💬 Email & Text Phishing (Smishing)

Phishing messages try to trick you into clicking links, entering passwords, or sharing codes.

They copy real logos and wording, create urgency, and route you to fake sign-in pages or malware.

Use this page when you receive an email or text asking you to click a link, confirm or update your account, or act urgently — especially if it looks official but doesn’t feel right.

🔗 Trusted Resources

FTC — How to Recognize and Avoid Phishing Scams — Spot the red flags and what to do if you clicked
🌐 https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams ↗️

FTC — How To Recognize and Report Spam Text Messages — Forward spam texts to 7726 (SPAM)
🌐 https://consumer.ftc.gov/articles/how-recognize-report-spam-text-messages ↗️

FCC — Unwanted Calls & Texts — Blocking tools, robocalls, spoofing, and complaints
🌐 https://www.fcc.gov/consumers/guides/stop-unwanted-robocalls-and-texts#call-blocking-resources ↗️

USA.gov — Phishing — Federal overview and where to report
🌐 https://www.usa.gov/where-report-scams ↗️

🧭 Recognizing & Responding Safely

Don’t tap — type. Open a new tab and type the company’s website or use the official app.

Never share codes. One-time passcodes (2FA) are private — real companies will never ask for them.

Verify independently. Call the number on your card or statement, not the message.

If you clicked or entered info: Change that password, enable 2FA, review recent activity, and run an antivirus scan.

Report it: Forward phishing emails to reportphishing@apwg.org, spam texts to 7726, and file at the FTC and FCC.

📌 Sam’s Tips

Urgency = red flag. “Act now or lose access” is classic phishing pressure.

Mismatched links. Hover (or long-press) to preview before you click — if the domain looks odd, don’t touch it.

Trust your 2FA. A surprise login alert usually means your second factor protected you. Keep 2FA on, and change your password only if you actually entered it on a suspicious page.

💬 Quick example

A text message says: “⚠️ Bank Alert: Your account is locked. Verify immediately: secure-bank-help.com.”

Stop — real banks don’t send account alerts from random phone numbers.
Investigate — typing your bank’s website manually shows no alerts on your account.
Find better coverage — searching the text verbatim reveals identical phishing attempts reported on FTC complaint boards.
Trace — the link preview shows a domain created five days ago, not affiliated with your bank.

Conclusion

This fails verification. The unsolicited alert, off-domain URL, recycled script, and urgency cue indicate a phishing attempt.

Why

• Real institutions don't text clickable links for login.
• Scammers reuse identical wording across thousands of messages.
• Newly registered domains are common for credential-theft pages.
• Separate verification (manual login or app) disproves the claim.

Bottom line:
If a message wants you to tap a link to “verify,” don’t tap — type the official site yourself.