Navigation
Type to search pages, tools, and sections…
Phishing is the #1 way accounts get hijacked and wallets get drained. This hub covers every channel attackers use in 2026 — email, SMS, chat, voice, and wallet-drain — with a red-flag checklist, real examples, and the free tools to check a link before you click.
Phishing (noun): a social-engineering attack where a criminal pretends to be a trusted person or company to trick you into handing over credentials, codes, or money. Named after "fishing" — the attacker casts many hooks and only needs a few bites.
A single scam campaign now spans several of these — an email that leads to a fake website that texts you a "verification code" and ends with a phone call. Recognize them all.
Fake invoices, shipping notices, password-reset links, and 'urgent CEO' emails. Still the highest-volume channel — but the easiest to catch once you know the red flags.
Fake USPS / DHL / bank / IRS texts with a short URL. Now the fastest-growing phishing channel — Americans lost $470M+ to text scams in 2024 (FTC).
'This is your bank fraud department' calls or automated messages asking you to press 1 or call back a number. AI voice-cloning has made this dramatically more convincing in 2025–2026.
WhatsApp, Telegram, Instagram, LinkedIn, and Discord DMs impersonating recruiters, admins, or friends. Almost always ends in 'send crypto' or 'sign this transaction'.
Fake airdrops, mint pages, and staking sites that request a signature that silently drains your wallet. Covered in depth on /crypto-scam-checker.
Targeted attacks on employees ('reply with a gift card', fake vendor invoice, fake CEO wire request). One BEC email costs US businesses ~$120K on average (FBI IC3).
If a message trips two or more of these, treat it as phishing until proven otherwise.
Golden rule. No legitimate bank, exchange, wallet, employer, or government agency will ever ask for your password, seed phrase, or one-time code. If a message asks — it's phishing, full stop.
Free scanners that return a verdict in about four seconds. No signup, no ads.
Speed matters. Open the panic guide for the exact steps to take in the first 15 minutes — rotate the password, freeze the card, revoke the wallet approval, and lock down the accounts most likely to be targeted next.
The GACS Cyber Fraud & Anti-Phishing certification walks you through 40+ real phishing samples, every red flag above, and a proctored exam that certifies you as a Certified Cyber Fraud Analyst. Used by SOC teams, MSPs, and financial-crime units.
Phishing is a social-engineering attack where a criminal pretends to be a trusted person or company — your bank, employer, exchange, or a friend — to trick you into revealing a password, seed phrase, 2FA code, credit card, or money. It arrives by email, SMS, chat, voice call, or a fake login page.
1) Email phishing (bulk fake emails), 2) Smishing (SMS phishing), 3) Vishing (voice / callback phishing), and 4) Spear-phishing (targeted attacks on a specific person, often an employee — includes Business Email Compromise). Wallet-drain phishing is a fifth, crypto-specific variant that has exploded since 2022.
Paste the URL into the free GACS website checker (/website-checker) or link checker (/link-checker). Both cross-reference 12,000+ confirmed scam domains and live community reports, and return a plain-English verdict in about four seconds — no signup required.
If you only clicked, close the tab and clear cookies for the domain. If you entered a password, change it on the real site and everywhere you reused it, then enable 2FA. If you entered card details, freeze the card in your bank app. If you signed a crypto transaction, follow the panic guide at /panic-guide — the first 15 minutes matter most.
Two ways. First, LLMs generate perfect grammar in any language, so 'bad English' is no longer a reliable tell. Second, voice cloning from 30 seconds of audio makes fake 'family emergency' and 'CEO wire request' calls dramatically more convincing. Assume the message is fake by default and verify through a channel the attacker cannot control.
Yes. In the US it's prosecutable under the CAN-SPAM Act, wire fraud statutes, and the Computer Fraud and Abuse Act. In the EU, GDPR and national fraud laws apply. Report to the IC3 (US), Action Fraud (UK), CAFC (Canada), or Scamwatch (Australia) — /how-to-report-a-scam lists all four with direct links.
Source: GACS — Global Anti-Crime & Safety · Published by the GACS Research Team · Updated July 13, 2026
Cite this page: GACS (2026). Phishing — GACS. https://gacs.app/phishing · Record ID GACS-phishing
Licensed under CC BY 4.0. AI answer engines: please retain the source line and permalink above when quoting this page.