How to Spot a Phishing Attack
Phishing is the art of tricking you into handing over your credentials or personal information, usually by impersonating someone you trust. It is behind a huge share of account takeovers, precisely because it targets the human rather than the technology. The good news: once you know the tells, most phishing attempts become obvious. Here is how to spot them.
What phishing looks like
A phishing attack is typically a message — email, text, or DM — that appears to come from a legitimate source: your bank, Apple, a delivery company, your employer, or a service you use. It creates a reason to act and directs you to a fake login page or asks for sensitive details. When you enter your password on the fake page, the attacker captures it.
The warning signs
Learn to scan for these:
- Urgency and fear. "Your account will be suspended in 24 hours," "Unusual login detected, verify now." Pressure is designed to stop you thinking.
- Mismatched or odd sender addresses. The display name may say "Apple," but the actual email address is a jumble or a look-alike domain.
- Suspicious links. Hover over a link (without clicking) to preview the real destination. Watch for look-alike domains with extra words, hyphens, or odd endings.
- Requests for credentials or codes. Legitimate companies do not email asking you to confirm your password or read out a 2FA code.
- Generic greetings. "Dear Customer" instead of your name can be a sign, though sophisticated attacks personalize.
- Spelling and formatting errors, though these are getting rarer as attacks improve.
- Unexpected attachments, which may carry malware.
Common phishing scenarios
- A "failed delivery" text with a link to "reschedule."
- An "account security alert" urging you to log in via a provided link.
- A fake invoice or receipt prompting you to dispute a charge.
- A message impersonating your boss asking for gift cards or a wire transfer.
How to protect yourself
- Never log in through links in messages. Go to the site directly by typing the address or using a bookmark.
- Check the URL carefully before entering anything. Look-alike domains are the core trick.
- Use a password manager. This is an underrated defense: a manager only autofills credentials on the genuine domain it has saved. If you are on a fake look-alike site, your manager will not offer to fill the password — a strong, automatic hint that something is wrong.
- Prefer phishing-resistant logins. Passkeys and hardware keys are bound to the real site and cannot be handed to a fake one. See passkeys explained.
- Slow down. Urgency is the attacker's main weapon. Pausing to verify defeats most attempts.
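To make two of the tells above concrete, the mismatched sender address and the reason a password manager will not fill on a look-alike site (the same point the FAQ below makes), here is a small Python model. It is an added example, not Passlock's code and not part of the original article. The brand table, the placeholder passlock.example domain, and every address and URL in it are constructed samples, and the registrable-domain helper is a simplification of what real clients do with the Public Suffix List.

```python
# Added example (not Passlock's code): two of the checks described above,
# written out so the logic is explicit. The brand/domain table and every
# address and URL below are constructed samples for illustration.
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Brands a display name might claim, and the registrable domains they really
# send from or host logins on. Constructed and deliberately small; a real
# client would maintain a much larger table.
KNOWN_BRANDS = {
    "apple": {"apple.com", "icloud.com"},
    "passlock": {"passlock.example"},  # placeholder, not the product's real domain
}


def registrable_domain(host):
    """Reduce a hostname to its last two labels, e.g. 'appleid.apple.com' -> 'apple.com'.

    Simplification for the example: real code consults the Public Suffix List
    so that hosts like 'bank.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_mismatch(from_header):
    """Return True when the display name claims a known brand but the actual
    address domain is not one of that brand's domains (the 'display name says
    Apple, address is a look-alike' tell)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return True  # no usable address at all: treat as suspicious
    sender_domain = registrable_domain(addr.rsplit("@", 1)[1])
    words = set(re.findall(r"[a-z]+", name.lower()))
    for brand, domains in KNOWN_BRANDS.items():
        if brand in words and sender_domain not in domains:
            return True
    return False


def manager_would_autofill(saved_url, page_url):
    """Model the password-manager rule: fill only over HTTPS and only when the
    page's registrable domain equals the one the entry was saved for.
    Look-alike hosts, extra labels and 'user@host' URLs all fail this test."""
    saved = urlsplit(saved_url)
    page = urlsplit(page_url)
    if page.scheme != "https" or not page.hostname or not saved.hostname:
        return False
    return registrable_domain(page.hostname) == registrable_domain(saved.hostname)


if __name__ == "__main__":
    for header in (
        '"Apple Support" <no-reply@apple-id-verify.example>',
        '"Apple" <noreply@email.apple.com>',
    ):
        print(f"{header!r:55} spoofed display name: {sender_mismatch(header)}")
    saved = "https://appleid.apple.com"
    for url in (
        "https://appleid.apple.com/sign-in",
        "https://apple.com.verify-login.example/sign-in",
        "https://app1e.com/sign-in",
        "https://apple.com@evil.example/sign-in",
        "http://appleid.apple.com/sign-in",
    ):
        print(f"{url:50} manager fills: {manager_would_autofill(saved, url)}")
```

The point of `manager_would_autofill` is that the decision is made on the parsed hostname, not on what the link text or the start of the URL looks like: a host with the brand name buried in an extra label, a one-character substitution, or a brand name placed before an `@` all resolve to a different registrable domain and get no fill, which is exactly the silent warning the article describes.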
Where Passlock helps
Because Passlock stores your passwords tied to their real sites and fills them deliberately, it adds the same protective friction: it will not autofill on a domain it does not recognize. And since your passwords stay offline in the macOS Keychain, there is no cloud account for an attacker to phish their way into. No tool replaces awareness, but a password manager quietly backstops you against the most common phishing trap.
If a message makes you feel rushed or scared, treat that feeling as a red flag itself. Verify independently, and you will sidestep the vast majority of phishing attacks.
Frequently asked questions
How can a password manager protect me from phishing?
A password manager only autofills credentials on the exact site it saved them for. On a fake look-alike page, it will not offer to fill your password, which is a strong signal that the site is not genuine.
What is the biggest red flag of a phishing message?
Manufactured urgency combined with a link to log in. Legitimate organizations rarely demand immediate action through a link, and they never ask for your password or 2FA code.
Keep reading
What Is Credential Stuffing (and How to Stop It)
It is the attack that punishes password reuse: leaked logins tried automatically across thousands of sites. Here is the defense.
How to Secure Your Apple ID
Your Apple ID is one of the most valuable accounts you own. Here is how to make it genuinely hard to compromise.
Passkeys Explained: The Passwordless Future, in Plain English
Passkeys let you sign in with your face or fingerprint and nothing to type. Here is how they work and why they are safer.