Phishing - how not to get hooked by online scammers
In a world where almost everything we do is supported by the internet, we’ve also become a target of increasingly sophisticated attacks. One of the most common is phishing - a technique where criminals impersonate trusted people, institutions, or services to steal sensitive information or infect your device. In this article, we’ll explain how phishing works, cover its most popular variants, and share practical ways to stay safe.
How does phishing work?
A phishing attack usually starts with “bait”, such as:
- An email pretending to be a message from a bank, a service provider, or a delivery company.
- An SMS with an alarming note asking you to “verify” something or “extend” a service.
- A social media message with a link and a request for “urgent” action.
These messages are often characterized by:
- A cloned look and logo of the original website or app.
- A look‑alike domain (“pk0bp.pl” instead of “pkobp.pl”).
- A sense of urgency (“Your account is locked!”, “You have 10 minutes to confirm your details!”).
Clicking the link takes you to a fake page designed to steal credentials - or triggers malicious code via an attachment.
Common phishing variants
- E-mail phishing: standard fake emails.
- Spear phishing: targeted attacks aimed at specific people or teams.
- Smishing: phishing delivered via SMS.
- Vishing: phone‑based scams (often impersonating a bank employee).
- Pharming: redirecting you to a fake site (e.g., via hosts file tampering or DNS attacks).
Attachments and links - common traps
Phishing most often uses:
- PDF, DOCX, XLSX documents that may contain macros launching malicious scripts.
- .exe, .scr files that install malware or ransomware.
- ZIP/RAR archives hiding malicious payloads.
- HTML/JS files that open in a browser and redirect to credential‑stealing pages.
The role of social engineering
Phishing isn’t just technology - it’s also manipulation. Attackers exploit emotions to make you act out of fear or urgency:
- Fear: “Your account has been locked!”
- Urgency: “You have 15 minutes to respond!”
- Greed: “You’ve won a prize - claim it now!”
Phishing and AI
More and more often, criminals use AI to generate more convincing messages:
- They craft content based on your public profiles.
- They mimic the writing style of colleagues or friends.
How can you validate the sender? Ask a non‑obvious question that only the real person would know (e.g., “What was the name of our project team in 2019?”). A scammer’s answer is likely to be generic or incorrect.
Typosquatting examples
Scammers often use addresses that look very similar to the real ones:
| Real address | Fake address |
|---|---|
| allegro.pl | aIlegro.pl |
| mbank.pl | mbarnk.pl |
| netflix.com | netfIix.com |
| poczta.onet.pl | pocztaa.onet.pl |
| paypal.com | paypaI.com |
| apple.com | app1e.com |
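A small lookalike-domain check built around the table above, as an added example that is not part of the original article: it folds visually confusable characters (capital I, the digits 1 and 0, the "rn" pair, and a few Cyrillic letters, which go beyond the table's Latin-only examples) and then compares the result against a list of known domains, either exactly or within one edit. The domain list and the confusable map are assumptions for illustration, not a vetted allow-list.

```python
import unicodedata

# Known legitimate domains: the "Real address" column of the table above plus
# pkobp.pl from the text. A real deployment would load its own allow-list.
KNOWN_DOMAINS = {"allegro.pl", "mbank.pl", "netflix.com", "poczta.onet.pl",
                 "paypal.com", "apple.com", "pkobp.pl"}

# Visually confusable substitutions applied after lowercasing. Multi-character
# entries come first so "rn" folds to "m" before single characters are touched.
# The Cyrillic entries (а, е, о, р) extend the article's Latin-only examples.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"),
               ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p")]


def fold(domain: str) -> str:
    """Collapse homoglyph variants of a domain onto one canonical spelling."""
    s = unicodedata.normalize("NFKC", domain.strip().rstrip("."))
    s = s.replace("I", "l").lower()  # capital I mimics lowercase l; fold it first
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typos such as mbarnk.pl."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str):
    """Return (verdict, matched known domain or None) for a domain seen in a link."""
    raw = domain.strip().rstrip(".").lower()
    if raw in KNOWN_DOMAINS:
        return ("known", raw)
    folded = fold(domain)
    for known in sorted(KNOWN_DOMAINS):
        if folded == fold(known):
            return ("lookalike (homoglyph)", known)
    for known in sorted(KNOWN_DOMAINS):
        if levenshtein(folded, fold(known)) <= 1:
            return ("lookalike (typo)", known)
    return ("unknown", None)


if __name__ == "__main__":
    for d in ["aIlegro.pl", "mbarnk.pl", "netfIix.com", "pk0bp.pl", "netflix.com"]:
        print(d, "->", classify(d))
```

The check is only as good as its allow-list and confusable map; it is a triage aid for mail or proxy logs, not a substitute for verifying the sender.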
How to protect yourself
- Verify the sender: check the domain carefully - even a small typo is a red flag.
- Don’t click impulsively: hover over links to see where they really lead.
- Treat attachments with caution: avoid opening .exe, .scr, or ZIP files from unknown senders.
- Remember: a bank will never ask for your password. Legitimate institutions do not request full passwords or PIN codes via email or SMS.
- Enable 2FA (two‑factor authentication): even if someone gets your password, they can’t log in without the second factor.
What to do if you become a victim
- Change your passwords - especially for email and banking.
- Contact your bank - they can block suspicious transactions.
- Report the incident - to your national CERT or local authorities.
Summary
Online safety starts with awareness. Don’t get hooked - stay alert.