
Phishing Emails and Texts: How to Spot a Fake Message

Phishing is the workhorse of online scams. It is the fake email or text, dressed up to look like your bank, a delivery company, or a familiar brand, that tries to get you to click a link, share a password, or hand over personal details. Most of the other scams in this library begin with a phishing message of some kind.

The good news is that phishing follows recognizable patterns. Once you learn them, you can spot the fakes quickly. This guide explains how phishing works, shows a real example, and gives you simple habits to stay safe.

What it is

Phishing is a scam message designed to trick you into revealing information or installing malware. By email it is called phishing, by text it is smishing, and by phone it is vishing. The message impersonates a trusted source and creates a reason to act, such as a problem with your account, a package, or a payment.

The goal is almost always one of three things: your login credentials, your money, or enough personal details to commit identity theft.

How it works

  1. A message arrives that looks like it is from a company or person you trust.
  2. It creates urgency or curiosity: a locked account, a suspicious charge, a missed delivery, or a prize.
  3. It pushes you to click a link, open an attachment, or reply with information.
  4. The link leads to a fake login page that captures your password, or the attachment installs malware.

Modern phishing is polished. Scammers copy real logos, spoof sender names, and use AI to write clean, convincing text without the obvious spelling errors of years past.

A real example

Sam, 69, gets an email that looks exactly like his email provider, warning that his mailbox is full and will be shut down within 24 hours unless he “verifies” his account. He clicks the link and lands on a page that looks just like his provider’s login screen, then types his email and password. Nothing seems to happen, so he forgets about it. In reality, he just handed his login to a scammer, who uses it to read his messages, reset his other accounts, and send phishing emails to everyone in his contacts.

By the numbers

  • Phishing and spoofing is the most reported crime type to the FBI’s IC3 by number of complaints (FBI).
  • Phishing and related messages are the most common way older adults are first contacted by scammers (FBI/FTC).
  • AI tools now help scammers write cleaner, more convincing phishing messages, removing the old spelling-error tell (FBI).

Red flags to watch for

  • Urgency: act now or lose your account, your money, or a prize.
  • A link or attachment you did not expect.
  • A request to confirm a password, code, or personal details.
  • A sender address or link that looks slightly off.
  • A greeting that is generic, like “Dear Customer,” on an account they should know.
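
The red flags above, written as automated checks for readers who screen mail for a family member or a small office. This is an added example, not part of the original guide; the phrase lists, the domain mailprovider.example, and the sample message are constructed, and the caller is assumed to know the domain the real company uses.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phrase lists; real messages vary, so treat these as a starting point.
URGENCY = re.compile(r"\b(within \d+ hours|immediately|act now|shut down|suspended)\b", re.I)
SECRETS = re.compile(r"\b(verify|confirm)\b.*\b(account|password|code)\b", re.I | re.S)
GENERIC = re.compile(r"\bdear (customer|user|member)\b", re.I)

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def host_matches(host, expected):
    """True only for the expected domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == expected or host.endswith("." + expected)

def red_flags(from_header, html_body, expected_domain):
    """List the red flags in a message, given the domain the real sender uses."""
    flags = []
    text = re.sub(r"<[^>]+>", " ", html_body)  # crude tag strip, enough for phrase checks
    if URGENCY.search(text):
        flags.append("urgency")
    if SECRETS.search(text):
        flags.append("asks for credentials")
    if GENERIC.search(text):
        flags.append("generic greeting")
    _, addr = parseaddr(from_header)
    if not host_matches(addr.rpartition("@")[2], expected_domain):
        flags.append("sender address off")
    parser = LinkCollector()
    parser.feed(html_body)
    web = [h for h in parser.hrefs if h.lower().startswith(("http://", "https://"))]
    if any(not host_matches(urlparse(h).hostname, expected_domain) for h in web):
        flags.append("link goes elsewhere")
    return flags

# Constructed message modelled on the mailbox-full email in the example above.
SAMPLE_FROM = '"Mail Support" <support@mailprovider.example.account-alerts.example>'
SAMPLE_BODY = ('<p>Dear Customer, your mailbox is full and will be shut down within 24 hours '
               'unless you verify your account.</p>'
               '<a href="http://mailprovider.example.verify-login.example/signin">Verify</a>')
print(red_flags(SAMPLE_FROM, SAMPLE_BODY, "mailprovider.example"))
```

A message that raises none of these flags is not proven genuine, because sender names can be spoofed. Going to the company's website directly remains the safe path.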

How to protect yourself

  1. Do not click links or open attachments in unexpected messages.
  2. Go direct instead. Type the company’s website yourself, or use its official app, to check your account.
  3. Never enter a password or code on a page you reached from a message link.
  4. Turn on two-step verification, so a stolen password alone cannot open your accounts.
  5. Reduce the flood. Scammers blast phishing to addresses and numbers harvested from data breaches and data-broker sites. Removing your information from those sites, which a privacy or data-removal service can do for you, helps cut the volume.
  6. When unsure, ask a trusted person before clicking. A second look catches most fakes.

If you’ve already responded

Change the password for that account and any other account where you used the same one, and turn on two-step verification. If you entered payment details, contact your bank or card company. If you downloaded an attachment, have your device checked, and report the message to the FTC at ReportFraud.ftc.gov.

Frequently asked questions

What is phishing?

A fake message, by email, text, or phone, that impersonates a trusted source to steal your information, money, or logins.

How can I tell a phishing message from a real one?

Watch for urgency, unexpected links, and requests for passwords or codes. When unsure, contact the company directly rather than using the message.

I clicked a link but did not enter anything. Am I in trouble?

Usually you are fine, but do not enter any details, and run a security check if anything downloaded. Change passwords if you are unsure.
