Phishing exploits the gap between tools and trust

A routine alert appears on a phone or computer—an account notification, a delivery update, a password reset prompt. These messages are now a common part of daily digital life. What appears to be a single routine prompt may in fact be a phishing attempt, designed to trigger action and, in some cases, initiate long-term financial exploitation built on a false sense of trust, familiarity, and sustained contact. Phishing is no longer confined to suspicious emails tucked into an inbox. Today, these attempts surface across multiple devices and digital environments where routine interactions happen. Examining these prompts in context shows how phishing functions as an evolving system of influence, not an isolated digital nuisance.

How phishing occurs (and why it persists)

Phishing is a deceptive attempt to persuade someone to share sensitive information or grant access by impersonating a trusted source. Rather than relying on technical complexity, these schemes often exploit familiarity and routine, seeking credentials, verification codes, financial information, or permission to install software. 

Despite years of awareness efforts, phishing is still one of the most frequently reported forms of internet crime in the United States. Its persistence reflects both technical gaps and the ways in which routine behavior and time pressure are exploited. Phishing spans a spectrum from broad, high-volume efforts to targeted spear phishing that draws on personal details to build credibility.

What phishing looks like today

Today’s phishing attempts span a wide range of channels and formats, mirroring how people interact with financial and everyday services across devices and platforms. These attempts often use signals of legitimacy, including branding, tone, and context, to align with routine activity. Common forms include:

• Emails sent from addresses that closely resemble financial institutions, retailers, or service providers.

• Phone calls displaying masked or spoofed caller IDs that appear to originate from official organizations.

• Text messages (“smishing”) tied to account activity, deliveries, or password resets.

• Pop-ups or in-app prompts that mimic security warnings and urge immediate action.

The defining feature in all these variations is not the surface-level instruction, but the request for access itself.

Why phishing can be difficult to recognize

These attempts succeed not because people fail to pay attention, but because they’re designed to blend into familiar routines and expectations. Effective attempts often rely on cues that feel familiar or plausible, such as:

• Recognizable logos and institutions.

• Timing that aligns with common life events such as travel, new devices, or account changes.

• Urgency or authority that discourages verification.

• Conversational or casual language, particularly in text messages.

A phishing attempt is the message itself. The risk arises when the recipient clicks, shares, or responds.

The attempt versus the risk

Two illustrated panels show a person seated at a desk using a computer and phone. The first panel, labeled “The attempt,” shows alerts reading “Security alert,” “Unknown caller,” and “Urgent verification needed.” The second panel, labeled “The risk,” shows prompts such as “Entering credentials,” “Click here,” and “Share information?” A divider between panels reads “It’s your choice,” emphasizing that engagement increases risk.

Source: Vanguard.

A message, call, or alert may seem routine, but its purpose is to draw engagement. The risk increases when a person responds, because a response gives fraudsters a path to continue the interaction. Even small actions can signal access and lead to further attempts, turning a single prompt into an opening for broader exploitation over time.

When phishing escalates into exploitation

While phishing is often framed as a single event, it can also mark the starting point for broader scams that evolve over time. In many cases, escalation is not driven by the message itself, but by the response—small actions that signal availability, trust, or willingness to continue the exchange. Escalation may include:

• Ongoing contact that extends well beyond the initial message.

• Increasing personalization that often incorporates life details or prior interactions.

• Heightened pressure, including claims of urgency, risk, or exclusivity.

• Platform shifts, such as requests to move conversations from email or text to encrypted messaging apps.

• Requests to keep the interaction private, sometimes framed as a precaution or special instruction.

For example, a casual greeting via text can progress to ongoing contact, platform shifts, and increasing personalization. Over time, what starts as a low-stakes exchange may prove to be a sustained effort to influence behavior that could result in significant financial loss.

Digital hygiene as a risk-reduction framework

While updates, strong passwords, and multifactor authentication play an important role in preventing unauthorized access, phishing and other exploitation ultimately hinge on engagement. Choosing not to respond to unsolicited messages and navigating directly to trusted websites or apps when verification is needed can significantly reduce exposure.

Common digital hygiene practices include:

• Avoiding links or attachments in unexpected messages.

• Deleting or reporting suspicious messages rather than engaging.

• Keeping operating systems and applications current.

• Applying the same standards across all devices.

When messages are designed to create urgency, a brief pause can be a powerful countermeasure. Effective responses often follow a simple sequence:

• Pause before acting.

• Analyze what is being requested.

• Consult someone trusted, especially when situations feel time-sensitive or unclear.

Introducing a second perspective can help disrupt isolation and identify red flags that are harder to spot alone.

Phishing awareness and digital hygiene are most effective when part of a combined effort. As scams continue to adapt across platforms and devices, the greatest risk often emerges in the speed of the response rather than the message itself. By pausing, verifying all information through trusted channels, and maintaining consistent habits across devices, investors can significantly reduce the likelihood that a routine prompt becomes something more serious.

Notes: 

Publication date: May 2026
