The email looked exactly like my bank's. It wasn't.

An email copied my bank’s layout—logo, footer, tone—and said suspicious activity meant I had to verify or the account would lock.

I was between meetings and did not want payments to fail, so I treated it like an urgent chore.

I used the link in the email, landed on a page that matched the real login, and entered my username and password.

By evening transfers and card taps I had not made were moving out of the account.

Phishing pairs a fake message with a fake site so credentials go straight to criminals.

They drained thousands before the bank’s fraud filter froze what was left; recovery meant affidavits and new cards.

At the time I believed speed would stop a lockout; I knew the rule about not clicking bank links, but the fear of losing access won for five minutes.

The fraud line on the number on my card said they had not sent that email; when I compared the link character by character, the domain was wrong.

Savings took a hit and the weeks of disputes were exhausting; I kept checking the app for new alerts long after the case closed.

I never use verify or login links from email or texts.

I open the bank’s site from a bookmark or typed URL and log in there.

• Never click login links in unsolicited email or SMS; use your official app or typed URL.
• Report phishing to your bank and FTC (US) or your national reporting centre.

For more help, see our Report a scam page and Spot and avoid scams guide.