attachment.
- 2
Open the company’s known app, a saved bookmark, a statement, or a number already on your card.
- 3
Check whether the same alert appears inside the authenticated account.
- 4
For a person, contact them through a separate known channel and ask about the exact request.
- 5
Report the message using the organization’s official route, then delete or preserve it as required by work policy.
Do not over-trust surface clues
| Clue | Why it is not proof |
|---|---|
| Display name or logo | Easy to copy or spoof |
| Personal information | May come from a breach or public record |
| HTTPS and padlock | Encrypts the connection to a site that may still be fraudulent |
| Urgent deadline | Can be manufactured to suppress checking |
| Correct email thread | An account or vendor may be compromised |
| QR code | Hides the destination until scanned |
Respond according to what happened
- Clicked but entered nothing: close the page, update security software, and scan if a file or program may have run.
- Entered a password: change it from a clean device, end other sessions, enable strong MFA, and change reused passwords.
- Shared card or bank data: contact the institution through a known route and monitor or replace the affected method.
- Shared identity data: use IdentityTheft.gov for a recovery plan and consider a credit freeze.
- Approved an MFA prompt or installed remote-access software: treat the account or device as compromised and escalate immediately.
Make the next attempt less effective
Secure the primary email account first because it can reset others. Use unique credentials, a password manager, phishing-resistant sign-in where available, current recovery information, and alerts for important accounts.
Report phishing email to the organization impersonated and the routes listed by the FTC; suspicious texts can be forwarded to 7726 in the United States. At work, follow the incident channel even if no click occurred—other people may receive the same campaign.
Evidence record
Sources and methodology
We used primary public sources for the factual framework, then wrote and structured this guide independently. Links are checked during editorial review and when a guide is substantively updated.
- How to Recognize and Avoid Phishing ScamsFederal Trade Commission · Used for: Phishing clues, response, and reporting
- Protect Your Personal Information From Hackers and ScammersFederal Trade Commission · Used for: Account security and identity-theft response
This article is general educational information, not individualized financial, medical, legal, tax, cybersecurity, construction, or career advice.