Scammers use phishing attacks to try to trick people into sharing personal or financial information. Phishing can happen through various means, including email, over the phone, or via text. But if you know the red flags — like blurry images, typos, and unsolicited requests to “act now!” — you’ll be ready for the hook when it comes.
Have you ever received a suspicious email asking you to click a link or share personal information?
If so, it was probably a phishing attempt. Scammers can create fraudulent messages designed to capture your sensitive details, a tactic known as phishing. Some experts estimate that up to 3 billion bogus phishing emails are sent every day.
Phishing attacks can play out over the phone and through text messages, too.
The good news is that when it comes to phishing, criminals often follow a similar playbook — so if you know how these scams typically work, you'll have a leg up.
How do phishing emails work?
In a phishing email, a fraudster may pose as a reputable institution like a bank, subscription service, popular retailer, or government agency. Or, they may pretend to be a friend or a stranger in need.
Once the scammer makes contact, they prompt you to share personally identifiable information (PII), like your Social Security number, account password, or credit card number.
Here’s how phishing emails may capture your information:
The email includes a link to a phony but legitimate-looking website. The bogus site allows a scammer to capture any sensitive personal or payment information that you enter.
The email prompts you to download a file that harbors malicious software. This is also known as malware, and it’s designed to steal data or otherwise damage or spy on your computer system.
What is vishing?
When phishing happens over the phone, it may be referred to as “vishing” — short for voice phishing.
Phone scams like these are common. In fact, the Federal Communications Commission (FCC) reports that unwanted calls are the top complaint that it receives from consumers.
Voice phishing can take the form of a robocall (also known as an automated recording), or a live call from a fraudster.
However they ring in, the scammer finds an excuse to ask for personal information or financial details — or they may even ask for medical information in order to obtain medical services, prescription drugs, or other health care in someone else’s name.
Once they have you on the line, the fraudster may try to scare or pressure you into giving them what they want. See below for quick tips to help you recognize and avoid this type of phone scam.
3 ways to avoid phone scams
Register your phone number on the National Do Not Call list at donotcall.gov.
Robocalls can show up with a caller ID number that looks similar to your own. Don’t pick up: doing so will mark your number as “active,” encouraging future robocalls.
Know the red flags of a scam call — such as urgent and emotional pleas to wire money.
How does phishing via text message work?
When phishing happens via text message, it’s called smishing — also known as SMS phishing.
Scam texts are on the rise, partly because consumers have increasingly turned to text messaging as a form of communication — and scammers have taken note.
The Federal Trade Commission (FTC) reports that Americans lost at least $131 million to fraud initiated by text messages in 2021 — a 50 percent increase from the year prior.
This year, losses continue to rise. As of October 2022, Americans reported losing at least $231 million to scams that began with a text message, according to the FTC. In many cases, the financial stakes are high: the median loss reported was $1,000.
While some scam texts target your wallet, others probe for personal information, which can be used to steal your identity or commit other fraud.
In most cases, scam texts follow a similar blueprint to phishing emails: The attacker sends a text pretending to be someone else, and they typically ask you to click a link that leads to a fake or malicious website.
Here are some common scam texts we’ve seen:
“Congratulations! You’ve won a prize.”
“Your account is temporarily locked. Please verify your information.”
“You’re eligible to register for a government refund.”
“Your package is out for delivery. Set your delivery preferences.”
To stay safe, make it a rule not to share sensitive details or send payment via text. If you suspect that a text is a scam, feel empowered to delete it and move on.
Be wary of phishing on social media, too
Phishing attacks can be incredibly targeted. When a phishing attempt specifically targets an individual, that’s known as “spear phishing.”
Criminals can mine your social media accounts for your interests and contacts, and use that information to craft a highly targeted phishing attack — so be careful what you share online.
In addition, be aware that more than one in four people who reported fraud losses to the FTC’s Consumer Sentinel Network in 2021 said the scam began with an ad, post, or direct message on social media.
We recommend approaching social media with the same caution as your email inbox or text messages. Keep in mind that there are many ways that scammers might use social media to steal your information.
In general, you should approach any online request that involves sending payments or sharing personal information with suspicion. It's smart to ignore friend requests or direct messages from strangers — but also keep in mind that even close friends and verified public accounts can be hacked.
How to identify phishing scams
Regardless of how a scammer approaches you, there are some general clues that may indicate a phishing scam:
Misspellings, grammatical errors, and blurry images or logos can all signal that a message is fake.
Urgent requests for money should be regarded with suspicion. Legit institutions won’t sound desperate for payment, and it’s unlikely that a real friend would ask for help this way.
“Corporate” messages sent from a non-corporate email provider, such as an @gmail or @yahoo address, can be another red flag.
Requests that money be wired or sent via gift card should be ignored. These modes of payment are hard to recoup should fraud occur.
What to do if you’ve fallen for a phishing scam
If you’ve already engaged with a message or website that seems suspicious, don’t panic — and don’t ignore it. Here’s what to do next:
Immediately disconnect from Wi-Fi, which can help prevent the spread of malware.
Change your passwords for key accounts, including your email and online banking accounts.
Monitor for signs of identity theft, such as suddenly being locked out of one of your accounts.
If you’re an Allstate Identity Protection member and you think you’re experiencing identity theft, you can give us a call at any time. Our identity specialists are standing by to help you determine if something’s a scam, and guide you on what to do next.