Overview

Scammers use phishing attacks to trick people into sharing personal or financial information. Phishing can happen through email, over the phone, by text message, or even via social media. But if you know the red flags—like blurry images, typos, odd sender addresses, and unsolicited requests to “act now!”—you’ll be ready for the hook when it comes.

Have you ever opened an email that looked like it was from your bank, only to freeze when you realized the greeting was generic and the link suspicious? Or gotten a text about a package you never ordered, pressuring you to “confirm” your account or delivery info?

Welcome to the world of phishing: one of the most widespread tricks scammers use to steal your personal data or money. Every day, fraudsters cast millions of baited lines—through email, phone calls, texts, or even social media—hoping someone will bite.

The good news is that when it comes to phishing, criminals often follow a similar playbook. So, if you know how these scams typically work, you'll have a leg up.

How phishing emails work

In a phishing email, a fraudster may pose as a reputable institution such as a bank, subscription service, online retailer, or government agency. In some cases, they may impersonate a coworker or friend.

Once the scammer makes contact, they typically prompt you to share personal information like your Social Security number, account password, or credit card number.

Here’s how phishing emails may capture your information:

  • The email includes a link to a phony but legitimate-looking website. The bogus site captures any sensitive personal or payment information that you enter, and if you type in a one-time login code, it captures that just as easily as a password.

  • The email prompts you to download a file that harbors malicious software, known as malware, which is designed to steal data, spy on you, or otherwise damage your computer or phone.

What’s worse, phishing emails are increasingly written with the help of artificial intelligence (AI), so the clumsy wording that used to give them away is disappearing. They may also carry a QR code in place of a link; scanning it sends your phone to a site whose address you never saw in the email, which sidesteps the usual habit of checking a link before clicking it.

Smishing: phishing by text message

When phishing happens via text message, it’s called smishing—also known as SMS phishing.

Text-based scams have spiked in recent years. The Federal Trade Commission reports that fraud initiated by text message continues to cause significant losses, with consumers reporting millions of dollars lost annually, often through fake delivery texts, bank alerts, or prize notifications.

In most cases, scam texts follow a similar blueprint to phishing emails: The attacker sends a text pretending to be someone else, and they typically ask you to click a link that leads to a fake or malicious website. Common scam texts include:

  • “Congratulations! You’ve won a prize.”

  • “Your account is locked. Verify your information.”

  • “You’re eligible for a government refund.”

  • “Your package is out for delivery. Update your preferences.”

To stay safe, make it a rule not to share sensitive details or send payment via text. If you suspect that a text is a scam, feel empowered to delete it and move on.

Vishing: phishing by phone call

When phishing happens over the phone, it’s referred to as “vishing”—short for voice phishing.

The Federal Communications Commission (FCC) continues to report that unwanted calls and texts are among the top consumer complaints it receives, highlighting how common phone-based scams have become.

However they ring in, the scammer finds an excuse to ask for personal information or financial details. A vishing attempt might involve:

  • A robocall or automated recording

  • A live caller pretending to be from a bank, government agency, insurance provider, or even a family member

  • Urgent threats (“Your account will be closed!”) or emotional pressure (“Your grandchild needs help right now!”)

Once they have you on the line, scammers typically ask for personal information, financial details, or even medical information—which may be used to obtain health services or prescription drugs in someone else’s name.

Quick Tips

3 ways to avoid phone scams

  • Register your phone number on the National Do Not Call Registry at donotcall.gov. Keep in mind that the registry only cuts down on calls from legitimate telemarketers; scammers ignore it, so a sales pitch that reaches a registered number is a warning sign in itself.

  • Don’t answer calls from numbers that look suspiciously similar to your own. Caller ID is easy to spoof, so a local-looking number proves nothing about who is calling, and picking up may confirm your number as “active,” leading to more robocalls. Let unknown callers go to voicemail.

  • Know the red flags of a scam call, such as urgent and emotional pleas to wire money or buy gift cards. If a caller claims to be from your bank or a government agency, hang up and call back using the number on your card, your statement, or the agency’s official website, never a number the caller gives you.

Phishing on social media

Phishing on social media can be incredibly targeted. When a scammer tailors an attack to a specific person, it’s known as spear phishing.

Criminals may use details from your social media profiles—like your employer, interests, relationships, or recent posts—to craft convincing messages.

The FTC reports that social media remains one of the most common contact methods for scammers, often through advertisements, messages, or fake profiles.

We recommend approaching social media with the same caution as your email inbox or text messages. To protect yourself:

  • Treat unexpected direct messages with caution.

  • Limit how much personal information you share publicly.

  • Remember that even verified accounts can be hacked.

How to spot phishing attempts

Regardless of how a scammer approaches you, there are some general clues that may indicate a phishing scam:

  • Misspellings, grammatical errors, and blurry images or logos can all signal that a message is fake. Professional organizations typically maintain high standards for communication and branding. The reverse is not true, though: a polished, error-free message can still be a phish, especially now that scammers use AI to write them, so never treat clean wording as proof that a message is genuine.

  • Urgent requests for money or personal information should be regarded with suspicion. Legitimate institutions won’t sound desperate for payment, and it’s unlikely that a real friend would ask for help this way without prior context.

  • “Corporate” messages sent from a non-corporate email provider (such as an @gmail or @yahoo address) can be another red flag. Check the actual sender address rather than the display name, which a sender can set to anything, and compare the domain after the @ with the one the organization really uses. A near match, such as an extra word, an added letter, or a digit standing in for a letter, is the mark of a look-alike domain.

  • Requests to wire money or send gift cards should be ignored. These payment methods are difficult to trace and nearly impossible to recover if fraud occurs.

  • Generic greetings like “Dear Customer” or “Dear User” instead of your actual name often indicate mass phishing attempts rather than legitimate correspondence.
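Several of the clues above can be checked mechanically. The following is an added example, not code from the original article, that scores a raw email against a handful of these red flags: a named organization writing from a free-mail address, a generic greeting, urgency wording, link text whose domain disagrees with the real destination, and links that point outside the sender’s domain. The two sample messages, the domains in them (examplebank.com and the look-alike examp1ebank.com), and the word lists are all constructed for illustration and are assumptions, not a vetted spam filter.

```python
"""Heuristic phishing red-flag checker (added example, not from the article).

Scores a raw RFC 822 email against the red flags the article describes.
The thresholds, word lists and both sample messages are constructed for
illustration; a real mail filter would combine wording checks with sender
authentication results (SPF/DKIM/DMARC) rather than rely on text alone.
"""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists: consumer mail providers and pressure phrases (not exhaustive).
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY = re.compile(
    r"\b(act now|immediately|within 24 hours|suspended|locked|verify your)\b", re.I)
GENERIC = re.compile(r"\bdear (customer|user|member|account holder)\b", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; a bare 'example.com' is accepted too."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def body_text(msg):
    """Concatenate the text/* parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def red_flags(raw_message):
    """Return a list of 'category: detail' strings, one per red flag found."""
    msg = email.message_from_string(raw_message)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()

    # A named organization writing from a consumer mail provider.
    if display and sender_domain in FREE_MAIL:
        flags.append(f"free-mail sender: '{display}' writes from {sender_domain}")

    text = msg.get("Subject", "") + "\n" + body_text(msg)
    # Mass-mailing greeting instead of the recipient's name.
    if GENERIC.search(text):
        flags.append("generic greeting: message is not addressed to you by name")
    # Pressure language in subject or body.
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if hits:
        flags.append("urgency: " + ", ".join(hits))

    # Links: visible text that disagrees with the real destination, hosts
    # outside the sender's domain (legitimate newsletters with tracking links
    # will trip this too, so it is a weaker signal), and punycode hosts.
    collector = LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        target = host_of(href)
        if "." in shown and " " not in shown and host_of(shown) != target:
            flags.append(f"link mismatch: text shows {host_of(shown)} but points to {target}")
        if sender_domain and not (target == sender_domain or target.endswith("." + sender_domain)):
            flags.append(f"off-domain link: {target} is not under {sender_domain}")
        if any(label.startswith("xn--") for label in target.split(".")):
            flags.append(f"IDN host: {target} uses punycode, check for look-alike characters")
    return flags


# Constructed samples: a phish impersonating a fictional bank, and a genuine notice.
PHISH_SAMPLE = """From: Example Bank Security <alerts.team@gmail.com>
To: you@example.com
Subject: Your account is locked
Content-Type: text/html

<p>Dear Customer,</p>
<p>Your account has been locked. Verify your information within 24 hours:
<a href="http://secure-login.examp1ebank.com/verify">https://www.examplebank.com/login</a></p>
"""

LEGIT_SAMPLE = """From: Example Bank <no-reply@examplebank.com>
To: you@example.com
Subject: Your March statement is ready
Content-Type: text/html

<p>Hi Jordan,</p>
<p>Your statement is available at <a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, red_flags(sample) or ["no red flags"])
```

Run it and the phishing sample trips five flags (free-mail sender, generic greeting, urgency, link mismatch, off-domain link) while the genuine statement notice trips none. The look-alike domain examp1ebank.com is caught here only because the visible link text disagrees with the href; a message whose link text also read examp1ebank.com would need a comparison against the domains you actually do business with, which is exactly the check the bullet above asks you to make by eye.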

What to do if you’ve responded to a phishing scam

If you’ve already engaged with a suspicious message, don’t panic and don’t ignore it. Here’s what to do:

  • If you downloaded or opened an attachment, disconnect from Wi-Fi or the internet to help prevent malware from spreading or additional data from being transmitted. If you only typed details into a fake website, the damage is the information you entered, and the steps that follow matter more than going offline.

  • Change passwords immediately for key accounts, starting with your email (since it can be used to reset the others) and including online banking and any accounts that share the same credentials. If you think the device you used may be infected, change them from a different device you trust. Enable multi-factor authentication (MFA) wherever possible.

  • Check for signs of identity theft, such as locked accounts, unfamiliar transactions, or notifications about account changes you didn’t make.

  • Notify your financial institutions if you shared banking details or suspect fraudulent activity. They can monitor for suspicious transactions and help secure your accounts.

  • Report the phishing attempt to the appropriate authorities: Forward the email to reportphishing@apwg.org and report to the FTC at reportfraud.ftc.gov. If it involves your workplace, alert your IT or security team immediately.

If you’re an Allstate Identity Protection member, you can also call us anytime. Our specialists can help determine whether a message is a scam and guide you through the next steps.

Phishing may evolve, but many attacks share the same underlying tactics. Stay cautious across email, text, phone, and social media. And remember: if something doesn’t look or feel right, trust your instincts.