
How to Protect Yourself from Phishing

A calm, practical guide to spotting and stopping phishing — the small habits that protect 99% of people from email, SMS, and mobile-money scams.

Happyness Mallya · 10 min read
[Image: a padlock on a laptop. Photo by FlyD on Unsplash]

A friend of mine got a text on a Tuesday afternoon. It said her M-Pesa account had been flagged for suspicious activity, and to call a number to "secure" it. She called. A calm, professional voice walked her through "verifying" her details. Twenty minutes later, her account was empty.

She is not foolish. She runs a small business and manages money every day. She got caught because the attacker did everything right: he sounded official, he created urgency, and he caught her between meetings when she wasn't thinking carefully.

That is phishing. And almost everyone who tells me "that would never happen to me" is exactly the person it happens to.

What phishing actually is

Phishing is when someone pretends to be a person or organization you trust, to trick you into handing over something valuable — a password, a PIN, a verification code, or money.

That's the whole thing. There's no hacking in the Hollywood sense. No green code scrolling down a screen. The attacker doesn't break your lock. They convince you to open the door yourself.

This is why phishing is the single most successful attack on the internet. It doesn't target your software. It targets you — your attention, your trust, your fear of getting in trouble. And those don't get patched by an update.

Why it works (and it works on everyone)

People assume the people who fall for scams are careless or gullible. They aren't. The scam is engineered to bypass careful thinking. Two levers do most of the work.

Urgency. "Your account will be closed in 24 hours." "Suspicious login detected — act now." "Your parcel is held at customs, pay the fee today." Urgency is the whole game. When you feel rushed, the slow, skeptical part of your brain goes quiet and the fast, obedient part takes over. Every real organization knows this — which is why real organizations almost never rush you.

Authority. A message from "your bank," "the tax office," "your boss," "Microsoft." We are trained from childhood to comply with authority quickly. Attackers borrow that authority by copying logos, spoofing sender names, and using the exact phrasing a real institution would use.

Put urgency and authority together — "This is the bank, your account is compromised, verify immediately" — and you have a tool that works on professors, accountants, and yes, people who write about cybersecurity for a living.

The main flavors you'll actually meet

Phishing wears different clothes depending on the channel. The trick is the same; the surface changes.

Email phishing. The classic. A message that looks like it's from a service you use, with a link to a fake login page or an attachment carrying malware. Watch the sender address, not the display name — anyone can set the display name to "PayPal Support."

SMS phishing (smishing). A text message, usually short and urgent. "DHL: your package is held, confirm details here." Or, in our part of the world, the fake mobile-money message. SMS is dangerous because the links are shortened, the screen is small, and people read texts in seconds while doing something else.

Voice phishing (vishing). A phone call. This is what got my friend. The caller poses as your bank, your network provider, or a government office. Voice is powerful because it's live — you can't pause to think the way you can with an email, and a confident human voice is hard to doubt in the moment.

Fake login pages. You click a link and land on a page that looks exactly like Gmail, your bank, or Instagram. You type your password. It goes straight to the attacker. The page may even forward you to the real site afterward, so you never notice.

Mobile-money scams. Here in Tanzania and across East Africa, this is the everyday version. "You've received Tsh 50,000 by mistake, please send it back." "I'm the agent, confirm your PIN to complete the transaction." A real M-Pesa or Tigo Pesa agent will never ask for your PIN. Ever. Your PIN is yours alone — no staff member, no customer-care line, no SMS prompt has any business asking for it.

The red flags, plainly

You don't need to memorize attack types. You need a short list of things that should make you stop. If a message has even one of these, slow down.

  • It rushes you. Deadlines, countdowns, "act now," "final warning." Real institutions move slowly and give you time.
  • The sender doesn't match. support@paypa1.com (with a "1") is not PayPal. service@amaz0n-security.net is not Amazon. Look closely at the actual address and domain.
  • It asks for something it shouldn't. Your full password, your PIN, your one-time verification code, your card's CVV. No legitimate organization asks for these.
  • The link doesn't go where it claims. The text says one thing; the actual address is something else entirely.
  • It's generic. "Dear Customer" instead of your name, from a service that knows your name.
  • It's too good or too scary. You won a prize you didn't enter. You owe money you don't recognize. Both are bait.
  • Something just feels off. Odd grammar, slightly wrong logo, a tone your bank wouldn't use. Trust that instinct. It's pattern-matching faster than you can explain.

The habits that protect 99% of people

You can't out-clever every scam. But you can build a handful of habits so the scams that slip past your attention still fail to hurt you.

1. Use a password manager. A password manager generates a unique, random password for every site and fills it in for you. Here's the underrated security benefit: it only fills your password into the real website. If you land on a fake login page, the manager stays silent — because the address doesn't match. That silence is a warning. I use Bitwarden; 1Password is excellent too. The one you actually use beats the one you don't.

2. Turn on two-factor authentication — and prefer passkeys. Even if an attacker steals your password, 2FA means they still can't get in without a second factor. Use an authenticator app rather than SMS codes where you can; SMS can be intercepted. Better still, use passkeys where they're offered. A passkey is tied to your device and the real website, so it simply cannot be phished — there's no code to read out, nothing to type into a fake page.

3. Verify out-of-band. This is the single most powerful habit. If a message claims to be from your bank, don't reply, don't call the number in the message, don't click the link. Go to the source through a channel you already trust — type the bank's website yourself, or call the number printed on the back of your card. The scam depends on you staying inside the channel they control. Step outside it and the whole thing collapses.

4. Hover before you click. On a computer, hover your mouse over a link and look at where it actually points, shown at the bottom of the screen. On a phone, press and hold the link to preview the real address. If the displayed link and the real destination disagree, that disagreement is the scam.

5. Never share PINs or one-time codes. Treat your PIN and any verification code like the key to your house. No agent, no support line, no "verification" process needs it. The moment someone asks, the conversation is over.
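To make the "sender doesn't match" and "link doesn't go where it claims" red flags concrete, and the hover check in habit 4, here is a small Python checker added for this article (it is not the author's code or any product's): it takes a constructed sample message, compares the visible link text with the real destination, and flags domains that only become a trusted name once digits are swapped back to letters. The trusted-domain list is a hypothetical allow-list you would fill with the organisations you actually deal with.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): lookalike sender, plus a link whose text shows the real PayPal address while the href points elsewhere
SAMPLE_SENDER = "PayPal Support <support@paypa1.com>"
SAMPLE_HTML = """<p>Dear Customer, your account will be closed in 24 hours.</p>
<a href="https://paypa1.com/login">https://www.paypal.com/login</a>
<a href="https://www.paypal.com/help">Help centre</a>"""

# Hypothetical allow-list of organisations the reader actually deals with, and the
# digit-for-letter swaps (paypa1, amaz0n) the article warns about.
TRUSTED_DOMAINS = {"paypal.com", "amazon.com"}
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def registrable_domain(host):
    # Last two labels only (www.paypal.com -> paypal.com); assumes no multi-part TLDs like co.tz
    return ".".join(host.lower().split(".")[-2:])

def is_lookalike(domain):
    # Untrusted as written, but turns into a trusted domain once digits become letters
    return domain not in TRUSTED_DOMAINS and domain.translate(LOOKALIKE_MAP) in TRUSTED_DOMAINS

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs: what the hover preview shows versus what the link text says
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def red_flags(sender, html):
    # Reasons to stop: lookalike sender, link text disagreeing with its destination, lookalike link target
    flags = []
    sender_domain = registrable_domain(sender.split("@")[-1].rstrip(">"))
    if is_lookalike(sender_domain):
        flags.append(f"sender domain {sender_domain} imitates a trusted domain")
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        real = registrable_domain(urlparse(href).hostname or "")
        shown = registrable_domain(urlparse(text).hostname or "") if text.startswith("http") else None
        if shown and shown != real:
            flags.append(f"link text shows {shown} but points to {real}")
        elif is_lookalike(real):
            flags.append(f"link points to lookalike domain {real}")
    return flags
```

Running `red_flags(SAMPLE_SENDER, SAMPLE_HTML)` on the sample returns two flags: the sender domain and the mismatched login link; the genuine help-centre link passes.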


How to verify a suspicious message

A simple, repeatable process to check whether a message is a phishing attempt before you act on it.

Estimated time: 3 minutes

You'll need

  • A phone or computer
  • The official contact details for the organization

Steps

  1. Stop and breathe. Notice the urgency. If a message is rushing you, that's a reason to slow down, not speed up. Nothing legitimate gets worse because you took three minutes.
  2. Check the sender. Look at the actual email address or phone number, not just the display name. Watch for misspelled domains, swapped letters and numbers, and odd extensions.
  3. Inspect the link without clicking. Hover over the link on a computer, or press and hold on a phone, to preview the real destination. If it doesn't match the organization, don't click.
  4. Verify through a trusted channel. Open the organization's official app or website yourself, or call the number on your bank card. Never use contact details supplied by the suspicious message.
  5. Never give a PIN or one-time code. If the message or caller asks for your PIN, password, or verification code, stop. No legitimate organization needs these.
  6. Report and delete. Report the message to the real organization or your provider, then delete it. Reporting helps protect others, including people less prepared than you.

If you think you've already been caught

It happens. What matters is what you do in the next ten minutes.

Change the password on the affected account immediately — and change it anywhere you reused that same password. Turn on two-factor authentication if it wasn't already. If money or mobile-money was involved, call your bank or provider through their official line right away; speed matters for freezing transactions. And tell someone. The shame people feel keeps them quiet, and quiet is exactly what the attacker is counting on.

Frequently asked questions

Will my bank ever ask for my PIN or password?
No. Real banks and mobile-money providers never ask for your full PIN, password, or one-time code — not by phone, SMS, email, or in person. Any request for these is a scam, full stop.
Is it safe to click a link if the message looks official?
Looking official means nothing — logos and sender names are trivial to fake. Don't judge by appearance. Instead, verify through a channel you already trust: type the website yourself or call the number on your card.
What's the difference between phishing, smishing, and vishing?
They're the same trick on different channels. Phishing is usually email, smishing is SMS text messages, and vishing is voice phone calls. The defense is identical: slow down, verify out-of-band, and never share secrets.
Are passkeys really safer than passwords?
Yes, meaningfully. A passkey is tied to your device and the real website, so there's no code or password to type into a fake login page. That makes passkeys effectively impossible to phish. Use them wherever they're offered.
I shared my details with a scammer. What do I do now?
Act fast. Change the password on that account and anywhere you reused it, enable two-factor authentication, and if money was involved call your bank or provider's official line immediately to freeze activity. Then report it. Speed limits the damage.

The quiet conclusion

Phishing isn't a technology problem you can buy your way out of. It's a habits problem. The people who stay safe aren't smarter or more paranoid — they've just made a few moves automatic. They pause when rushed. They verify through their own channels. They never read a PIN out loud.

Build those habits while it's calm, and they'll hold on the bad Tuesday afternoon when a confident voice tells you your account is in danger.

