Parsons Federal Credit Union (Parsons FCU)


3 Common Types of Phishing Scams and How to Identify Them


Monday, May 03, 2021

Whether conducted over email, social media, SMS, or another vector, all phishing attacks follow the same basic principles. The attacker sends a targeted pitch aimed at persuading the victim to click a link, download an attachment, send requested information, or even complete an actual payment.

As for what phishing can do, that’s left up to the imagination and skill of the phisher. The ubiquity of social media means that phishers have access to more personal info on their targets than ever before. Armed with all this data, phishers can precisely tailor their attacks to the needs, wants, and life circumstances of their targets, resulting in a much more attractive proposition. Social media, in these cases, fuels more powerful social engineering.

Most phishing can lead to identity or financial theft, and it’s also an effective technique for corporate espionage or data theft. Some hackers will go so far as to create fake social media profiles and invest time into building a rapport with potential victims, only springing the trap after establishing trust.

What’s the cost of phishing? Not just financial damages, but in these cases, a loss of trust. It hurts to get scammed by someone you thought you could count on, and recovery can take a long time.

Scammers use three main social engineering techniques to try to trick people into disclosing personal information. Protect yourself by learning how to spot them:

Phishing: An email message that asks you to click on a link, download a file or reply with confidential information.

Red flags to look for:

  • Spelling and grammatical errors
  • Apparent typos in the sender’s address, such as accounts@bankoofamerica.com
  • An unusual URL or a link that points to a different site than the one mentioned in the message
  • A request not to call the sender

Smart tip

Don’t click the link or give out your information if anything looks suspicious. To verify a message, visit your bank or company’s website by entering their address directly into your browser or by using a bookmark you made for yourself. Turn on your email spam filter to prevent some suspicious emails from getting to you. If you believe an email is a phishing attempt, use your email service’s junk, report or block feature.

Vishing: A phone call or voice message from a person requesting confidential information.

Red flags to look for:

  1. An unfamiliar or unknown caller ID
  2. A caller who claims to be a company employee or government official, saying there’s a problem with your account, Social Security number or taxes
  3. A person (such as an unidentified “nephew”) in an emergency situation who needs money immediately
  4. A caller who doesn’t answer questions or provide details about the situation

Smart tip

Ask for their organization, full name, position and callback number. Then contact the organization yourself directly, using information provided on its own website to determine whether the call was legitimate.

Smishing: A text message asking you to click on a link or reply with confidential information.

Red flags to look for:

  • Sent from an unfamiliar number
  • Spelling and grammatical errors
  • A link promising a video, shopping deal or website

Smart tip

Be wary of text messages from unknown senders. No legitimate organization will ask you to reply with personal information via text message.

If you suspect that you have fallen victim to a phishing scam, you can do the following to minimize damage to your accounts:

  • Change your passwords and PINs immediately. If you use the same password on multiple sites, one successful entry lets an attacker get into those other accounts more quickly. Change these passwords immediately following news of a data breach. Choose strong, complex passwords that are hard for cybercriminals to guess.
  • Protect your devices. Update your computer or smartphone software to the newest version and run a comprehensive virus scan. Use encryption, ensure you have a firewall enabled and use secure, password-protected Wi-Fi or a VPN. Turn off your computer when you’re not using it, since it’s inaccessible to hackers when powered down.
  • Notify your bank, credit card companies and all credit agencies. Consider freezing or canceling credit cards if you believe your data was compromised. Check your credit reports regularly to identify any suspicious activity.
  • Report the scam to the Federal Trade Commission or the FBI’s IC3 unit.