Spot the scam before it costs you
Plain-English guides from the security team behind Civetta — share them with your parents and your whole family.
Phishing and scam texts are now the #1 way real accounts get taken over — far more than “viruses.” The good news: the same handful of tricks show up again and again. Learn them once and you’ll spot most attacks on sight.
Basics
What phishing actually is
Phishing is a con, not a hack. The attacker doesn’t break your phone’s security — they borrow someone’s trust (your bank, Apple, your boss) and ask you to hand over the keys: a password, a 2FA code, a payment, a tap on a link.
It works because it targets people, not software. A perfect lock means nothing if you open the door for the person knocking. That’s why it’s the #1 way real-world accounts get taken over — far more than “viruses.”
The weakest link is the human element, and malicious actors know it and use it to their advantage.
Anatomy of an attack
The most common phishing attack runs the same four beats:
- Lure — a reason to act now: “package held,” “suspicious login,” “invoice overdue.”
- Hook — a link or number that looks legit but isn’t (apple-id-verify.com, notapple.com).
- Harvest — a page that mirrors the real one and quietly captures what you type.
- Exploit — your credentials or codes get used within minutes, often automated.
The whole thing is engineered to skip your judgment — urgency and familiarity do the work. The single best defense is a pause: real companies don’t lose anything if you wait two minutes to check. Scammers lose everything.
Playbook
The flavors: email, smishing, vishing, quishing
Same con, different doorway:
- Email (classic phishing) — fake invoices, “reset your password,” shared-document lures.
- Smishing (SMS) — texts: “USPS couldn’t deliver,” “your bank card is locked.” Booming because links are short and phones make them easy to tap.
- Vishing (voice) — a call from “fraud prevention” walking you into installing software or starting a remote session on your computer. No legitimate company will ever ask you to do that.
- Quishing (QR codes) — a sticker over a real QR code (parking meters, menus, flyers) that routes you to a harvesting page.
If a message pushes you toward a link, a call, or a code under time pressure — slow down. These attackers play on urgency.
Who they pretend to be
The most-impersonated brands are the ones you’d never question:
- Apple / Microsoft / Google — “your account was locked,” “verify your Apple ID.”
- Banks & card issuers — “we blocked a charge, confirm it’s you.”
- Delivery (USPS / UPS / FedEx / Amazon) — “we couldn’t deliver, pay a small fee.”
- The IRS / government — “you owe back taxes,” “claim your refund.” (The IRS never texts.)
- Your own boss (BEC) — “are you at your desk? need a quick favor — gift cards / wire.”
Rule of thumb: the more a message sounds like an authority, the more it’s worth a 30-second check on a number or site you look up — not the one the message gives you. Use the number on the back of your credit or debit card if applicable.
Ten red flags
Spot most phishing with this checklist. Two or more? Treat it as hostile.
- Urgency or a threat (“within 24 hours,” “account will be closed”).
- A link whose address doesn’t match the real brand (read it carefully — paypa1, notpaypal).
- A request for a password, full card number, or 2FA code.
- “Verify your details” out of nowhere.
- Generic greeting (“Dear Customer”) from a company that knows your name.
- Slightly-off grammar, spacing, or logos.
- A reply-to or sender domain that isn’t the real company.
- An attachment you didn’t expect (especially .zip, .html, or a “secure document”).
- A phone number in the message asking you to call.
- It’s “too good” — a refund, prize, or payout you didn’t earn.
When unsure: don’t click. Go to the app or site directly.
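One way to automate the “does the address match the real brand” check from the list above, written as an added example rather than Civetta’s own code: it pulls the host out of a link as it appears in a text, undoes the common digit-for-letter swaps (paypa1 reads as paypal), and reports whether the part of the address that was actually registered is the brand’s own domain. The brand table and the look-alike character map are assumptions constructed for this example.

```python
from urllib.parse import urlparse

# Constructed table of the real domains behind brands named on this page (assumption for the example).
REAL_DOMAINS = {
    "apple": "apple.com",
    "paypal": "paypal.com",
    "usps": "usps.com",
}

# Digits and symbols scammers swap in because they look like letters on a phone screen.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})


def hostname_of(link: str) -> str:
    """Pull the host out of a link as it appears in a message ('paypa1.com/verify' has no scheme)."""
    if "://" not in link:
        link = "http://" + link
    return (urlparse(link).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host: the part the sender actually registered.
    Simplified on purpose: two-part suffixes such as co.uk are not handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(link: str) -> str:
    """Classify a link as 'real', 'lookalike' or 'unknown' relative to REAL_DOMAINS."""
    host = hostname_of(link)
    if not host:
        return "unknown"
    if registrable_domain(host) in REAL_DOMAINS.values():
        return "real"          # the registered part is the brand's own domain
    # Normalize the whole host so a swapped digit no longer hides the brand name;
    # a brand name anywhere in the host (subdomain included) on someone else's domain is a look-alike.
    normalized = host.translate(HOMOGLYPHS)
    if any(brand in normalized for brand in REAL_DOMAINS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ["https://www.apple.com/account", "apple-id-verify.com", "http://paypa1.com/login",
                 "https://paypal.com.secure-check.net", "https://example.org"]:
        print(f"{check_link(link):9}  {link}")
```

The checker errs toward suspicion: any address that carries a brand name without being that brand’s registered domain is reported as a look-alike, which is the right default when the next step is simply to open the real app instead.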
Seen in the wild
The “package held” text wave
A long-running smishing campaign is hitting phones nationwide: a text claiming USPS, UPS, or FedEx “couldn’t deliver your package,” with a link to “pay a $1.99 redelivery fee” or “update your address.”
The link goes to a look-alike domain (often a fresh, throwaway registration) that harvests your name, address, and card. The $1.99 is the bait — the real prize is your card details.
Tells: carriers don’t text you payment links for redelivery; the domain isn’t the real carrier’s; the fee is tiny and oddly specific. If you’re expecting a package, open the carrier’s own app or type their address yourself. Civetta blocks the look-alike domains in this campaign at the DNS layer — the text still arrives, but the link goes nowhere.
MFA fatigue & the fake “login alert”
As more accounts use two-factor, attackers have pivoted to stealing the second factor. Two patterns are common right now:
- MFA fatigue — after stealing your password, they spam your phone with approval prompts until you tap “Allow” just to make it stop. Don’t. A prompt you didn’t trigger means someone has your password. Deny it and change that password.
- Fake “new login” alert — an email or text that says “we detected a login from [city],” with a “secure your account” button leading to a harvesting page.
The fix is the same as always: never approve a prompt you didn’t start, and reach your account through the real app — never the link in the alert.