Learn how to spot and report suspicious email and text messages that appear to be from Wells Fargo.
Phishing is the fraudulent attempt to obtain sensitive information, such as usernames, passwords, and account details, typically through an email, text message, or even a phone call. It's a popular scammer ploy to get you to share key information they can use to steal your money, commit identity theft, or even sell your information to other fraudsters.
These messages may impersonate a company, charity, or government agency, and are often posed as an urgent request to convince you to sign on to a fake site, open an email attachment containing malware, or share your personal or account information.
If you receive a unexpected or suspicious email or text message, don’t respond, click any links, or open attachments. Don't sign on to your account from a link in the suspicious message. Close the suspicious message and sign on to the Wells Fargo Mobile® app or type wellsfargo.com in a new browser window or tab to access your account directly.
If you responded
If you clicked on a link, opened an attachment, or provided personal or account information, call us immediately at 1-866-867-5568.
If you didn’t respond
Forward the suspicious email or text to reportphish@wellsfargo.com and then delete it. You will receive an automated response. We will review your message right away and take action as needed.
Phishing scams can be hard to spot, but typically include the following:
Suspicious sender
Do you recognize the email address, phone number, or short code? Don’t respond to messages from a sender you don’t know.
Urgent request
If you receive an urgent request to unlock your account, verify your identity, or confirm account details, don't click any links or respond. It's likely a phishing attempt and should be deleted.
Unusual language
Are there spelling or grammar mistakes in the message? Does it contain unusual formatting, such as ID numbers or punctuation like exclamation points? It may be a scam, so don’t respond.
Unexpected phone call
Phone numbers can be spoofed to impersonate legitimate companies. If someone calls asking for your PIN, access code, or online banking password, hang up. Call the number on the back of your Wells Fargo card or the website to verify the request.
Bank imposter scams are on the rise. Learn how to help protect yourself from this type of phishing.
Wells Fargo may email, text, or call you if we detect unusual account activity.
Important: Wells Fargo will never ask for your card PIN, temporary access code, or online banking password.
If someone claiming to be from Wells Fargo asks for this information, do not respond. It's a scam. When in doubt, call us immediately using the number on the back of your card.
We may send you a access code to verify your identity when you take an action, such as when you sign on or use Zelle®. If you receive an unexpected access code, do not provide it to anyone who contacts you asking for it and call us immediately.
What does phishing look like?
Phishing emails can be difficult to distinguish from legitimate emails. In this example, notice:
- Non-Wells Fargo email address: The sender's email address does not include wellsfargo.com, but instead uses something very similar like wells-fargo.info, which is not a legitimate Wells Fargo address.
- Urgent call to action: The email conveys urgency by saying, "you need to update your account today for security purposes" to convince you to take action.
- Suspicious web address (or URL): The email contains a link that appears to be legitimate but leads to a fraudulent website. If it looks suspicious, don't click. Preview any link you have doubts about before clicking on it. On your mobile phone, you can press and hold the link and the URL will appear in a pop-up box. If you’re using a computer, hover over the link with your cursor, and the URL will show in the bottom left of your browser window. Beware: URLs beginning with "https" can also be used for phishing.
What does smishing look like?
Text phishing or “smishing” is similar to email phishing. In this example, notice:
- Suspicious sender: The text was sent from an unknown phone number, instead of one of Wells Fargo’s official short codes: 93557, 93733, 93729, 93767, or 22981. Five-digit short codes are commonly used by companies, like Wells Fargo, to send text messages. Tip: Add trusted short codes and phone numbers to your contact list so you recognize them when you receive a text.
- Unexpected request: The message may include an unexpected request to provide "required information" in order to regain access to your credit card. Also, be on the lookout for unusual formatting, which could be a red flag.
- Suspicious web address (URL) or phone number: The text message contains a link to a non-Wells Fargo URL, which could be a fraudulent website. Always preview a URL in texts. If you have any doubts, call us directly using the number on the back of your card to confirm we sent you the text. On a mobile phone, press and hold the link and the URL will appear in a pop-up box. Phishing texts may also include a fraudulent phone number. Do not call the number in a suspicious text. Call the number on the back of your Wells Fargo card or the website to verify the request.