Of all the scams a person can fall victim to online, phishing is one of the most insidious and successful. According to statistics, the first quarter of 2022 was the worst period for phishing in history, with more malicious sites active, more scam emails sent out and more targets attacked than ever before.

Phishing is a type of social engineering, a broad family of scams that rely on assuming a false identity to exploit the target’s trust. In contrast to the popular image of high-tech hacking, phishing and other social engineering attacks work the same as any old-fashioned con — gain the mark’s confidence as a way inside.

In a typical phishing attack, a scammer sends an email to several thousand addresses. The email might contain a link to a website that automatically downloads malware onto each visitor’s computer. If you click the link, you might find your files held hostage by ransomware, or your keystrokes logged to learn your bank account information.

Some phishing scammers don’t bother with the malware, and simply request their victims’ login credentials directly. This works more often than you might think. Surveys show almost half of employees open suspicious emails, especially when the emails impersonate the victim’s bosses.

Phishing emails aim to create a sense of urgency in their targets, making victims act hastily and bypass their better judgment. They often claim the target’s passwords have been compromised, that their employer has made an urgent policy update, or something equally frightening. They might also say the target has won a large monetary prize.

As phishing grows more sophisticated, new varieties are popping up every year. “Spear phishing” eschews the usual email blast for a directed approach, using information about the target to bolster the illusion of legitimacy. “Whaling” aims to capture the passwords of powerful decision-makers, especially executives at Fortune 500 companies.

Nor are emails the only medium for attacks. “Smishing” scams send text messages instead, while “vishing” attacks work over the phone, sometimes using deepfaked voices to leave legit-sounding voicemails demanding login credentials. The whole thing is startlingly effective, and still on the rise: 1,900 companies were targeted in the first quarter of 2022 alone.

Much like the scams, our options for defending ourselves run the gamut from high-tech to common sense.

In the (relatively) high-tech camp, we’ve got antivirus systems, ad blockers and VPNs, many of which keep blocklists of websites and sender addresses known to be associated with phishing scammers and malware. Some antiviruses are now using machine learning to spot these sites before they target anybody.

The other camp relies on education. It’s absolutely vital to teach yourself, your family and your co-workers to recognize phishing scams and refuse to engage. Basic habits can protect you from most attacks. If you maintain a policy of never sending your login credentials to anybody you don’t know in person, you’ll foil a lot of attacks.

Privacy Journal’s phishing articles cover this ever-evolving threat and arm you with the tools to protect yourself. Dive in and start learning below.