Types of Phishing: Tips to Prevent, Spot and Report Scam Emails

October is National Cybersecurity Awareness Month, and it's an excellent reminder that protecting your personal information online is important. One way to do that is to recognize and avoid phishing scams.

What is Phishing, and How Does It Work?

Cybercriminals use social engineering, which is the art of manipulating people into divulging information or doing something they wouldn't normally do to steal information, said Judith Dionne, an information security awareness and training manager for Southern New Hampshire University (SNHU).

Dionne has been working with information security at SNHU for the past five years, including managing a phishing simulation training program and designing a variety of other trainings. She said that phishing is the most successful form of social engineering that cybercriminals use — because it works.

It's a tactic scammers use to impersonate legitimate companies or individuals using email, text messages or phone calls to trick people into revealing sensitive information such as usernames, passwords, credit card details, other banking and payment information and more.

Think of how fishermen use bait to catch fish — your personal information is the fish in this scenario, the scammer is the fisherman and the bait is the fraudulent email they send you. For example, the email might ask you to click on a link and update your information.

What's the Difference Between Spam and Phishing Emails?

Spam is when someone sends an email to several users at once or tries to sell something by pushing their product on users as a usually unsuccessful attempt at marketing. Think of it as annoying junk mail where the sender isn’t purposely trying to steal your information compared to a phishing attempt, which has malicious intent.

What Are 8 Types of Phishing?

There are many types of phishing to be aware of, according to Dionne.

Here are some of the common kinds:

Email Phishing

This is the most common type, where attackers send fraudulent emails that appear to be from legitimate sources, attempting to trick recipients into revealing personal information or clicking on malicious links or attachments.

Smishing (Text Phishing)

Involves sending text messages that trick recipients into revealing personal information or downloading malware. Messages may claim to be from banks or delivery services.

Vishing (Voice Phishing)

Uses phone calls to impersonate legitimate organizations (like banks or tech support) to extract sensitive information from victims.

Quishing (QR Code Phishing)

Uses QR codes that will take the victim to a fake website where they may be asked for credentials or malware to be downloaded.

Website Phishing

Attackers create fake websites that closely mimic legitimate ones to capture login credentials and sensitive data. Users are often directed to these sites through phishing emails or ads.

Social Media Phishing

Involves using social media platforms to send messages or posts that trick users into providing personal information or clicking on malicious links.

Business Email Compromise (BEC)

This sophisticated form of phishing targets companies by impersonating an executive or vendor to authorize fraudulent transactions or data transfers.

Search Engine Phishing

Attackers use search engine optimization techniques to place malicious links at the top of search results, leading unsuspecting users to phishing sites. "Sponsored" links can also be malicious, so be careful with those, too.

What is an Example of Phishing?

One example Dionne provided was when a cybercriminal seeks usernames and passwords. In this case, an alarming email is sent warning the recipient that an account has been compromised and the password must be reset, she said.

"The email would include a link to a site to help the person reset their password, but the site is spoofed," said Dionne. "Following the link would take them to the fake site that is branded to look like it belongs to the business, and they would be prompted to enter their existing username and password to create a new one. For example, if you have a bank account with Bank of America (BOA), the phishing message would have the BOA logo, and the link the site brings you to would look like a BOA log-in page."

Typing in your credentials would send them directly to the cybercriminal. After you type them into the fake site, nothing happens on it, and most users think it's a faulty link and won't question it. In reality, the cybercriminal just learned the username and password for your bank account.

Read more: What is Cybercrime?

How is AI Changing Phishing?

Artificial intelligence (AI) has created some alarming new trends in phishing, according to Gina Cramer '20, who earned a bachelor's in cybersecurity from SNHU and currently works in application security at a global financial services company.

"AI has made things completely different as far as phishing schemes and threat actors trying to steal identities and whatnot, with the deepfakes now that they can do," she said.

Cramer noted that deepfakes can convincingly mimic an actual person, often featuring AI-generated video and voice. And since deepfakes can pose as real people in your life, they can be especially difficult to discern.

In one 2024 incident, a deepfake phishing scheme impersonating a CEO managed to capture $25 million after an unsuspecting employee authorized the transactions, according to Forbes. With these innovations in fraud, security awareness might be more important than ever.

"The threats that are out there today will be different a year from now," Cramer said.

She noted that it's important to keep up with current events as the threat landscape continues to evolve. You might even discover a passion for cybersecurity in the process.

Dig deeper: What is Cybersecurity and Why is It Important?

