How to Recognize a Phishing Site and What to Do If You Gave Away Your Credentials

Thousands of online accounts get compromised every day, and hackers use multiple methods to hack accounts and steal information. One of the most notorious methods of stealing information is a phishing attack. Hackers can create a copy of a legit website’s login page and trick you into logging into the website using this page. Once you enter the information, it will be sent to the hacker instead of the original website.

The matter gets worse when you find out how easy it is to create a phishing site and execute the attack. It is just a matter of copying some website code and merging it with malicious code. Anyone with basic technical knowledge can successfully execute a phishing attack. In this article we will show you how to recognize and protect yourself against a phishing attack.

There are two stages in the process of recognizing a phishing attack. Clues can appear in the message that delivers the link (an email or any other text channel), and again on the phishing website itself. Below you will see some handy ways to identify a phishing attack.

Phishing site links are mostly offered in emails, so we are going to provide instructions for identifying a phishing link in an email. However, many of these instructions also work fine for most text communication methods. Below are some clues you should look for:

1. Sender’s Email ID

First check the sender’s email address, as it will not be the same as the company’s official one; it will be a look-alike of the real address. Make sure all the spellings are correct and match the company’s actual support address.

2. Misspelling and Grammar Mistakes

Most scam and phishing emails have misspelled words that sneak through the filters set up by email services. Misspelled words are mostly added in the subject of the email, but you may find them in the email body as well. Furthermore, some of these words are hard to detect – like “Customer” written as “Costomer” – so check thoroughly. Additionally, you may also find many grammar mistakes, as the email may be written by someone who doesn’t speak English natively. A legit company will revise the email multiple times as their name is at stake.

3. Scammy and Forcing Language

The message will mostly contain attractive offers and buttons to act urgently. For example, “PayPal $100 giveaway will expire in three hours; sign in now using the below link and get it before it expires!” There will also be more focus on logging in using the link given in the email to prevent you from logging in using the actual website address.

4. Shady Attachments

The last thing you want to do with a suspicious email is click on the attachment that came with it. A legit company will never send you attachments unless specified. Any malware inside an opened attachment could easily steal your information if you are not careful.

5. The Email Is in Your Spam Folder

If you are suspicious about an email and are browsing it in your Spam folder, then why are you even bothering? The filter is there for a reason; just press the Back button and carry on with your work.

6. Phishing Ads

Phishing links may also be provided in an advertisement that you see on websites (not sure how this is overlooked). A few years back I lost over $1000 when I accidentally clicked on an ad in Google Search instead of the home page of an online payments company. So be careful while clicking on such ads, and follow the instructions below to identify a phishing website even if you access it.

Note: try to avoid clicking on a phishing link if possible, as it may also carry ransomware that could seize your system.

Okay, so you have decided to click on the link, and now you are on the website. Below are some ways to further confirm whether the website is legit or just a phishing attempt:

1. Check the URL

The website design will be almost the same as the original one, so there is no point in looking for a difference there. However, the attackers cannot copy the official URL of the website, so the difference must be there: the name of the website will be misspelled or otherwise altered. The “HTTPS” connection will also be missing. See if the “Lock icon” at the start of the address bar is “Green” or “Gray.” A secured website like your bank’s website, online payments website or a social media website will always have a secure connection (green lock).
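The two address checks described so far (the sender’s email address in point 1 of the email clues, and the login URL here) can be automated. The following Python is an added example, not code from the original article; it compares the domain in a link or sender address against a constructed list of trusted login domains (paypal.com and example-bank.com are placeholders) and flags missing HTTPS, brand names buried in a foreign domain, and one- or two-letter misspellings.

```python
from typing import List
from urllib.parse import urlsplit

# Constructed list of the real domains the user expects to log in to (example only).
TRUSTED_DOMAINS = {"paypal.com", "example-bank.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (naive; fine for .com-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot misspellings such as 'paypai' for 'paypal'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(host: str) -> List[str]:
    """Return warnings about a hostname; an empty list means it is a trusted login domain."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return []  # the registered domain itself matches, subdomains are fine
    warnings = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host:  # e.g. paypal.com.secure-login.example: brand is not the registered domain
            warnings.append(f"'{brand}' appears in '{host}' but the registered domain is '{reg}'")
        elif edit_distance(reg.split(".")[0], brand) <= 2:
            warnings.append(f"'{reg}' looks like a misspelling of '{trusted}'")
    return warnings or [f"'{reg}' is not a known login domain"]


def check_link(url: str) -> List[str]:
    """Check a login link: scheme must be HTTPS and the host must pass check_domain."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    warnings = [] if parts.scheme == "https" else ["no HTTPS"]
    return warnings + check_domain(parts.hostname or "")


def check_sender(address: str) -> List[str]:
    """Apply the same domain test to the part after '@' in a sender address."""
    return check_domain(address.rsplit("@", 1)[-1])
```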

2. Browser Alert

All popular browsers are good at detecting most phishing websites. If a browser gives a warning, listen to it and back out.

3. Avoid the Pop-Up

Some phishing links may direct you to the original website, but a fake pop-up may show up after a short delay asking for personal information. If this happens, just back out.

4. Give a Wrong Password

Phishing websites don’t have any means to identify if a password is correct or wrong. If you give a wrong password, most probably you will be able to log in (or at least be redirected to something). However, hackers already know this trick and sometimes may just say “Wrong password” so that you will make multiple attempts, and they will get all your known passwords.

So you fell for the trap and gave up your information. There is no point in tracking down the hacker using the IP address you got; it will be a waste of time (been there, done that). Instead you should focus on recovering your account and information you have given up. If it was an online payments account or your bank’s account, then immediately call them and tell them about the situation.

Most probably the hacker will get into your account and change the password, so immediately go to the original website and use the “Forgot Password” button to reset the password using your email. Popular services like Google or Facebook also offer additional measures to fight such a situation. Do an online search to see if you can get further help securing your account. Once inside, go through all the settings and privacy options to see what the hacker has changed. If the account had money in it, then see if the transaction can be rolled back by any means (contact support); otherwise, it’s gone. One of the best protections against phishing attacks and other scams and hacks is two-factor authentication. Make sure you enable it if it is provided by the website you are using.

It should be kept in mind that phishing attacks are not only limited to stealing your information. These links may show you ads or download malware to your PC to damage it or extract information. Along with the above tips, use a good antivirus program to protect yourself.

Phishing websites can be a little hard to detect, especially if a professional hacker has set one up. The rule of thumb is to avoid all links requiring information of any kind, and always log in to a website by manually entering the website address in the address bar. Do you know any other ways to identify a phishing website? Share with us in the comments.
