How to avoid and prevent phishing

Learn more about different types of phishing—and how to protect yourself from scammers.

Identity theft affects millions of individuals each year. Phishing scams are one way fraudsters can gain access to your personal information. There are different types of phishing attacks—including smishing, vishing, and pharming, to name a few. How do you identify different phishing scams, and how do you protect yourself?

What is phishing?

Phishing scams occur when fraudsters pose as trustworthy sources to obtain sensitive, personal information. They may pretend to be your bank, the electric company, or anyone else you might trust with personal information.

Even if a phone call, email, or text message seems official, always think twice before sharing sensitive information. Keep reading to learn more about the different types of phishing and how you can protect yourself.

What are the different types of phishing?

There are three primary types of phishing attacks: smishing, vishing, and pharming. Each of them uses a different method to acquire your sensitive information.

But they all have one thing in common: The scammer wants to build trust with you in order to access your personal information—things like usernames, passwords, bank account numbers, and credit card numbers.

What is smishing?

According to the Federal Trade Commission (FTC), a smishing scam is when scammers send fake text messages in an attempt to trick you into giving them your personal information. The term smishing is a combination of SMS—short message service—and phishing. In short, it’s phishing via text message.

A common smishing text message might seem like it’s from your bank. The text could include a link or phone number you may be instructed to log on to or call in, and this is where the scammers attempt to collect your information. If you were to share your information, the scammer would have access to your account. Links in the text message could also contain malicious software - commonly referred to as malware - that gives fraudsters access to your device.

The Federal Communications Commission gives 5 tips to avoid smishing:

  • Don’t respond, even if the message says you can “text STOP” to end messages.
  • Never click links or call numbers you don’t recognize. Always contact your financial institution through the number on the back of your card, or login directly through the financial institution’s website.
  • Screenshot suspicious texts and send them to your financial institution, or whatever company it pertains to, when possible. Doing this helps the company help you and others, as well as investigate the issue(s), and potentially remove the resources the scammer is using more quickly.
  • Make sure your devices and security software are up to date.
  • Consider installing anti-malware software for added security.

The FTC also says, “Your phone may have an option to filter and block messages from unknown senders or spam.” You can check how to do it on an iPhone and an Android phone.

What is vishing?

Vishing is a phone scam used to trick or scare you into sending money, handing over financial information, or allowing remote access to your computer. The word is a combination of “voice” and “phishing.”

Vishing scams can take many forms. In one version, scammers could call and ask you to verify your account information or tell you that you need to reactivate your credit or debit card. They could also direct you to call them for similar reasons. 

Another example of vishing could involve a phone call from someone pretending to be from a legitimate software company. They might ask for remote access to your computer to install the latest version of existing software. But what they really want is access to usernames, passwords, or other sensitive information.

Calls may not even come from a live person. Scammers could also use recorded prompts to get you to share your information.

The FBI has a few recommendations to help you avoid vishing attacks:

  • Be skeptical of anyone who calls asking for personal information.
  • If you think the call may be legitimate, you can always hang up and call the number on the back of your credit card or listed on an official website instead.
  • Remember that numbers given to you during a call could be unreliable and just another part of the scam.

In general, be cautious of any caller who wants information, money, or access to your computer.

What is pharming?

Pharming is a scam used to direct users to a phony website to get them to divulge personal information. One of the latest evolutions in internet scamming, pharming has been called “phishing without a lure.”

In a pharming scam, your browser or computer could be affected without you knowing. You could reach the site through an email or a bad link. 

But some pharming attacks are sophisticated enough that they can redirect you to fraudulent sites. When you try to access it, a hacker or piece of malware may direct you to a site with a similar address. The site might be just one letter off, or it might use similar-looking characters to try to fool you, such as replacing a lowercase “l” with the number “1.”

Once you’re on an imposter site, you could unknowingly submit bank passwords or credit card numbers to someone who is out to steal your identity.

Pharming can be harder to detect than other types of phishing, but there are still ways to protect yourself from pharming attempts: 

  • Be careful what you download 
  • Be careful with what information you share online
  • Ensure your security software is up to date
  • Set up your Wi-Fi router with a custom password

How to identify phishing emails & scams

Smishing, vishing, and pharming are all similar versions of the same scam. The goal is to steal your information and/or money by taking advantage of the trust you have with an institution, friend, or family member. This is also referred to as social engineering, a tactic often used by scammers. But you can help protect yourself by being skeptical and learning how to recognize phishing attempts. The FTC offers a few general phishing red flags to keep an eye out for:

  • If emails or texts sound overly urgent and ask you to respond right away. 
  • If emails or texts use generic titles (Mr., Mrs., Sir, Madam) instead of your legal name.
  • If a caller asks you to validate information with a Social Security number or account number.
  • If emails come from addresses that don’t match the names of the companies supposedly sending you the emails. Keep in mind, phishing emails may use official logos and headers.
  • If emails or texts invite you to click links to update payment or access account information. 
  • If emails or texts contain links asking you to provide information without signing in through the secure site you typically use to access your account. Or if links lead to a site that looks familiar but the web address is incorrect or has subtle differences.

If you experience any of these phishing scam techniques, don’t risk responding directly—and avoid clicking on any links in the email or text you received. If you have questions or concerns, contact the company through its official website or phone number to ask about the suspicious message.

Check your credit report regularly

Checking your credit report is one way to monitor for identity theft and fraud that can result from phishing scams. You can obtain free credit reports at AnnualCreditReport.com. Requesting your reports through this service will not impact your score.

Once you receive your reports, review them for suspicious activity, such as account inquiries, new accounts, or debts you don’t recognize. You’ll also want to verify your personal information.

If any information is incorrect, notify the credit bureaus to have it corrected or deleted. 

You can also use CreditWise from Capital One to monitor your credit. It’s free for everyone, and it won’t hurt your credit score

Review all bills and account statements for unusual activity

If you suspect that you may have been the victim of a phishing scam or that fraudsters may have obtained your personal information, you should also review all your account statements thoroughly and promptly.

Even if you don’t suspect fraud, it’s a good practice to make sure you recognize all charges, checks, and withdrawals. Identity thieves often start with small transactions, with the hope of going undetected. 

If you believe you may be a victim of identity fraud, contact your bank and credit card companies. And the FBI says to report complaints to its Internet Crime Complaint Center. The FTC also has a site to report phishing attacks.

Capital One and phishing

Identity theft affects millions of individuals each year. And government agencies, including the Department of Homeland Security, are warning that cybercriminals are using the spread of the coronavirus as an opportunity to target consumers. 

If you believe a phone call could be phishing, hang up. If you think you’ve received a fraudulent email or text message that claims to be from Capital One, follow these tips:

  • Don’t reply to the email.
  • Don’t click on any of the links embedded in the email.
  • Forward the email or screenshot of the text message to abuse@capitalone.com.
  • After forwarding the email to Capital One for investigation, delete it.
  • Be sure to monitor your account and call Capital One if you notice any unusual activity.

If you suspect you've been a victim of a scam, report the scam to the BBB Scam Tracker and the government via the FTC ReportFraud site. You may also want to report scammers directly to the FBI.

And if you’re concerned about your account, contact Capital One directly. You can also learn about other common scams and ways you can protect yourself on Capital One Learn & Grow.

Related Content

Article | February 28, 2019 |7 min read
A person talks to their bank after suspecting identity theft.
Article | July 11, 2023 |5 min read
A person uses their laptop to go online and freeze their credit at all three major credit bureaus.
Article | February 20, 2024 |6 min read