12 Tips for Protecting Yourself Against Phishing Attacks

January 26, 2024
Estimated Reading Time: 6 Minutes

Is your spam folder overflowing? If so, you're not alone. An estimated 3.4 billion spam emails are sent per day, almost all of which are some sort of phishing attack.

Phishing, or a phishing attack, is the most common form of cybercrime, with an attack occurring every 11 seconds. It involves sending deceptive emails or messages that appear to be from a legitimate source, such as a bank or a trusted organization. The goal is to trick recipients into revealing sensitive information like passwords, credit card numbers, or personal information.

Although most people think they can spot a phishing attempt and claim to know not to click on links from unknown senders, these attacks have become more sophisticated over the past few years and now come in a variety of forms. In this article, we outline some common phishing techniques and share 12 tips on how to protect yourself against phishing attacks.

Common Phishing Techniques

Phishing attackers employ a variety of techniques to trick individuals into divulging sensitive information or taking actions that can compromise their security. Here are some common phishing techniques used by cybercriminals.

Email Phishing

Email phishing is one of the most common and widely recognized forms of phishing. In email phishing, phishers send deceptive emails that appear to come from a legitimate source, such as a bank, government agency, or well-known company. These emails often contain links to fake websites that mimic the real ones, and they typically ask recipients to provide sensitive information like login credentials, credit card numbers, or personal details.

Spear Phishing

This type of phishing is highly targeted. Attackers research their victims, often using publicly available information, and create customized emails that appear more convincing. They may reference specific details about the recipient's life or job to increase the likelihood of success.

Vishing (Voice Phishing)

Instead of email, vishing involves phone calls or voicemail messages that impersonate legitimate entities. Attackers might pose as bank representatives, tech support personnel, or government officials, and they'll ask for sensitive information or instruct victims to call back to a fake phone number.

Smishing (SMS Phishing)

Smishing involves sending phishing messages via text (SMS) to mobile devices. These messages may contain links to fraudulent websites or instruct recipients to call a phone number, similar to vishing.


In a pharming attack, cybercriminals compromise DNS (Domain Name System) servers or manipulate routing to redirect users to fake websites without their knowledge. Victims enter their login credentials or personal information, thinking they are on a legitimate site.

Clone Phishing

Attackers take a legitimate email and create a nearly identical clone with malicious links or attachments. The cloned email is sent from a seemingly trusted source, such as a colleague or friend, to trick the recipient into clicking on the malicious content.

Man-in-the-Middle (MitM) Attacks

In MitM attacks, the attacker intercepts communication between the victim and a legitimate website or service. This allows them to eavesdrop on sensitive information or alter the communication to their advantage.

CEO Fraud or Business Email Compromise (BEC)

In these types of attacks, cybercriminals target executives or employees in positions of authority, often impersonating a high-ranking executive. They may request financial transactions, sensitive data, or confidential information from employees.

Search Engine Phishing

Phishers manipulate search engine results to ensure that malicious websites appear at the top of search results for specific keywords. Unsuspecting users may click on these fake sites, thinking they are visiting a legitimate source.

Social Media Phishing

Cybercriminals create fake social media profiles and impersonate trusted individuals or organizations to initiate contact with potential victims. They may send private messages or post malicious links to gather information or distribute malware.

Watering Hole Attacks

Attackers compromise websites frequently visited by their target audience, such as employees of a particular company or members of a specific interest group. Visitors to the compromised site may unknowingly download malware or enter sensitive information.

Credential Stuffing

In these types of attacks, phishers use stolen username and password combinations obtained from previous data breaches to gain unauthorized access to other online accounts, as many individuals reuse passwords across multiple services.

12 Tips for Protecting Yourself Against Phishing Attacks

Protecting yourself from phishing attacks is crucial to avoid falling victim to scams that can compromise your personal information and financial security. Here are some tips to help you stay safe from phishing:

  • Be cautious of unsolicited emails. Don't trust emails from unknown senders, especially if they ask for sensitive information or contain suspicious links or attachments.
  • Verify the sender's email address. Check the sender's email address carefully to ensure it matches the official domain of the organization they claim to represent. Be wary of minor variations or misspellings.
  • Don't click on suspicious links. Hover your cursor over any links in emails to preview the URL before clicking. If the link looks suspicious or doesn't match the claimed destination, avoid clicking it.
  • Look for signs of urgency or pressure. Phishing emails often create a sense of urgency, using phrases like "urgent action required" or "your account will be suspended." Be skeptical of such messages and take your time to verify their legitimacy.
  • Don't trust unsolicited attachments. Avoid opening email attachments from unknown or unexpected sources. Cybercriminals can use attachments to deliver malware.
  • Use multi-factor authentication (MFA). Enable MFA whenever possible for your online accounts. MFA adds an extra layer of security by requiring you to provide more than one form of authentication, such as a password and a one-time code from a mobile app.
  • Verify requests for personal information. Legitimate organizations will not ask you to provide sensitive information like passwords or credit card numbers via email. If you receive such a request, contact the organization directly using trusted contact information to confirm its authenticity.
  • Keep your software and antivirus up to date. Regularly update your operating system, web browsers, and antivirus software to protect against known vulnerabilities that cybercriminals may exploit.
  • Be cautious with pop-up windows. If a website displays pop-up windows asking for personal information, close them and avoid entering any data. Legitimate websites typically won't request sensitive information through pop-ups.
  • Educate yourself and others. Stay up to date on common phishing techniques and educate your friends and family on how to recognize phishing attacks. Awareness is a powerful defense.
  • Report phishing attempts. If you receive a phishing email, report it to your email provider and to the organization(s) the attacker claims to represent. Reporting helps authorities and organizations take action against cybercriminals.

Stay vigilant against phishing attacks.

Phishing is just one of the many forms of cybercrime that exist. As technology evolves, cybercriminals continue to develop new methods and tactics. By staying vigilant and following these tips, you can significantly reduce your risk of falling victim to phishing attacks and protect your personal information and online security.

Important Disclosure Information

Past performance may not be indicative of future results. Different types of investments involve varying degrees of risk, and there can be no assurance that the future performance of any specific investment, investment strategy, or product (including the investments and/or investment strategies recommended or undertaken by Chicago Partners Investment Group LLC (“CP”), or any non-investment related content, made reference to directly or indirectly in this commentary will be profitable, equal any corresponding indicated historical performance level(s), be suitable for your portfolio or individual situation, or prove successful. Due to various factors, including changing market conditions and/or applicable laws, the content may no longer be reflective of current opinions or positions. Moreover, you should not assume that any discussion or information contained in this commentary serves as the receipt of, or as a substitute for, personalized investment advice from CP. Please remember to contact CP, in writing, if there are any changes in your personal/financial situation or investment objectives for the purpose of reviewing/evaluating/revising our previous recommendations and/or services, or if you would like to impose, add, or to modify any reasonable restrictions to our investment advisory services. CP is neither a law firm nor a certified public accounting firm and no portion of the commentary content should be construed as legal or accounting advice. A copy of the CP’s current written disclosure Brochure discussing our advisory services and fees continues to remain available upon request.