How to detect – and avoid — phishing scams

This increasingly common scam can be costly for you or your company. Here’s how to spot the five telltale signs of a phishing email.


5 minute read


Key Takeaways

  • Phishing scams are normally delivered as an email that spoofs a known acquaintance or company, such as a bank or online shopping site.
  • All phishes aim to steal personal or proprietary information for fraudulent purposes.
  • Open emails with caution, examining the sender address, links (before clicking on them) and other content until you can verify their authenticity.

Phishing is one of the Internet’s oldest and longest-running scam techniques. Since its first appearance in the mid-90s, it’s fooled countless individuals, costing people and organizations billions of dollars. And it shows no signs of slowing down.


Forty one percent of business email compromise breaches in 2022 involved phishing – according to the Verizon Data Breach Investigations Report.1 And the international nonprofit Anti-Phishing Working Group reports that there were 381,717 phishes in June 20222 alone. How has this scam been so successful for so long?


Phishing is a method of social engineering designed to mislead people into believing they are dealing with a legitimate party. Cyber criminals employ deception, urgency, or too-good-to-be-true promises to exploit common human responses like trust in authority, fear of missing out, greed or curiosity.

The aim of phishing is to trick you into revealing sensitive data — which might include login credentials and passwords, credit card numbers, bank account numbers, corporate contacts, vendor names or other proprietary information — for fraudulent purposes. The scam is most delivered as an email that spoofs a known company, such as a bank or online shopping site, but it can also appear to come from an individual of authority or personal acquaintance.


Phishing emails may contain a link that sends users to a replica of a valid website where usernames, passwords and other data are transmitted to cyber criminals. From there, they can sell personal data on the dark web black market or use it to commit identity theft or drain bank accounts.


Today phishing scams have become more refined. Phishing may be widespread or targeted, sent by text or voicemail or even show up in search results. Data leaks and social media accounts with lax privacy settings often expose information on individuals and organizations that criminals can use to create smarter, more stealthy phishing content.


For all their sophistication, today’s phishing scams still rely on exploiting the human psyche. Detecting a phish therefore requires you to maintain a healthy level of skepticism when receiving any kind of digital communication and shore up on your best defense: awareness.

The telltale signs of phishing

There are often clues that an email is not legitimate. The five below are the most common.


  1. There are grammatical, spelling and/or formatting errors in the content. If the email is unsolicited and it seems like it was written by a robot or someone not completely fluent in your native language, it’s best to investigate further before clicking.
  2. The “from” address doesn’t match the authentic email address of the sender, especially if it says it’s from a business. (If you can’t see the email address, either hover over the sender's name or right click on it to show details.) Cyber criminals often use fake company email addresses from common, public domains. Or they might create an address that spells the company name just slightly wrong.
  3. The email contains a hyperlink or button that, when hovered over, displays a URL that doesn’t match the destination it claims to be. For example, if an email purports to be from a favorite online store needing you to update account information, but the URL shows an unfamiliar address, do not click on the link. Instead, go directly to the store’s account on your browser to confirm.
  4. The email contains attachments from unknown sources that you were not expecting. Don’t open the attachments. They might contain malware that could infect your system.
  5. The tone of voice is urgent. Criminals love to use urgency to fool users into  acting without looking too closely. Emails with phrases like, “Update your password before we close your account!” should be treated as highly suspect. 

Remember that Bank of America — and most other reputable companies — will never ask for account details unless you contact us first. If there’s any doubt, go directly to a trusted source, such as the company’s website, or call to check using a phone number you can independently verify belongs to the company or individual who apparently sent the email. Never call the phone number on an email you suspect might be a scam, and never share your banking credentials or one-time passwords.