What is Phishing? How to Spot Phishing Emails, Texts & Calls

Phishing covers fraudulent emails (phishing), texts (smishing), and phone calls (vishing) that appear to come from legitimate sources and are designed to steal login credentials or personal information.

Why this scam works

Phishing is cheap to send at massive scale and only needs a tiny success rate to be profitable. Modern kits proxy real login pages so even 2FA codes can be stolen in real time.

What's happening now

  • Phishing remained the #1 reported cybercrime by volume at the FBI IC3 in 2023, with nearly 300,000 complaints (FBI IC3 2023).
  • Smishing volume (text-message scams) more than doubled in the US between 2021 and 2023 (FCC Consumer Help Center, FTC).
  • Adversary-in-the-middle phishing kits (Evilginx, Tycoon) that bypass SMS and app-based 2FA are now sold as a service (CISA advisory).

Warning signs

  • Urgency: 'verify in 24 hours or your account is closed.'
  • Generic greeting ('Dear customer') from a company that knows your name.
  • Sender domain is a near-look-alike: amaz0n-support.com, apple-id.help.
  • Link hover preview doesn't match the supposed brand.
  • Request for password, full SSN, or 2FA code by message.
  • Texts about a package, toll, or delivery you don't remember.
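The sender-domain and link-preview signs above can be checked mechanically. The sketch below is an added example, not part of the original page; the `OFFICIAL` allowlist, the homoglyph table, and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example: brand keyword -> domains that brand really uses.
OFFICIAL = {"amazon": {"amazon.com"}, "apple": {"apple.com"}}

# Digit-for-letter swaps used in look-alike names such as amaz0n.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def host_of(value):
    """Lowercase host from a URL or bare domain, without a leading www."""
    value = value.strip().lower()
    if "//" not in value:
        value = "//" + value
    host = (urlsplit(value).hostname or "").rstrip(".")
    return host.removeprefix("www.")


def is_official(host, brand):
    """True only for the brand's own domain or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL[brand])


def impersonated_brand(host):
    """Brand whose name appears in a host the brand does not own, else None."""
    normalized = host.translate(HOMOGLYPHS)
    for brand in OFFICIAL:
        if brand in normalized and not is_official(host, brand):
            return brand
    return None


def check_link(display_text, href):
    """Warnings for one link: look-alike target, or visible text naming another host."""
    findings = []
    target = host_of(href)
    brand = impersonated_brand(target)
    if brand:
        findings.append(f"look-alike of {brand}: {target}")
    text = display_text.strip()
    shown = "" if " " in text else host_of(text)
    if "." in shown and shown != target and not target.endswith("." + shown):
        findings.append(f"text shows {shown} but link goes to {target}")
    return findings


if __name__ == "__main__":
    # Constructed sample links using the look-alike domains named in the list above.
    print(check_link("www.amazon.com", "https://amaz0n-support.com/verify"))
    print(check_link("Sign in", "https://appleid.apple.com/"))
```

The brand match is a plain substring test, so an unrelated name that happens to contain a brand keyword is also flagged; treat a finding as a reason to look closer, not as proof.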

How the scam plays out

Bank email

"Your account is locked. Verify your identity at the link below to restore access."

Toll smishing

"You have an unpaid toll of $6.99. Pay now to avoid a $50 fine: pay-tolls-now.com"

Vishing

"This is your bank's fraud team. We see a charge in another state — confirm your card number to cancel it."

What to do

  • Never click links in unexpected messages — go to the company's site or app yourself.
  • Use a password manager: it will refuse to autofill on a look-alike domain.
  • Turn on app-based 2FA or passkeys; avoid SMS-only 2FA where possible.
  • Forward suspicious texts to 7726 (SPAM) and report phishing emails to your provider.

If it already happened

  • Change the password of any account whose credentials may have been entered.
  • Sign out all sessions and review connected apps and email forwarding rules.
  • If financial info was shared: alert your bank, freeze the card, and freeze your credit.
  • Report the message to the FTC and IC3.
