Phishing is the most reported type of cyber scam in the United States and worldwide, and these attacks continue to rise and evolve every day. In 2024, the Better Business Bureau established National Scam Survivor Day, observed on the second Thursday in May. Throughout the month, the BBB, FBI, and National Cybersecurity Alliance lead awareness campaigns focused on common scams and prevention strategies. Here’s what to know as phishing scams become increasingly sophisticated in the United States and around the world.
Phishing 101: The basics
Phishing gets its name from the idea that attackers are “fishing” for victims by using spoofed or fraudulent messaging as bait. It’s a type of online scam where someone pretends to be a trusted source to trick you into sharing your personal details, login credentials, or payment information. These attacks can come through email, text, phone calls, or anywhere online and can result in identity theft, hacked accounts, and lost funds.
Common types of phishing attacks
- Email phishing (Mass-market impersonation): The most common form of phishing, where attackers send fake emails posing as trusted organizations (such as government agencies or regulators) to trick recipients into clicking links, opening attachments, or sharing sensitive information. Recent examples include IRS tax-season refund or return scams and fake “past-due invoice” emails impersonating the National Insurance Producer Registry (NIPR) targeting insurance professionals.
- Spear phishing (Targeting): Attackers target high-value individuals and organizations with personalized details to make messages appear legitimate, often referencing recent events, conferences, or relevant files to increase credibility.
- Vishing (Voice phishing): Scammers use phone calls to impersonate legitimate individuals or organizations, often claiming urgent issues to pressure victims into providing sensitive information. Recent attacks increasingly use AI-generated voices to mimic real people and sound more convincing.
- Smishing (SMS/text phishing): Similar to email phishing but conducted through text messages. If your phone number has been exposed after a data breach, you may find yourself on the receiving end of more smishing attacks. USPS scam texts are a common example, where fake delivery or purchase notifications urge you to tap a link to confirm or resolve an issue.
- And other tactics: Fake public Wi-Fi networks, lookalike website domains, pop-up internet ads, and various other methods.
Hook, line, and sinker: Red flags to watch for
Phishing emails and messages often rely on familiar names and urgent language to prompt quick action. Be cautious of emails or messages that appear to come from well-known, trusted organizations like LinkedIn, Amazon, or the IRS.
- Always check for misspellings or added/substituted characters in the sender’s address. Legitimate companies use official domains (Amazon emails come from “@amazon.com,” not variations like “@amazon-support.com”).
- The IRS, SSA, and other official U.S. government agencies will never initiate contact through email, text, or social media.
- Watch for generic or suspicious subject lines, such as “Mail Notification: You have 5 Encrypted Messages,” “Undelivered Mail Returned to Sender,” or “Action required: Your payment was declined.”
Other common red flags can include:
- Poor grammar, generic greetings, unexpected prizes and offers, and requests for personal information.
- Urgent threats such as account suspension or limited-time demands to act.
- Subtle changes like “rn” instead of “m” in links and URLs.
- Unusual attachments or file names from unknown senders.
- Poorly formatted emails, broken links, or colors and logos that don’t match the company’s official branding.
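The sender-address check and the “rn”-for-“m” substitution described above can be automated. The following Python is an added example, not part of the original article; the allowlist, the look-alike pairs other than “rn”/“m”, and the function names are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Constructed allowlist for illustration; a real one holds the domains you actually deal with.
TRUSTED = {"amazon.com", "irs.gov", "linkedin.com"}

# Character swaps that look alike in many fonts. "rn" for "m" is the one named
# in the article; the other pairs are common additions (assumption).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def skeleton(text):
    """Collapse look-alike sequences so 'arnazon' and 'amazon' compare equal."""
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text

def sender_domain(from_header):
    """Return the lowercased domain of a From: header, or '' if there is none.

    Only the real address is used; the display name ("Amazon") is ignored
    because the sender can set it to anything.
    """
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def classify_sender(from_header, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    # Exact official domain, or a subdomain of it (subdomains: assumption).
    if any(domain == good or domain.endswith("." + good) for good in trusted):
        return "trusted"
    # Split on dots and hyphens so "amazon-support.com" yields the token "amazon".
    tokens = set(domain.replace("-", ".").split("."))
    for good in trusted:
        brand = skeleton(good.split(".")[0])
        # A trusted brand name, possibly with substituted characters,
        # appearing inside a domain that is not the official one.
        if any(skeleton(token) == brand for token in tokens):
            return "lookalike"
    return "unknown"
```

A result of `unknown` only means the domain resembles nothing on the allowlist; it is not a verdict that the message is safe.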
Additionally, the Social Security Administration (SSA) has identified four key warning signs to help recognize and avoid scams, known as the four Ps:
- Pretend: Scammers pretend to be a trusted source.
- Problem: Scammers will fabricate an issue to intimidate recipients.
- Pressure: Scammers will pressure recipients to act immediately.
- Pay: Scammers will request payment via gift cards, online transfers, or money orders.
How to protect yourself
- Think before you click: If you receive a suspicious invoice or request, do not open any attachments, click links, or submit payment. Verify directly with the organization using an official email address, phone number, or secure message center.
- Use strong, unique passwords: Use long, complex passwords (16+ characters) with a mix of letters, numbers, and symbols. Avoid personal details like birthdays or pet names.
- Multi-factor authentication (MFA or 2FA): Many sites and apps now offer two-factor authentication, which adds an extra layer of security beyond a username and password and makes it harder for cybercriminals to access your account.
- Antivirus security software: Install reputable antivirus software and keep devices and apps updated to help detect and block phishing threats in real time. Top-rated options for 2026 include Norton, TotalAV, Avast, Aura, and McAfee.
You’ve worked hard to build and preserve your financial security. Don’t let it be compromised by a moment of uncertainty. Always verify before responding. If something doesn’t look right, trust your instincts!
As licensed financial professionals, we are committed to helping you protect and preserve your wealth in every way we can. If you ever receive a suspicious message, our team is here as a resource to provide a second opinion before you take action.





