Scammers Try to Catch Victims Through Phishing


Learn how to tell if a text, email or phone call is an attempt to steal your cash or identity

by Andy Markowitz for AARP

Phishing is a tactic that scammers use to acquire valuable personal and financial data, such as your Social Security number, credit card details, or passwords for online accounts, and to steal your identity, your money, or both. Phishing attempts are mostly associated with email but can come in many forms, including social media messages, pop-up ads, vishing (phishing by phone), smishing (phishing by text message), and pharming (phishing by drawing victims to bogus websites).

By digital-age standards, phishing is an old-school tool, dating to the mid-1990s, but it continues to grow in use and sophistication. The FBI’s latest Internet Crime Report says the most frequently reported crimes in 2024 were phishing-related; it received more than 193,000 such reports last year, citing more than $70 million in total losses (though scams are notoriously underreported, so the actual numbers are likely to be far higher).

The scam often relies on impersonation, and phishers can be very good at it. They sound authoritative on the phone, change caller IDs to show a real corporate or government number, and use well-known logos to make their emails and websites look genuine.

They bait the hook by promising goodies — free products or services, a big lottery prize, a government grant — or threatening legal or financial harm over a supposed unpaid tax or utility bill, for example. You might get a call or an official-looking email from your bank or from a tech company like Apple or Netflix, claiming that there’s a problem with your account.

Another common version: fake package delivery messages, seemingly from the U.S. Postal Service, FedEx, or UPS, warning about some sort of delivery problem.

Some scammers hack accounts and gather personal details on victims to launch highly targeted attacks, a practice called spear-phishing. Global crime gangs use phishing emails to penetrate companies’ computer networks or convince employees to pay phony invoices.

Wherever their apparent source, phishing messages feign urgency (act now or you’ll risk arrest/have your account frozen/miss out on this special offer). You’ll be asked to quickly provide or “confirm” key pieces of personal or business information or be directed to click on a link, which might launch malware that harvests data from your computer or ransomware that takes over the machine and locks you out.

Take these precautions to help spot phishers and avoid their scams.

Warning signs

Emails that contain one or more of the following:

  • Offers of free products or services, supercheap travel deals, or a sweepstakes prize or other financial windfall
  • Vague or generic language, such as “payment issue,” to describe a problem with an account or purchase
  • Threats of dire consequences, such as legal action or an account being frozen, if you don’t act immediately
  • Requests that you click a link, open an attachment, or reply with personal or financial information to take advantage of an offer or to resolve a problem
  • Spelling and grammar errors — many phishing scams originate abroad
  • Pop-ups on your computer or mobile device that warn of viruses, promise a prize, or redirect you automatically to another site
  • Unsolicited messages that claim to be from a government agency, public utility, bank, or major company

How to protect yourself from this scam

  • Check the “From” address. If an email says it’s from Apple or Bank of America but comes from, say, a Gmail account or an address with a foreign domain, it’s phony.
  • Hover your cursor over links in suspicious emails to reveal the true destination or source. Pasting the URL into a safety checker such as VirusTotal or Google Safe Browsing can tell you if it presents a phishing or malware risk.
  • Use antivirus software and keep it up to date. Activate firewalls and other settings that block malicious files.
  • Vary the passwords on your online accounts, which can minimize the damage if you are phished or hacked. Change passwords immediately if you suspect a breach.
  • Don’t give out personal or financial data such as your Social Security number or account numbers in response to an email or an unsolicited call. A company or government office contacting you on legitimate business will not ask you for such information.
  • Never click on a link or open an attachment unless you are certain the email comes from a trusted source. To check whether a business or government agency is really trying to contact you, use its legitimate customer-service email or hotline, which you can find online or on account statements.

More resources

  • Forward phishing emails to the Federal Trade Commission (FTC) at reportphishing@apwg.org and phishing text messages to the FTC at SPAM (7726), as well as to the business or organization the sender claims to represent. Many companies have dedicated email addresses to report phishing, which you can find online.
  • You can also report phishing attempts to the FBI’s Internet Crime Complaint Center at www.ic3.gov.