How to Recognize and Resist Phishing Scams
You’ve probably heard the term “phishing” before. It’s that sneaky feeling when an email from your “bank” asks you to click a link to verify your account, or when a text message about a missed package delivery seems just a bit off. At its core, phishing is a type of online scam where criminals pretend to be a trusted person or organization to trick you into giving up sensitive information—like passwords, credit card numbers, or Social Security details—or into installing malicious software on your device.
While the concept isn’t new, the tactics are constantly evolving, making it a persistent and growing threat for anyone who uses email, text messages, or social media.
What’s Happening: Phishing Is Getting More Personal and Persistent
Recent reports highlight how these scams are adapting and targeting people in very specific situations. For instance, in April 2026, the City of Burlington, Vermont, issued a public alert warning residents about a phishing scam targeting people applying for permits. Scammers were sending deceptive emails or messages, likely posing as city officials, to steal personal data or money from applicants.
This is a classic example of a more targeted approach called “spear-phishing,” where the attack is tailored to a specific individual or group. It’s not just broad, generic spam anymore.
Similarly, other reports show scams are exploiting popular platforms. ABC7 New York recently covered a phishing scam circulating on WhatsApp, where fraudsters use the messaging app to lure victims. Businesses are also in the crosshairs, with local news outlets like KTXS reporting on fraudulent emails specifically designed to compromise company accounts and finances.
These incidents aren’t isolated. They’re part of a broader trend where cybercriminals leverage current events, local issues, and trusted communication channels to make their traps more convincing.
Why This Matters to You
The consequences of falling for a phishing attempt can be severe. It can lead to direct financial theft, identity theft, or a compromised email account that’s then used to scam your friends and family. For a small business, a successful phishing attack can mean lost funds, a data breach involving customer information, or a crippling ransomware infection.
The reason phishing remains so effective is that it exploits human psychology—our tendency to trust, our fear of missing out, or our desire to resolve a problem quickly. The scams work because they look legitimate at a hurried glance.
What You Can Do: Spot, Stop, and Respond
Protecting yourself comes down to a mix of healthy skepticism, knowing the red flags, and having good digital habits.
How to Spot a Phishing Attempt:
- Scrutinize the Sender: Look closely at the email address or phone number. Is it from a legitimate domain (e.g., @yourbank.com), or a slight misspelling (e.g., @yourbànk.com or @yourbank-security.com)?
- Check for Urgency or Threats: Phishing messages often create a false sense of urgency (“Your account will be closed in 24 hours!”) or use scare tactics (“Unauthorized login detected!”) to pressure you into acting without thinking.
- Hover Before You Click: On a computer, hover your mouse cursor over any link without clicking. The true destination URL will appear, often revealing a suspicious or mismatched website address.
- Look for Poor Grammar and Spelling: While some scams are sophisticated, many still contain awkward phrasing, odd formatting, or spelling errors.
- Be Wary of Unexpected Attachments: Don’t open attachments you weren’t expecting, even from known contacts—their account might be compromised.
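The sender check from the first item above can be automated in a mail filter or a helpdesk triage script. The following Python sketch is an added example, not part of the original article; the TRUSTED list and the sample addresses are assumptions built from the article's placeholder domain.

```python
import unicodedata

# Assumption: the domains you actually do business with (placeholder from the article).
TRUSTED = {"yourbank.com"}

def skeleton(domain):
    """Fold case and strip accents so 'yourbànk.com' compares as 'yourbank.com'."""
    decomposed = unicodedata.normalize("NFKD", domain.casefold())
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(address):
    """Classify the domain part of a sender address against TRUSTED."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    try:
        # Punycode ("xn--...") hides non-ASCII letters; decode it before comparing.
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII characters
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED):
        return "trusted"
    folded = skeleton(domain)
    for t in TRUSTED:
        brand = t.split(".")[0]
        if folded == t:
            return "lookalike: accented or non-ASCII letters"
        if brand in folded:
            return "lookalike: trusted name inside a different domain"
        if edit_distance(folded, t) <= 2:
            return "lookalike: near-misspelling"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample addresses, based on the article's examples.
    for sender in ("alerts@yourbank.com", "alerts@yourbànk.com",
                   "alerts@yourbank-security.com", "alerts@yourbnak.com"):
        print(sender, "->", check_sender(sender))
```

A verdict of "unknown" only means the domain does not resemble a trusted one; it says nothing about whether the sender is safe.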
How to Prevent an Attack:
- Enable Multi-Factor Authentication (MFA): This adds a critical second step (like a code from an app) to logging in. Even if a phisher gets your password, they likely won’t have this second factor.
- Keep Software Updated: Regularly update your operating system, browser, and apps. These updates often include security patches for vulnerabilities that phishers might exploit.
- Use a Password Manager: A password manager can help you create and store strong, unique passwords for every account, so a breach on one site doesn’t compromise others.
- Verify Independently: If a message seems suspicious, contact the organization directly using a phone number or website you know is genuine—not the contact information provided in the suspicious message.
What to Do If You Think You’ve Been Phished:
- Don’t Panic. Disconnect from the internet if you’ve downloaded a suspicious file.
- Change Passwords Immediately. If you entered a password on a phishing site, change that password on the real site immediately. If you use that same password elsewhere, change it on those accounts too.
- Report It. Forward phishing emails to [email protected] (the Anti-Phishing Working Group) and to the organization being impersonated (e.g., [email protected]). In the U.S., you can also file a report with the FTC at ReportFraud.ftc.gov.
- Monitor Your Accounts. Keep a close eye on your bank and credit card statements for any unauthorized transactions. Consider placing a fraud alert on your credit reports.
Staying safe from phishing is an ongoing practice, not a one-time fix. It requires staying informed about current tactics, which is why organizations like UH Maui College host cybersecurity workshops focused on real-life phishing stories. By adopting a cautious mindset and these practical steps, you can significantly reduce your risk and navigate the digital world with more confidence.
Sources & Further Reading:
- City of Burlington, VT Alert on Permit Phishing Scams (April 2026)
- Verizon: “What Is Phishing, and How Do I Prevent Attacks?” (February 2026)
- ABC7 New York: WhatsApp Phishing Scam Report (April 2026)
- KTXS Report on Business Email Phishing Scams (April 2026)