What is phishing or spoofing, and how can you protect your business?

Fraud surged by 25% in 2024 compared to the previous year, showing just how much craftier fraudsters are getting.1 Empowered by technologies like AI, scammers will pose as trusted partners, vendors, or even colleagues to trick businesses into handing over money or sensitive information.

Given the financial stakes involved, protecting your business from common scams is essential. But what is phishing? What is spoofing? And how do you recognize their red flags before it’s too late?

If you suspect fraud or a security issue associated with your PayPal account, visit our Security Center for help. Otherwise, keep reading to learn how to strengthen your defenses against phishing and spoofing attacks.

What is phishing?

Phishing is a type of online fraud where scammers attempt to trick you into revealing information such as your login credentials, credit card information, or other sensitive data.

But how does phishing work? A phishing attack often relies on social engineering tactics, such as creating a sense of urgency to get someone to take action. This could mean tricking you into clicking a link that goes to a spoofed website, downloading malware, or responding with confidential information.

To strengthen your phishing defense, watch out for messages that ask for personal information like credit or debit card numbers, bank account information, driver's license numbers, passwords, or your full name.

And when you suspect an email is fake, don't open it, reply to it, click on any links, or download any attachments. Instead, report the email to your IT security team or directly to the service the scammer is impersonating.

Tip: If you receive an unexpected PayPal notification via email, proceed with caution. PayPal will never ask for sensitive information in an email. Always verify every payment notification by logging in to your account and locating the corresponding transaction. All transactions (even pending ones) sent by you or to you will show up in your transaction history.

What is spoofing?

Spoofing is a deceptive tactic where fraudsters disguise their email address, name, phone number, URL, or other identifying information to make you think you're interacting with someone else. Essentially, they “spoof” their identity — much like an impersonator — so their messages look authentic.

Phishing attacks often use spoofing to appear to be from a legitimate organization. Oftentimes, it comes in the form of an email or text message from someone you're likely to trust, such as your bank. It then asks you to click a link to take action.

For example, you may be prompted to update information or check on a transaction. However, the link actually directs to a fake website that collects your login information, which the fraudsters then use to access your account.
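The header-level checks a receiving mail system or an analyst applies to a message like that, written up here as an added Python example; it is not PayPal's code. The brand-to-domain map, the three sample messages and their Authentication-Results values are constructed for this illustration.

```python
"""Look for sender-spoofing signs in a raw email.

Added example for this article; it is not PayPal's code. It checks
what a mail gateway or analyst looks at when fraudsters "disguise
their email address or name":
  1. a display name that claims a brand while the address sits on an
     unrelated domain,
  2. a Return-Path (envelope sender) or Reply-To domain that differs
     from the From domain,
  3. SPF/DKIM/DMARC results recorded by the receiving server in the
     Authentication-Results header.
The brand-to-domain map and the sample messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

BRAND_DOMAINS = {"paypal.com"}  # assumption: domains accepted for the "PayPal" brand

# Constructed sample: exact-address spoof that failed authentication.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-alerts-center.example>
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=mail-alerts-center.example;
 dkim=none;
 dmarc=fail header.from=paypal.com
From: "PayPal Security" <service@paypal.com>
Reply-To: <support@mail-alerts-center.example>
To: <owner@example.org>
Subject: Urgent: confirm your account
Content-Type: text/plain

Your account is limited. Log in within 24 hours.
"""

# Constructed sample: brand in the display name, address on free webmail.
SAMPLE_LOOKALIKE = """\
From: "PayPal Customer Service" <paypal.help.desk@webmail.example>
To: <owner@example.org>
Subject: Payment on hold
Content-Type: text/plain

Reply with your login to release the payment.
"""

# Constructed sample: consistent headers, all authentication passing.
SAMPLE_CLEAN = """\
Return-Path: <service@paypal.com>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com;
 dmarc=pass header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: <owner@example.org>
Subject: You sent a payment
Content-Type: text/plain

You sent a payment of $20.00 USD.
"""


def _domain(addr):
    """Domain part of an address, lowercased; empty if there is none."""
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(raw_message, brand="PayPal", brand_domains=BRAND_DOMAINS):
    """Return a list of readable findings; an empty list means no sign of spoofing."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    if brand.lower() in display_name.lower() and from_domain not in brand_domains:
        findings.append(f"display name claims {brand!r} but address domain is {from_domain!r}")

    for header in ("Return-Path", "Reply-To"):
        other_domain = _domain(parseaddr(str(msg.get(header, "")))[1])
        if other_domain and other_domain != from_domain:
            findings.append(f"{header} domain {other_domain!r} differs from From domain {from_domain!r}")

    # Trust this header only when your own receiving server added it;
    # an attacker can forge one inside the message they send you.
    auth_results = str(msg.get("Authentication-Results", ""))
    for mechanism, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", auth_results, re.I):
        if result.lower() != "pass":
            findings.append(f"{mechanism.lower()}={result.lower()} in Authentication-Results")
    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("lookalike", SAMPLE_LOOKALIKE), ("clean", SAMPLE_CLEAN)):
        print(label, spoofing_indicators(sample) or ["no indicators"])
```

Two caveats when using checks like these. Return-Path legitimately differs from From for many bulk senders, so that finding on its own is a prompt to look closer, not proof of spoofing. And only an Authentication-Results header added by your own receiving server is trustworthy; a gateway should strip or rename any copy that arrives with the message.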

Types of phishing attacks

While you may now be familiar with the answer to questions like “What is phishing?” and “What is spoofing?”, it’s important to note that these aren’t one-size-fits-all scams. Cybercriminals use different tactics depending on their target, the platform, and their end goal. Some attacks cast a wide net, while others are highly targeted and personalized.

Here are the most common types of phishing attacks to familiarize yourself with.

What is spear phishing?

Spear phishing is a targeted form of phishing where scammers focus on specific individuals rather than sending mass phishing emails. Unlike traditional phishing, which casts a wide net hoping for any victim, spear phishing is more precise, like a spearfisher going after a single fish.

For example, a spear phishing attack might send a fake email to your accountant that appears to come from the business owner. The email might ask for a login password or perhaps include an invoice with instructions to pay it immediately. Since it appears to be coming from the boss, the accounting department may be more likely to fall for the scam, especially if it includes personalized information that can be easily gleaned from social media or an online search.

By tailoring their approach, attackers increase the chances of deceiving their target, making these scams harder to detect and more dangerous for businesses.

What is whaling?

Whaling is a subset of spear phishing that targets high-level people in your organization, such as the owner, CEO, CFO, or other senior executives. Just as spear phishing refers to targeting specific individuals, whaling takes it a step further by going after the "big fish."

These attacks can be particularly damaging since executives have access to critical company assets. An example of a whaling attack is someone impersonating the CEO and asking the CFO for login credentials or trade secrets. Because executives are busy and often respond to emails on their phones between meetings, they may not give the email the scrutiny it deserves.

To defend against spear phishing and whaling attacks, train employees with access to sensitive information or payment authority to be especially on guard. Verify any urgent or unusual request through a separate channel you already trust, such as calling the requester at a known number or asking in person; replying to the message itself only reaches the attacker.

What is smishing?

Smishing is a form of SMS phishing where scammers use text messages to steal personal information, such as login credentials or financial details. The term, as you might guess, comes from combining "SMS" and "phishing.”

These messages often impersonate financial providers, delivery services, or government agencies to create a sense of urgency and pressure the recipient into clicking a malicious link. For example, a smishing attack might involve a text that appears to come from your bank asking you to review a transaction by clicking a link, which then sends you to a spoofed website that harvests your login information.

To defend against smishing, don't click on any links that come from an unidentified source or number. If you think the request may be legitimate, contact the purported sender directly through a known phone number to confirm.

What is vishing?

Vishing (or voice phishing) combines “voice” and “phishing,” and is a type of scam where a fraudster uses phone calls — either automated robocalls or live callers — to trick people into revealing sensitive information, such as account details or PINs.

Typically, the calls mention an “urgent account problem” with a bank account, credit card, or other service and ask you to share account information to remedy it. An example of a vishing attempt is if you receive a call about a possible fraudulent transaction on your account that asks you to enter your PIN to hear the transaction details. In reality, the scammer is harvesting your information for fraudulent use.

To protect against vishing, never provide account information on a call you did not initiate. If the caller claims to be your bank or card issuer, hang up and call back using the number printed on your card or statement. Caller ID is easily spoofed, so don't rely on it to verify that a call is authentic.

What is search engine phishing?

With search engine phishing, fraudsters create fake websites that copy a financial institution or retailer, then use search engine optimization (or paid search placements) to get the spoofed site shown in a search engine's results (Google, Bing) above or instead of the real site.

For example, an employee searching for the company's bank might get the fake site instead. Once they try to enter their login information into the fake site, the scammers capture that information and use it to log into the searcher's real account.

Protect against search engine phishing by teaching employees to type the website address directly or use a saved bookmark instead of clicking a search result, and to check the address bar before entering credentials.

Outside the office, individuals can stay safe by bookmarking frequently used websites and verifying URLs before entering login credentials. Additionally, enabling two-factor authentication (2FA) on sensitive accounts can help prevent unauthorized access even if login details are compromised. Note that a code sent by SMS or generated by an app can still be relayed in real time by a phishing site that proxies the genuine login page, so where a service offers a hardware security key or passkey, prefer it: those are bound to the real site's domain and will not work on a look-alike.

How to help protect yourself from phishing and spoofing

If you think you’ve clicked on a bad link, don’t panic. That said, you’ll want to act quickly to minimize potential damage from malware — malicious software designed to steal data, spy on activity, or even lock you out of your own system. Some types of malware can silently track your keystrokes, capturing passwords and financial details, while others can install ransomware or unwanted programs without your knowledge.

Take these steps as soon as possible:

  1. Close the webpage immediately: If you haven’t entered any personal information yet, exiting the page right away may help prevent further risks. If the webpage starts auto-downloading a file, delete it from your computer without opening it.
  2. Run an antivirus check: Use reputable antivirus software. Open it and select a full scan to check all files, programs, and settings. If it detects malware, follow its instructions to remove it safely. Some antivirus programs may require a restart to complete malware removal.
  3. Change your password and security questions: If you entered any login details on a spoofed website, assume that scammers now have them. Run the antivirus check first, or make the change from a different device you trust, because malware picked up from the link could capture the new password too. If you reused that password on any other account, change it there as well.
  4. Contact your bank or card issuer: They can help monitor your account for suspicious activity, issue a new card if necessary, and implement additional security measures.
  5. Review your transaction history over the next few weeks: Fraudsters don’t always strike immediately. Ensure there are no unauthorized transactions on your account, and if there are, report them immediately to your financial institution to dispute the charge.

For effective risk management and phishing protection, schedule regular antivirus scanning to detect threats before they become serious. Most antivirus programs allow you to set up automatic scans on a daily or weekly basis.

    How do you know when the communication you've received is actually from PayPal?

    Scammers often try to impersonate PayPal through phishing emails, spoofed websites, and fake text messages, making it crucial to verify the legitimacy of any communication. Fortunately, PayPal has strict security measures in place to protect our customers and ensure safe interactions:

    • No email requests for sensitive information: PayPal will never ask for personal details like passwords, Social Security numbers, or bank account information via email. Instead, account-related issues will be addressed in the Resolution Center, accessible only by logging in directly at www.paypal.com.
    • Secure website URLs: If you're directed to a website claiming to be PayPal, always check the URL. Legitimate PayPal pages will always begin with https://www.paypal.com. Read the whole hostname, not just the start of the address: a made-up link such as https://www.paypal.com.secure-login.example/ also begins with that text but points at a different site. Be wary of slight misspellings or extra characters in the address, which are common signs of spoofed websites.
    • Authenticated transactions and emails: When PayPal sends an email, it will always address you by your full name rather than generic greetings like “Dear Customer.” Additionally, our emails will never contain attachments or ask you to download files.
    • Official notifications in your account: If PayPal needs to reach you about an issue, we will post a secure message within your PayPal account. You can verify any suspicious message by logging in and checking your notifications.
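The URL check from the list above, carried out on the parsed hostname rather than on the start of the address string, as an added Python example; it is not PayPal's code. The allowed-domain set and the sample links are assumptions made for this illustration.

```python
"""Check whether a link really points at the site it appears to name.

Added example for this article, not PayPal's code. A plain prefix
test on the URL string is not enough: the hostname is what the
browser connects to, so this parses the URL and checks that instead.
The allowed-domain set is an assumption for the example.
"""
from urllib.parse import urlsplit

ALLOWED_DOMAINS = {"paypal.com"}  # assumption: domains you treat as legitimate


def link_verdict(url, allowed_domains=ALLOWED_DOMAINS):
    """Return (ok, reason); ok is True only when every check passes."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, f"scheme is {(parts.scheme or 'missing')!r}, not https"
    host = parts.hostname  # lowercased; userinfo and port are stripped by the parser
    if not host:
        return False, "no hostname"
    if "@" in parts.netloc:
        # https://www.paypal.com@evil.example/ connects to evil.example
        return False, f"credentials before '@'; the real host is {host!r}"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalized hostname {host!r}; possible look-alike characters"
    for domain in allowed_domains:
        if host == domain or host.endswith("." + domain):
            return True, f"host {host!r} is within {domain!r}"
    return False, f"host {host!r} is not within any allowed domain"


# Constructed links for the demonstration; the bad ones are made up.
EXAMPLE_LINKS = [
    "https://www.paypal.com/signin",
    "https://www.paypal.com.secure-login.example/signin",  # starts with the right text, wrong host
    "http://www.paypal.com/signin",                         # not https
    "https://www.paypal.com@evil.example/signin",           # userinfo trick
    "https://www.paypa1.com/signin",                        # digit 1 for letter l
    "https://www.xn--pypal-4ve.com/signin",                 # punycode hostname
]

if __name__ == "__main__":
    for link in EXAMPLE_LINKS:
        ok, reason = link_verdict(link)
        print("OK  " if ok else "BAD ", link, "-", reason)
```

The same rule applies in a browser: hover the link and read the hostname that is actually shown, right up to the first single slash after it.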

    Seems phishy?

    If you receive an email that looks like it’s from us but seems suspicious, follow these steps immediately to report to PayPal:

    1. Do not click any links, open any attachments, or respond in any way.
    2. Forward the email to phishing@paypal.com. Do not change the subject line or send the suspicious email as an attachment.
    3. Delete the email from your inbox to avoid accidentally clicking on any links.

    Additional fraud prevention tools

    To help prevent cybercriminals from using phished information in a transaction with your business, the following tools are available through PayPal and other fraud prevention and management vendors:

    • Address Verification Service (AVS). Use AVS to verify if the billing address matches the one the card issuer has on file.
    • Card Security Code (CSC). The CSC is the three-digit number on the back of the card (four digits on the front for American Express) that helps confirm the customer has the physical card. Never store it after authorization.
    • Bank Identification Number (BIN). The first six digits of a card number (eight on newer ranges) are the BIN and identify the issuing bank, card brand, card type, and issuing country, so a BIN whose country doesn't match the billing address is worth a second look.
    • IP geolocation. IP geolocation estimates where the device used for the transaction is, based on its IP address. Comparing that location with the billing and shipping addresses the customer provided can flag possibly fraudulent transactions, though VPNs and proxies make it a signal rather than proof.
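One way to combine the four signals above into a single order-screening decision, as an added Python example; it is not PayPal's tooling. The AVS and CSC results, the BIN table, the IP-to-country lookup, the test card numbers and the point weights are all constructed or assumed for this illustration.

```python
"""Score a card-not-present order with AVS, CSC, BIN and IP geolocation.

Added example for this article; it is not PayPal's tooling. The AVS
and CSC results, the BIN table and the IP-to-country lookup are
constructed stand-ins for what a payment processor and a geolocation
service return (processors report AVS/CSC as letter codes that you
would map to these labels first). The point weights are an assumption;
tune them against your own chargeback history.
"""

# Constructed BIN table: first six digits -> issuing country.
BIN_TABLE = {
    "411111": "US",
    "555555": "GB",
}

# Constructed IP geolocation lookup (addresses from documentation ranges).
GEO_TABLE = {
    "198.51.100.7": "US",
    "203.0.113.9": "BR",
}

REVIEW_THRESHOLD = 30   # assumption
DECLINE_THRESHOLD = 60  # assumption


def bin_country(card_number):
    """Issuing country for the card's BIN, or None if the BIN is unknown."""
    digits = "".join(ch for ch in card_number if ch.isdigit())
    return BIN_TABLE.get(digits[:6])


def score_order(order):
    """Return {"score", "verdict", "reasons"} for a normalized order dict."""
    score, reasons = 0, []

    if order["avs_result"] == "mismatch":
        score += 30
        reasons.append("AVS: billing address does not match the issuer's record")
    elif order["avs_result"] == "unavailable":
        score += 10
        reasons.append("AVS: issuer could not verify the address")

    if order["csc_result"] != "match":
        score += 40
        reasons.append("CSC: security code did not match")

    issuer_country = bin_country(order["card_number"])
    if issuer_country is None:
        score += 10
        reasons.append("BIN: unknown issuer")
    elif issuer_country != order["billing_country"]:
        score += 20
        reasons.append(f"BIN: card issued in {issuer_country}, billing address in {order['billing_country']}")

    ip_country = GEO_TABLE.get(order["ip"])
    if ip_country is None:
        score += 10
        reasons.append("IP: location unknown")
    elif ip_country != order["billing_country"]:
        score += 20
        reasons.append(f"IP: device appears to be in {ip_country}, billing address in {order['billing_country']}")

    if order["shipping_country"] != order["billing_country"]:
        score += 15
        reasons.append("shipping country differs from billing country")

    if score >= DECLINE_THRESHOLD:
        verdict = "decline"
    elif score >= REVIEW_THRESHOLD:
        verdict = "review"
    else:
        verdict = "accept"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed orders using well-known test card numbers.
ORDER_CLEAN = {
    "card_number": "4111 1111 1111 1111", "avs_result": "match", "csc_result": "match",
    "billing_country": "US", "shipping_country": "US", "ip": "198.51.100.7",
}
ORDER_SUSPECT = {
    "card_number": "5555 5555 5555 4444", "avs_result": "mismatch", "csc_result": "mismatch",
    "billing_country": "US", "shipping_country": "NG", "ip": "203.0.113.9",
}

if __name__ == "__main__":
    for name, order in (("clean", ORDER_CLEAN), ("suspect", ORDER_SUSPECT)):
        result = score_order(order)
        print(name, result["score"], result["verdict"], result["reasons"])
```

No single signal here should decline an order on its own; a customer travelling, or a card issued abroad, trips one check legitimately. The value is in the combination, which is why the example accumulates points and reasons rather than stopping at the first mismatch.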

    Even the most cautious individuals can occasionally fall for a spoofed website or deceptive phishing attempt. To reduce risk while browsing (and take away some of the stress), consider using site safety rating tools to identify potentially harmful websites:

    • SiteAdvisor.com
    • MyWOT.com
    • Safeweb.Norton.com

    These services collect reports about suspicious sites and rank them. They can't catch every bad link, but they can be a good first line of defense.

    Stay vigilant and protect your business

    If you're running an online business, keep in mind that there are other types of fraud you need to watch for. Cybercriminals are constantly refining their tactics, targeting businesses through chargeback fraud, fake invoices, and account takeovers.

    That said, phishing and spoofing remain among the most deceptive and damaging fraud tactics. Luckily, using antivirus software, investing in risk management services, and training employees to spot red flags can make all the difference in keeping your accounts and data safe.

    Most importantly, when in doubt, always verify before you click, respond, or share information. A cautious approach can be the key to avoiding scams altogether.

    Check out more fraud prevention best practices.
