
July 24, 2025
The Most Successful Cyber-attacks are Phishing: How to Recognize and Avoid These Scams
“Phishing has become a psychological chess match, not a technical skirmish. Winning today means understanding and influencing human behavior, not just upgrading firewalls.” ~ Rachel Langston, CISO, GlobalTech Holdings
By now, most people have encountered phishing emails and text messages at least occasionally, if not fairly regularly: notices that your Amazon account is about to be closed, bills for services you never ordered, or too-good-to-be-true offers. Perhaps you recognize one (or all) of these:
- Unpaid tolls and overdue traffic tickets: Cyberscammers are impersonating tolling agencies across the country, sending text messages demanding you click the link to pay an unpaid toll. The Federal Trade Commission (FTC) warns about this phish and another similar scam: people are also receiving messages from cybercriminals claiming that they are from the Department of Motor Vehicles (DMV) and that your license may be suspended if you don’t pay for an overdue traffic ticket. The FTC offers similar advice in both cases: unexpected texts are likely a phish, but if you are concerned, check using the organization’s phone number or website.
- Tech support scams: You may have received a phone call out of the blue from someone claiming to be a representative of a tech company like Microsoft or Apple. Or you see a pop-up error message appear on your computer screen. If they suggest you install applications, call their “technical support hotline,” or ask for payment (often in the form of crypto or gift cards), beware. Microsoft offers advice on dealing with these scams.
- Utility impersonators: Fraudsters may impersonate utility companies, claiming your bill is overdue and possibly threatening to shut off service if the bill is not paid immediately. This scam has been reported as occurring over the phone, by text, in person, and by email (most recently in Washington State).
We know to be wary of emails urging us to open harmful links or attachments, or to divulge personal information. But as we adapt and get better at recognizing these attempts to make us click before we think, cybercriminals are becoming ever more sophisticated and using new and clever approaches. On top of that, AI-driven phishing is raising the threat to a new level. It’s more important than ever to use caution as you navigate digital spaces, and to learn some basic cybersecurity practices. The good news is that awareness and training can make a huge difference in reducing the likelihood that you will fall prey to phishing scams. Here are some tips for recognizing phishing and preventing yourself from becoming a victim.
How does phishing work?
Phishing is an attempt to access personal information in order to commit fraud or identity theft, done through social engineering—meaning it works by manipulating the intended victim to take harmful action. Some phishing may attempt to get the user to click on malicious links or attachments that will install malware to provide the criminal access to the device. Other phishing attempts try to get the victim to provide their personal information, including passwords and login credentials, credit card numbers, bank account information, and Social Security numbers. Cybercriminals may sell this information or use it directly to commit theft or fraud.
All phishing is the art of getting around the intended victim’s critical thinking so that they will act reflexively. The cybercriminals are hoping that you will click before you notice any red flags. They accomplish this through a variety of techniques, often impersonating an individual or institution you trust and trying to induce a sense of urgency or even panic. Some common approaches include:
- Messages notifying you of suspicious activity or log-in attempts
- Messages claiming there is an issue or problem with your account or payment information
- Warnings that your account will be closed if you don’t take immediate action
- Notices that your multi-factor authentication is expiring
- Threats of automatic payments being withdrawn from your accounts
- Order confirmations and invoices for services or items you didn’t order
- Requests to confirm personal or financial information for a trusted institution or organization
- Requests to make payments via a link
- Notifications that you are eligible for government refunds
Many phishing emails and text messages look very legitimate at first glance. They may copy an organization’s brand and logo to look official. With AI, phishing messages can adapt based on your personal role or location and mimic your personal and professional contacts. Cybercriminals use behavior patterns and psychological traits to target individuals with highly personalized strategies. Phishing may take advantage of generational vulnerabilities, reaching young people through mobile apps, targeting working people with HR scams, and exploiting older people’s trust in authority and unfamiliarity with digital verification practices.
We have been alerted to an active and malicious phishing campaign where individuals are sent a text message asking them to verify a Schwab transaction involving a disbursement from their investment account. The texts come from different international numbers and tempt users to cancel the disbursement by clicking a link to a fake variation of the Schwab domain, with misspellings such as “schwbab” or “schwbba.” Another active scam alerts users that the IRS requires a Form W-8BEN certification, with a link to re-certify and a warning that failure to do so may result in additional tax withholding. Be on the lookout for these and other similar phishing attempts; use the tools below to help spot them and protect yourself.
Recognizing a phish
Awareness, caution, and slowing down are your best friends when it comes to protecting yourself from phishing. Giving yourself time to take a moment before reacting and clicking can make all the difference. It’s important to take the time to look for and notice these red flags:
- Look for misspellings, grammatical errors, or mismatched fonts.
- Be wary of slight alterations of the organization name or website, such as amazan.com in place of amazon.com or schab.com in place of schwab.com.
- Check the sender’s domain name; often, it won’t match what you would expect from the brand or organization the email purports to be from.
- Hover over links to reveal the website’s URL – if it is not what you expect, don’t click.
- Be suspicious of emails that have grayed out the “To:” and/or “CC:” lines, as that may indicate a mass distribution email.
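The domain checks in the list above (slight alterations of a name, a sender or link domain that is not the one you expect) can also be done by a script. The Python below is an added example, not part of the original article; the `TRUSTED` list, the function names, and the `.example` hosts are assumptions made for illustration, built around the misspellings the article mentions.

```python
from urllib.parse import urlsplit

# Assumption for this example: the domains you actually do business with.
TRUSTED = ("amazon.com", "schwab.com")

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap adjacent letters) to turn a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent swap, e.g. "ab" -> "ba"
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def host_of(value):
    """Return the lowercase host from a URL, a bare host, or an email address."""
    value = value.strip().lower()
    if "://" in value:
        return urlsplit(value).hostname or ""
    return value.rsplit("@", 1)[-1].split("/", 1)[0]

def check(value, max_distance=2):
    """Classify a link or sender as 'trusted', 'lookalike of <domain>' or 'unknown'."""
    host = host_of(value)
    labels = host.split(".")
    # Simplification: treat the last two labels as the registered domain
    # (correct for .com; multi-part suffixes like .co.uk need a public-suffix list).
    if ".".join(labels[-2:]) in TRUSTED:
        return "trusted"
    name = labels[-2] if len(labels) > 1 else host
    words = host.replace("-", ".").split(".")
    for good in TRUSTED:
        brand = good.split(".")[0]
        # Brand used as a subdomain or hyphenated word of someone else's domain,
        # or a registered name within a couple of typos of the brand.
        if brand in words or edit_distance(name, brand) <= max_distance:
            return f"lookalike of {good}"
    return "unknown"

if __name__ == "__main__":
    # Constructed samples built from the misspellings named in the article.
    for sample in ("www.amazon.com", "amazan.com", "billing@schab.com",
                   "https://schwbab.example/verify", "amazon.account-verify.example"):
        print(f"{sample:35} {check(sample)}")
```

A result of "unknown" only means the name is not close to anything on the trusted list; it says nothing about whether the site is safe.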
Take precautions against cyberfraud
There are a number of best practices that can help protect you from phishing and other types of cyberfraud.
- Make a habit of visiting websites directly rather than clicking links in emails or text messages.
- Use security software and automatic updates to keep your devices up to date and secure.
- Use multi-factor authentication. Many organizations offer extra security by requiring two or more credentials to open your account, such as a verification code sent to your phone or from an authenticator app or a biometric authentication, such as your fingerprint or a facial scan.
- When in doubt, call to confirm. Call a known number to request confirmation if you are uncertain whether an email or text request is legitimate.
- Consider using a password manager like Keeper or Bitwarden to securely store your credentials.
- Back up your data. Keep the data on your computer and other devices backed up just in case there is a breach.
Reporting phishing messages can help fight scammers:
- You can report phishing attempts to the Federal Trade Commission (FTC) at ftc.gov.
- You can report phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org.
- Forward phishing text messages to SPAM (7726).
If you experience a breach
It’s a myth that only the careless fall prey to phishing. Anyone can become a victim in a moment of distraction or multitasking. If you do find that you clicked on a malicious link or gave out personal information, there are steps you can take to mitigate the damage. Click here for detailed instructions on how to respond to a data breach.
Coldstream is here to help. Contact your Coldstream wealth manager if you have questions related to cybersecurity, suspect that you are the victim of identity theft, or notice any suspicious activity in your accounts. We can collaborate with you to take extra precautions to verify your identity and ensure the authenticity of any fund transfers.
Please find below additional helpful resources and information on phishing and cyberfraud.
Additional resources
- Protect Yourself Against Phishing: Charles Schwab
- Understanding and Preventing Phishing Attacks: U.S. Department of State
- Recognize and Report Phishing: U.S. Cybersecurity & Infrastructure Security Agency
- U.S. Cybersecurity & Infrastructure Security Agency Phishing Tip Sheet
- Federal Trade Commission IdentityTheft.gov: When information is lost or exposed
- Cybersecurity and You: Protecting Your Assets: Coldstream
