The best way to protect oneself is to carefully inspect two key indicators of incoming email: the email address in the “from” or “reply-to” fields and the domain of the landing page. All legitimate Chase email addresses should end with chase.com and nothing else. If, for some reason the email seems to be legitimate, call a local branch or the phone number at the back of a Chase debit/credit card and ask if any fraudulent activity was detected. If, for some reason checking the email does not suffice, examine the link. Doing a long press on the link if on a smartphone or right-clicking to copy the link on a desktop computer can allow you to copy the forwarding link and paste it onto a notepad or use a URL service urlscan.io that can assist in determining if the landing page is a real Chase sign-in page. As always, slowing down to examine the alert you are getting will be the most effective tool to determine because, at that point, one can take time to explore the potential phish more closely. If in doubt, do not use the link from the email, and instead log in through the bank’s normal website or app.

References:
https://www.bleepingcomputer.com/news/security/psa-active-chase-phishing-scam-pretends-to-be-fraud-alerts/
https://urlscan.io/