Phishing Scams in the United States
US phishing attacks impersonate the IRS, USPS, Social Security Administration, major banks, and popular tech brands — with spear-phishing and business email compromise among the highest-cost variants.
Last reviewed: 1 June 2026
The United States experiences the highest absolute volume of phishing fraud globally, with the FBI's IC3 recording billions of dollars in losses annually from phishing-enabled attacks. The decentralised US financial system — multiple banks, credit unions, and financial apps — gives phishers a wide range of institutions to impersonate, and the country's high digital banking and e-commerce adoption means victims frequently transact online.
Spear-phishing — targeted attacks on specific individuals or organisations — accounts for a disproportionate share of US phishing losses because it enables business email compromise, payroll diversion, and wire fraud at scale.
How this scam works in the United States
IRS phishing is seasonal but persistent, peaking in January–April and claiming recipients owe back taxes, face penalties, or are eligible for refunds. The IRS does not initiate contact by email, text, or social media — any such contact is fraudulent.
USPS and FedEx phishing follows parcel delivery patterns, sending fake tracking SMS messages with links to sites that capture card details for small delivery fees. The volume spikes around holiday shopping seasons.
Business email compromise (BEC) phishing targets organisations by compromising or spoofing executive email accounts to redirect payments, payroll, and vendor invoices. The FBI IC3 consistently identifies BEC as the highest-dollar-loss cybercrime category in the US.
Common red flags
- IRS email, text, or social media message about a tax debt or refund — the IRS only writes letters
- USPS or FedEx SMS about a delivery issue with a link to pay a fee
- Email appearing to come from a company executive requesting an urgent wire transfer or gift cards
- Social Security Administration contact about a suspended Social Security number
- Bank text message that appears in a genuine message thread asking for login verification
How to protect yourself
- Forward phishing SMS to 7726 (SPAM)
- Forward phishing emails to [email protected] and to the impersonated organisation
- Access the IRS only at irs.gov — never through links in messages
- Report IRS impersonation to [email protected]
- Enable multi-factor authentication on all banking and financial accounts
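The "only at irs.gov" rule above, as an added example that is not part of the original page: a Python check that works out which host a link really leads to and accepts it only if it belongs to one of the sites this page names. The function names, the use of those sites as an allowlist, and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Sites this page names for direct access and reporting. Using them as an
# allowlist is an assumption of this example.
OFFICIAL_DOMAINS = ("irs.gov", "ic3.gov", "reportfraud.ftc.gov")


def real_host(url):
    """Return the host a link actually leads to (ASCII/punycode), or None."""
    if "\\" in url:
        # Browsers read "\" as "/", urlsplit does not: refuse instead of guessing.
        return None
    try:
        host = (urlsplit(url.strip()).hostname or "").rstrip(".")
        return host.encode("idna").decode("ascii") or None
    except ValueError:  # malformed URL or invalid international name
        return None


def official_domain(url):
    """Return the allowlisted domain the link belongs to, or None."""
    host = real_host(url)
    if host is None or urlsplit(url.strip()).scheme != "https":
        return None
    for domain in OFFICIAL_DOMAINS:
        # Exact match or a true subdomain; "irs.gov" appearing elsewhere is not enough.
        if host == domain or host.endswith("." + domain):
            return domain
    return None


# Constructed sample links (not taken from real messages).
SAMPLES = [
    "https://www.irs.gov/refunds",
    "https://irs.gov.tax-refund.example/claim",  # official name used as a prefix
    "https://irs.gov@tax-refund.example/claim",  # official name in the userinfo part
    "https://irs-gov.example/verify",            # lookalike spelling
    "https://\u0456rs.gov/refunds",              # first letter is Cyrillic U+0456
    "http://irs.gov/refunds",                    # not HTTPS, so not treated as verified
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{official_domain(link) or 'NOT OFFICIAL':20} {real_host(link)}  <- {link}")
```

Only the first sample is accepted; the others show why a link that merely contains "irs.gov" proves nothing about where it leads.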
How to report it
- Report to the FBI IC3 at ic3.gov
- Report to the FTC at reportfraud.ftc.gov
- Contact your bank or financial institution immediately if credentials were entered
Frequently asked questions
Does the IRS ever contact Americans by email or text?
The IRS initiates contact almost exclusively by postal mail. Emails, texts, and social media messages claiming to be from the IRS are fraudulent. If you receive one, report it to [email protected] without clicking any links.