Phishing Scams: What Are the Signs & How Can You Avoid Them?

Phishing scams are normally delivered as an email that spoofs a known acquaintance or company, such as a bank or online shopping site.
All phishes aim to steal personal or proprietary information for fraudulent purposes.
Open emails with caution, examining the sender address, links (before clicking on them) and other content until you can verify their authenticity.

Phishing is one of the Internet’s oldest and longest-running scam techniques. Since its first appearance in the mid-90s, it’s fooled countless individuals, costing people and organizations billions of dollars. And it shows no signs of slowing down.

Thirty six percent of all breaches in 2021 involved phishing — that’s 11 percent more than last year — according to the Verizon Data Breach Investigations Report.¹ And the international nonprofit Anti-Phishing Working Group reports that there were 222,127 phishes in June 2021² alone. How has this scam been so successful for so long?

Phishing is a method of social engineering designed to mislead people into believing they are dealing with a legitimate party. Cyber criminals employ deception, urgency or too-good-to-be-true promises to exploit common human responses like trust in authority, fear of missing out, greed or curiosity.

Phishing takes many forms

Phishing refers to a seemingly legitimate message or email meant to trick you into taking an action to benefit the criminal who sent it.

While phishes are typically sent by email, they can be sent in many other ways.

Vishing – also known as voice phishing – is like phishing, but is conducted over the phone, either by a person or through robocall.

Smishing is phishing through SMS text messages. These texts or instant messages might appear to be sent by trusted organizations, but they are fraudulent. Smishing scams could request personal information or contain unsafe links.

Search engine phishing – also known as SEO poisoning – targets users through fake websites optimized to show up in your search results. Once you’re on the website, scammers may trick you into revealing valuable information or passwords.

Spear phishing is phishing aimed at a specific person or organization. Cyber criminals often conduct background research on their target to make the scam more believable.

Whaling is a form of spear phishing aimed at top executives. It’s often conducted by cyber criminals impersonating other high-level employees.

Remember that Bank of America, like many businesses, will never ask you for account details unless you call us first.

Neither Bank of America nor its affiliates provide information security or information technology (IT) consulting services. This material is provided "as is,“ with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this material, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, quality and fitness for a particular purpose. This material should be regarded as general information on information security and IT considerations and is not intended to provide specific information security or IT advice nor is it any substitute for your own independent investigations. If you have questions regarding your particular IT system or information security concerns, please contact your IT or information security advisor.

“Bank of America” and “BofA Securities” are the marketing names used by the Global Banking and Global Markets divisions of Bank of America Corporation. Lending, other commercial banking activities, and trading in certain financial instruments are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., Member FDIC. Trading in securities and financial instruments, and strategic advisory, and other investment banking activities, are performed globally by investment banking affiliates of Bank of America Corporation (“Investment Banking Affiliates”), including, in the United States, BofA Securities, Inc. and Merrill Lynch Professional Clearing Corp., both of which are registered broker-dealers and Members of SIPC, and, in other jurisdictions, by locally registered entities. BofA Securities, Inc. and Merrill Lynch Professional Clearing Corp. are registered as futures commission merchants with the CFTC and are members of the NFA.

Bank of America Private Bank is a division of Bank of America N.A. Member FDIC, and a wholly owned subsidiary of Bank of America Corporation (“Bofa Corp.”).

Merrill Lynch, Pierce, Fenner & Smith Incorporated (also referred to as “MLPF&S” pr “Merrill”) makes available certain investments products sponsored, managed, distributed or provided by companies that are affiliates of Bank of America Corporation (“Bofa Corp.”). MLPF&S is a registered broker-dealer, registered investment adviser, Member SIPC and a wholly owned subsidiary of BofA Corp.

Investment products offered by Investment Banking Affiliates:

|Are Not FDIC Insured | May Lose Value | Are Not Bank Guaranteed.

The aim of phishing is to trick you into revealing sensitive data — which might include login credentials and passwords, credit card numbers, bank account numbers, corporate contacts, vendor names or other proprietary information — for fraudulent purposes. The scam is most commonly delivered as an email that spoofs a known company, such as a bank or online shopping site, but it can also appear to come from an individual of authority or personal acquaintance.

Phishing emails may contain a link that sends users to a replica of a valid website where usernames, passwords and other data are transmitted to cyber criminals. From there, they can sell personal data on the dark web black market or use it to commit identity theft or drain bank accounts.

Today phishing scams have become more refined. Phishing may be widespread or targeted, sent by text or voicemail or even show up in search results. Data leaks and social media accounts with lax privacy settings often expose information on individuals and organizations that criminals can use to create smarter, more stealthy phishing content.

For all their sophistication, today’s phishing scams still rely on exploiting the human psyche. Detecting a phish therefore requires you to maintain a healthy level of skepticism when receiving any kind of digital communication and shore up on your best defense: awareness.

The telltale signs of phishing

There are often clues that an email is not legitimate. The five below are the most common.

There are grammatical, spelling and/or formatting errors in the content. If the email is unsolicited and it seems like it was written by a robot or someone not completely fluent in your native language, it’s best to investigate further before clicking.
The “from” address doesn’t match the authentic email address of the sender, especially if it says it’s from a business. (If you can’t see the email address, either hover over the sender name or right click on it to show details.) Cyber criminals often use fake company email addresses from common, public domains. Or they might create an address that spells the company name just slightly wrong.
The email contains a hyperlink or button that, when hovered over, displays a URL that doesn’t match the destination it claims to be. For example, if an email purports to be from a favorite online store needing you to update account information, but the URL shows an unfamiliar address, do not click on the link. Instead, go directly to the store’s account on your browser to confirm.
The email contains attachments from unknown sources that you were not expecting. Don’t open the attachments. They might contain malware that could infect your system.
The tone of voice is urgent. Criminals love to use urgency to fool users into taking action without looking too closely. Emails with phrases like, “Update your password before we close your account!” should be treated as highly suspect.

Remember that Bank of America — and most other reputable companies — will never ask for account details unless you contact us first. If there’s any doubt, go directly to a trusted source, such as the company’s website, or call to check using a phone number you can independently verify belongs to the company or individual who apparently sent the email. Never call the phone number on an email you suspect might be a scam, and never share your banking credentials or one-time passwords.

¹ Verizon DBIR 2021, https://www.verizon.com/business/resources/reports/2021-data-breach-investigations-report.pdfx

² Phishing Activity Trends Report Q2 2021, https://docs.apwg.org/reports/apwg_trends_report_q2_2021.pdf

Insights to protect your business from cyber threats

Learn tips on how to avoid falling for the latest “vishing” tricks

5 minute read

Smishing is a form of fraud that primarily takes place through texts on mobile devices. Learn how to detect and avoid this increasingly common type of scam.

5 minute read

How cyber criminals engineer deception online

Learn tips on how to defend against “Social engineering”

5 minute read

How to detect – and avoid — phishing scams

Key Takeaways

Fraud and Cyber Security

Explore more

How to avoid telephone scams

Five tips to help avoid smishing scams

How cyber criminals engineer deception online