‘Phishing’ attacks use carefully crafted emails, text messages and fake websites to ‘phish’ for your personal information. If someone calls you and tries to fool you by pretending to be a business, that’s a similar scam called ‘vishing,’ or voice phishing.

They work! In a recent AT&T consumer survey, more than 37 percent of people admitted to sending personal information in an email. That number is even higher – 56 percent – for millennials. Our survey also found one out of four people incorrectly believes their web browser will keep them from going to unsafe web sites.

Those are the kinds of numbers that keep bad guys in business.

Phishing and vishing attacks can also be more subtle than a straightforward request for information. An example could involve an email or text message that appears to come from your bank. The fake message asks you to click a link to confirm account information. However, when you click, that link secretly installs a program that tracks everything you type – like passwords.

Or it could be a message saying there’s a “problem with your account.” It asks you to confirm your payment source or account status by calling and entering information. If you call that number and enter information, you are giving it right to the bad guy.

The best defense for these types of attacks may not involve state-of the-art-software. You may be the best defense with a simple combination of knowledge, vigilance and a little skepticism. Remember – most companies, including us, will not send you an unsolicited email or text asking you for personal or account information.

Here are some things that should raise a red flag:

Incorrect URL (the website address) – Double-check the address for every link to make sure the email and the website domain matches. That means the highlighted elements in the following email and website examples should match:

  Email Website
Correct john.doe@X.com www.X.com
Correct (name)@THECOMPANY.com www.THECOMPANY.com
Wrong (name)@samplemail.com www.mailsample.com
Wrong customerservice@internetmail.com www.companyname.com

On a computer, you can check this by hovering over the link with your mouse to verify that the link directs to the same site the email came from.

Spelling errors – Hackers might not have a budget for proofreaders. Most companies do.

Low Resolution Images – Scammers usually create fake sites quickly with stolen images. If the logo or text is not crisp and clean, this is an important clue that the site could be phony.

Numerous Recipients – If the email went to other people on the “to” line, watch out. Most companies, including AT&T, send your emails to you and nobody else. And if you cannot see who the email went to at all – or the “to” and “from” are the same – that is also a warning flag.

These things don’t automatically mean the message is a ‘phishing’ attempt, and not all phishing attempts will have these signs. That’s why it’s important to keep your eyes open and be careful any time you get an email, text or phone call asking for information, or instructing you to click or go to another web site.