
How to Protect Yourself from Phishing Attacks

Phishing attacks are one of the most common cyber threats today. Learn how to recognize and avoid them with these practical tips.

You get an email that looks like it's from your bank. The logo is right, the language sounds official, and it says there's a problem with your account that needs immediate attention. There's a handy link to fix it. You click, enter your login info, and just like that — someone else has your credentials.

That's phishing, and it's the most common way people get hacked in 2025. Not through some sophisticated zero-day exploit — just a well-crafted fake message that tricks you into giving up your information. Here's how to spot it and protect yourself.

What Phishing Actually Looks Like

Phishing used to be easy to spot — broken English, obvious fake addresses, absurd claims about Nigerian princes. Those still exist, but modern phishing is much more convincing. Attackers now send emails that closely mimic real companies like Amazon, Microsoft, your bank, or even your own employer.

Common phishing scenarios include emails claiming your account has been locked or compromised, fake shipping notifications from UPS or FedEx, invoices for things you didn't buy, password reset requests you didn't initiate, and messages from "IT" asking you to verify your credentials. The goal is always the same: get you to click a link and enter sensitive information on a fake website, or download an attachment that installs malware.

How to Spot a Phishing Email

Check the Sender's Actual Email Address

The display name might say "Bank of America" but the actual email address could be something like support@bankofamerica-secure-login.com. Always look at the full email address, not just the name. Legitimate companies send from their actual domain — not a lookalike.

Hover Over Links Before Clicking

Before you click any link in an email, hover your mouse over it. A small preview should show you where the link actually goes. If the email claims to be from PayPal but the link points to paypal-secure.sketchy-domain.com, that's a phishing link. When in doubt, don't click the link at all — go directly to the company's website by typing the address into your browser yourself.
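The sender check and the link check above can be automated, shown here as an added example that is not part of the original article: compare the brand a display name or link text claims with the domain it actually uses. The brand allowlist, function names and sample message are constructed for illustration, and the code assumes a single-part HTML message.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small allowlist of brands and the domains they really use.
KNOWN_BRANDS = {"bank of america": "bankofamerica.com", "paypal": "paypal.com"}

def under_domain(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_message(raw):
    """Return warnings where a claimed brand does not match the real domain."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    collector = LinkCollector()
    collector.feed(msg.get_payload())  # single-part HTML body assumed
    # Each claim pairs what the reader sees with the host actually behind it.
    claims = [("sender", display, addr.rpartition("@")[2])]
    claims += [("link", t, urlparse(h).hostname or "") for t, h in collector.links]
    warnings = []
    for kind, text, host in claims:
        for brand, domain in KNOWN_BRANDS.items():
            if brand in text.lower() and not under_domain(host, domain):
                warnings.append(f"{kind}: '{text}' names {brand} but points to {host}")
    return warnings

# Constructed sample message using the lookalike domain from the article.
SAMPLE = """From: PayPal <service@paypal-secure.sketchy-domain.com>
Content-Type: text/html

<a href="https://paypal-secure.sketchy-domain.com/login">Log in to PayPal</a>
<a href="https://www.paypal.com/help">PayPal help</a>"""
```

The suffix match in `under_domain` is what rejects hosts that merely contain the brand name, such as the lookalikes quoted above, while still accepting genuine subdomains like `www.paypal.com`.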

Watch for Urgency and Threats

Phishing emails almost always try to create a sense of panic. "Your account will be closed in 24 hours," "Unauthorized login detected," "Immediate action required." Real companies don't usually threaten you via email with tight deadlines. If a message is trying to rush you into clicking something, slow down and verify it through other channels.

Look for Generic Greetings

Your bank knows your name. If an email starts with "Dear Customer" or "Dear User" instead of your actual name, that's a yellow flag. It's not definitive proof on its own — some legitimate emails use generic greetings — but combined with other warning signs, it adds up.

Be Suspicious of Attachments

Unexpected attachments are one of the most dangerous elements of phishing emails. A fake invoice PDF, a Word document with macros, or a zip file can all contain malware. If you weren't expecting an attachment from someone, don't open it. If it's supposedly from a coworker or vendor, verify with them directly before opening.

Phishing Isn't Just Email

Phishing has expanded well beyond your inbox. Text message phishing ("smishing") uses fake texts claiming to be from your bank, a delivery service, or the IRS. Voice phishing ("vishing") involves phone calls from people pretending to be tech support, government agencies, or your credit card company. You'll even see phishing links in social media messages and ads.

The same principles apply everywhere: verify the source, don't click links from unexpected messages, and never give out personal information to someone who contacted you first.

What to Do If You Clicked a Phishing Link

If you think you've fallen for a phishing attack, act fast. Change the password for any account you may have exposed — do it from a different device if possible. If you entered financial information, call your bank immediately and let them know. Enable two-factor authentication on every account that supports it if you haven't already.

Run a full malware scan on your computer, especially if you downloaded an attachment. Monitor your accounts over the next few weeks for any unauthorized activity. And don't beat yourself up — phishing attacks are designed by professionals to trick people, and even tech-savvy users fall for them sometimes.

The Best Defense

No software can fully protect you from phishing because the attack targets your judgment, not your computer. The single best thing you can do is build a habit of pausing before you click. Every time you get an unexpected email asking you to take action, take ten seconds to ask: did I expect this? Does the sender address look right? Does this link go where it should?

Beyond that, use a password manager so you have unique passwords for every account, turn on two-factor authentication everywhere you can, and keep your browser and operating system updated. These layers won't prevent you from clicking a bad link, but they limit the damage if you do.

Worried you might have clicked something you shouldn't have? Bring your computer to FlexTech and we'll check it over. We can scan for malware, help you secure your accounts, and make sure nothing is lurking on your system.