Many people are confident in their ability to recognize phishing scams a mile away. In a recent survey, however, only 5% of the respondents had a 100-percent success rate in spotting simulated attacks aimed at stealing their sensitive information. This may ultimately help explain why this type of fraud continues to pay dividends for ne'er-do-wells.

The survey and quiz of over 900 Americans, conducted by, also found that 9 out of 10 respondents could match phishing with its definition fairly accurately. The vast majority also knew that such attacks often begin with an email. On the other hand, not all the respondents were well versed in other forms that phishing could take.

Here’s a quick refresher: At its simplest, phishing is an unsolicited email, text or any other form of electronic communication where attackers impersonate a trusted institution and attempt to purloin your data. The information, such as your login credentials, can then be misused or sold by the attackers for nefarious purposes, usually fraud and identity theft. According to the FBI’s latest Internet Crime Report, the number of victims of phishing attacks increased by 59% between 2015 and 2018. It’s also safe to say that many cases of online fraud go unreported.

Back to the survey, however. Almost one-half of the respondents didn’t associate phishing with malware campaigns, whereas a similar proportion were unaware of possible links between the scams and malvertising. Meanwhile, one-third didn’t think phishing could happen through social media. As ESET researchers have documented numerous times, social media are increasingly abused for phishing attacks.

There is a generational divide present as well. Whereas millennials were more likely to think that phishing campaigns can take place through social media, baby boomers were more skeptical. By contrast, when it came the question of whether an email could be used for phishing, baby boomers were particularly amenable to the idea.

Even if you’re aware of this pervasive online con, it doesn’t necessarily mean that you're immune to taking the bait. Indeed, academics have devised a test that gauges people's susceptibility to falling for scams based on a number of personality traits.

At any rate, there are several easy-to-follow practical steps you can take to protect yourself against phishing attacks:

  • Never click on links, download files or open attachments in messages even if they appear to be from a known, trusted source – unless you are absolutely sure that the message is authentic.
  • Always scrutinize the email address, established institutions usually use their own domain and not, say, a Gmail address.
  • Look out for shoddy spelling and grammar mistakes, as phishing emails are often ridden with them.
  • Watch out for domains that are often slightly altered to resemble the domains of legitimate service providers.
  • Be wary of a sense of urgency or threat that the messages typically seek to evoke.

For a more detailed treatment of tell-tale signs of phishing, please refer to Phish Allergy – Recognizing Phishing Messages.

The quiz is available on, but if you're up for more testing, you can always take Google's test we wrote about recently.

Indeed, why not take ESET’s free cybersecurity awareness training?