Most Common Phishing Lures in Every State

Cybercriminals are getting smarter—and so are their scams. Attacks involving the impersonation of real companies, organizations, and even individuals to solicit sensitive information are on the rise. These phishing lures, once easy to spot, have transformed into increasingly sophisticated attacks, often using social engineering tactics to manipulate individuals into revealing sensitive information. Whether through email, text message, or social media, these scams are designed to appear as legitimate as possible.

Phishing lures aren’t just an inconvenience, either. They can lead to stolen identities, drained bank accounts, and dangerous security breaches. While some people are quick to recognize and delete suspicious messages, others unknowingly take the bait. And with cybercriminals constantly evolving their methods, staying ahead of the latest scams is more important than ever.

But who is falling for these scams the most? Which U.S. states are most vulnerable, and which companies are most commonly impersonated? Fullstack Academy investigated these key questions by conducting a nationwide survey to provide a state-by-state breakdown of phishing trends in 2025.

Keep reading to learn which scams are most prevalent in your state, which tactics scammers use the most, and how different generations are fighting digital scammers.

Key Takeaways

• "Package delay," "claim your prize," and "unusual account activity detected" are the three most common phishing lures in the U.S.

• Alabama, South Carolina, and Idaho residents are the least likely to have fallen victim to phishing lures.

• Georgia, Indiana, and Florida residents are the most likely to have fallen victim to phishing lures.

• Florida, Arkansas, and New York residents are the most likely to have received local-related phishing lures (such as messages impersonating local businesses or referencing current events).

• Respondents most frequently ​​delete immediately, block sender, or mark as spam when receiving phishing lures.

• To protect against phishing lures, respondents are most likely to not click on suspicious links, use strong passwords, and enable two-factor authentication.

Most Popular Phishing Lures in the U.S. by State

Residents of 25 of the 45 states included in the study noted that package delays or shipping issues were their most commonly encountered type of phishing lure. That matches with the overall data—75% of all respondents reported having received a package-related phishing lure. Among states, Virginia is the most popular place for package delay phishing lures, as 85% of Virginians say they’ve encountered one.

The next most common type of phishing lure is focused on claiming a hoax prize. Overall, 71% of respondents have received that type of scam, with five states voting it as the most common. In no state is that scam more common than New Mexico, where 81% of respondents say they’ve received a “claim your prize” scam before.

In third position are unusual account activity scams, as 70% of respondents have encountered one. Nine states voted this type of scam their most popular, with 84% of Delawarans having received one, the highest percentage out of all states.

Connecticut, Oklahoma, and South Carolina were the only states where “account comprised” phishing lures were most popular (and 66% of all respondents have received one), while Florida was the lone state to pick invoice or payment request as most common (this one was received by 64% of all respondents).

When it comes to getting hoodwinked by a scam, 43% of Georgia state respondents admitted to falling victim, which beats out Indiana (40%) and Florida (36%). On the flip side, just 10% of respondents from Alabama, South Carolina, and Idaho reported having been duped, making those three the least likely states where residents have fallen victim to a phishing lure.

Organizations Most Commonly Impersonated For Phishing Lure Scams

While respondents marked impersonations for numerous organizations, 40% or more reported having encountered five: Amazon, USPS, UPS, PayPal, and FedEx. And here is where a trend emerges: USPS, UPS, and FedEx are all shipping organizations, while Amazon and PayPal deal in e-commerce (in addition to shipping, in the case of Amazon).

Outside of the top five, tech giants Google, Microsoft, Facebook, and Apple are also commonly impersonated, while the Internal Revenue Service is also a frequent guise of scammers.

Shipping scams are so prevalent that the USPS has guides to detecting and protecting yourself from such impersonators. Per FTC data, consumers lost $12.5 billion in 2024 to scams, with imposter scams accounting for $2.95 billion in losses alone. With so much money on the table, it’s no wonder that phishing lures are impersonating trusted organizations.

The gender breakdown has one noticeable trend in this area: Women are more likely than men to receive phishing lures impersonating shipping companies. Out of all female respondents, 54% said they’ve received USPS scams, while just 46% of male respondents said so. And with UPS-impersonated scams, 53% of women reported receiving one, while just 45% of men have received one.

When breaking down responses by generation, Gen Z is the most common receiver of scams impersonating USPS (55% reported receiving one) and UPS (54%), while millennials lead the way for IRS ones (32%). And Gen X is the most popular generation for Amazon (61%) and PayPal (49%) phishing lures.

Phishing Lure Trends in 2025

Phishing Lure Trends by Demographic

For overall trends, Gen X is the most frequent receiver of phishing lures, with 57% saying they receive an attack daily or weekly. That generation is also most likely to admit having fallen victim, with 24% saying they’ve been duped by a phishing lure.

Gen Z is the only generation that reported receiving more phishing lures by text message than by email. Meanwhile, 22% of the Baby Boomer generation say they report scams to the authorities—a more significant percentage than any other generation. Millennials consider themselves the most scam-savvy generation, with 51% feeling “very confident” in being able to identify a phishing lure.

Out of the notable trends by gender, men are more confident than women when it comes to these digital scams—49% of men claim to be “very confident” when identifying phishing lures, 12 percentage points higher than women. Additionally, 62% of women say phishing lures have become more difficult to detect in the past year, while 53% of men say the same.

The Future of Phishing Scams

Finally, we asked respondents about scams impersonating local businesses they know and trust—a growing trend. One-third of respondents said they’ve received phishing lures related to local businesses, while 32% reported receiving lures related to current events like natural disasters or local elections. Florida, Arkansas, and New York residents are the most likely to have received these locally targeted phishing lures—nearly one-half of respondents from Florida (48%) said they’ve received such a scam.

It’s worth noting that scammers are increasingly using AI to target victims. Artificial intelligence can result in more realistic messages, which result in lures with a higher click-through rate. AI can also enable scammers to send more than just text messages or emails—new voice cloning programs allow for attacks to impersonate humans over a phone call. Overwhelmingly, the evidence suggests that phishing lures are here to stay, and are steadily evolving to be more prevalent and sophisticated.

Protect Yourself from Phishing Lures with Education

Phishing attacks are not just a minor inconvenience. They can lead to financial losses, identity theft, major security breaches, and more. Whether it’s a fake package delay notice or a fraudulent prize claim, phishing lures are designed to trick you into revealing sensitive information. Understanding how these scams work is the first step in staying safe.

At Fullstack Academy, we’re dedicated to equipping the next generation of cybersecurity professionals with the skills to combat these rising threats. Over the course of bootcamp training, students learn how to protect organizations, networks and systems, and individuals from cybercrime.

Aspiring cyber professionals can get started today and join the fight against phishing lures with the Fullstack Academy Cybersecurity Bootcamp.

Methodology

In this study, we surveyed 2,456 Americans in all 50 U.S. states to learn more about phishing lures. We asked a variety of questions from how often, what type of phishing lures they most frequently receive, what companies are impersonated the most in these phishing lures, if they've fallen victim to a phishing lure, and more.

We then took each state's responses about frequent types of phishing lures to determine the most uniquely popular phishing lures in each state.

Due to a lack of survey responses, Alaska, Montana, North Dakota, Vermont, and Wyoming were not included in the most popular phishing lure list.