Phishing Scams: A Complete Guide to Recognizing and Avoiding Them
Quick Answer
Phishing is among the most common entry points for data breaches, account takeovers, and online fraud in the United States. The FTC, FBI, and CISA all consistently rank it among the most prevalent cybercrime threats consumers face. Understanding how it works across the different channels (email, text, and phone) is the most fundamental digital safety skill you can learn.
What Phishing Is
Phishing is any attempt to deceive someone into revealing information or taking an action by impersonating a trusted entity. The name comes from "fishing": the attacker casts a deceptive lure and waits for victims to bite.
The trusted entity being impersonated can be:
- A bank or financial institution
- A government agency (IRS, SSA, USPS, Medicare)
- A technology company (Microsoft, Apple, Google, Amazon)
- An employer or colleague
- A friend whose account has been compromised
- A retailer, shipping company, or utility provider
The Four Main Types of Phishing
Email phishing. The most common form. A fraudulent email mimics a trusted sender and carries a malicious link, an attachment, or a request to provide information. It is volume-based: scammers send millions of messages knowing that only a small fraction needs to work.
Smishing (SMS phishing). Fraudulent text messages. Common variants include fake package delivery notices, bank fraud alerts, toll notices, and prize notifications. See the dedicated smishing article for full details.
Vishing (voice phishing). Phone calls impersonating banks, government agencies, or tech support. The caller creates urgency and asks for information or payment. See the government impostor scams and tech support scams articles.
Spear phishing. Targeted phishing that uses personalised information about the victim. An attacker who knows your name, employer, and recent purchase history can craft a convincing message. It is more sophisticated and harder to detect than mass phishing.
Universal Warning Signs
Regardless of the channel or who is being impersonated:
- Urgency and threats. "Your account will be closed in 24 hours," "You will be arrested," "Act now before the offer expires." Urgency is manufactured to prevent rational evaluation.
- Requests for sensitive information. Banks, government agencies, and technology companies do not ask for passwords, PINs, or full Social Security numbers through unsolicited contact.
- Links that do not match. Hover over a link before clicking (on desktop) or press and hold it (on a phone) to see the real destination. A mismatch between the display text and the actual URL is a clear signal. Be aware that shortened links and look-alike domains (a digit 1 in place of a letter l, an extra word added to a brand name) also hide the true destination.
- Sender mismatch. The display name may say "Chase Bank" while the actual email address is on an unrelated domain. Always check the sending address itself. Even that address can be forged, so a matching address is a necessary check, not proof that the message is genuine.
- Unexpected contact about a problem. If you did not initiate the interaction, treat any claim about a problem with your account, a package, or a legal matter with high scepticism.
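The sender-mismatch and link-mismatch checks above can be automated. The Python script below is an added example and is not part of the original article: it parses a raw email message, compares the From display name against a small allow-list of domains a brand really sends from, compares each link's visible text against its real target, flags links that point at a bare IP address, and scans the subject and body for urgency and credential-request wording. Both sample messages, every domain in them, and the `KNOWN_SENDERS` list are constructed for this example.

```python
"""Added example (not from the original article): scan a raw email for the
warning signs listed above. Messages, domains and the brand allow-list are
constructed and hypothetical."""
import email
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: the display name claims a bank, but the
# address, the link text and the real link target all disagree.
PHISH_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank-secure-login.example>
To: customer@example.net
Subject: Urgent: your account will be closed in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Verify your password now or your account
will be suspended.</p>
<p><a href="http://198.51.100.7/login">https://www.examplebank.example/secure</a></p>
</body></html>
"""

# Constructed benign sample from the same (hypothetical) bank for comparison.
BENIGN_EMAIL = """\
From: "Example Bank" <notices@examplebank.example>
To: customer@example.net
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your monthly statement is ready. <a href="https://www.examplebank.example/statements">Sign in</a> to view it.</p>
</body></html>
"""

# Hypothetical allow-list: brand-name fragment -> domains it really sends from.
KNOWN_SENDERS = {"example bank": {"examplebank.example"}}

URGENCY = re.compile(r"\b(urgent|immediately|24 hours|suspended|closed|arrested?)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|pin|social security|ssn|verify your)\b", re.I)
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL or URL-like display string (scheme optional)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Crude 'last two labels' comparison; enough to expose an obvious mismatch."""
    return ".".join(host.split(".")[-2:])


def analyze(raw):
    """Return the warning-sign codes found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []

    # Sender mismatch: display name invokes a known brand, address domain does not.
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    for brand, domains in KNOWN_SENDERS.items():
        if brand in name.lower() and registrable(sender_domain) not in domains:
            findings.append("sender_domain_mismatch")

    html = msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        target = host_of(href)
        if IPV4.match(target):
            findings.append("link_to_ip_address")
        # Link text that looks like a URL must point where it claims to.
        if URL_LIKE.match(text) and registrable(host_of(text)) != registrable(target):
            findings.append("link_text_mismatch")

    visible = re.sub(r"<[^>]+>", " ", html)
    text = msg.get("Subject", "") + " " + visible
    if URGENCY.search(text):
        findings.append("urgency_language")
    if CREDENTIALS.search(text):
        findings.append("asks_for_credentials")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze(raw))
```

The domain comparison is deliberately crude (last two labels); a production filter would use the Public Suffix List and would also check the authentication results (SPF, DKIM, DMARC) that mail servers record in headers, since a forged From address can pass every check shown here. The script illustrates the manual checks in the list above, nothing more.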
What Phishing Leads To
Phishing is rarely the end goal; it is the entry point for:
- Account takeover: Stolen credentials used to access banking, email, or retail accounts
- Identity theft: Personal information used to open fraudulent accounts or file false tax returns
- Malware installation: Clicking a link or opening an attachment delivers malicious software
- Financial fraud: Direct theft through fake payment pages or social engineering
The Core Protection Principle
Never provide personal information, passwords, or payment details in response to contact you did not initiate. If you receive a message claiming to be from your bank, the IRS, or any other organisation and you are unsure, hang up or close the message and contact the organisation directly using a number or address you look up yourself.
This single practice defeats the great majority of phishing attempts, which depend on you handing over information or payment in the moment. It does not cover malicious attachments, so the companion rule is: do not open attachments you were not expecting.
What to Do If You Responded to a Phishing Attempt
- If you clicked a link but entered nothing: close the browser, run a scan with your security software, and watch your accounts for unusual activity. If the page prompted you to download or run anything, treat it as a possible malware infection and scan before using the device for banking or email.
- If you entered a password: change it immediately from a device you trust, then on every other account that shares the same password. Enable two-factor authentication. For an email account, also check for forwarding rules or recovery-address changes the attacker may have added.
- If you provided financial information: Contact your bank or card issuer immediately
- If you provided your Social Security number: Place a credit freeze and fraud alert, and file a report at IdentityTheft.gov
Where to Report
| Agency | Website / How to File |
|---|---|
| FTC | ReportFraud.ftc.gov, 1-877-382-4357 |
| CISA (for government-targeted phishing) | CISA.gov/report |
| Forward phishing emails | [email protected] and [email protected] |
| Report smishing texts | Forward to 7726 (spells SPAM on a phone keypad) |