Threatcare

Clear, practical help to spot scams, avoid fraud, and recover if you've been caught out.


Phishing Emails and Texts: How to Spot and Stop Them

Key takeaways

  • Phishing is a message that impersonates someone you trust (your bank, a delivery firm, a government agency) to trick you into clicking a link, opening a file, or handing over a password or passcode.
  • The tells are consistent: manufactured urgency, a sender address that is close but not quite right, a generic greeting, and a link that does not match the real website.
  • Never click a link or call a number from the message itself; pause and contact the organisation through a number or website you find yourself.
  • If you have already clicked or shared details, change that password, turn on two-factor authentication, and watch for follow-up contact, because one breach invites the next.

Phishing is a fake message, usually an email or a text, that impersonates someone you trust to trick you into clicking a malicious link, opening an attachment, or handing over a password, passcode, or payment. It is the single most common way scams begin, and once you know the shape of it, the fakes get much easier to catch.

How phishing works

Phishing works by borrowing the identity of an organisation you already trust and adding pressure so you act before you think. The message claims to be from your bank, a parcel courier, a streaming service, a tax authority, or even your own employer. It then nudges you toward one of three actions: click a link, open a file, or share a credential.

The economics explain the volume. Phishing is cheap to send in bulk, so scammers play a numbers game; the FBI Internet Crime Complaint Center has repeatedly listed phishing (and its text and voice cousins) as the most-reported cybercrime type by victim count, with hundreds of thousands of complaints in a single year. The mechanics map exactly onto the universal scam pattern: urgency or fear, borrowed trust through impersonation, and a push toward an unusual or hard-to-reverse action. For the bigger picture, see how to spot a scam.

How to spot a fake email

You spot a phishing email by checking the sender, the greeting, the tone, and the link, in that order. No single sign is proof, but they cluster.

  • The sender address. Hover over (or tap and hold) the sender name to reveal the real address. Scammers use look-alikes like “[email protected]” instead of the genuine domain.
  • The greeting. Real organisations that hold your account usually know your name; “Dear Customer” or “Dear User” is a warning sign.
  • The link. Hover over any link without clicking; the status bar shows the true destination. If the visible text says one thing and the real URL says another, stop.
  • The tone. Manufactured urgency (“your account will be suspended in 24 hours”) and threats are designed to short-circuit your judgement.
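The sender and link checks from the list above can be automated. This is an added example, not code from the original page. The function names, the `expected_domain` parameter (the domain you already know the organisation uses) and the sample message are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

class LinkCollector(HTMLParser):  # gathers (visible text, href) per web link
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and href.lower().startswith(("http://", "https://")):
            self._href, self._text = href, []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def on_domain(host, domain):
    """True for the domain itself or a subdomain; never a substring match."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def sender_and_link_signs(from_header, html_body, expected_domain):
    """Return which of the 'sender' and 'link' signs a message shows."""
    signs = []
    sender_domain = parseaddr(from_header)[1].rpartition("@")[2]
    if not on_domain(sender_domain, expected_domain):
        signs.append("sender")
    collector = LinkCollector()
    collector.feed(html_body)
    for shown, href in collector.links:
        host = urlsplit(href).hostname or ""
        named = DOMAIN_IN_TEXT.search(shown)
        claimed = named.group().lower().removeprefix("www.") if named else expected_domain
        if not (on_domain(host, expected_domain) and on_domain(host, claimed)):
            signs.append("link")
            break
    return signs

# Constructed sample: the digit 1 stands in for the letter l in the domain.
SAMPLE_FROM = '"Example Bank Security" <alerts@examp1e-bank.example>'
SAMPLE_HTML = '<a href="https://login.examp1e-bank.example/verify">www.example-bank.example</a>'
print(sender_and_link_signs(SAMPLE_FROM, SAMPLE_HTML, "example-bank.example"))
```

An empty result only means these two signs are absent. The greeting and tone checks still need a human reader.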

I learned this the slow, expensive way. The message that started my own loss was not a crude one: it carried the right logo, the right colours, and a line about “unusual activity” on my account. I was tired, I was worried, and I clicked. The login page it opened looked identical to the real one. That single moment is why I now treat every unexpected message, however polished, as a stranger at the door until I have verified it through a channel I chose myself.

How to spot a fake text (smishing)

A phishing text is harder to vet than an email because there is no sender name to inspect, only a number, and links are shortened. Treat the following as red flags: a “missed delivery” needing a small fee, a “bank security” alert asking you to confirm details or move money, a one-time passcode you did not request, or a link to a shortened or unfamiliar web address.

Texts increasingly carry QR codes too, which hide the real destination behind an image. The text variants deserve their own treatment; the dedicated guide to QR code and smishing scams covers them in detail. The rule that holds across both email and text is the house defence: pause and verify independently, using a number or website you find yourself, never the details in the message. Caller ID and sender addresses are spoofable and prove nothing.

What never to click, and what to do instead

Never click a link, open an attachment, or call a number from inside a suspicious message; instead, go to the organisation directly through a channel you control. Those three elements are the only things the scammer fully controls, so removing them removes their advantage.

If a message claims to be from your bank, close it, then open your banking app or type the bank’s address into your browser by hand. If it claims a parcel is held, go to the courier’s official site and check with the tracking number you already have. The reflex to protect is the pause; the entire fraud depends on you not taking it.

If you have already responded

If you clicked or shared details, act in order: stop the money, then secure the account, then report. Contact your bank or card provider immediately if you entered payment or banking details, because speed is the single biggest factor in whether a payment can be stopped. Change the password you exposed, turn on two-factor authentication, and stay alert for follow-up contact, since a fresh victim is often targeted again within days.

Then report it. In the US, report phishing to the Federal Trade Commission at ReportFraud.ftc.gov and forward scam texts to 7726. If your identity may be exposed, the full guide on what to do after being scammed walks through the recovery order step by step.

This is general information, not individual legal, financial, or security advice. If you have been targeted, report it to the proper authorities, such as the FTC, the FBI Internet Crime Complaint Center, or Action Fraud in the UK.

References

  1. How To Recognize and Avoid Phishing Scams, US Federal Trade Commission.
  2. Recognize and Report Phishing, Cybersecurity and Infrastructure Security Agency (CISA).
  3. Internet Crime Complaint Center (IC3), Federal Bureau of Investigation.

Frequently asked questions

How do I know if an email or text is phishing?

Look for the same cluster of signs: a sense of urgency or threat, a generic greeting like 'Dear Customer', a sender address that is close to the real one but not exact, spelling or grammar that feels off, and a link whose real destination (shown when you hover over it) does not match the organisation's true website. Any single sign is a reason to pause; several together almost certainly mean phishing.

What should I never click in a suspicious message?

Never click links, never open attachments, and never call the phone number printed in the message. All three can be controlled by the scammer: a link can lead to a fake login page, an attachment can install malware, and the number can put you straight through to the fraudster. Instead, contact the organisation using details you find yourself.

What happens if I accidentally clicked a phishing link?

Clicking a link alone is rarely catastrophic, but do not enter any details on the page it opens. If you did enter a password, change it immediately on the real site and turn on two-factor authentication. If you entered card or bank details, contact your bank or card provider straight away. Then run a security scan on your device and watch for follow-up scam contact.

What is the difference between phishing and smishing?

Phishing traditionally means the scam arrives by email; smishing is the same attack delivered by SMS text message, and vishing is the voice-call version. The channel changes but the goal is identical: impersonate a trusted brand and pressure you into clicking, paying, or sharing a code. See our guide to [QR code and smishing scams](/posts/qr-code-and-smishing-scams) for the text-message variants.

Should I reply to a phishing text to opt out or tell them to stop?

No. Replying, even to say 'STOP', confirms to the scammer that your number is live and monitored, which usually leads to more messages. Do not reply or call back. In the US you can forward phishing texts to 7726 (SPAM) and report phishing emails to the Anti-Phishing Working Group at [email protected], then delete the message.

Why am I suddenly getting so many phishing messages?

Your email address or phone number has most likely appeared in a data breach or been bought on a list, so it is now in circulation among scammers. You cannot fully undo that, but you can reduce the damage: never confirm you are a live target by replying, tighten your privacy, and treat every unsolicited message as guilty until you have verified it independently.

Written by David Mercer. Reviewed by Dana Whitaker, CFE.

Our guides are written from personal experience and reviewed by a qualified fraud and security professional for accuracy.