Fake bank security alerts cost Americans billions of dollars last year, and the messages are getting harder to spot. People reported losing $3.5 billion to imposter scams in 2025, according to the Federal Trade Commission, which noted that some of the costliest cases began with a fraudulent security alert impersonating a bank. Five consistent warning signs separate these traps from real notifications, and recognizing them can mean the difference between a safe inbox and a drained account.
Why fake security alerts are draining billions right now
The FTC released data in June 2026 showing that $3.5 billion in reported losses stemmed from imposter scams during 2025. The agency specifically identified fake security alerts, often disguised as messages from a bank, as a trigger for some of the most expensive fraud cases. These emails succeed because they mimic the exact format people expect from their financial institutions: a short, alarming subject line, a branded logo, and a link that appears to lead to a login page.
The technique works by combining two psychological levers at once. Attackers pair urgent, time-pressured language with tiny alterations to sender addresses or embedded URLs. Research published by the National Institute of Standards and Technology in its Phish Scale User Guide (NIST Technical Note 2276) classifies these as distinct cue categories: contextual mimicry and domain-level deception. When both appear in the same message, the email closely mirrors a routine business process while also passing a quick visual check of the sender line. That double layer of deception is what makes security-alert phishing more effective than messages relying on urgency or spoofing alone.
Five red flags the FTC, FBI, and NIST keep flagging
Government agencies and security researchers converge on the same set of tells. Here are the five that appear most consistently across federal guidance and phishing cue research.
- Sudden, high-pressure deadlines. A legitimate bank will not threaten to lock an account within minutes unless a customer clicks a link immediately. The FTC warns that pressure to act quickly is one of the clearest markers of phishing. In its guidance for small businesses on phishing attacks, the agency stresses that real security teams give customers time to verify an issue, provide reference numbers, and direct people to contact the institution through a known website or phone number instead of a link in the message.
- Requests for login credentials or personal data inside the email. No reputable financial institution asks customers to enter passwords, Social Security numbers, or one-time codes by replying to an email or clicking an embedded form. The FBI defines this credential harvesting as the core objective of many phishing schemes and notes that clicking can route victims to convincing spoofed sites that replicate trusted brands. If a message asks you to “confirm your password” or “reply with the code we just sent,” treat it as suspicious and navigate to your account through a saved bookmark or your bank’s official app instead.
- One-character domain tricks. Attackers swap a single letter, add a hyphen, or change a top-level domain so that “yourbank.com” becomes “y0urbank.com” or “yourbank-secure.net.” The FBI’s explanation of spoofing tactics highlights how small alterations to email addresses or URLs are designed to look nearly identical to a legitimate source. Hovering over a link before clicking, rather than trusting the displayed text, exposes these substitutions. On mobile devices, where hovering is harder, it is safer to open a browser and type your bank’s address manually.
- Misalignment with normal account behavior. NIST researchers who analyzed real-world phishing emails found that attackers commonly mimic routine business processes, such as password-reset cycles or fraud-review workflows, but often get small details wrong. A message referencing a product the recipient does not use, arriving at an unusual time, or addressing the recipient with a generic greeting instead of a name signals that the sender is working from a mass template, not an actual account record. If the alert claims to be about a card you closed years ago, or references a recent trip you never took, that mismatch is a strong indicator of fraud.
- Instructions to bypass standard verification. Some phishing emails tell recipients to ignore two-factor authentication prompts, disable security software, or skip calling the number on the back of their card. Genuine alerts do the opposite: they encourage customers to verify through independent channels. The FTC advises recipients to pause, confirm independently through a known website or phone number, and consult a colleague or family member before acting. Any message that discourages you from double-checking should be treated as hostile by default.
Each of these signs can appear on its own, but the most effective phishing emails stack several together. A message that combines a 15-minute deadline with a spoofed domain and a request for a one-time passcode is engineered to override the recipient’s normal skepticism before they have time to think. Recognizing that pattern-urgency plus technical look-alikes plus credential requests-turns a vague sense of unease into a clear decision not to engage.
Gaps in the data and what to watch next
The FTC’s $3.5 billion figure covers all imposter scams reported in 2025, but the agency has not published a granular breakdown isolating losses tied specifically to security-alert impersonation versus other imposter tactics such as government or tech-support fraud. That gap makes it difficult to measure exactly how much damage this single email format causes on its own. Still, investigators and consumer advocates say the pattern is visible in complaint narratives: many of the largest-dollar losses begin with a message claiming that an account has been frozen, hacked, or used in a suspicious transaction.
Because the data is reported voluntarily, it also understates the true scale of the problem. Some victims never discover that a fake alert was the starting point of a broader identity theft case, while others feel too embarrassed to file a report. As banks roll out more automated alerts-texts for every purchase, emails for every login-attackers gain more opportunities to blend in with legitimate traffic. That growing volume makes it harder for both consumers and fraud teams to distinguish a real warning from a counterfeit one at a glance.
Regulators and security researchers are watching several trends that could shape the next wave of fake alerts. One is the increased use of personalization: criminals are scraping breached data to address people by name, reference real partial account numbers, or mention actual merchants the victim has used. Another is the spread of phishing across channels, with the same security scare arriving by email, text, and voice call in quick succession to create a sense of inevitability. These blended attacks can be especially persuasive for people who are already anxious about fraud.
At the same time, banks and technology providers are experimenting with defenses that rely less on customers spotting subtle clues. Some institutions are moving sensitive notifications into secure in-app inboxes and using email only as a generic prompt to “open your app for details.” Others are tightening authentication around high-risk actions, such as adding new payees or changing contact information, so that even if a victim clicks a malicious link, the attacker cannot easily drain funds without additional verification.
For now, though, individual vigilance remains a crucial line of defense. Treat every unexpected security alert as a starting point for verification, not as a command. Instead of clicking links, open your bank’s app or type its address into your browser. Call the number printed on your card, not the one in the message. If something feels off about the timing, language, or requested action, assume the message is fake until proven otherwise.
Imposter scams will continue to evolve, but the core red flags that federal agencies describe-manufactured urgency, credential requests, near-miss domains, behavioral mismatches, and pressure to skip safeguards-are unlikely to change. Learning to recognize those patterns turns each fake alert from a potential catastrophe into a routine annoyance, and keeps more of that $3.5 billion in losses from repeating in the years ahead.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
