The world's premier anti internet scam, anti fraud information blog

 

Don’t Get Scammed By These Common Phishing Scams


Updated January 2026: This guide includes real phishing patterns from the ScamWarners fraud database, including 665 documented fake payment email cases.

Phishing attacks are getting smarter. Gone are the days of obvious scam emails with broken English. Today’s phishing messages look identical to real communications from banks, employers, and services you actually use. Here’s how to protect yourself.

What Is Phishing?

Phishing is when criminals impersonate trusted entities to steal your information or money. The term comes from “fishing” – scammers cast wide nets hoping someone takes the bait.

Phishing attacks arrive via:

  • Email – The most common method
  • Text message (SMS) – Called “smishing”
  • Phone calls – Called “vishing”
  • Social media messages
  • Fake websites – Designed to capture login credentials

Most Common Phishing Scams

1. Fake Payment Notifications

Our database includes 665 documented cases of fake payment emails. Common versions:

  • “You’ve received a PayPal payment” – But clicking logs you into a fake site
  • “Your Zelle transfer is pending” – Links to a credential-stealing page
  • “Apple Pay receipt for $499” – Hoping you’ll click “dispute” and enter your info

Protection: Never click links in payment emails. Open a new browser tab and go directly to the service’s website to check your account.

2. Account Security Alerts

“Unusual sign-in detected on your account. Click here to verify your identity.”

These exploit fear. You think someone hacked your account, so you click immediately – and enter your password into a fake login page. Now the attackers actually DO have your credentials.

3. Package Delivery Scams

“Your package could not be delivered. Click to reschedule.”

With everyone ordering online, these are highly effective. Links lead to fake USPS, FedEx, or UPS sites that steal personal information or install malware.

4. CEO/Business Email Compromise

Attackers impersonate company executives to trick employees:

  • “I need you to wire $50,000 to this vendor immediately” (from fake CEO email)
  • “Please send me all employee W-2s” (identity theft)
  • “Buy gift cards for client gifts and send me the codes” (gift card scam)

These target businesses for larger payouts and have cost companies millions.

5. Tech Support Phishing

“Microsoft has detected a virus on your computer. Call this number immediately.”

Pop-ups, emails, or even phone calls claim your computer is infected. They want remote access to your machine or payment for fake “repairs.”

How to Spot Phishing

Check the Sender Address

The display name might say “PayPal” but the actual email address reveals the truth:

Hover Over Links (Don’t Click)

Before clicking any link, hover your mouse over it. The actual URL appears at the bottom of your browser or in a tooltip. Does it match the supposed sender?

  • The link text might say “amazon.com” but actually goes to “amaz0n-verify.com”
  • Secure sites start with “https://” – but scam sites can have this too, so it does not prove a site is genuine
  • Look for misspellings: “arnazon”, “paypa1”, “app1e”

Recognize Urgency Tactics

Phishing messages create panic:

  • “Your account will be closed in 24 hours”
  • “Suspicious activity detected – act now”
  • “Final notice before legal action”

Real companies don’t threaten customers this aggressively. When you feel rushed, slow down.

Look for Generic Greetings

Phishing emails often use:

  • “Dear Customer”
  • “Dear User”
  • “Dear Account Holder”

Legitimate emails from companies you have accounts with typically use your actual name.

How to Protect Yourself

  1. Never click email links for sensitive accounts – Go directly to websites by typing the address
  2. Enable two-factor authentication (2FA) – Even if criminals get your password, they can’t log in without the second factor
  3. Use a password manager – It won’t auto-fill credentials on fake sites
  4. Keep software updated – Security patches protect against known exploits
  5. Verify requests through other channels – If your “boss” emails asking for money, call them directly
  6. Report phishing – Forward suspicious emails to the real company and to [email protected]

What to Do If You Clicked

  1. Don’t panic – Quick action can limit damage
  2. Change your password immediately – For the affected account and any accounts using the same password
  3. Enable 2FA – If you haven’t already
  4. Check for unauthorized activity – Review account transactions and settings
  5. Run an antivirus scan – If you downloaded anything
  6. Monitor your credit – If you entered personal information
  7. Report the attack – To the impersonated company and to the FTC

Frequently Asked Questions

Can phishing emails contain viruses?

Yes. Attachments can contain malware, and some links download malicious software. Never open unexpected attachments, even from known contacts (their account might be compromised).

How did scammers get my email address?

Data breaches, purchased lists, social media scraping, or random generation. If your email is public anywhere online, assume scammers have it.

Why does phishing still work?

Volume and sophistication. Scammers send millions of messages – even a 0.1% success rate is profitable. Modern phishing uses AI to create convincing messages and clones real websites pixel-for-pixel.

The Bottom Line

The best defense against phishing is healthy skepticism. Never click links in unexpected emails. When in doubt, go directly to the website by typing the address yourself. A few extra seconds of caution can save you from identity theft, financial loss, and hours of recovery work.

Received a phishing attempt? Report the scammer’s details on ScamWarners to help warn others.