AI voice-cloning scams: how to protect your family with a safe word
A plain-English guide to AI voice-cloning scams, how family emergency calls get faked, and the one shared safe-word rule that stops many panic-driven losses.
Read articlePersonal Security
Phishing explained: how to recognize a scam email or text in 30 seconds
A plain-English guide to spotting phishing emails and texts fast, what the common red flags actually look like, and what to do next without making the mistake worse.
Individuals
If you want the 30-second version, use this rule: if the message was unexpected, wants urgency, and pushes you to click, log in, pay, or share information, treat it as phishing until you prove otherwise through a contact path you already trust.
That is not paranoia. It is how phishing works in practice. The FTC says email was the top contact method scammers used in 2024, and the FBI warns that phishing messages often pretend to be legitimate businesses so you will update information or visit a fake site that looks real.
Sources: FTC phishing alert, FBI spoofing and phishing guidance
The 30-second phishing test
When I teach normal people how to spot phishing, I do not start with email headers or domain forensics. I start with three questions:
- Was I expecting this?
- Is it trying to rush me?
- Is it trying to make me click, open, log in, pay, or hand over information?
If the answer is yes to two or three of those, slow the interaction down immediately.
That catches most of the real-world lures people see:
- fake package-delivery notices
- fake bank fraud alerts
- fake invoices
- fake account-lock or password-reset warnings
- fake tax or refund messages
- fake party invites and shared-document notices
The FTC's consumer guidance on spam texts says scammers often claim there is suspicious account activity, a payment problem, or an unauthorized purchase so they can push you toward a link or a callback.
Source: FTC spam text guidance
What phishing usually looks like now
People still imagine phishing as a badly written email from a prince. That is outdated.
Modern phishing often looks ordinary. The FBI says the message may appear to come from a legitimate business and may use a web address that looks similar to one you have used before. The language may be clean. The logo may be correct. The timing may make sense.
What usually gives it away is not the design. It is the behavior the message wants from you.
Common examples:
- "We noticed suspicious activity. Verify now."
- "Your package cannot be delivered. Update details here."
- "You were charged for this purchase. Click to cancel."
- "Your account will be disabled unless you sign in."
- "Open this attachment to view the invoice."
If the message is trying to keep you inside the message thread to solve the problem, that is a warning sign.
The red flags that matter more than spelling mistakes
The most useful red flags are behavioral:
- the message was unexpected
- it creates urgency or fear
- it asks you to use the link or phone number inside the message
- it asks for a password, one-time code, bank detail, or Social Security number
- it wants secrecy, fast payment, or immediate account action
The FTC's plain-English advice is the right one here: do not click links or download attachments in unexpected messages, and if the message might be legitimate, contact the company using a phone number, email, or website you already know is real.
Source: FTC phishing alert
Scam texts deserve the same skepticism
Many people are more cautious with email than with text messages. That is backwards.
Texts work because they feel personal and immediate. The FTC warns that scam texts often claim account trouble, fake invoices, or delivery issues, and may lead to spoofed websites that steal usernames and passwords. If you get a text asking for personal or financial information, the FTC says not to click the link and not to trust the contact details inside the text.
Source: FTC spam text guidance
The same rule applies: if it matters, open the real app yourself or type the real website yourself.
What to do instead of clicking
If the message might be real, do this:
- Close the message.
- Open the company app or type the known website yourself.
- Check for alerts there.
- If needed, call the company using a number from your card, statement, or saved contact.
That one habit breaks a lot of phishing chains.
It also fits with the broader approach in our complete family cybersecurity guide: remove unnecessary decisions under pressure instead of expecting perfect judgment every time.
What if you already clicked?
Do not spiral. Move in order.
If you only opened the message and did not click anything, report it and delete it.
If you clicked a link but did not enter anything, close the page, then go directly to the real service and check whether the account shows suspicious activity.
If you entered a password:
- change that password immediately on the real site
- change it anywhere else it was reused
- turn on MFA if it is not already on
- check recovery methods, forwarding rules, and recent sign-ins for your email account first
If you want the breach-cleanup version of this playbook, the next stop is checking whether your email or password was leaked in a data breach.
Why MFA still belongs in a phishing article
MFA is not a reason to click carelessly, but it does reduce damage from a stolen password. The FTC says two-factor authentication makes it harder for scammers to get into your account even if they get your username and password.
That is why the practical sequence is:
- avoid the phishing page
- use a password manager
- turn on MFA on important accounts
If you want the full explainer, pair this with a plain-English MFA guide that explains why a second factor stops most ordinary account takeovers.
Source: FTC two-factor authentication guidance
Reporting a scam message
Reporting matters because it helps providers and agencies spot campaigns faster.
The FTC says you can:
- forward phishing emails to
reportphishing@apwg.org - report the attempt at
ReportFraud.ftc.gov - forward spam texts to
7726(SPAM)
Sources: FTC phishing alert, FTC spam text guidance
If your household keeps running into these questions, the individuals page is the cleanest place to see how we approach family account security in a more structured way.
Final answer
Phishing is not mainly a grammar test. It is a pressure test.
The fastest way to recognize a scam email or text is to look for the pattern: unexpected message, urgent emotion, and a push to click, log in, pay, or share information through the message itself. When you see that pattern, stop using the message as your guide. Go to the real app, real site, or real phone number you already trust.
That one habit will prevent more damage than trying to outsmart every scammer line by line.
FAQ
What is the fastest way to spot a phishing email or text?
Ask three questions: was it expected, is it urgent, and does it want you to click or hand over information? If yes, assume scam until verified independently.
What are the biggest phishing red flags?
Urgency, fake account problems, suspicious links, requests for passwords or one-time codes, fake invoices, and any message pushing you to solve the issue through the message itself.
Should I reply to a suspicious text to ask if it is real?
No. Use the company app, website, or phone number you already know is legitimate.
What should I do if I clicked a phishing link?
Stop using the page, go to the real site directly, change exposed passwords, turn on MFA, and review the account tied to the message, especially email if that account resets other logins.
How do I report a scam text?
Forward it to 7726 (SPAM), report it in your messaging app if that option exists, and file it at ReportFraud.ftc.gov.
Sources and references
Last updated
June 15, 2026. We refresh this content as the threat landscape and tools evolve.
FAQ
Questions readers usually ask next
What is the fastest way to spot a phishing email or text?
Slow down and check three things first: was it unexpected, is it pushing urgency, and is it trying to get you to click a link, open an attachment, log in, or hand over personal information.
What are the biggest phishing red flags?
Unexpected contact, pressure to act fast, links to lookalike websites, requests for passwords or one-time codes, fake invoices, fake delivery notices, and messages that tell you to solve the problem through the message itself.
Should I reply to a suspicious text to ask if it is real?
No. If it might be real, contact the company or person through a phone number, app, or website you already know is legitimate.
What should I do if I clicked a phishing link?
Stop interacting with the page, change the password for the account involved, turn on MFA if it is missing, and check the account directly through the real site or app.
Are scam texts handled differently from scam emails?
The core rule is the same, but texts should also be reported through your phone or wireless provider. The FTC says you can forward spam texts to 7726 (SPAM).
Related reading
Keep going
Do you really need a VPN? An honest 2026 answer
A plain-English guide to whether most people actually need a VPN in 2026, what a VPN really does, when it helps, and what it does not protect you from.
Read articleGovernment impersonation scams: when the IRS, SSA, or Medicare calls
A plain-English guide to government impersonation scams, including IRS, Social Security, Medicare, and FTC fake-contact schemes, with the red flags families should treat as immediate warnings.
Read article