How to Recognize a Phishing Email or Text

Digital Privacy & Online Scams · Editorial Team · November 21, 2025 · Updated Apr 2026

Quick Answer

The clearest signs of a phishing message are urgency, a request for personal information, a sender address that does not match the company it claims to be from, and links that go somewhere other than the official website. When in doubt, go directly to the company's website by typing the address yourself rather than clicking any link.

Phishing attacks are the most common form of online fraud in the United States. They work because they look like messages from real companies: your bank, Amazon, the IRS, a shipping carrier. Recognizing the warning signs before you click or respond is the most effective protection available.

The 10 Most Common Signs of a Phishing Message

1. You were not expecting it

The most reliable signal: you received a message about an account, package, payment, or problem you had no reason to expect. Scammers send millions of messages hoping to hit people who actually do have an Amazon order pending or a bank account that could use verification.

2. Generic greeting

The message opens with "Dear Customer," "Dear Account Holder," or "Valued Member" rather than your name. Legitimate companies typically have your name on file and use it in official communications.

3. Urgency or threats

Phrases like "Your account will be suspended in 24 hours," "Immediate action required," "Verify now to avoid closure," or "Unusual activity detected" are designed to make you act before you think. Legitimate companies give customers reasonable time to respond.

4. Requests for personal information

The message asks you to confirm your Social Security number, password, PIN, credit card number, or account details. Legitimate companies never ask for this information by email or text. They already have what they need, or they direct you to log in securely through their official website.

5. Suspicious sender address

The display name may say "Apple Support" or "Chase Bank," but check the actual email address. Phishing emails often use addresses like [email protected] or [email protected]. Real Apple emails come from @apple.com. Real Chase emails come from @chase.com.

On a phone, tap the sender's name in the email app to reveal the actual address.

6. Suspicious links

Hover over any link before clicking (on desktop, hold the cursor over it without clicking). The address that appears at the bottom of the screen should match the company's official domain.

Common tricks used by phishers:

  • Misspelled domains: paypa1.com, amaz0n.com
  • Extra words added: amazon-account-verify.com, secure-apple.support.com
  • Completely unrelated domains: your-bank.secure-login.xyz
  • URL shorteners that hide the destination entirely

When in doubt, go directly to the company's website by typing the address into your browser yourself.
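The sender-address and link checks described above can be automated in a mail filter or triage script. The following is an added example, not part of the original article: it compares the domain of a link or a From header against an allowlist of official domains and names which of the listed tricks it matches. The allowlist, the shortener sample, the digit-swap table and the sender line are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed allowlist of official domains, keyed by brand name.
OFFICIAL = {"paypal": "paypal.com", "amazon": "amazon.com",
            "apple": "apple.com", "chase": "chase.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # small sample, not exhaustive
DIGIT_SWAPS = str.maketrans("0135", "oles")     # 0->o, 1->l, 3->e, 5->s


def registrable(host):
    """Last two labels of the host. Simplification: production code
    should consult the Public Suffix List (e.g. for .co.uk names)."""
    return ".".join(host.split(".")[-2:])


def classify_host(host):
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in OFFICIAL.values():
        return "official"
    if reg in SHORTENERS:
        return "shortener: destination hidden"
    if reg.translate(DIGIT_SWAPS) in OFFICIAL.values():
        return "misspelled look-alike"
    # Brand name appears somewhere in the host, but the registrable
    # domain belongs to someone else (extra words, brand as subdomain).
    if any(b in host.translate(DIGIT_SWAPS) for b in OFFICIAL):
        return "brand name on unofficial domain"
    return "unofficial domain"


def classify_link(url):
    return classify_host(urlsplit(url).hostname or "")


def classify_sender(from_header):
    # parseaddr separates the display name from the real address.
    _display, addr = parseaddr(from_header)
    return classify_host(addr.rpartition("@")[2])


if __name__ == "__main__":
    # URLs built from the domains listed above; the sender line is constructed.
    for u in ("https://www.amazon.com/orders", "http://paypa1.com/login",
              "https://amazon-account-verify.com/", "https://bit.ly/x",
              "https://secure-apple.support.com/id",
              "https://your-bank.secure-login.xyz/"):
        print(f"{classify_link(u):32} {u}")
    print(classify_sender("Apple Support <help@apple-id-check.example>"))
```

The decision is made on the registrable domain, not on whether a brand name appears somewhere in the address, which is why `secure-apple.support.com` is flagged while `www.amazon.com` passes.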

7. Unexpected attachments

A legitimate company rarely sends unexpected attachments. Be especially cautious with files ending in .exe, .zip, .docm, or any attachment you were not expecting, even from a sender that appears familiar. Malicious attachments can install malware, ransomware, or keyloggers without any further action on your part.

8. The offer is too good to be true

Messages claiming you won a prize, are owed a refund, or qualify for a government benefit you did not apply for are almost always scams. The IRS does not notify people of refunds by email. Lottery winnings do not arrive by text.

9. Poor spelling or unusual formatting

Professional companies have communications teams. Typos, awkward phrasing, inconsistent fonts, and strange formatting are signals something is off. Note: well-funded phishing operations produce polished messages, so the absence of errors does not guarantee legitimacy.

10. The message came through an unusual channel

Your bank communicates through its app and official email domain, not through a random text from a 10-digit number. Government agencies like the IRS initiate contact by mail, not by email, text, or phone call.

What Real Companies Will Never Do

This list is worth memorizing.

  • The IRS will never call, email, or text you demanding immediate payment
  • Your bank will never ask for your full password or PIN by email
  • Amazon will never ask you to pay for an order through gift cards
  • A government agency will never demand payment through wire transfer
  • No legitimate prize requires you to pay fees upfront to collect your winnings
  • Medicare and Social Security will never call to say your benefits are suspended unless you pay immediately

What to Do If You Receive a Suspicious Message

Do not click any links. Do not open attachments. Do not reply with personal information.

If you want to check whether the message is legitimate, go directly to the company's official website by typing the address yourself, then log in to see if there are any actual alerts on your account.

To report phishing:

Frequently Asked Questions