How do I spot and avoid phishing scams?
Phishing scams impersonate trusted institutions — banks, the IRS, delivery services — to trick you into clicking a malicious link or surrendering credentials. The tells: urgency, mismatched sender addresses, requests for personal information over email or text, and links that don't match the claimed sender's domain.
Phishing is a social engineering attack where fraudsters impersonate a trusted entity — your bank, the IRS, a credit card company, a shipping carrier — to steal your login credentials, account numbers, or Social Security number. The attack typically arrives as an email, text (smishing), or phone call (vishing). The FTC documents phishing tactics and updates its guidance as tactics evolve.
How to recognize a phishing message
- Urgency and threat. 'Your account will be suspended in 24 hours' or 'Immediate action required' — artificial urgency is designed to override your skepticism before you think critically.
- Sender address doesn't match the claimed organization. The display name may say 'Chase Bank' but the actual email address is from a random domain. Hover over or tap to reveal the real sender address before clicking anything.
- Links that don't match the claimed destination. Hover over any link before clicking — the URL in the status bar should match the sender's actual domain (e.g., chase.com, not chase-secure-alert.net). Fraudulent domains misspell or add words to real domains.
- Requests for personal information via email or text. Legitimate banks, the IRS, and credit card companies never ask for your password, full account number, or Social Security number in an email or text message.
- Generic greetings. 'Dear Customer' instead of your name suggests a mass phishing campaign, not a message from your actual bank.
- Attachments you weren't expecting. Malicious attachments may install malware. Don't open unexpected attachments — even from people you know, if the context seems off.
How to verify before you click
If a message claims to be from your bank, the IRS, or another institution, do not click the link in the message. Instead: open a new browser tab and go directly to the institution's official website by typing the address yourself. Log in from there to check whether there's actually a message or alert. Call the institution using the number on the back of your card or their official website — not a number provided in the suspicious message.
If you clicked a link or entered information
- Change the password on the affected account immediately, from a different device if possible.
- Enable two-factor authentication on the compromised account if you haven't already.
- If you entered financial account credentials, contact your bank or card issuer immediately to report potential unauthorized access.
- If you provided your Social Security number, place a credit freeze at all three bureaus and create an identity theft report at IdentityTheft.gov.
- Run a malware scan on the device where you clicked, especially if you opened an attachment.
How to report phishing
Forward phishing emails to [reportphishing@apwg.org](mailto:reportphishing@apwg.org) (the Anti-Phishing Working Group) and to [spam@uce.gov](mailto:spam@uce.gov) (the FTC). For phishing texts, forward the message to 7726 (SPAM) — a shortcode that all major U.S. carriers support. Report phishing attempts claiming to be the IRS to [phishing@irs.gov](mailto:phishing@irs.gov). File a full report with the FTC at ReportFraud.ftc.gov.
What the FTC says
- Phishing emails often look like they're from a company you know — your bank, a package delivery service, or a government agency. They typically tell an urgent story to get you to click a link and provide your information. — FTC Consumer Advice
- The FTC advises consumers never to click links or call numbers in unexpected messages claiming to be from their bank, the IRS, or other institutions — instead, go directly to the institution's website or call the number on your card. — FTC Consumer Advice
- Smishing (SMS phishing) follows the same pattern as email phishing but arrives via text message. The FTC advises forwarding suspicious texts to 7726 (SPAM) and reporting to ReportFraud.ftc.gov. — FTC Consumer Advice
- If you think you've responded to a phishing scam, the FTC recommends visiting IdentityTheft.gov to take steps to protect yourself and your accounts. — FTC — IdentityTheft.gov
Key takeaways
- Urgency, threats, and requests for personal information via email or text are the core phishing tells.
- Never click a link in an unexpected message — open a new browser tab and go directly to the institution's website.
- Check the actual sender address (not just the display name) and hover over links to see the real destination URL.
- If you entered credentials or your SSN, change passwords immediately and freeze your credit at all three bureaus.
- Report phishing to the FTC at ReportFraud.ftc.gov and forward phishing texts to 7726.
Related