Skip to main content

What is a phishing scam?

minute read

    Have you ever received an email from a company that seems well known and trustworthy, but feel uneasy because you're being asked to provide some very personal info? Trust your gut! You may have just detected a phishing scam.

    According to the Federal Trade Commission, phishing is an online scam where bad actors pose as trusted, reputable entities--internet providers, banks, lenders, etc.--who use email to request sensitive information from unwitting individuals. Scammers steal your identity in order to open credit card accounts, obtain funds and perform other criminal activities, such as selling your information on the dark web. Think of this as an individual "fishing" for information from users who are unaware that they're entering into a scam.

    Phishing scams are so routine and widespread that preventing them has become not just an individual concern, but also an integral part of most modern companies' best practices. You may have been a part of an employee training to be on the lookout for company-wide phishing attacks. Whether you're facing these scams in the workplace or in your personal life, it's essential to understand what they are, how they could cause harm and what you can do about it. You may want to enroll in Chase Credit Journey® to get access to tools like credit monitoring and identity monitoring services to be on the lookout for any fraudulent activity.

    In this article, you will learn about:

    • Types of phishing attacks
    • Targeted audiences
    • How to protect yourself from phishing
    • What to do if you've fallen victim to a phishing scam

    Types of phishing attacks

    Phishing can happen in various ways. Below, we break down some of the most common type of phishing attacks.

    Email phishing

    Have you ever gotten an email from a well-known company containing links and asking you to provide certain personal information? You could be looking at an example of email phishing. This common form of phishing is based on a central deceit: That the company contacting you is legitimate and requires your personal information. In fact, what's really happening is fraudulent activity that mimics the look and feel of a legitimate company. We'll talk more about how to detect this below.

    Spear phishing

    A form of email phishing, spear phishing includes information that targets the user more specifically. For example, the email could be addressed to you, including your first and/or last name. Or perhaps the email includes information about job roles that you could be interested in. Regardless of what it is, don't let the personalized content fool you.


    Combine "SMS" with "phishing" and you get smishing. It's what you think it is—in the same vein as email phishing, smishing involves sending texts from seemingly reputable sources that prompt you to respond and provide specific personal information. For example, you could receive a smishing text from a well known internet service company telling you that you need to update your information.


    Now let's take it to another level—vishing. This occurs exclusively through phone calls. If you're getting calls from phone numbers you don't recognize, it's probably best to let them go to voicemail. If it's from someone you know, they'll likely leave a message. If it's a vishing attempt and you answer, you could be asked to provide sensitive information for various fake reasons that may be hard to detect. That's precisely why it's always a best practice to be careful about who you speak with over the phone and the information you provide. Considering the consequences, it's probably best to ignore phone calls from numbers that you are not familiar with. Your phone may even recognize the number as "spam."

    Angler phishing

    Angler phishing is when a perpetrator attempts to reel you in (like an angler) through social media interaction. If you ever received an unwarranted message or if you've been tagged in a comment by someone you don't know, be warned. This may be an angler phishing attempt.


    If you get a phishing email that has a link or attachment—don't choose it. Oftentimes, phishing attacks can happen when you choose something you think is legitimate, like a file attachment. However, this seemingly innocent activity could open the door to malware or viruses, damaging your computer and leaving sensitive information exposed.

    Targeted audiences

    Phishing can happen to anyone, but some audiences may be more targeted by these attacks than others. For example, whaling, a specifically targeted phishing attack, happens to executive officers like CFOs and CEOs at large companies to get information like tax ID numbers, upcoming plans, employee bank account numbers, forecasting or other bank information.

    According to the U.S. Government Accountability Office, 9% of all information security incidents were attributed to email phishing attacks in the private sector.

    The public sector is even more vulnerable. According to a U.S. government threat report, government employees are more likely to be subject to phishing attacks than their private sector peers. In fact, almost 50% of phishing attacks in 2021 alone sought to steal government credentials from personnel, a 30% jump from 2020.

    Users who are less technologically savvy may be at a higher risk as well. Not being attuned to certain phishing language could put certain people—such as those looking to take out a bank account or apply for their first credit card—at risk.

    Best practices for preventing phishing

    While we can't stop attacks from happening, we can be better equipped to protect ourselves. Below are some steps you can take to help prepare yourself for phishing attacks:

    • Recognize the scam—Look out for clues and don't choose the links/attachments/other prompts. For example, does the email or web page pass the "eye test?" Does it look professional? Are there misspellings or obvious inaccuracies or gaps in information?
    • Protect your software/devices—Implement tools or antivirus software that can help protect your technology.
    • Protect your information—If you use online accounts, ensure your personal information is safeguarded through strong passcodes, etc. You may even want to inquire if state-of-the-art encryption is employed to help protect your information or use a password manager to keep your passwords secured.

    What to do if you've become a victim of a phishing scam

    If you've chosen a link or unwittingly provided information as part of a phishing scam, take a deep breath and then take immediate action. Depending on the specific phishing attack, do the following:

    • Forward phishing texts to SPAM (7726) which works regardless of your phone's carrier
    • Report to

    If you gave out important information like your Social Security number, contact your issuers immediately and report the potential for theft so you can freeze accounts and prevent further consequences.

    Take preventative action with Chase Credit Journey

    Your identity is precious, and you should safeguard it as much as possible. When you enroll in Chase Credit Journey, you can enroll in identity monitoring which includes dark web monitoring services. This service will alert you when your information could be at risk, such as in the event of a data breach at a financial institution. This way you can feel empowered knowing that your personal information is being regularly monitored and that you'll be notified of any potential fraud.

    What to read next