What is a common indicator of phishing?

Chances are fairly high that you know someone who has been the victim of a phishing attack. As an internet user, it is likely you may have also been the target of phishing. As you think about how to avoid future phishing attacks, you may find yourself wondering: “what is a common indicator of phishing?”

Below, we define phishing, discuss some recent statistics pertinent to understanding phishing attacks, share tips to help identify phishing attacks, and end with some strategies for protecting your data - such as utilizing a password manager. 

Before answering this question, it would be helpful to back up slightly and define phishing. In a nutshell, phishing consists of fake reach-outs that seek to exploit users’ fears, curiosity, or helpfulness, sometimes with an element of urgency intended to prompt an immediate interaction. Phishing operations often seek to compel people to divulge personally identifiable information (PII) such as passwords, financial information, or social security numbers. Some operations may drive people to click on websites that contain malware, so cyber criminals can infect computers and steal even more sensitive data. 

Check out this ebook by hacker Rachel Tobac to learn more about how to stay safe online.

Phishing operations often mask their malicious intent by posing as reputable institutions. So, what is a common indicator of phishing? According to the 2023 Bitwarden Password Decisions Survey, close to half (41%) of phishing attacks come from fake financial institutions. Twenty-two percent come from purported bosses or executives and 21% from fake government agencies. 

Now that you understand the definition of phishing attacks and have some context about the strategy behind them, it’s helpful to know how to identify phishing attacks. While phishing attacks are unfortunately becoming increasingly sophisticated, there are still some tell-tale signs an email or attachment may be amiss that can reveal what might be a common indicator of phishing. 

To start, phishing-oriented emails purporting to come from reputable institutions might show a suspicious email sender name and email address. For example, an email that is supposedly from Chase Bank could be missing a letter or include a nonsensical symbol (ch$se.com).

Links that are purportedly sending you to say, the IRS, DMV, or your local bank may also be problematic. It’s worth taking an extra few seconds to hover over links to confirm they go to the proper website. If you’re unsure, log in directly to the account in question or pick up the phone and speak with an official customer service representative to verify the correspondence is legitimate. 

It’s also important to avoid opening attachments from people you don’t know. Receiving attachments you didn’t expect, from names you don’t recognize, is a sign the sender may be trying to scam you or entice you to download malware. 

Another telltale sign is correspondence riddled with spelling and grammatical errors, messages that claim there’s a problem you need to urgently address, and messages alerting you to “suspicious activity.” Although, as the use of generative AI spreads, these spelling errors are likely to become less common.

For a more exhaustive list of signs that will help you determine what is a common indicator of phishing, the Federal Trade Commission (FTC) informative web page devoted to spotting phishing scams. 

Among other insights, the FTC notes: “While real companies might communicate with you by email, legitimate companies won’t email or text with a link to update your payment information. Phishing emails can often have real consequences for people who give scammers their information, including identity theft. And they might harm the reputation of the companies they’re spoofing.”

The FTC provides four solid recommendations for protecting data from phishing attacks. They include:

• Using security software to protect your computer (and remembering to run software updates!).

• Protecting your mobile phone by setting software to update automatically.

• Leveraging multi-factor authentication (also known as two-factor authentication and two-step login) to provide an extra layer of protection in the event a cyber-criminal gets a hold of your login credentials).

• Backing up computer data to a hard drive or the cloud and backing up mobile phone data, as well.

Password managers are also a very important tool to protect against common indicators of phishing. As outlined in this blog, password managers help users keep track of website URLs, retain known and confirmed URLs, and confirm when a user is landing on a known site. All this is in addition to their primary, fundamental mission of enabling users to generate, store, and secure strong and unique passwords in an end-to-end encrypted vault. 

Ready to level up your cybersecurity with Bitwarden? Sign up today for a free Bitwarden account, or start a 7-day free trial of our business plans so your team and company colleagues can stay safe online. Still have questions? Check out the live weekly demo to speak directly with the Bitwarden team.