Don’t Get “Hooked” by a Phishing Scheme

Money Matters

Phishing Attack or Spam Email?

keys and locks on a keyboard to represent cyber security and vigilance to prevent phishing.

“Phishing” is a form of social engineering where cybercriminals try to fool people into revealing personal information online. The name comes from the idea of fishing: Scammers send a message that acts as bait, hoping to “hook” someone.

Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization, prompting you to click on a link that may infect your machine with malware and viruses. For example, an attacker may send an email seemingly from a reputable credit card company, or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to their accounts. Attackers often take advantage of current events and certain times of the year, such as:

  • Natural disasters (e.g., hurricanes)
  • Pandemics, epidemics and health scares (e.g., H1N1, COVID-19)
  • Economic concerns (e.g., IRS scams)
  • Major political elections
  • Holidays (e.g., Valentine’s Day, Independence Day)

Spam is any unsolicited email that arrives in your inbox. You didn’t request it, but through the efforts of organizations that specialize in collecting and curating email addresses, it found its way to you. Spam does not necessarily contain viruses — valid messages from legitimate sources could fall into this category.

Cybercriminals who use spam target millions of inboxes with phishing emails that look like normal spam but that contain malicious links and attachments. Responding to one could lead to identity theft, email fraud, a ransomware attack on your business, or any number of other devastating consequences.

If you suspect the spam is a phish, do not click on any links in the email, download any attachments, engage or respond, or fall for any emotional traps, like promises of rewards or threats for not acting.

Please check out the Spam Email or Phishing Attack infographic for more great tips on spotting and avoiding phishing.

Vigilance is the Best Defense

Verify the sender: Were you expecting something from them? Check the sender’s email address (URL). If the highlighted URL contains characters that aren’t in the company’s main website, it could be a fake email. It may be a URL that does not reference the legitimate company at all or that alters the official URL in some way. You can always call the company to verify that they sent the email.

What is in the message?
Is the tone urgent? Are there grammatical or spelling errors? If so, be suspicious.

Look for links or QR codes: If the email or text tries to get you to click on links or scan a QR code to visit a website and provide information, beware. Make sure the sender is someone you trust before clicking a link or scanning a code. QR codes should be treated with care since it can be difficult to discern where they point before scanning them. For more on QR code safety, read this blog from

Confirm: Verify the request separately by phone with the office of the individual or system referenced.