Protect Yourself From Phishing

Phishing is an attempt to trick you into sharing sensitive information by posing as someone trustworthy. Read on to learn to spot phishing.

What is phishing?

Phishing is an attack in which the threat actor poses as a trusted person or organization to trick potential victims into sharing sensitive information or sending them money. As with real fishing, there's more than one way to reel in a victim: Email phishing, smishing, and vishing are three common types. Some attackers take a targeted approach, as is the case with spear phishing or whale phishing (more on the types of phishing below). 

How does a phishing attack work?

Phishing attacks begin with the threat actor sending a communication, acting as someone trusted or familiar. The sender asks the recipient to take an action, often implying an urgent need to do so. Victims who fall for the scam may give away sensitive information that could cost them. Here are more details on how phishing attacks work: 

  • The sender: In a phishing attack, the sender imitates (or “spoofs”) someone trustworthy that the recipient would likely know. Depending on the type of phishing attack, it could be an individual, like a family member of the recipient, the CEO of the company they work for, or even someone famous who is supposedly giving something away. Often phishing messages mimic emails from large companies like PayPal, Amazon, or Microsoft, and also banks or government offices. 

  • The message: Under the guise of someone trusted, the attacker will ask the recipient to click a link, download an attachment, or to send money. When the victim opens the message, they find a scary message meant to overcome their better judgement by filling them with fear. The message may demand that the victim go to a website and take immediate action or risk some sort of consequence. 

  • The destination: If users take the bait and click the link, they're sent to an imitation of a legitimate website. From here, they're asked to log in with their username and password credentials. If they are gullible enough to comply, the sign-on information goes to the attacker, who uses it to steal identities, pilfer bank accounts, and sell personal information on the black market.

Who is targeted by phishing?

Anyone can be targeted with a phishing attack, but some types of phishing are done to very specific people. Some threat actors will send out a general email to many people, hoping a few will take the bait based on a common trait. An example would be saying something is wrong with your Facebook or Amazon account, and you need to click this link right away to log in and fix it. The link would likely lead to a spoofed webpage where you might give away your login credentials. 

Threat actors use more targeted phishing attacks if they are after something specific, like access to a certain company's network or data, or information from a politician or political candidate. This is called spear phishing. In this case, they may research information to make their attack sound familiar and credible, so the target is more likely to click a link or provide information. An example would be researching the name and communication style of a target company's CEO, then emailing or texting specific employees at that company pretending to be the CEO asking for something. 

While threat actors often pretend to be CEOs in their phishing attacks, sometimes the target is the CEO themself. "Whale phishing" describes phishing attacks toward high-profile people like company executives, celebrities, or well-known wealthy individuals.  Whether an attack is general or highly targeted, sent to one person or many people, anyone can become a phishing target, so it's important to

“Phishing is the simplest kind of cyberattack, and at the same time, the most dangerous and effective.”

How to identify a phishing attack

Recognizing a phishing attempt isn't always easy, but a few tips, a little discipline, and some common sense will go a long way. Look for something that's off or unusual. Ask yourself if the message passes the “smell test.” Trust your intuition, but don't let yourself get swept up by fear. Phishing attacks often use fear to cloud your judgement.

Here are a few more signs of a phishing attempt:

  • The email makes an offer that sounds too good to be true. It might say you've won the lottery, an expensive prize, or some other over-the-top item. 
  • You recognize the sender, but it's someone you don't talk to. Even if the sender's name is known to you, be suspicious if it's someone you don't normally communicate with, especially if the email's content has nothing to do with your normal job responsibilities. Same goes if you're cc'd in an email to folks you don't even know, or perhaps a group of colleagues from unrelated business units.
  • The message sounds scary. Beware if the email has charged or alarmist language to create a sense of urgency, exhorting you to click and “act now” before your account is terminated. Remember, responsible organizations do not ask for personal details over the Internet.
  • The message contains unexpected or unusual attachments. These attachments may contain malware, ransomware, or another online threat.
  • The message contains links that look a little off. Even if your spider sense is not tingling about any of the above, don't take any embedded hyperlinks at face value. Instead, hover your cursor over the link to see the actual URL. Be especially on the lookout for subtle misspellings in an otherwise familiar-looking website, because it indicates fakery. It's always better to directly type in the URL yourself rather than clicking on the embedded link.

How do I protect myself against phishing?

As stated previously, phishing is an equal opportunity threat, capable of showing up on desktops, laptops, tablets, and smartphones. Most Internet browsers have ways to check if a link is safe, but the first line of defense against phishing is your judgement. Train yourself to recognize the signs of phishing and try to practice safe computing whenever you check your email, read Facebook posts, or play your favorite online game.

Once again from our own Adam Kujawa, here are a few of the most important practices to keep you safe:

  • Don't open e-mails from senders you are not familiar with.
  • Don't ever click on a link inside of an e-mail unless you know exactly where it is going.
  • To layer that protection, if you get an e-mail from a source you are unsure of, navigate to the provided link manually by entering the legitimate website address into your browser.
  • Look out for the digital certificate of a website.
  • If you are asked to provide sensitive information, check that the URL of the page starts with “HTTPS” instead of just “HTTP.” The “S” stands for “secure.” It's not a guarantee that a site is legitimate, but most legitimate sites use HTTPS because it's more secure. HTTP sites, even legitimate ones, are vulnerable to hackers.
  • If you suspect an e-mail isn't legitimate, take a name or some text from the message and put it into a search engine to see if any known phishing attacks exist using the same methods.
  • Mouse over the link to see if it's a legitimate link.

As always, we recommend using antivirus/anti-malware security software like Malwarebytes Premium. Most cybersecurity tools have the ability to detect when a link or an attachment isn't what it seems, so even if you fall for a clever phishing attempt, you won't end up sharing your info with the wrong people. You can even try Malwarebytes free before you buy. 

So stay vigilant, take precautions, and look out for anything phishy.
