How do I spot and avoid phishing scams?

Phishing scams impersonate trusted institutions — banks, the IRS, delivery services — to trick you into clicking a malicious link or surrendering credentials. The tells: urgency, mismatched sender addresses, requests for personal information over email or text, and links that don't match the claimed sender's domain.

Phishing is a social engineering attack where fraudsters impersonate a trusted entity — your bank, the IRS, a credit card company, a shipping carrier — to steal your login credentials, account numbers, or Social Security number. The attack typically arrives as an email, text (smishing), or phone call (vishing). The FTC documents phishing tactics and updates its guidance as tactics evolve.

How to recognize a phishing message

How to verify before you click

If a message claims to be from your bank, the IRS, or another institution, do not click the link in the message. Instead: open a new browser tab and go directly to the institution's official website by typing the address yourself. Log in from there to check whether there's actually a message or alert. Call the institution using the number on the back of your card or their official website — not a number provided in the suspicious message.

If you clicked a link or entered information

How to report phishing

Forward phishing emails to [reportphishing@apwg.org](mailto:reportphishing@apwg.org) (the Anti-Phishing Working Group) and to [spam@uce.gov](mailto:spam@uce.gov) (the FTC). For phishing texts, forward the message to 7726 (SPAM) — a shortcode that all major U.S. carriers support. Report phishing attempts claiming to be the IRS to [phishing@irs.gov](mailto:phishing@irs.gov). File a full report with the FTC at ReportFraud.ftc.gov.

What the FTC says

Key takeaways

Related