Everything You Need to Know About Phishing Scams
Phishing has been around just about as long as email and the internet have, which just goes to prove the old adage true: if you build it, they will scam. While both the platforms and the scammers have gotten more advanced (and more nuanced) over the decades, the basics remain the same and they’re still rotten to the core.
Basically, phishers aim to lure you in by posing as someone else, and they use that ruse to get their hands on private – and potentially valuable – information such as your passwords and bank account credentials. Typically, the goal here is to get to your money, but the age-old scam takes many forms – so let’s take a look at some of the most prominent phish in the sea, and learn how to avoid getting reeled in.
So What Is Phishing?
When it comes to phishing, it’s (almost) all in the name. Like IRL fishermen, phishers cast a line out into the sea, but in this case, the sea is your phone or inbox and the bait is a message from a person or organization that you trust or that you may be likely to communicate with. Con artists might pose as a trusted business or organization – often complete with official-looking branding – or an individual, like a person in need or a match on a dating site, and show up in your inbox, texts, or DMs.
More on that variety later, but in any case, the bait will typically do one of two things: prompt you to provide your private information – sometimes immediately, or sometimes through the process of a longer con – or lead you to malware that can infect your device and directly mine that info.
Oh, and what’s the deal with the “ph” part? Back when phishing scams first popped up in the early days of the net (you know, when people called it “the net”), “phreaks” was slang for old-school hackers. And, trust us, this fun fact is just about as fun as phishing gets.
Why You Should Care
Phishing might come from the ‘90s, but like Pokémon, mom jeans, and EDM, it’s still very relevant today. Phishing is still the most popular cybercrime out there, with about 3.4 billion spam messages sent per day via email alone (that’s up to 48% of all emails). Individuals and companies alike are targeted by phishing attacks, with about 16% of all company data breaches – which happened across 1,339 brands in 2023 – directly resulting from phishing. And in 2023, phishing was actually on the rise.
Those extreme numbers come at an extreme cost, too. According to the FBI’s Internet Crime Complaint Center, the 800,944 reports of phishing they received in 2022 amount to more than $10.3 billion in financial losses. For individuals, the average cost of an attack is $173, though that number can easily see the addition of a few zeros depending on the severity of the scam.
Phishy Flavors
Phishers rely on generating trust, so they’ll often use the cover of popular brand names and companies. In 2024, some of the most impersonated brands include Microsoft, Adobe, DHL, Google, Amazon, and DocuSign. And just as the sneaky brand-name disguises vary, so do the platforms scam artists use to make their phishing attacks.
For instance, phishing via text is called smishing (a reference to the SMS texting platform) while phishing by voice calls or voicemail – the latter of which has gotten even more dangerous with the rise of convincing generative AI imposters – is vishing. There’s not a specific name for email phishing, probably because “emishing” just isn’t as catchy.
Types of Phishing
Beyond the communication platforms, phishing scams generally fall into a handful of common categories:
- Angler phishing uses social media to dupe victims into doling out their info.
- Spear phishing goes after a specific individual by using personal information, such as their name or employer, to appeal directly to them and foster a deeper sense of trust.
- Whaling attacks target large groups or high-profile targets with potentially huge payouts, like CEOs or corporations.
The State of the Game: Phishing Examples
Unfortunately, phishing phreaks are very creative, so phishing scams can span an extremely wide spectrum. While these are some of the most common and contemporary phishing examples, remember that they can be mixed and matched, that they can happen across all kinds of different platforms – from DMs to emails to texts – and that bad actors are cooking up new varieties every day.
Account Notices
These often come in the guise of social media platforms like LinkedIn or TikTok, or take the phony form of tech companies that provide services, like Google or Apple. An official-looking message claims that you need to take some sort of account action, like resetting your password, confirming your credentials, checking on “suspicious activity,” or “upgrading” your service, sometimes even warning you of pending account deletion. A link will prompt you to input those credentials – and that’s how they get you. Think of this as the platonic ideal of a phishing example: a legit-looking impersonator reaches out to you unprompted, asks you for private or financial information, and then commits identity theft to steal your money.
Fake Receipts
This one’s really taken off in recent years. Here, you’ll get a message with what appears to be an invoice for a purchase from a reputable company, with Amazon and McAfee being common phishing examples. When you reply to dispute the purchase that you definitely didn’t make, the poseur on the other side will need to “confirm” some of your personal details. You can guess what happens from there.
Gift Card Phishing
In this popular form of fraud, cybercriminals will either offer you some form of incentive or they’ll pose as a person in need and claim that they can only be paid via gift cards. Whatever the pretext, they want gift cards simply because they’re difficult to trace, so by the time you get them the money, they’re long gone and nigh impossible to track down.
Coworker Scams
Whether they insert themselves into email threads or you get what appears to be a notice from Google Docs or a message from a coworker you don’t recognize, phishers love to use phony workplace credentials to bait you into revealing those tasty login credentials.
IRS Shams
While phishing examples come in countless wrappers, IRS scams are so prevalent that they deserve their own category. Whether by text, email, or phone call, phishers posing as the IRS will try tactics like threatening you about owed taxes, promising a big payment, or directing you to a website to enter crucial info. Remember: the IRS only emails, calls, or texts you with your permission first, and they typically start with physical mail.
The Personal Long Con
A more subtle and involved form of phishing attack involves cyber criminals making a personal or emotional appeal, usually in a long-form format like ongoing texts, social DMs, or dating app messages. Often under the guise of a dramatic emergency, sexual encounter, or romance, the scammer will establish a personal rapport before asking for personal info that they can use to commit identity theft.
How to Prevent Getting Scammed
Google blocks about 100 million phishing emails every day, but it’s hard to fathom how many scammy messages still wriggle their way through. And if you think scams are the exclusive domain of the elderly, think again. More Millennials and Gen-Z find themselves on the receiving end of phishing attacks than baby boomers, with the most common age range for phishees hovering around 30 through 39.
Still, you can stay on the safe side by spotting some of these tell-tale signs, and making smart moves before you become phish food:
- Keep an eye out for poor grammar, typos, and generic greetings.
- Likewise, look for low-quality assets like blurry, low-resolution logos or poor formatting of “official” company logos and the like. They’re often signs of impersonation.
- Always check email addresses. Misspelled domain names (like “@googel.com” rather than “@google.com”) or senders that claim to be from a company but don’t have a company email address are red flags. Likewise, email addresses that are just a gaggle of alphanumeric nonsense are often sus. The same rules apply to URLs, too – shortened links or links that don’t lead to official company websites should set off alarm bells.
- Take note of generic greetings from organizations that would definitely have your name on file.
- When it comes to social media phishing examples, be wary of accounts that are brand-new and have few or no followers, especially if they have sexy profile pics or message you with anything that seems too good to be true (as the saying goes, it probably is).
- Never, never click suspicious links. While many phishing links will take you to some sort of bogus form to input personal credentials that’ll go right to criminals, other links might download malware directly to your device. Steer clear of phishy-looking attachments, too.
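The sender and link checks from the list above can be automated. The sketch below is an added example, not code from this article or from PeopleWin. The allow-list of official domains, the shortener list, the thresholds, and all function names are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Assumed allow-list: official domains of brands the article names as often impersonated.
OFFICIAL = {"microsoft.com", "adobe.com", "dhl.com", "google.com", "amazon.com", "docusign.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumed sample, not exhaustive

def osa_distance(a, b):
    """Edit distance that counts an adjacent swap ("el" for "le") as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def base_domain(host):
    # Simplification: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_host(host):
    """Flags for a sender or link host; an empty list means no red flag was found."""
    dom = base_domain(host)
    if dom in OFFICIAL:
        return []
    flags = ["shortened-link"] if dom in SHORTENERS else []
    # Distance 1 catches one typo, one swap, or one look-alike character ("0" for "o").
    flags += [f"lookalike:{o}" for o in sorted(OFFICIAL) if osa_distance(dom, o) == 1]
    return flags

def check_sender(display_name, address):
    """Sender checks: look-alike domain, brand claim mismatch, random-looking mailbox."""
    local, _, host = address.rpartition("@")
    flags = check_host(host)
    for o in sorted(OFFICIAL):
        brand = o.split(".")[0]
        if brand in display_name.lower() and base_domain(host) != o:
            flags.append(f"claims-{brand}-but-not-{o}")
    digits = sum(c.isdigit() for c in local)
    if len(local) >= 8 and digits / len(local) >= 0.3:  # assumed threshold
        flags.append("random-looking-mailbox")
    return flags

def check_url(url):
    return check_host(urlparse(url).hostname or "")
```

A flag is a reason to look closer, not proof of fraud, and an empty result only means none of these particular checks fired.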
PeopleWin
So let’s say your scammer senses are tingling on an email, text, or DM that has a somewhat phishy vibe. Good news, you don’t have to rely solely on your instincts and what you’ve learned here – PeopleWin’s got your back.
With PeopleWin’s People Search, you can look up any email address, phone number, or even name, and our search algorithm will instantly comb through more than 12 billion public records ranging from government files to social media sites, providing you with social profiles, criminal records (additional fees may apply), additional phone numbers, and addresses, and even more public identifying info associated with the person you’re searching. We’ll help you find out if the person behind that message really is who they say they are. And if they’re not, congratulations – you may have just dodged a potential phishing attack.
Phish Happens
With the sheer amount of phishing activity flooding the zone, even the most savvy among us take the bait sometimes. But not all hope is lost.
If you’ve been phished, make a record of your correspondence, back up your data, and block the scammer’s number, email address, or social profile ASAP. If transactions have already been made, contact your bank immediately. In most cases, your institution will be willing to reverse the charges and block further transactions from the sketchy account upon being informed, especially if you’re in good standing. If the cyberattack went down in a company setting, make sure that you follow your company guidelines, inform fellow staff members and, if applicable, notify customers.
Finally, be a good online samaritan and report the phishing attack to the Federal Trade Commission via their fraud reporting website or by emailing the FTC’s Anti-Phishing Working Group at reportphishing@apwg.com. The more phishing examples the FTC has to work with, the more they can do to help keep others informed and prevent phishing in the future (or…the phuture?).
Because every scammer that gets shut down makes our world just a little bit nicer.
As a freelance writer, small business owner, and consultant with more than a decade of experience, Dan has been fortunate enough to collaborate with leading brands including Microsoft, Fortune, Verizon, Discover, Office Depot, The Motley Fool, and more. He currently resides in Dallas, TX.