Skip to main content

What is phishing?

Phishing occurs when cybercriminals use deceptive messaging to trick you into divulging personal identifying information, such as passwords, credit card numbers, or financial information. They then use this information to open new accounts or steal from your existing account. Phishing can take the form of phone calls, emails, texts, social media platforms, or websites.

How common is it?

Very. It is the most common form of cybercrime. According to the Federal Trade Commission, imposter scams (such as phishing) were the most frequent and widespread type of consumer fraud in 2023.

Why do people fall for phishing?

Cybercriminals are good at making messaging sound and look authentic. They have a few common tricks up their sleeves. The good news is that if you know what red flags to look for, you’ll be better equipped to avoid phishing attempts.

Here are some common tactics cybercriminals employ:

First, the sender. Cybercriminals are skilled at making it sound or look like the correspondence is from a legitimate source. They will often impersonate a reputable organization—your bank, credit union, or workplace; a social media, software, or online shopping site; a streaming service; or even a government agency. They may even use artificial intelligence (AI) to impersonate someone you know, like a family member, friend, or coworker. What does that mean for you? Make skepticism your default. If a message knocks you off balance, be sure to stop, look, and think before taking the action requested.

Second, the content. Cybercriminals are good at making a message sound or look exactly like a message you might receive from a person or organization you trust. But there are a few red flags to be aware of:

  • Is the message urgent? Does it require an immediate response? RED FLAG.
    • Note: Urgency might be driven by fear (you’ll lose something) OR opportunity (you’ll win something but you have to act now). In both cases: RED FLAG.
  • Does it ask for your personal or financial information? RED FLAG.
  • Does it ask you to click links or download software? RED FLAG.

What should I do if a message has red flags?

DO NOT: Respond to the message directly.

DO NOT: Click any links or download any software.

DO: Stop, look, and think before taking the action requested.

DO: Take charge of the communication channel. Reach out to the person or organization using an established communication channel that you already know and trust to verify the legitimacy of the message in question.

Here’s a phishing email example with notes on RED FLAGS to look for.

phishing scam email example


  • The Subject Line. Cybercriminals emphasize urgency. Be wary of words like urgent, act now, immediate attention required, and other variations thereof.
  • The From Line. Slight variations of trusted email addresses can be used to trick you. Did you notice the email from [email protected] is missing the e in Verve? It’s subtle, but it’s different.
  • The Reply-to Line. This should match the from line. If you receive an email from an unknown sender or the email addresses don’t match, that’s a red flag.
  • The Date Line. You receive an email outside of normal business hours. Did you notice the email was sent at 2:33 AM?
  • The Content of the Email. You receive an email that is unsolicited, oddly worded, claims that you have unpaid bills or that your account information is outdated, and is extremely urgent. The sentence “Failure to update your account details within 24 hours will result in the termination of your account” is a red flag.
  • Links or Attachments: Hover your mouse over the links WITHOUT CLICKING. If the link address is for a different website, this is a huge red flag. Also, if you weren’t expecting to receive an attachment or if it seems at odds with the rest of the message, that’s also a red flag.

Here’s a phishing text message example with notes on RED FLAGS to look for.

example of phishing scam text message


  • The Content of the Text Message. Government agencies, banks, and other legitimate companies will never ask you to verify personal or financial information via text message.
  • The Content of the Text Message. Cybercriminals prey on fear. The phrase to prevent unauthorized purchases is a red flag.
  • Links or Attachments. You don’t even need to hover over this one to see it’s suspicious. This text message’s domain is—and that’s a huge red flag. Don’t be misled by the /verveacu. The domain name is where the link will take you.


If you think you may have been a victim of phishing:

Act quickly to contact your financial institution and the following credit bureaus to freeze your account and protect yourself from identity theft.


Want to learn more? Stay safe against scams by reviewing these security and fraud blog posts.