SPU Scam Prevention University

Phishing Scam

Fraudsters impersonate trusted entities via email, SMS or websites to steal personal data (passwords, credit card numbers).

Severity: High | Prevalence: Very Common | Last Updated: 2026-02-10

How It Works

Phishing (from "fishing" for victims) is a digital scam in which attackers masquerade as legitimate organizations to trick you into revealing sensitive information. It can arrive by email (a message that looks like it's from your bank or a government agency), by SMS/text (smishing), e.g. "Your account is locked, click here to verify", or even by phone call (vishing), where a caller pretends to be tech support or a bank officer. The scam message or call creates a sense of urgency or fear, for example by claiming your account will be frozen or that you have an outstanding fine. Under pressure, victims click malicious links or divulge passwords, credit card numbers or one-time codes. Often the phishing website is nearly identical to a real one, with only a tiny URL difference. In Israel, for instance, scammers commonly spoof the Tax Authority during tax season or delivery services like the post office with "package waiting" texts. Some advanced phishing even prompts you to download a "security app" that's actually malware, giving the attacker full device access. Once they have what they need, scammers can empty bank accounts, make purchases, or steal your identity. Phishing is extremely widespread and continuously evolving, targeting anyone with an email or phone.

Red Flags

  • Unsolicited urgent request: Message or call claims something like "Act now or your account will be closed," urging immediate action. Legitimate organizations rarely demand instant response under threat.
  • Suspicious sender info: Email address that's off by one letter, or SMS/call from an unknown or overseas number. The message might address you generically ("Dear Customer") and contain odd phrasing or spelling errors.
  • Links and attachments: Hyperlinks that don't match the official website (hover to check URL – slight misspellings or extra words are a danger sign). Unexpected attachments labeled as invoices, etc.
  • Requests for sensitive data: Any email/SMS asking for passwords, full credit card numbers or verification codes is a huge red flag. Banks and government agencies never ask for your password or OTP via email/SMS.
  • Caller asks for codes/passwords: In voice phishing, if a caller claiming to be from your bank or tech support asks for your login credentials or a code that was texted to you – it's a scam. They might even reference a code you just got (which they triggered) – a real rep doesn't need your SMS code.

Protect Yourself

  • Think before you click or reply: If you get a suspicious message, don't click the link. Instead, navigate to the official website yourself or call the organization's verified customer service.
  • Never share login codes or passwords: One-time passcodes (OTP), verification SMS codes, passwords – treat them like your toothbrush: never share them. No legitimate company will ask for those via email, SMS or phone.
  • Check URL and sender: Double-check website addresses – ensure the domain is correct (e.g., gov.il for government or the exact bank domain). Expand sender details on emails to see the full address.
  • Use security measures: Keep your devices and antivirus software updated to catch known phishing pages or malware. Enable two-factor authentication on important accounts.
  • Be cautious with personal info: Avoid giving out personal or financial information unless you initiated the contact. Be skeptical of unsolicited requests for such details.
  • Educate and verify: Discuss phishing tactics with family (especially elderly or teens who may be less aware). At work, follow IT security training and verify suspicious emails with the IT department.
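
The "Check URL and sender" advice above, as an added example that is not part of the original page: a small Python checker that compares the host a link really opens against an allowlist of official domains and flags near-misses (one character off, or the official name buried among extra words). Only `gov.il` comes from the page; `example-bank.co.il`, the function names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: you maintain this allowlist yourself. gov.il is the domain the
# page names; example-bank.co.il is a constructed placeholder.
OFFICIAL_DOMAINS = ("gov.il", "example-bank.co.il")

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _flat(name):
    # Treat hyphens as dots so "gov-il" and "gov.il" compare as the same labels.
    return "." + name.replace("-", ".") + "."

def check_link(url):
    """Return 'official', 'lookalike' or 'unknown' for the host a link really opens."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "unknown"
    for official in OFFICIAL_DOMAINS:
        # Official only if the host IS the domain or ends with ".<domain>".
        if host == official or host.endswith("." + official):
            return "official"
    labels = host.split(".")
    for official in OFFICIAL_DOMAINS:
        # Extra words: the official name appears but is not where the host ends,
        # or it sits in the user-info part before an "@".
        if _flat(official) in _flat(host) or _flat(official) in _flat(parts.username or ""):
            return "lookalike"
        # Slight misspelling: same number of trailing labels, one character off.
        tail = ".".join(labels[-(official.count(".") + 1):])
        if edit_distance(tail, official) == 1:
            return "lookalike"
    return "unknown"
```

A result of "unknown" only means the host is not on your allowlist and does not resemble it; it is not a verdict that the link is safe.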

What To Do If You've Been Scammed

  1. Cut off communication: If you realize you've been phished, stop interacting. Do not enter any more data or respond further. Close the website or hang up the phone immediately.
  2. Secure your accounts: Change the passwords of the accounts that might be compromised right away. Start with email and any account for which you entered credentials on a suspicious site. Enable two-factor authentication.
  3. Notify relevant parties: If you gave out credit card or bank details, call your bank and credit card company immediately to block the card or freeze the account. Monitor statements for unauthorized charges.
  4. Scan your device: If you downloaded an attachment or app from the phishing attempt, run a full anti-malware scan on your computer or phone. Remove any applications installed during the scam process.
  5. Report the incident: In Israel, report phishing attacks to the National Cyber Directorate's hotline 119, which operates 24/7. Also consider filing an official complaint at your local police station if personal data or money was stolen.
  6. Educate and recover: Learn from the experience and adjust your practices. Inform colleagues or friends if the attack targeted multiple people. Remaining vigilant going forward is the best protection.

Related Scams