En español | If you bank, shop, watch movies or stream music online, you’re used to emails from the digital companies you do business with touting new products or alerting you to changes in their terms of service. But if a message from, say, Apple, Netflix, Amazon or PayPal warns of a problem with your account, proceed with caution: It’s likely a phishing scam aiming to hook your personal data.
The email might seem genuine at first, with familiar corporate branding at the top. But instead of addressing you by name, it will greet you generically (“Dear Amazon Customer,” for example), or not at all. The message will vary: A payment has failed. There’s a problem with your order. We lost your customer data. We’ve detected suspicious activity and locked your account.
But the ask will be the same: You need to “update” or “verify” your login or billing information, which you can do by clicking a link or following the instructions in an attachment. (In a variation on the scam, the message might include a phony invoice or receipt and ask you to confirm or dispute a purchase.)
You might also get an account-related phishing message by text. Whatever the contact method, don’t take the bait. The link will likely lead to a copycat website, where the scammers hope you’ll enter your username, password, or bank or credit card information.
Armed with that info, they can rack up bills on your dime, access your financial accounts or steal your identity. The attachment might also be booby-trapped with malware the crooks can use to harvest logins and personal and financial data from your device.
Online companies may contact you about a genuine issue with your account — for example, if the credit card you use for payment has expired. But they will not ask in an email or text for your login information, Social Security number or financial data. If you have any reason to believe there’s a real problem, contact the company’s customer service department or check your account status on its genuine website or app.
- The sender’s email address does not include the correct corporate domain (for example, @netflix.com or @paypal.com). If there is any variation after the “@,” such as extra characters or words, it’s probably not from the company.
- The greeting is generic (“Dear customer,” “Dear account holder”) or addresses you by your email rather than your name.
- The email seeks login credentials such as username and password, personal data like your Social Security number, or billing info like bank account or credit card numbers.
- The email includes typos, bad grammar or foreign spellings (for example, “centre” instead of “center”).
- You’re urged to act quickly, at the risk of losing your account.
- Do hover your cursor over links in the body of the email. This will reveal the true destination URL. If the link is unfamiliar, don’t click it.
- Do only use a company’s official website or app to update account information such as passwords or payment methods.
- Do contact the company directly, through an official website or customer service line, if you have concerns about an email or text message you received.
- Do use antivirus software and keep it up to date. Activate firewalls and other settings that block malicious files.
- Don’t open documents or download files from suspicious emails. They could install malware on your device.
- Don’t click on links or open attachments to “update,” “unlock” or “verify” an account. Go to the company’s website or app to check your account status.
- Don’t click on a link or call a phone number in a text “alert” to verify your identity or account status.
- Don’t reveal personal or financial information in response to an unsolicited email. Legitimate companies will not ask you to provide sensitive data in an email.
About the Fraud Watch Network
Whether you have been personally affected by scams or fraud or are interested in learning more, the AARP Fraud Watch Network advocates on your behalf and equips you with the knowledge you need to feel more informed and confidently spot and avoid scams.
- Forward faux-corporate phishing emails to:
- the Federal Trade Commission (FTC) at firstname.lastname@example.org.
- the Anti-Phishing Working Group, a consortium of companies and law enforcement agencies tackling cybercrime, at email@example.com.
- the business the sender claims to represent. Many companies have dedicated email addresses to report phishing, which you can find at their websites (see below).
- If you’ve been victimized by a phishing scam, file a complaint with the FTC online or at 877-382-4357, and visit the agency’s IdentityTheft.gov site for tips on how to limit and repair the damage.
Report Online Account Scams
Major digital companies have information on their websites about recognizing and reporting phishing scams that use their names. Follow these links to report scams to:
For other companies, do an online search for the company name and the words “report phishing.”
Published August 28, 2019
More From the Fraud Resource Center