What you need to know to keep yourself safe from phishing scams


A phishing scam is a kind of identity theft in which hackers use fraudulent websites and fake emails, or assume a false identity over the phone, in an attempt to steal personal data such as passwords and credit card information.

Americans lost nearly $50 million last year to phishing schemes, according to the 2018 FBI Internet Crime Report. So far this year, more than 2,700 phishing scams have been reported to the Better Business Bureau's Scam Tracker.

How phishing works

"These scams pretend to be someone that you know, like a familiar company," says Katherine Hutt, a national spokesperson for the Better Business Bureau. The carefully crafted messages are meant to catch your attention, with warnings about suspicious activity on your online accounts or a potentially dire situation like an unpaid tax bill, missed jury duty, or a deactivated bank account.

One scam this year has targeted college professors by seeming to come from university deans.

The aim is to provoke you to react without thinking and click a link, share information, or download an attachment that likely contains malware.

How to protect yourself

Phishing scams tend to follow the same pattern, so understanding common tactics can protect you, says Hutt: "It's the technique you need to worry about, not the message." Here are three red flags to watch out for:

  1. Generic wording: "You have to be careful about anything that comes to you unsolicited," says Hutt. Don't trust messages related to your bank or credit cards that don't include your name or account details. "Be careful of generic language such as 'Dear friend,' or 'Dear customer,'" she says. "If it's not addressed to you personally, that's a red flag." Grammar and spelling errors are another warning sign. Reputable companies rarely have typos in their correspondence to you.
  2. Not-quite-right emails and websites: Oftentimes, phishing emails are sent from what look like reputable brands but are, on closer inspection, from phony email addresses. For instance, Amazon says that if an email comes from an internet service provider (ISP) other than, it is fraudulent. Hovering over links with your cursor — to see if there are random numbers or symbols rather than the company's proper name — can help you discover whether you're being led astray.
  3. Unsolicited phone calls: Scammers can phish over the phone as well. If someone claiming to be your service provider or financial institution calls you asking to verify information, ask if you can call them back. Then look up the number to make sure it was the actual company trying to reach you.

Your best option if you get a concerning email or call? Verify it. Find contact information you know to be legit for that company — for example, the toll-free number on the back of your credit card, or on the retailer's customer service page — and reach out. If there is an issue, authorized representatives will be able to confirm it and walk you through what to do next.