
Don't Fall for a Phishing Email!

Phishing is a method used to gather personal information such as usernames and passwords using deceptive emails and websites. Learn how to recognize and avoid these types of malicious emails in this tutorial!

By Jennifer Campbell

Phishing is a method used to gather personal information such as usernames and passwords using deceptive emails and websites. Attackers attempt to lure you into entering your password or account details on a site that looks like the real one. Whatever you enter can then be used to compromise and take over your accounts!


The goal is to trick the email recipient into believing that the message is something they want or need so that they will click a link or download an attachment.


Phishing is a play on the word “fishing”, as it is a way of “throwing out bait” to see who bites. The best way to protect yourself from phishing is to learn how to recognize it.



How to Identify Phishing Emails:

1. The email asks you to confirm or reset personal information. Companies do not request personal information over email since email is insecure. If an email is asking for personal information, it is most likely a phishing email.


2. There is a generic greeting or message. Phishing emails are sent in large quantities in hopes that a percentage of recipients will not realize it is fraudulent. Do a quick check of how the sender addressed you! 



3. The web and email addresses do not look genuine. Many phishing emails are not sent from an email address with the correct domain (that is, the domain of the company the email claims to be from). Some sender addresses will try to trick you by using a plausible-looking subdomain rather than the correct domain (e.g. @am.amazon.com instead of @amazon.com). Senders can disguise website links as well: the text of a link can say one thing while the link points somewhere else. You can hover over a link (don't click!) to see its real destination.



4. It’s poorly written. An email from a legitimate organization should be well written. Any email with poor grammar should be enough to cause you to pause and evaluate the email.


5. There’s a suspicious attachment.


6. The message is designed to make you panic with a sense of urgency. Phishing emails normally make you think that something needs to happen fast to fix the situation. If an email is asking you to act fast, don’t! Slow down and assess the situation.
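The clues above can be checked mechanically, which is how mail filters and security teams triage suspected phish. The following script is an added example written for this tutorial, not CodeHS code: it parses an email, applies clues 1, 2, 3, 5 and 6 (poor grammar, clue 4, is not checked), and reports what it found. The sender and link allowlist (`EXPECTED_HOSTS`), the keyword lists and both sample messages are constructed assumptions; the "hover over the link" check is reproduced by comparing the host a link's visible text shows with the host its `href` really points to.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist (assumption): the exact hosts you expect genuine mail and links
# from a brand to use. Anything else, including look-alike subdomains, is flagged.
EXPECTED_HOSTS = {"amazon.com", "www.amazon.com"}
BRAND_LABELS = {"amazon"}
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "act now", "verify now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "valued customer")
CREDENTIAL_PHRASES = ("password", "confirm your account", "verify your account", "billing details")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".zip")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: where a link claims to go vs. where it really goes."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased host of a URL or bare domain; '' when the text is not URL-like."""
    host = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
    return host if "." in host else ""


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(raw_email):
    """Return {clue: [details]} for the tutorial's clues found in one raw RFC 822 message."""
    msg, found = message_from_string(raw_email), {}
    flag = lambda key, detail: found.setdefault(key, []).append(detail)

    # Clue 3 (sender): the host must be exactly one we expect, not a look-alike subdomain.
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_host not in EXPECTED_HOSTS:
        flag("sender", f"unexpected sender host {sender_host!r}")

    body, attachments = "", []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    lowered = body.lower()

    for phrase in CREDENTIAL_PHRASES:          # Clue 1: asks to confirm/reset account details
        if phrase in lowered:
            flag("credentials", phrase)
    for greeting in GENERIC_GREETINGS:         # Clue 2: generic greeting
        if greeting in lowered:
            flag("greeting", greeting)
    extractor = LinkExtractor()                # Clue 3 (links): the "hover" check, automated
    extractor.feed(body)
    for href, text in extractor.links:
        real, shown = host_of(href), host_of(text)
        if real in EXPECTED_HOSTS:
            continue
        if shown and shown != real:
            flag("links", f"text shows {shown!r} but goes to {real!r}")
        elif is_ip(real):
            flag("links", f"raw IP destination {real!r}")
        elif any(label in real for label in BRAND_LABELS):
            flag("links", f"look-alike domain {real!r}")
    for name in attachments:                   # Clue 5: risky or double file extension
        if name.lower().endswith(RISKY_EXTENSIONS) or name.count(".") > 1:
            flag("attachment", name)
    for phrase in URGENCY_PHRASES:             # Clue 6: urgency in body or subject
        if phrase in lowered or phrase in msg.get("Subject", "").lower():
            flag("urgency", phrase)
    return found


# Constructed sample messages (assumptions, not real mail): one phish, one genuine notice.
SAMPLE_PHISH = """\
From: "Amazon Support" <security@am.amazon.com>
To: jordan@example.com
Subject: Your account will be suspended within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>We could not verify your account. Please <a href="http://amazon.com.account-check.example.net/login">confirm your account</a> immediately, or it will be suspended.</p>
<p>Or visit <a href="http://198.51.100.7/amz">https://www.amazon.com/</a></p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

SAMPLE_LEGIT = """\
From: "Amazon.com" <ship-confirm@amazon.com>
To: jordan@example.com
Subject: Your order has shipped
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello Jordan,</p>
<p>Your order of 1 item has shipped. <a href="https://www.amazon.com/orders">View your order</a></p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

Run it and the phishing sample trips every check (unexpected sender host, generic greeting, two credential phrases, a look-alike link plus a link whose text shows www.amazon.com but points at a raw IP, a double-extension attachment, and urgency in both subject and body), while the genuine notice returns an empty report. Keyword matching like this is deliberately simple; its value is that each hit maps back to a clue a person can verify by eye.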



Think you are ready to spot a few of these phishing emails on your own? Play the game below to see how well you can identify the clues that the emails are not legitimate.


Spear phishing takes this a step further. Instead of sending out a generic email to masses of people, spear phishing actually targets a specific person or group of people by using personal details. This makes the emails appear more legitimate. Spear phishing emails may include details like the name of an employer, a friend or family member, or a trusted business to trick victims into clicking on links, downloading malware, or sharing their credentials.


It's your turn to go through your work inbox! See if you can correctly identify each email as a legitimate email or a phishing email.


I’ve spotted a phishing email! Now what?

  • Do not click on any links or open any attachments.
  • Do not reply to the sender.
  • Report the scam (forward the email to the FTC - spam@uce.gov)
  • If you do legitimate business with the spoofed company, you may inform the company of the phishing email in circulation.
  • Delete the email.


Uh oh. I fell for a phish! What now?

  • Don’t panic! 
  • Change the passwords for any website you have logged into since the phish.
  • Scan your computer for viruses.
  • Contact the company that has been spoofed so they can alert other people!
  • If this happened on a school or work computer, let an administrator know as soon as possible.