Phishing scams

How it works

You get a text or email that looks like it came from a real company:

"USPS: Your package can't be delivered. Update your address: usps-update.example/track"

"Chase Bank: Suspicious activity on your account. Verify now or it will be locked."

You click. You land on a page that looks just like the real Chase or USPS site. You enter your login. The scammer now has your password.

Or you "verify" by entering your card number, your address, your Social Security number. Now they have everything.

Why people fall for it

• Urgency — "act in the next 24 hours."
• Authority — the message looks official.
• Realism — the fake page is a near-perfect copy.
• You actually were expecting a package, so the timing feels right.

Red flags

• The URL is not the real domain (usps-update.example ≠ usps.com).
• You weren't expecting an account problem.
• The message creates pressure to click right now.
• Spelling errors or weird grammar.
• It came as a text from an unknown number.

How to stay safe

1. Never click links in unexpected texts or emails about your accounts. Type the URL yourself.
2. Check the sender. Real banks email from bank.com, not bank-secure-update.example.
3. Use multi-factor authentication (MFA) on every account that supports it. Even if scammers get your password, MFA stops most of them.
4. If you slipped and entered something — change that password immediately on the real site, and warn your bank if it was banking info.

Related lessons

• Spotting money scams online
• Glossary: Phishing

Sources & further reading

• Better Business Bureau — Scam tips: phishing
• Federal Trade Commission — How to recognize phishing
• FBI Internet Crime Complaint Center — IC3.gov

Educational only — not financial, legal, tax, or investment advice. If you think you've been scammed, tell a trusted adult immediately and report it to the FTC and the BBB Scam Tracker.