Phishing Defense Checklist — Cyber Secure Your Digital Life

🎯 Phishing is the #1 attack vector. Master all four types: phishing, smishing, vishing, and quishing.

🎯 Phishing (Email)

Email-based attacks that impersonate trusted organizations to steal credentials or click malicious links.

Never click links in emails from banks, payment services, or tax agenciesGo directly to their website by typing the URL in your browser, or call their phone number. Criminals spoof email headers perfectly. Hover over sender email addresses to see the real addressPhishing emails use "Display Names" that look legitimate but hide the real sender. Right-click and inspect the actual email address. Look for urgency and threats in the email language"Your account will be closed!" "Verify immediately!" "Suspicious activity detected!" These are red flags. Real banks contact you by phone first. Report phishing emails to the organization and your email providerForward phishing emails to the real organization's abuse address (e.g., abuse@bank.com). Also mark as spam/phishing in your email client.

📱 Smishing (SMS)

Phishing via text message. Criminals send fake SMS texts to steal credentials or enable SIM swaps.

Never click links in unsolicited text messagesIf you didn't request a password reset or verification, don't click. Go directly to the app or website instead. Be suspicious of unexpected SMS with short URLs (bit.ly, tinyurl)These hide the real destination. Banks and services use full URLs or no URL at all. Short URLs = phishing. Don't reply to SMS with passwords or verification codesNo legitimate service asks you to reply with a code via SMS. These are always phishing attempts. Report smishing texts to your mobile carrierForward smishing texts to 7726 (SPAM). Most carriers will filter the number and investigate.

📞 Vishing (Voice)

Phone-based phishing. Criminals impersonate tech support, banks, or government agencies to extract information.

Never give passwords, PINs, or SSNs over the phoneNo legitimate service ever asks for these. If someone calls claiming to be your bank, hang up and call the bank directly using the number on your card. Use the family passphrase system when someone callsEstablish a code word that only your family knows. When someone calls claiming to be a family member, ask them the code word before doing anything. Verify caller identity by calling back on a known numberIf someone claims to be from your bank, hang up and call the main customer service number on your card or statement. Don't use numbers they provide. Be suspicious of callers creating urgency or threats"Your Social Security number has been compromised!" "Your account is frozen!" "The IRS is suing you!" Real agencies give you time to respond. Report vishing calls to the FTC at reportfraud.ftc.govAlso report to your state's attorney general. The more reports, the faster they track down criminal call centers.

🕺 Quishing (QR Code)

Phishing via fraudulent QR codes. Criminals place fake QR codes on ads, parking meters, or even replace legitimate ones with their own.

Never scan QR codes from unsolicited emails or textsQR codes in unexpected messages are almost always phishing. If it seems legitimate, go to the website directly instead. Check where QR codes take you before clicking linksMost phones let you preview the URL before opening it. Look at where the QR code takes you. If it's suspicious, don't open it. Be suspicious of QR codes on public surfacesCriminals replace legitimate QR codes on parking meters, ads, and signs with their own. If a QR code looks different or damaged, skip it. Verify payment apps before scanning payment QR codesAlways confirm which app will be used before scanning a QR code for payment. Don't let the app choice surprise you.

This checklist is from Cyber Secure Your Digital Life by Corey White.

Take the Security Scorecard → Back to Master Checklist →