Our inboxes get spammed every day, and most of us discard those pesky emails without a second thought.

But what happens when you see a message from your bank asking for sensitive information? It might seem a little odd—they’re threatening to close your account unless you confirm your social security number or account number—but it’s from your bank, so it must be legitimate, right?

Emails from banks, credit card companies, the IRS, or prominent businesses like Target, eBay, or Amazon asking for sensitive information are usually phishing scams: a way to steal your identity online. Phishers send emails designed to mimic (or “spoof”) emails from companies or banks you use frequently and trust. They prey on this trust by creating authentic-looking emails that persuade you to reveal important personal information.

The word phishing, which originated in 1996, is likely a play on the word “fishing”—phishers are fishing for your information by baiting you with seemingly legitimate emails.

Read on to learn more about how phishing works and how to safeguard your identity from phishers.

Phishing Trends and Statistics

The Anti-Phishing Working Group (APWG) is an international anti-phishing group that collects data on phishing statistics, publishes reports, and offers advice on how to avoid phishing scams and identity theft. According to its data from 2014’s first quarter:

  • From 2013’s fourth quarter to 2014’s first quarter, the number of phishing sites increased 10.7%.
  • Phishers targeted 557 brands this quarter, as opposed to 525 in 2013’s fourth quarter.
  • Consumers and companies reported 121,215 phishing attacks this quarter.
  • Spyware, malware, or adware infected at least 32.7% of PCs worldwide.

By these accounts, phishing attacks are increasing, and phishers are constantly expanding their market and the scope of their attacks. So how does phishing work?

First, phishers choose a business to target and access its customers’ email addresses (this technique is fairly similar to that of most spammers). Next, they set up their system for delivering their message and receiving personal information, usually by creating an email address and web page.

The third step—the one that affects you the most directly—is their coordinated attack: sending out fake messages spoofing a legitimate message from a trustworthy company. Fourth, they collect personal information their victims enter into their website.

If you fall for their scams, phishers will use your information to make fraudulent or illegal purchases in your name. Up to a fourth of phishing victims can never recover from this type of identity theft.

Protecting Your Identity: Don’t Take the Bait

Now that you’ve heard the bad news, what can you do to protect yourself? Here are a few basics from the experts at APWG.

1. If you receive an email from what you thought was a trustworthy source, check these few things to verify its accuracy:

  • Does it have a digital signature? If not, there’s no way for you to know it wasn’t spoofed.
  • Is the email full of exciting, urgent, or upsetting statements? If the email is more emotional than factual, chances are it’s not from a professional organization.
  • Do they ask for personal information, including your credit card numbers, date of birth, social security number, passwords, or usernames? Most trustworthy companies will never ask for this information in an email.

Even if the email is directly addressed to you, it’s still not from your bank—phishers who do their research use your name to sound credible.

2. If you’re ever in doubt, call your bank or the company directly—they can verify if they sent the email.

3. Never click on the links included in an email if you’re unsure of the email’s veracity. The same applies to instant messages and website chats: unless you know the user’s handle or are sure this is a verified, secure website, don’t trust the links they send you.

4. If you’re submitting personal or financial information online, make sure you’re using a secure site. Generally, you can tell a site is secure when there’s a yellow lock on the screen—but phishers are now able to mimic that lock on their own sites.

To check, double click on the lock to display the site’s security certificate. If you get any indicators that the site’s URL doesn’t match the certificate, stop immediately.

5. According to APWG, the most common industry targeted by phishers is the payment services industry. If you receive suspicious emails that may not be from PayPal, verify the URL.

Some phishers are obvious and link to URLs like hxxp://www.gotyouscammed.com/paypal/login.htm. They assume you won’t take the time to look at the URL at the top of your screen.

Be especially careful when you’re using internet payment services, and always check the URL of a site you’re being linked to—something as easy as checking the URL can save you years of hassle and pain.
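
The URL check described above can be automated. The following Python sketch is an added example, not part of the original article: it compares the host a link really points at with the domains you expect a brand to use. The EXPECTED_DOMAINS table and the two URLs marked "constructed" are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the domains you expect each brand to use.
EXPECTED_DOMAINS = {"paypal": ("paypal.com",)}

def refang(url):
    """Undo 'defanged' notation (hxxp://, [.]) so the URL can be parsed."""
    url = url.strip().replace("[.]", ".")
    return "http" + url[4:] if url.lower().startswith("hxxp") else url

def belongs_to(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def check_link(url, brand):
    """Compare the host a link really points at with the brand's own domains."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").rstrip(".").lower()
    expected = EXPECTED_DOMAINS[brand]
    genuine = any(belongs_to(host, d) for d in expected)
    reasons = []
    if not genuine:
        reasons.append("host is not one of the brand's domains")
        if brand in host:
            reasons.append("brand name used as a label in someone else's host")
        if brand in parts.path.lower():
            reasons.append("brand name appears only in the path")
    if parts.scheme != "https":
        reasons.append("link is not HTTPS")
    return {"host": host, "genuine": genuine, "reasons": reasons}

if __name__ == "__main__":
    samples = [
        "hxxp://www.gotyouscammed.com/paypal/login.htm",  # URL from the article
        "https://www.paypal.com/signin",                  # constructed
        "https://paypal.com.example.net/login",           # constructed lookalike
    ]
    for s in samples:
        print(s, "->", check_link(s, "paypal"))
```

The comparison is made on the parsed host, with a dot boundary in front of the expected domain, so a brand name that appears in the path or as an extra label on another host does not count as a match.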

Need More Help?

A variety of external sources are eager and willing to help you protect your identity. The APWG has created a program called “Stop. Think. Connect.” that helps consumers stay safe on the internet. They recommend that when you get online you:

  • Stop: understand the risks involved with using the internet before you even open your browser.
  • Think: look out for warning signs when you encounter risky sites.
  • Connect: feel safer on the internet and enjoy its positive benefits by being aware of how you can stay safe online.

Their website http://stopthinkconnect.org/ can help you do just that.

The FBI also offers a useful page on how to protect yourself from fraud.

Take the time to do the research and protect yourself from phishing scams. When you encounter something that seems dangerous, remember that it’s better to be safe than sorry!