How to Spot a Phishing Email

At first glance, it can be easy to miss an email phishing attempt. Some red flags to be aware of include:

• Poorly written emails with misspellings or spoof display names, although, Dionne said that AI can help cybercriminals craft more professional emails today.
• Language trying to instill a sense of urgency
• The web and email addresses don’t look genuine
• They ask you to confirm personal information

Dionne noted some additional signs to look out for, including:

• Links and attachments in the email
• Unusual requests (such as transferring overdue funds)
• Unsolicited offers for part-time employment or work-from-home jobs

Questions to Ask Yourself

Dionne said another tip to identify phishing is to slow down when reading emails. She advised taking your time and considering these questions:

• Do you know the sender?
• Are you expecting an email from the sender?

With regard to the tone of the email:

• Is it urgent?
• Does it tell you that you missed a payment or that someone jeopardized your account?

"Cybercriminals may send one message to many people at once and at odd times of day," Dionne said.

If the message looks unusual or suspicious, look at:

• The time of day you received it
• The amount of people copied on it
• If you know anyone copied on it

"You may also get phishing emails from people you know," said Dionne. "If you get an unusual email from a family member or friend, check the message's validity through another channel."

You can call or text the original sender to see if they sent it. Dionne said don't trust a message is secure if it's unexpected or out of character for the sender. Because of deepfake technology, that could even apply to videos and voice messages.

So, What Happens If You Open a Phishing Email?

Most phishing emails are relatively safe to open as long as you don't interact with them, said Dionne. Just be sure you don't click on links or open/preview any attachments.

What Happens If You Click a Phishing Link?

If you do click on a phishing link, Dionne said you could open yourself up to potential risks, such as:

• Computer worms
• Keyloggers
• Malware
• Ransomware
• Spyware

If you open a phishing email and click on a link or attachment, there are a few things you can do to try and protect your information.

To start, you should immediately close all your tabs and browsers, according to Identity Guard. Next, check for any automatic downloads that may have started and delete those too.

Identity Guard also recommends potentially changing your usernames and passwords. Remember the Bank of America scenario? In that case, change your username and password immediately to prevent unwanted access to your account.

If you use the same password for multiple accounts, change your passwords, too. Identity Guard recommends considering a password manager, which can help you create and organize your usernames and passwords. Added bonus, a password manager can create strong and secure passwords for you.

For some additional peace of mind, you could consider installing antivirus or anti-malware software that can scan and remove potential threats from your devices.

If you interact with phishing on a work device, be sure to notify the appropriate contact at your organization to follow company protocol and next steps.

How to Protect Yourself From Phishing

Phishing scams can be costly to businesses and individuals. So, it’s important to know how to try and prevent falling prey to phishing attempts.

Here are a few tips to protect yourself:

• Use strong, unique passwords for each of your online identities. Never re-use the same password for multiple online identities. Choose different letters, numbers and symbols and avoid using anything familiar that others can publicly research about you, such as your date of birth or a pet's name.
• Never click links in an email. For example, if you receive a notification from your bank, log in directly to the bank’s website instead of using the link provided in the email.
• Never share personal or financial information in an email.
• Always be suspicious of unsolicited emails, text messages and phone calls. If it sounds “too good to be true,” it probably is, for example, a work-from-home job.
• Never scan QR codes unless you know the source of them.

You can also use antivirus, email filtering and firewalls to reduce phishing traffic.

How to Protect Yourself From Employment Phishing Scams

Employment scam emails are one type of email phishing that can affect people looking for work, especially college students.

"These emails are usually looking for one thing: Information," Dionne said. They trick you into giving personal information to cybercriminals posing as potential employers.

One way to protect yourself is to know what you've applied for and pay attention to who's sending the email. "Never respond to an unsolicited request for employment through email," Dionne said. 

How to Report Scam Emails

If you feel you’ve received a phishing attempt, report the scam to help prevent it from happening to others.

If you come across suspicious forms of communication, there are a variety of ways you can report them.

For example:

• Report emails as phishing or spam. The way you report emails can vary from platform to platform but most have a button that you can click to mark a message as phishing or spam. For instance, Microsoft Outlook has a "report message" ribbon that you can click and then select "phishing." According to Microsoft Support, this is the fastest way to report and remove a suspicious message from your inbox.
• Report suspicious websites to sources like Google Safe Browsing or the security solution software firm ESET.
• Report scams and fraud to places like the Federal Trade Commission (FTC) Online Complaint Assistant or the Internet Crime Complaint Center (IC3).

See how savvy you are by taking Google’s Phishing Quiz to learn to identify phishing emails better and protect yourself from potential cyber threats.

Nicholas Patterson ’22 ’25MFA is a writer based in West Michigan with several years of experience as a content creator in higher education. He’s an alumnus of Southern New Hampshire University (SNHU), where he earned both his bachelor’s in English and creative writing and his Master of Fine Arts in Creative Writing. When his head’s not in novels, you can find him outside dreaming up his own stories. Connect with him on LinkedIn.