If an email is pushing you to act fast, asking for a password, payment, or personal details, and the sender address does not exactly match the real company, you are almost certainly looking at a phishing attempt. Phishing is a scam where a criminal impersonates a trusted business, government agency, or person to trick you into handing over money or information. The good news: most phishing emails fail a few simple tests, and you can run those tests in under a minute before you click anything.
Run This Quick Phishing Checklist Right Now
Before you do anything the email asks, walk through these checks. If even one or two raise a red flag, treat the message as a scam until proven otherwise.
Check the real sender address, not just the display name. Scammers can put "Bank of America" or "PayPal" in the from-name while the actual address is something like service@secure-alerts-paypa1.com. Click or tap the sender name to reveal the full email address and look at the part after the @ sign.
Hover over links before clicking. On a computer, hover your mouse over any button or link (do not click) and read the web address that appears. On a phone, press and hold the link to preview it. If the address does not clearly belong to the real company, do not click.
Watch for false urgency and threats. "Your account will be suspended in 24 hours," "Unusual login detected," "Your payment failed, update now." Scammers create panic so you act before you think.
Notice generic greetings. "Dear Customer" or "Dear User" instead of your name can be a sign, though some legitimate emails do this too.
Look for grammar and formatting that feels off. Odd spacing, broken logos, strange capitalization, or stilted English are common in scam emails.
Be suspicious of unexpected attachments. Invoices, receipts, or "documents" you did not request can carry malware. Do not open them.
Distrust any request for passwords, full account numbers, Social Security numbers, gift cards, wire transfers, or cryptocurrency. Legitimate companies and government agencies do not ask for these by email.
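The first two checks above (the part after the @ sign, and where a link really goes) can also be automated. The Python sketch below is an added example, not part of the original article: the TRUSTED brand-to-domain table, the function names, and the sample message (including its link) are constructed for illustration, and it assumes a single-part HTML email.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brand name -> domains that brand really uses (constructed table).
TRUSTED = {"paypal": {"paypal.com"}, "bank of america": {"bankofamerica.com"}}

def belongs_to(host, domains):
    """True only if host is one of the domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> tag, like hovering over each link."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_email(raw):
    """Return red flags for the sender-address and link-destination checks."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    brands = [b for b in TRUSTED if b in display.lower()]  # who the from-name claims to be
    flags = [f"sender: display name says {b!r} but address is @{sender_domain}"
             for b in brands if not belongs_to(sender_domain, TRUSTED[b])]
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for text, href in collector.links:
        host = urlsplit(href).hostname  # the real destination, not the link text
        flags += [f"link: {text!r} goes to {host}, not a {b} domain"
                  for b in brands if not belongs_to(host, TRUSTED[b])]
    return flags

# Constructed sample: the sender address from the checklist plus a made-up link.
SAMPLE = """\
From: "PayPal" <service@secure-alerts-paypa1.com>
Content-Type: text/html

<p>Dear Customer, <a href="http://paypal.com.account-verify.example/login">Log in to PayPal</a></p>
"""
```

Calling check_email(SAMPLE) returns two flags. The link is flagged even though its address begins with "paypal.com", because the real domain is whatever comes last before the first slash.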
The Single Most Reliable Test
When in doubt, do not use any link, phone number, or attachment inside the email. Instead, go directly to the company using contact details you already trust, such as the phone number on the back of your card, the official app, or the web address you type yourself. Then ask whether the message is real. This one habit defeats the vast majority of phishing because the scammer loses control the moment you leave their email and reach the real company.
Common Phishing Disguises Consumers See
Phishing campaigns tend to imitate organizations you are likely to trust or fear. Knowing the usual costumes makes them easier to spot.
Banks, Card Issuers, and Payment Apps
"We noticed suspicious activity, verify your account." These messages often link to a fake login page that captures your username and password. Real banks will not ask you to confirm your full card number, PIN, or online banking password through an emailed link.
Debt Collectors and "You Owe Money" Threats
Some phishing emails pose as collectors demanding immediate payment, sometimes threatening arrest or lawsuits. Real debt collection in the U.S. is governed by the Fair Debt Collection Practices Act (FDCPA), which is enforced by the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB). Under the FDCPA, a legitimate collector generally must, when asked, send you written validation of the debt, and the law prohibits false threats and harassment. A scammer demanding gift cards, wire transfers, or instant payment to avoid arrest is a classic "phantom debt" scam. You always have the right to request written validation and to verify that a debt and a collector are real before paying a cent. Note that many states add their own debt collection rules and licensing requirements on top of the FDCPA, and these protections vary by state.
Government Impersonators
Emails claiming to be from the IRS, Social Security Administration, or a court are common. As a rule, the IRS does not initiate contact about a tax bill or refund by email. Treat any emailed "government" demand for payment or personal data as suspect.
Package Delivery, Subscriptions, and Refunds
"Your package is held," "Your subscription auto-renewed for $499, call to cancel," or "You are owed a refund, confirm your bank details." These play on curiosity or the fear of being overcharged to get you to call a fake number or enter financial information.
What the Law Says and Who Enforces It
Phishing itself is fraud, and several federal bodies work to combat it. The FTC is the primary federal consumer protection agency and runs the national reporting site for fraud and identity theft. The CFPB oversees consumer financial products and handles complaints involving banks, lenders, and debt collectors. When a phishing scam involves your credit reports or someone opening accounts in your name, the Fair Credit Reporting Act (FCRA) gives you rights to dispute inaccurate information and to place fraud alerts and security freezes with the credit bureaus. Your state Attorney General also enforces state consumer protection and anti-fraud laws, and many states have their own data breach and identity theft statutes. The specifics, including some deadlines and remedies, vary by state, so it is worth checking your own state's rules rather than assuming a single national number applies.
This is general information, not legal advice, but the practical takeaway is consistent everywhere: you are never required to pay or share sensitive information based on an unverified email, and you have clear, free channels to report and recover.
What to Do If You Are Not Sure
Do not click, reply, or call the number in the email. Pause and verify through a channel you trust.
Contact the company directly using the official app, a web address you type yourself, or the number on your card or statement.
Report the message. Most email providers have a "Report phishing" or "Report spam" option that helps protect others.
Delete it once you have reported it, and do not keep clicking through out of curiosity.
What to Do If You Already Clicked or Shared Information
Acting quickly limits the damage. Take these steps in order of what you exposed.
If you entered a password, change it immediately on the real site, and change it anywhere else you reused the same password. Turn on two-factor authentication where available.
If you shared card or bank details, call your bank or card issuer right away using the number on your card. Ask them to watch for or stop fraudulent charges and, if needed, issue a new card.
If you sent money by gift card, wire, payment app, or cryptocurrency, contact the company you used as fast as possible; some transfers can occasionally be stopped or reversed if you act quickly.
If you gave out your Social Security number, consider placing a free fraud alert or a security freeze with the three nationwide credit bureaus. Under the FCRA you have the right to do this and to get free copies of your credit reports to check for accounts you did not open.
If your device may be infected, run a security scan and keep your software and operating system updated.
Document Everything and Report It
Good records make recovery and any dispute far easier. Save the original email, including the full sender address and any web addresses it contained, take screenshots, and write down dates, dollar amounts, and the names of anyone you spoke with. Then report the scam through these channels:
The FTC at its official fraud reporting site, which also generates a recovery plan if your identity was stolen.
The FBI's Internet Crime Complaint Center (IC3) for internet-based fraud, especially if you lost money.
The CFPB if the scam involved a bank, lender, or debt collector.
Your state Attorney General's consumer protection office, which may offer additional help and enforce state-specific protections.
The real company being impersonated, so it can warn other customers.
Reporting will not always recover lost funds, but it builds the record that investigators, your bank, and the credit bureaus rely on, and it helps stop the scammer from reaching the next person.
Build Habits That Keep You Safe
You do not need to be a security expert to stay ahead of phishing. Slow down when a message creates urgency, verify through trusted channels, never reuse passwords, turn on two-factor authentication, and keep your devices updated. Treat unexpected requests for money or personal information as guilty until proven innocent. Scammers count on speed and fear; your calm, deliberate checks are exactly what break their plan.
Know the law
The FTC enforces the ban on unfair and deceptive practices; report fraud to recover money and stop the scammer.
Your state matters too. Federal law is the floor — your state sets the statute of limitations on debt, garnishment and exemption limits, payday and repossession rules, and has its own Attorney General and consumer-protection laws. Always check your state’s rules. This is general legal information, not legal advice.
Frequently asked questions
Is this a scammer email if it has my name and looks official?
Possibly. Scammers can buy or steal personal details, copy real logos, and spoof a company's display name, so a personalized, professional-looking email can still be phishing. Judge it by the actual sender address, where its links really go, and whether it pressures you to act fast or share sensitive information. When in doubt, verify directly with the company using contact details you already trust, not anything inside the email.
How can I check if an email link is safe without clicking it?
On a computer, hover your mouse over the link or button without clicking and read the web address that appears in the corner of the screen. On a phone, press and hold the link to preview the destination. If the address does not clearly belong to the official company, or it uses odd spellings and extra words, do not click. Instead, type the company's known web address yourself or use its official app.
What should I do right after clicking a phishing link?
Do not enter any information on the page. If you already entered a password, change it immediately on the real site and anywhere you reused it, and enable two-factor authentication. If you shared card or bank details, call your bank using the number on your card. If you gave out your Social Security number, consider a free fraud alert or security freeze with the credit bureaus, which is your right under the Fair Credit Reporting Act.
Where do I report a phishing email?
Report it to the FTC at its official fraud reporting site, and use your email provider's built-in 'Report phishing' option. If you lost money, also file with the FBI's Internet Crime Complaint Center (IC3). If a bank, lender, or debt collector was involved, file with the CFPB, and consider notifying your state Attorney General's consumer protection office.
Can a debt collector legally demand payment by email and threaten arrest?
No. Under the federal Fair Debt Collection Practices Act, real collectors cannot make false threats such as claiming you will be arrested, and they generally must provide written validation of a debt when you request it. Demands for gift cards, wire transfers, or instant payment to avoid arrest are hallmarks of a phantom debt scam. You can always ask for written validation and verify the collector before paying. State debt collection rules and licensing add further protections that vary by state.
This article is general legal information, not legal advice, and may not reflect the most current law or the law in your jurisdiction. Laws vary by state and change over time. For advice about your specific situation, consult a licensed attorney.