You’ll find phishing scams just about everywhere online. They crop up in all kinds of everyday places, ranging from emails, texts, social media, phone calls, to QR codes. What’s more, they take dozens of different forms. The scammers behind them impersonate banks, utility companies, government agencies, big brands, parking lot operators, restaurants, and so on. Whatever ruse they use, the scammer’s aim remains the same — they want to steal your personal info, money, or both.

Types of Phishing Scams

From email phishing to smishing and spear phishing, it’s important to understand the different tactics scammers use—so you can recognize the danger before it’s too late. Depending on the type of phishing scam, the fraudsters might:

Create a sense of urgency

They pressure you to “act now.” Examples include account phishing scams, where scammers impersonate banks or credit card companies. They tell victims that they’ve spotted unusual account activity, then they urge victims to get in touch right away to prevent identity theft. Whether by phone or on a website, scammers steal enough info from their victims to hijack their accounts.

Urge you to take advantage of scarcity

Here, scammers build the phishing scam around hard-to-get gifts such as in holiday shopping opportunities. They’ll cook up phony ads and post them on social media, all which lead to phishing sites that sell items they’ll never deliver — and steal personal info to boot.

Blend in with the surroundings

This type usually takes the form of QR codes. You’ll find them in paid parking lots, tabletops in outdoor cafes, and on posters for in-store coupons, to name a few places. In these scams, fraudsters swap out the legitimate QR code for theirs, and with a scan of your phone’s camera, the QR codes will readily load up and send victims to a phishing website.

Promote a “big offer”

This type of phishing usually covers offers on smartphones, trips, gaming consoles, handbags, clothing, and more. The idea here is to tempt people with a deal that’s seemingly too good to pass up, maybe in an email or ad. The scammers then send victims to a phony site that asks them to provide personal info for “verification” and maybe to provide payment for a “handling fee.” Just like in the shopping scam above, the scammers never deliver, and victims have their identity compromised.

Make flat-out threats

This is a classic scammer move. Whether scammers pose as the Internal Revenue Service (IRS), a debt collector, or a utility company, they’ll level threats — like the promise of jail time or turning off power for non-payment to — get the personal info and money they want.

More signs of a phishing scam

Beyond obvious red flags like urgent requests or suspicious links, scammers often use more subtle tactics to trick you into handing over sensitive information. Being aware of these lesser-known warning signs can give you an extra layer of protection and help you stay one step ahead of cybercriminals.

Someone wants you to pay for something a certain way

Gift cards, cryptocurrency, money orders, and wire transfers — these forms of payment are another sign that you might be looking at a phishing attack. Scammers prefer these methods of payment because they’re difficult to trace and offer people little to no way of recovering lost funds once they’re sent. Legitimate businesses and organizations won’t ask you to pay in any of those ways. If you get a message asking for payment in one of those forms, you can bet it’s a scam.

The URL doesn’t match

Email scams always center around links that you’re supposed to click or tap. Here are a few ways to check whether a link someone sent you is legitimate:

  • On computers and laptops, you can hover your cursor over links without clicking on them to see the web address. On mobile devices, you can carefully check the address by holding down on the link instead of tapping it.
  • Take a close look at the addresses the message is using. Often, phishing URLs contain intentional misspellings designed to trick victims. For example, a scammer impersonating the major retailer Target might use a mashed up URL like “Targetscoupon” and have one of the more obscure domain names after it, like .ga, .tk, .ml, .shop, or .buzz.
  • Scammers also use the common tactic of a link shortener, which creates links that almost look like strings of indecipherable text. These shortened links mask the true address, which might indeed be a link to a scam site.

The phisher makes a demand through a direct message on social media

Some phishing attacks occur in social media messengers. When you get direct messages, consider the source, like with the tax scam we mentioned above. Would the IRS really contact you on social media? The answer is no. For example, in the U.S., the IRS makes it clear that they will never contact taxpayers via social media, let alone send angry, threatening messages. The same goes for utility companies, banks, and other legitimate businesses.

Avoiding phishing scams

Recognizing the signs of phishing and knowing how to respond can help you protect your identity, finances, and digital security.

Go with whom you know

On social media and messaging platforms, stick to following, friending, and messaging people whom you really know. As for those people who contact you out of the blue, be suspicious. Sad to say, they’re often scammers canvassing these platforms for victims. Better yet, set your profile to private, to make it more difficult for scammers to target you. Our Social Privacy Manager can do that work for you.

Deal directly with the company or organization in question

Some phishing scams can look and sound rather convincing that you’ll want to follow up on them, like if your bank reports irregular activity on your account or a bill appears to be past due. In these cases, don’t click on the link in the message. Go straight to the website of the business or organization involved and access your account from there. Likewise, if you have questions, you can always reach out to their customer service number or web page.

Remove your personal info from sketchy data broker sites

Scams over email, phone, and text all require something — your contact info. In many cases, scammers get it from data broker sites. Data brokers buy, collect, and sell detailed personal info, which they compile from several public and private sources, such as local, state, and federal records, plus third parties like supermarket shoppers’ cards and mobile apps that share and sell user data. Moreover, they’ll sell it to anyone who pays for it, including people who’ll use that info for scams. You can help reduce those scam texts and calls by removing your info from those sites. Our Personal Data Cleanup scans some of the riskiest data broker sites and shows you which ones are selling your personal info.

Watch out for tampered QR codes

In physical spaces, like parking lots, scammers have been known to stick their own QR codes over legitimate ones. If you see any sign of altering or a placement that looks slapdash, don’t give that code a scan.

Get a scam detector

You can combine your healthy skepticism and awareness with the right technology, like our Web Protection and Scam Detector. Both will alert you if a link you received might take you to a sketchy site. It’ll also block those sites if you accidentally tap or click on a bad link.