Stop the Click: Your Ultimate Guide to Avoiding Phishing Scams (Email, Text, and WhatsApp)

Phishing is the oldest trick in the cybercriminal book, yet it remains the most successful form of attack. Why? Because it preys on human nature—our curiosity, our fear, and our willingness to help.

Today, phishing isn’t just a dodgy email in your spam folder. It’s sophisticated, personalized, and lurking in your text messages (Smishing) and even in your WhatsApp chats (part of a wider social engineering scheme).

Here is your essential guide to becoming a human firewall and keeping your personal and financial data safe across all your communication channels.


📧 Email Phishing: The Classic Con

Email phishing is where criminals impersonate a trusted entity (your bank, Amazon, Netflix, or even your boss) to trick you into clicking a link or downloading an attachment.

Key Red Flags in Your Inbox:

  • Sense of Urgency or Threat: Look for phrases like “Account will be closed,” “Immediate action required,” or “Unauthorized login detected.” This is designed to make you panic and skip verification steps.

  • The Sender’s Email Address: ALWAYS check the full email address, not just the sender’s display name. Scammers often use domains that are slightly misspelled (e.g., amaz0n.com instead of amazon.com) or send from a free webmail address while claiming to be a major company (e.g., paypal-support@gmail.com).

  • Generic Greetings: A real company that manages your account will use your name. Phishing emails often use impersonal greetings like “Dear Customer,” “Account Holder,” or “Valued User.”

  • Suspicious Links: Never click a link blindly. On a computer, hover your mouse over the link to see the destination URL displayed in the bottom corner of your browser. If the address doesn’t match the company’s official website, delete the email.

  • Unexpected Attachments: Never open unexpected attachments, especially those with odd extensions like .zip, .exe, or documents you didn’t request (e.g., “Invoice for Order #1234”).
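
The red flags listed above can also be checked mechanically, for example in a mail filter or a reporting tool. The Python below is an added illustration, not part of the original guide; the brand list, free-webmail list, flag names and the sample message are constructed assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lists for illustration; supply your own in practice.
BRANDS = {"amazon": "amazon.com", "paypal": "paypal.com"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
URGENT = ("account will be closed", "immediate action required", "unauthorized login detected")
GENERIC = ("dear customer", "account holder", "valued user")
DIGIT_SWAPS = str.maketrans("013", "ole")  # amaz0n -> amazon
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S)

def owned_by(host, real):
    return host == real or host.endswith("." + real)

def red_flags(msg):  # returns the set of red flags found in an EmailMessage
    flags = set()
    local, _, domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")
    for brand, real in BRANDS.items():
        if owned_by(domain, real):
            continue
        if brand in domain.translate(DIGIT_SWAPS):
            flags.add("lookalike sender domain")
        if domain in FREEMAIL and brand in local:
            flags.add("brand name on free webmail")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith((".zip", ".exe")):
            flags.add("risky attachment")
        if name or part.get_content_maintype() != "text":
            continue
        text = part.get_content().lower()
        if any(p in text for p in URGENT):
            flags.add("urgency or threat")
        if any(g in text for g in GENERIC):
            flags.add("generic greeting")
        for href, shown in LINK.findall(text):
            host = urlparse(href).hostname or ""
            if any(r in shown and not owned_by(host, r) for r in BRANDS.values()):
                flags.add("link text does not match destination")
    return flags

def sample():
    m = EmailMessage()  # constructed message, not a real sample
    m["From"] = "Amazon Support <billing@amaz0n.com>"
    m.set_content("Dear Customer, your account will be closed.")
    m.add_alternative('<a href="http://login.example.net/a">www.amazon.com/verify</a>', subtype="html")
    m.add_attachment(b"PK", maintype="application", subtype="zip", filename="Invoice.zip")
    return m
```

Calling `red_flags(sample())` returns five of the flags; a message with none of them returns an empty set, which only means these particular checks found nothing.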


📱 Smishing (Text) and WhatsApp Scams

Scammers are moving to platforms like SMS and WhatsApp because people are often less suspicious of text messages and check them with less scrutiny than email.

The Tactics You’ll See:

  1. Fake Delivery Notifications (Smishing): You get a text saying your package delivery has failed and you need to click a link to reschedule or pay a small fee. Tip: Real couriers rarely ask you to pay or input credentials via an unsolicited text. Always track your order directly on the official website.

  2. Impersonation Scams (“Hi Mom”): A message from an unknown number claims to be a family member (often a parent or child) who has a “new number” or whose phone is “lost/broken.” They then press you to send money or pay an urgent bill. Tip: Stop and verify. Call the person’s old number or ask a personal question only they would know.

  3. The Six-Digit Code Scam (WhatsApp): You receive an unsolicited text with a WhatsApp verification code, immediately followed by a message from a stranger asking you to forward the code to them, claiming it was sent by mistake. Tip: This is how they hijack your account! NEVER share a security code with anyone. Delete the message and block the number.

  4. Job Offers and Prizes: Messages offering incredibly high-paying, remote jobs or notifying you that you’ve won a lottery or contest you never entered. Tip: If it sounds too good to be true, it is. Legitimate companies don’t recruit via unsolicited WhatsApp texts.


✅ Your 5 Ironclad Rules to Phishing Prevention

To stay safe, follow these steps before you ever click, share, or reply:

1. Pause, Question, Verify (The Golden Rule)

Before taking any action, stop and ask yourself:

  • Was I expecting this? (A delivery, a bill, a message from this person?)

  • Is this request normal? (Would my bank ever ask me for my password in an email?)

  • Does it create panic? (If the message demands “ACT NOW or lose your account,” it’s highly suspect.)

2. Never Use the Link Provided

If you receive an urgent message from a company you use (like your bank or utility provider), do not click the link. Instead:

  • Open a new browser window.

  • Type the company’s official website address yourself (or use a saved bookmark).

  • Log in as you normally would to check for any alerts or messages in your official account dashboard.

3. Enable Multi-Factor Authentication (MFA)

This is your single best defense. Enabling MFA means that even if a criminal steals your username and password, they still need a second factor (a code from your phone or a security key) to log in. Use it on every account that offers it (email, bank, social media).

4. Check the Spelling and Grammar

While sophisticated scams are improving, many phishing attempts still contain obvious spelling, punctuation, or grammatical errors that a major company would never overlook.

5. Don’t Send Money or Information Based on a Message

If someone you know sends an urgent request for money via text or chat, call them on a number you know is real to verify their identity. Criminals can easily spoof caller IDs and profile pictures. Never transfer funds or purchase gift cards based solely on a message.