What is phishing?
By Allstate
Have you ever received a suspicious email asking you to click a link or share personal information?
If so, it was probably a phishing attempt. Scammers can create fraudulent messages designed to capture your sensitive details, a tactic known as phishing. Some experts estimate that up to 3 billion bogus phishing emails are sent every day.
Scammers use phishing attacks to try to trick people into sharing personal or financial information. Phishing can happen through various means, including email, over the phone, or via text. But if you know the red flags — like blurry images, typos, and unsolicited requests to “act now!” — you’ll be ready for the hook when it comes.
The good news is that when it comes to phishing, criminals often follow a similar playbook — so if you know how these scams typically work, you'll have a leg up.
How do phishing emails work?
In a phishing email, a fraudster may pose as a reputable institution like a bank, subscription service, popular retailer, or government agency. Or, they may pretend to be a friend or a stranger in need.
Once the scammer makes contact, they prompt you to share personally identifiable information (PII), like your Social Security number, account password, or credit card number.
Here’s how phishing emails may capture your information:
- The email includes a link to a phony but legitimate-looking website. The bogus site allows a scammer to capture any sensitive personal or payment information that you enter.
- The email prompts you to download a file that harbors malicious software. This is also known as malware, and it’s designed to steal data or otherwise damage or spy on your computer system.
What is vishing?
When phishing happens over the phone, it may be referred to as “vishing” — short for voice phishing.
Phone scams like these are common. In fact, the Federal Communications Commission (FCC) reports that unwanted calls are the top complaint that they receive from consumers.
Voice phishing can take the form of a robocall (also known as an automated recording) or a live call from a fraudster.
However they ring in, the scammer finds an excuse to ask for personal information or financial details — or they may even ask for medical information in order to obtain medical services, prescription drugs, or other health care in someone else’s name.
Once they have you on the line, the fraudster may try to scare or pressure you into giving them what they want. See below for quick tips to help you recognize and avoid this type of phone scam.
Three quick tips for avoiding phone scams
- Register your phone number on the National Do Not Call list at donotcall.gov.
- Robocalls can appear to come from a number that looks similar to your own. Don’t pick up: doing so will mark your number as “active,” encouraging future robocalls.
- Know the red flags of a scam call—such as urgent and emotional pleas to wire money.
What is smishing?
When phishing happens via text message, it’s called smishing — also known as SMS phishing.
Scam texts are on the rise, partly because consumers have increasingly turned to text messaging as a form of communication — and scammers have taken note.
The Federal Trade Commission (FTC) reported that Americans lost $470 million from scam texts in 2024 — more than doubling the number of scams that started from a text message in 2021. In many cases, the financial stakes are high: the median loss reported was $1,000.
While some scam texts target your wallet, others probe for personal information, which can be used to steal your identity or commit other fraud.
In most cases, scam texts follow a similar blueprint to phishing emails: The attacker sends a text pretending to be someone else, and they typically ask you to click a link that leads to a fake or malicious website.
Here are some common scam texts we’ve seen:
- “Congratulations! You’ve won a prize.”
- “Your account is temporarily locked. Please verify your information.”
- “You’re eligible to register for a government refund.”
- “Your package is out for delivery. Set your delivery preferences.”
To stay safe, make it a rule not to share sensitive details or send payment via text. If you suspect that a text is a scam, feel empowered to delete it and move on.
Be wary of phishing on social media
Phishing attacks can be incredibly targeted. When a phishing attempt specifically targets an individual, that’s known as “spear phishing”.
Criminals can mine your social media accounts for your interests and contacts, and use that information to craft a highly targeted phishing attack — so be careful what you share online.
More money was lost to fraud on social media than any other method of contact — $2.7B in losses between January 2021 and June 2023, reported the FTC. Scams began with an ad, post, or direct message (DM) on social media. In the first 6 months of 2023, people reported undelivered merchandise in 61% of loss reports about online shopping fraud originating on social media.
We recommend approaching social media with the same caution as your email inbox or text messages. Keep in mind that there are many ways that scammers might use social media to steal your information.
In general, you should approach any online request that involves sending payments or sharing personal information with suspicion. It's smart to ignore friend requests or direct messages from strangers — but also keep in mind that even close friends and verified public accounts can be hacked.
How to identify phishing scams
Regardless of how a scammer approaches you, there are some general clues that may indicate a phishing scam:
- Misspellings, grammatical errors, and blurry images or logos can all signal that a message is fake.
- Urgent requests for money should be regarded with suspicion. Legit institutions won’t sound desperate for payment, and it’s unlikely that a real friend would ask for help this way.
- “Corporate” messages deployed from a non-corporate email provider, such as an @gmail or @yahoo address, can be another red flag.
- Requests that money be wired or sent via gift card should be ignored. These modes of payment are hard to recoup should fraud occur.
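As an added example (not part of the original article), the Python function below checks a raw email for three of the red flags listed above: a corporate-sounding sender name on a free email provider, urgent wording, and requests for wire or gift card payment. The word lists, patterns, and sample messages are assumptions constructed for illustration, and spelling or image-quality checks are not covered.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed lists for illustration; tune them to your own mail.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
CORPORATE_WORDS = {"bank", "billing", "support", "security", "customer service"}
URGENCY = re.compile(
    r"\b(act now|urgent|immediately|temporarily locked|verify your)\b", re.I)
PAYMENT = re.compile(r"\b(gift cards?|wire (the )?(money|funds)|wire transfer)\b", re.I)

def red_flags(raw_email):
    """Return the names of the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    # Join the plain string payloads of all leaf parts (encoded parts not decoded).
    body = " ".join(p.get_payload() for p in msg.walk()
                    if not p.is_multipart() and isinstance(p.get_payload(), str))
    text = f"{msg.get('Subject', '')} {body}"

    flags = []
    # "Corporate" sender name, but the address is on a free email provider.
    if domain in FREE_MAIL and any(w in display_name.lower() for w in CORPORATE_WORDS):
        flags.append("corporate-name-from-free-mail")
    if URGENCY.search(text):
        flags.append("urgent-request")
    if PAYMENT.search(text):
        flags.append("wire-or-gift-card-payment")
    return flags

# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts.examplebank@gmail.com>
Subject: Your account is temporarily locked

Act now! Verify your information, then pay the unlock fee with a gift card.
"""
SAMPLE_OK = """\
From: "Example Bank" <statements@examplebank.example>
Subject: Your monthly statement is ready

Sign in through the app or the address printed on your card to view it.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        print(label, red_flags(raw))
```

A message with no flags is not proven safe; the function only surfaces the listed clues for a closer look.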
What to do if you’ve fallen for a phishing scam
If you’ve already engaged with a message or website that seems suspicious, don’t panic — and don’t ignore it. Here’s what to do next:
- Immediately disconnect from Wi-Fi, which can help prevent the spread of malware.
- Change your passwords for key accounts, including your email and online banking accounts.
- Monitor for signs of identity theft, such as suddenly being locked out of one of your accounts.
If you have identity theft protection and you think you’ve experienced identity theft, contact your provider ASAP. An identity theft expert may be able to help you determine if something is a scam and guide you on what to do next.