
Password Phishing Scams: How To Avoid Them
Learn how you can protect yourself from the fake alerts and emotional plays scammers use to steal your passwords with this thorough guide from our partners at BECU.
You’re also invited to declutter securely by bringing your documents to BECU’s Shred & eCycle event!
On Saturday, Oct. 18 (and Oct. 25 in Spokane), BECU will host free shredding of sensitive paper and additional electronics recycling.
Takeaways: Common phishing tactics and how to avoid them
- Password phishing is when scammers posing as legitimate organizations contact you (usually about a fake urgent problem) to steal your passwords and gain access to your accounts.
- Common password phishing tactics include messages about fake password resets, fake package delivery issues, fake prizes, fake fraud alerts and fake charities during real disasters.
- Phishing is a widespread problem and can lead to a loss of access to bank and personal accounts, fraudulent credit card charges, and fake social media posts.
- Some ways to protect your money and identity include using a password manager, choosing a password that is at least 15 characters, employing hard-to-guess security questions and enrolling in multi-factor authentication.
What are password phishing scams and how do they work?
Password phishing involves scammers using any method of communication — often about a fake urgent problem that seems to require your immediate attention — to steal passwords to your banking, credit card, health care or entertainment accounts, or trick you into giving your passwords away.
Scammers often pose as people or organizations you’ve interacted with or that sound official, such as businesses, government organizations and trusted service providers. They might contact you through emails, phone calls, voicemails, text messages or social media with an offer that sounds too good to pass up, or a threat to discontinue a service you rely on if you don’t respond right away.
The scammers’ message often contains a link. This link prompts you to enter your username, password or authentication code, or it will launch malicious software giving scammers access to your login information.
Scammers then use this information in a few ways:
- Stealing money from your bank or credit union account.
- Stealing your personal or corporate files and photos.
- Making fake social media posts to scam others.
- Impersonating you by email or in other ways to target your family and friends for scams.
If scammers contact you by phone, they often try to convince you to give them account information, authentication codes or credit card details. If your credit card is involved, the scammer might run up charges on your card.
Common password phishing scams and tips to protect yourself
Here are a few common methods scammers use to steal your personal information and some tips to help you protect yourself.
Fake password resets
In a fake password reset scam, a scammer calls you or sends a phishing email or text telling you that you must reset your password or provide information to verify your account. The messages often pretend to come from big brands such as Microsoft, or social media platforms like Facebook.
These types of attacks aren’t new, but they continue to be common because they are so successful.
In one scam, business executives were targeted with phishing emails that appeared to be from Office 365. The emails said the account passwords were set to expire. Users unknowingly entered their login credentials, which hackers could sell and use to send out more phishing emails.
How to protect yourself:
- Never give passwords or authentication codes to callers.
- Only reset your password if you initiated the reset. Companies typically won’t email you links to reset your password without you requesting it.
- When in doubt about a password reset, go directly to the website, not through the email or text link, and reset your password there.
- Look carefully at the email address of the sender. Make sure it’s spelled correctly. Hover your mouse over the email to make sure the address that pops up is the same as the address you see in the sender field.
Fake package tracking alerts (text or email)
In this type of phishing or smishing (SMS phishing) scam, attackers send email or text alerts claiming to have tracking information about a package, or that a package is waiting to be delivered.
The scammers say they will provide the package information after you enter personal information or make a payment. Usually, the message tries to lure you into disclosing your username and password, or credit card number.
In other cases, the scammers will try to convince you to click on a link that installs malware.
The U.S. Postal Service Office of Inspector General has alerted postal customers to a scam in which fraudsters sent phishing messages claiming to have postal tracking information about packages. FedEx and UPS have also cautioned their customers about these scams.
How to protect yourself:
- Watch out for this type of scam as the holiday shopping and shipping season approaches.
- Verify links in text and email messages match the web address of the package carrier service.
- If you’re not sure about a messenger or sender, don’t click any link sent to you. Instead, open a new browser window, log in directly to the website and enter your tracking number there.
Fake rebates and prizes
Prizes, refunds and rebates can be hard to resist. In one type of phishing attack, scammers send phony text messages. These messages offer to send you money if you click a link where you’ll be prompted to log in or enter your banking information.
These messages might tell you the offer is for a limited time only, creating a sense of urgency.
A few fake prize scams have pretended to be from Hulu, Verizon and AT&T.
How to protect yourself:
- Assume that if a prize is too good to be true, it probably is.
- Pause for a moment, especially if you have to “act now” to get money deposited into your account. Most reputable companies give plenty of time to communicate a special offer or discount, and they won’t ask you to log in and provide your account number.
- Look closely at links before you click on them. Make sure there are no spelling errors, and the links match the company website.
- When in doubt, go straight to the website and see if the special offer or contest is advertised there.
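The "does the link match the company website?" check from the password reset, package tracking and prize sections above can be automated. This is an added example, not code from the article or from BECU; the OFFICIAL_SITES table and every sample link are constructed for illustration, and the hostname check is a simplification that ignores multi-part suffixes such as co.uk.

```python
"""Flag links in a message that do not really point at the company they claim.
Added example (not from the original article); OFFICIAL_SITES is constructed."""
from urllib.parse import urlparse

# Constructed: the official site for brands the article names.
OFFICIAL_SITES = {"fedex": "fedex.com", "ups": "ups.com", "usps": "usps.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'track.ups.com' -> 'ups.com'.
    Simplification: ignores multi-part public suffixes such as 'co.uk'."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-letter misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href: str, brand: str, shown_text: str = "") -> list[str]:
    """Return the reasons a link claiming to be from `brand` should not be trusted.
    An empty list means every check passed."""
    warnings = []
    expected = OFFICIAL_SITES[brand]
    parsed = urlparse(href if "://" in href else "https://" + href)
    host = parsed.hostname or ""
    actual = registrable_domain(host)
    if parsed.scheme != "https":
        warnings.append("link is not https")
    if "@" in parsed.netloc:
        warnings.append("'@' in the address: the real host is what follows it")
    if actual != expected:
        if brand in host:  # brand used as a subdomain of someone else's site
            warnings.append(f"'{brand}' is only part of the name; the site is {actual}")
        elif edit_distance(actual, expected) <= 2:
            warnings.append(f"{actual} looks like a misspelling of {expected}")
        else:
            warnings.append(f"link goes to {actual}, not {expected}")
    # The 'hover' check: the text you see must name the same site as the real target.
    if shown_text and expected in shown_text.lower() and actual != expected:
        warnings.append("displayed text names the official site but the link does not")
    return warnings
```

Run `check_link` on each link in a suspicious message with the brand it claims to be from; anything other than an empty list means go to the carrier's site directly instead of clicking.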
Fraud alert phishing attacks
In a fraud alert phishing scam, scammers impersonate financial institutions or credit card companies with text alerts about fake fraud attempts. These types of scams play on the fear of exactly what the scammers are trying to do: Gain illegal access to your accounts and drain your funds.
Scammers have targeted BECU members with this type of phishing scam.
How to protect yourself:
- Never provide your online banking user ID or password. A legitimate credit union or bank won’t ask for this information via text, email or by phone.
- Don’t click links in text messages to respond to a fraud alert. Financial institutions won’t ask you to log in from a text.
- Contact your financial institution about any fraud alerts or threats to your account using a legitimate phone number that you look up on their official website or on your debit or credit card, or contact them through your online account.
Disaster phishing attacks
Scammers prey on vulnerable people during widely publicized hard times, posing as government agencies and fake charities during natural disasters and other crises.
Following catastrophic flooding in Texas, scammers posed as government employees and charities to steal money and personal information. Others have demanded money in exchange for information about missing loved ones.
Don’t take the bait. These are attempts to gain access to your personal information.
How to protect yourself:
- Check websites such as Charity Watch and GuideStar to verify any charitable organizations.
- Beware of messages that prompt you to apply for insurance or tax benefits. For stimulus payments and tax credits, the first step, if you’re eligible, is to file your taxes. Don’t respond to email or text messages soliciting donations.
Unsecured public Wi-Fi
Heading to the local coffee shop to get a little work done on your laptop seems convenient, but if you’re using an unsecured Wi-Fi network, you’re leaving yourself vulnerable.
Scammers can intercept data as it moves between your computer and the wireless network, which is called a “man-in-the-middle” attack. If they manage to intercept your username or password over an unencrypted channel, they might use that information to target you with phishing attempts, use your account to send phishing messages to others, or gain access to your accounts directly.
How to protect yourself:
- Never enter banking passwords or sensitive information over unencrypted public Wi-Fi.
- Disconnect your Bluetooth if you’re not using it.
- Don’t shop online on an unsecured network. Attackers can potentially intercept your login credentials for the site you’re shopping on and access your payment information.
- Use a VPN (virtual private network) to create a secure connection over unsecured public Wi-Fi.
4 Tips to protect against password scams
Although attackers are finding new and creative ways to steal your personal data, there are a few steps you can take to improve your overall security online.
1. Use a password manager
Using a password manager that generates random passwords can simplify the task and likely do a better job of keeping your accounts safe than you can on your own.
PCMag has reviews of password managers in several categories.
If you decide to manage your passwords without a service, be sure to create strong passwords and change them frequently. Never use the same password on multiple accounts; if it’s compromised in one account, all of your accounts become vulnerable.
2. Choose a longer password
The safest passwords are at least 15 characters long, according to the latest guidance by the National Institute of Standards and Technology.
The more characters you have, the harder it is to guess. In fact, it would take a modern laptop more than 500 years to work through all the possible combinations of a 15-character password, according to NIST.
If you’re concerned about remembering a long password, consider using a passphrase — combining several real words together.
You can include numbers and special characters to make the password harder to guess, but a long password is a higher priority than a complex one, according to the latest NIST recommendations.
Only respond to password change messages if you initiated them. Remember that legitimate organizations won’t text, email or call you to ask for this information.
If someone calls you asking for the authentication code you just received to help you log in, don’t give it to them. It’s likely a scammer who has intercepted your data.
3. Use hard-to-guess security questions
As a secondary layer of protection, many websites require you to choose security questions and answers.
WIRED magazine calls security questions “problematic” and a “weak link” because the answers are too easy for scammers to guess.
If you are required to rely on security questions, choose questions that can’t be easily answered by a Google search.
If you’re having trouble finding a security question that doesn’t have an easy-to-discover answer, WIRED recommends against answering the security question honestly.
4. Use multi-factor authentication
Multi-factor authentication is a security feature that requires you to verify your identity at least two different ways when you log in to an account. Often, you’ll enter your username and password, then the website or app will send you a unique security code by text message, email or phone call.
This is an important added layer of security, but like all security measures, it’s still subject to hacks and scams. For example, scammers might use bots to convince you to give them your authentication code so they can access your accounts.
How to protect yourself:
- Only enter codes for accounts you are actively trying to access.
- Consider it a red flag if you receive a message or a call asking for your code to resolve a problem, especially if there is a sense of urgency.
- Don’t click any links in the message.
- Use contact information you have saved, or look it up yourself, to reach out to the organization and check your accounts.

Katie J. Skipper (She, Her, Hers)
BECU Community Content Manager
Katie manages the BECU Blog and writes about personal finance topics including credit cards, budgeting, debt management, loans, taxes, home improvement, inflation, fraud and scams. She also writes about race, gender and social equity, and features the stories and expertise of BECU employees and community members.
A former journalist, she has reported for daily newspapers in Washington and Montana, including The Daily (Everett) Herald, Great Falls (Montana) Tribune and The Bellingham Herald, covering a range of topics including government, law and justice, and the environment.
Thank you to BECU for sponsoring The Whole U!