Cyber thieves have numerous ways to steal personal information. Phishing is one of the most popular techniques because it’s simple and effective. The typical phishing attack involves creating an email that appears to be from a reputable company or organization and encourages potential victims to click on a link.

These messages are compelling: Offering a free coupon or gift card, warning your bank or credit card account has been compromised, or promising a package is waiting for you at the warehouse.

Click on the link and you’ll wind up on a website (run by the fraudsters), that looks authentic but is designed to get you to provide information the scammers can use to hack into your accounts.

“They’re looking at getting your credentials or user name, and because we use those same credentials across multiple accounts, it gives [criminals] access to lots of other things that you definitely don’t want them to have access to,” said Christopher Scott with IBM X-Force IRIS, the company’s Instant Response and Intelligence Services.

To do their dirty work, the phishers create email that will grab your attention, make you open it and get you to click on the link that takes you to their phony website so they can capture your personal info. An effective way to do that is to pretend to be a well-known company. We trust certain consumer brands, so if we get an email that looks like it’s from one of them, we may be willing to open the email and click a link to get a coupon or special deal.

These 10 brands were targeted most often in phishing attacks last year, according to IBM X-Force data (companies are listed in order of number of attacks):

  1. Google
  2. YouTube
  3. Apple
  4. Amazon
  5. Netflix
  6. Spotify
  7. Microsoft
  8. Facebook
  9. Instagram
  10. WhatsApp

Note: When a phishing attack takes place via text message, it’s called smishing. Fraudsters have a greater chance of getting us to slip up because we tend to respond to texts quickly.

TIP: Rather than click on a link in a potentially bogus email or text, use the company’s app or go to its website to get special promotions. That way, you avoid the risk of going to a malicious site.

Think You Can Spot a Phishing Email?

You might be surprised at how hard it is––even those of us who are computer savvy can be fooled.  When phishing scams first hit the web in the late 1990s, the fake emails were crude and easy to spot because of typos and grammatical errors. Not anymore.

“Unlike phishers of the past, many of today’s cybercriminals are artisans,” said digital security expert Adam Levin, author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves.

“They’re sophisticated and creative,” Levin told Checkbook. “On the surface, their work is almost flawless––the logos, spelling and grammar all look authentic.”

This phishing quiz based on real life attacks was designed by Jigsaw, a subsidiary of Alphabet (Google’s parent company).

The Next Generation of Phishing Email

Always looking to up their game, the fraudsters have taken things to the next level. A surge of phishing email targeting Chase customers was detected in the third quarter of 2019 by Kaspersky Labs, a cybersecurity and anti-virus company. The emails were designed to steal information from credit cards and driver’s licenses by tricking people into sending selfies.

People who clicked the link in the bogus email landed on a website that looked like the real Chase login page. Those who tried to log on received an error message that said their identity needed to be verified by uploading a selfie while holding a document that confirms their identity, such as a driver’s license or credit card.

The image above, provided by Kaspersky Labs, shows directions from a bogus PayPal web page.

“The fake sites looked quite believable, and provided a list of necessary documents with format requirement, link to privacy policy, user agreement, etc.,” the Kaspersky fraud report noted.

How to Protect Yourself

An AARP Fraud Watch Network tip sheet on how to avoid phishing scams lists some common warning signs that an email might be from a criminal imposter:

  • A “Dear Customer” greeting—legitimate communications from companies you do business with usually include your name rather than a generic term
  • Vague or generic language, such as “payment issue” to describe a problem with an account or purchase.
  • Threats of dire consequences, such as legal action or an account being frozen, if you don't act immediately.
  • Requests that you click a link, open an attachment, or reply with personal or financial information to take advantage of an offer or to resolve a problem.
  • Pop-ups on your computer or mobile device that warn of viruses, promise a prize or redirect you automatically to another site.

Never click on links or download files from unexpected emails or texts, even if it looks like it’s from a trusted company or organization, or person you recognize, unless you expected to receive it. Turn on two-factor authentication sign-in options for all your financial accounts. If you're unsure whether an email or text is legitimate. delete it and visit the company's website directly, rather than following links in the email.

More Info

From Checkbook: How to Keep Your Devices Safe from Cyberattacks

AARP Fraud Watch Network

Identity Theft Resource Center


Become a Smarter Consumer Get free, expert advice delivered to your inbox every Wednesday when you sign up for the Weekly Checklist newsletter.

Contributing editor Herb Weisbaum (“The ConsumerMan”) is an Emmy award-winning broadcaster and one of America's top consumer experts. He is also the consumer reporter for KOMO radio in Seattle. You can also find him on Facebook, Twitter, and at