Phishing Texts, Emails, and Fake Websites
The Everyday Scam That Tricks You Into Giving Away Passwords and Account Access
What is it?
Phishing is the practice of sending fraudulent emails and text messages, or creating fake websites, that impersonate trusted companies to trick people into revealing passwords, credit card numbers, Social Security numbers, and other sensitive information. The term comes from 'fishing' -- scammers cast a wide net of fake messages hoping enough people will 'bite.' It is the single most common method of stealing personal information online, and AI has made phishing emails nearly indistinguishable from real corporate communications.
Real-world relevance
A longtime Amazon customer received an email about a canceled order. The link took him to a site that looked exactly like Amazon -- same logos, same layout, his email pre-filled at the top. He entered his password and credit card information. Days later, his bank called about fraudulent purchases. The scammer had also logged into his real Amazon account and changed delivery addresses. It took weeks, multiple phone calls, and a police report to sort out the mess. All because he clicked one link instead of going to amazon.com directly.
Key points
- Phishing Is the #1 Way Passwords Are Stolen — Phishing accounts for 90% of all data breaches according to Verizon's 2024 Data Breach Report. Americans lose over $3.1 billion annually to phishing scams (FBI data). Unlike elaborate scams that require weeks of relationship-building, phishing works through a brutally simple mechanism: look like a trusted company, create urgency, and direct people to enter credentials on a fake site. Most victims don't realize they've been compromised for several weeks.
- The Package Delivery Scam — Your parent receives a text: 'USPS: Your package could not be delivered. Please reschedule delivery: [link].' The link leads to a fake USPS, FedEx, or UPS website that looks nearly identical to the real thing. It asks them to enter their home address to 'reschedule delivery' or to 'verify their account' with email and password. These are sent in massive batches to millions of phone numbers -- statistically, many recipients actually do have a package coming, making the scam more effective.
- The Bank Account Alert Scam — Your parent receives an email that looks like it's from their bank: 'Alert: Unusual activity detected on your checking account. Your account may be compromised. Please verify your identity immediately.' These create urgency and fear. The fake site looks like their bank's login page. They enter their username, password, and possibly security questions. By the time they realize something is wrong, the scammer has their banking credentials and may have already transferred money or applied for credit in their name.
- AI Has Made Phishing Emails Perfect — For years, poor grammar and spelling were reliable ways to spot phishing. That no longer works. Scammers now use AI language models to generate emails that are grammatically perfect, match the company's exact tone and style, use appropriate technical terminology, reference real products and services, and include correct corporate department names. Your parent cannot rely on 'looks professional' or 'no spelling errors' as signals that an email is legitimate.
- The 4 Stages of Every Phishing Attack — Stage 1 -- The Bait: A convincing email or text arrives mimicking a trusted company, creating a reason to act. Stage 2 -- The Fake Site: The link leads to a nearly identical copy of the real website, often with a similar domain name like amazon-verify.com. Stage 3 -- Credential Theft: The fake site collects passwords, credit card numbers, SSNs, or security questions, then shows an error or redirects to the real site. Stage 4 -- Exploitation: The scammer uses stolen credentials to access accounts, change passwords, make purchases, or commit identity theft.
- Why Older Adults Are Especially Vulnerable — Research from Stanford University and Pew Research Center shows older adults are more likely to fall for phishing. Why? Trust in institutions -- their generation defaulted to trusting banks, government, and large companies. Less familiarity with how websites work -- they may not understand that anyone can create a site that looks exactly like Amazon. They respond to emotional triggers -- urgency about locked accounts or missed packages causes quick decisions. They don't check sender email addresses -- an email from 'support@amaz0n.com' (zero instead of O) slips past them.
- The Lock Icon Doesn't Mean a Site Is Safe — Many people believe the padlock icon in the browser address bar means a website is trustworthy. This is a dangerous misconception. A security certificate (the lock icon) only means the connection between your browser and that site is encrypted -- it says nothing about whether the site is legitimate. Scammers routinely obtain security certificates for their fake sites. A phishing site at 'amazon-verify.com' can have a valid lock icon while stealing every password you type.
- How to Spot Phishing: The 3 Checks — Check 1 -- The sender's email address: Hover over the sender's name to see the real address. Real Amazon emails come from @amazon.com, not @amazon-support-verify.com. Check 2 -- Hover over links before clicking: The actual URL appears in a tooltip or the bottom corner of the browser. If it doesn't match the company's real domain, it's phishing. Check 3 -- Watch for urgency language: 'Act now,' 'Verify immediately,' 'Your account will be suspended.' Real companies address you by name and reference specific account details, not vague 'unusual activity.'
- The 'Go Direct' Rule Is Your Best Defense — The single most important anti-phishing rule: Never click a link in a suspicious email. Instead, open a new browser tab, type the company's URL yourself (amazon.com, chase.com, etc.) or use a saved bookmark, log into your account, and check for any alerts. If the email was real, the issue will appear in your actual account. If it doesn't appear, it was phishing. This rule alone prevents the vast majority of successful phishing attacks.
- What to Do If Your Parent Already Clicked — If your parent clicked a phishing link and entered their password, act immediately. Step 1: Change the password on the compromised account using a strong unique password (12+ characters). Step 2: Change the email password -- email is the master key to all other accounts. Step 3: Check for account changes (changed delivery addresses, added payment methods, altered recovery emails). Step 4: Monitor financial accounts for unauthorized transactions. Step 5: Consider a credit freeze with Equifax, Experian, and TransUnion. Step 6: Report to the FTC at reportfraud.ftc.gov.
Code example
COMPLETE ANTI-PHISHING SETUP CHECKLIST FOR YOUR PARENT
=====================================================
EMAIL PROTECTIONS:
  □ Enable spam/phishing filters
    - Gmail: Settings > Filters > enable spam detection
    - Outlook: Settings > Junk Email > set to 'Standard' or 'Strict'
    - Yahoo: Settings > Security and Privacy > enable protections
  □ Set up email rules to flag suspicious keywords:
    - 'verify your account'
    - 'confirm your identity'
    - 'account suspended'
    - 'unusual activity detected'
BROWSER PROTECTIONS:
  □ Bookmark key websites (bank, Amazon, PayPal, email)
  □ Show them how to hover over links to see real URLs
  □ Show them how to check sender email addresses
ACCOUNT PROTECTIONS:
  □ Enable email/text alerts for account changes
  □ Turn on two-factor authentication where available
  □ Use unique passwords for every important account
FAMILY AGREEMENT:
  □ Parent will NEVER click links in suspicious emails
  □ Parent will ALWAYS go to websites directly
  □ Parent will forward suspicious emails to you before acting
  □ Parent knows: 'Legitimate companies never ask for passwords via email'
Line-by-line walkthrough
- 1. EMAIL PROTECTIONS: Start by turning on spam and phishing filters in your parent's email provider -- Gmail, Outlook, or Yahoo all have these built in. They catch many phishing emails automatically, but not all.
- 2. Set up email rules that flag messages containing suspicious keywords like 'verify your account,' 'confirm your identity,' or 'account suspended.' These get sorted into a review folder instead of sitting in the inbox looking legitimate.
- 3. BROWSER PROTECTIONS: Bookmark their most important websites -- bank, Amazon, PayPal, email. This gives them one-click access to the real site, eliminating any need to click links in emails.
- 4. Show them how to hover over links to see the real URL destination. This takes 2 seconds and catches most phishing attempts instantly.
- 5. Show them how to check sender email addresses. The display name might say 'Amazon' but the actual address could be support@amaz0n-verify.com -- one character off from the real thing.
- 6. ACCOUNT PROTECTIONS: Enable alerts for account changes on banking and important accounts. If someone tries to change a password or add a payment method, your parent will know immediately.
- 7. Turn on two-factor authentication wherever available. Even if a scammer gets the password, they can't log in without the second factor.
- 8. FAMILY AGREEMENT: Establish clear rules -- never click suspicious links, always go to websites directly, and forward any questionable emails to you before taking action. Give them permission to ask you: it takes 30 seconds for you to check and could save thousands.
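The three checks above (real sender address, real link destination, urgency wording) run over one message, as an added example that is not part of the original page. The TRUSTED allowlist and the sample message are assumptions, constructed here from the lookalike domains the page mentions; the domain comparison is naive and the parser only handles plain-text mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains this household really uses; add the parent's bank, etc.
TRUSTED = {"amazon.com", "usps.com", "chase.com"}
# Phrases taken from the checklist and the "3 Checks" above.
URGENCY = ("verify your account", "confirm your identity", "account suspended",
           "unusual activity", "act now", "verify immediately")

def registrable(host):
    """Last two labels of a hostname. Naive: fine for .com, wrong for .co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_message(raw):
    """Return a list of findings for one plain-text email (empty = nothing flagged)."""
    msg = message_from_string(raw)
    findings = []
    # Check 1: the real address, not the display name.
    display, addr = parseaddr(msg.get("From", ""))
    sender = registrable(addr.rpartition("@")[2])
    if sender not in TRUSTED:
        findings.append(f"sender domain not trusted: {sender}")
        for brand in (d.split(".")[0] for d in TRUSTED):
            if brand in display.lower():
                findings.append(f"display name claims {brand}")
    # Check 2: where each link really goes.
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in re.findall(r"https?://[^\s<>\"')\[\]]+", body):
        target = registrable(urlsplit(url).hostname or "")
        if target not in TRUSTED:
            findings.append(f"link domain not trusted: {target}")
    # Check 3: urgency wording in subject or body.
    text = f"{msg.get('Subject', '')} {body}".lower()
    findings += [f"urgency phrase: {p}" for p in URGENCY if p in text]
    return findings

# Constructed sample, built from the lookalike domains the page mentions.
SAMPLE = """\
From: Amazon Customer Service <orders@amazn-support.com>
Subject: Action Required: Your Account Has Been Locked

We detected unusual activity on your account. Verify immediately:
https://amazon-verify.com/signin
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```

The check compares against a short list of real domains instead of trying to recognize every lookalike, which is the same idea as the 'Go Direct' rule.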
Spot the bug
Your mother forwards you this email she received:
From: Amazon Customer Service <orders@amazn-support.com>
Subject: Action Required: Your Account Has Been Locked
Dear Valued Customer,
We detected unusual sign-in activity on your Amazon account. For your protection, we have temporarily locked your account.
Please verify your identity by clicking the secure link below within 24 hours to restore access:
[Verify My Account]
If you do not verify within 24 hours, your account will be permanently suspended.
Thank you,
Amazon Security Team
More resources
- How to Recognize and Avoid Phishing Scams (Federal Trade Commission)
- Report Phishing Emails (FTC Report Fraud)
- Free Credit Freeze Information (USA.gov)
- Phishing Protection for Seniors (AARP)