How to not get scammed

Out in the real world, you’d be called paranoid if you thought that everyone was out to get you. But on the Internet, it’s true: everyone really is out to get you.

Most email is spam. Plenty of websites are fakes. Many apps are thinly-veiled data-harvesting tools (yes, even TikTok), and some are straight-up malware (yes, even that neat flashlight app you downloaded a while ago). In an environment like this, it pays to be a bit skeptical. There’s an entire industry of criminals out there just waiting for you to make a mistake: to download this “hilarious puppy video”, to just “confirm your account details real quick”, to click the button that says “yes, I am sure I want to install this untrusted software from the Internet that is requesting all possible permissions”.

So then how does one become more skeptical? How does one learn how to not get scammed?

Basically, learn to question everything. Assume that every email, every call, every text, every website, and every app is trying to trick you. They are guilty until proven innocent.

Unsurprisingly, a mindset like this is hard to teach—and even harder to learn. And quite frankly, I’m not sure I actually can teach it. But maybe you can try to keep a sticky note on your laptop or something that reminds you to question everything, and if you see it enough, maybe you’ll remember to do it. And maybe if I tell you about some things to look out for, then eventually, through practice, you’ll start to pick up the patterns and figure out what’s legit and what isn’t.

So here we are. Get ready to train your instincts with some tips on how to act skeptically:

If it seems too good to be true, it probably is

Be wary of anything that’s free or that seems perfect. Told that you will receive a free gift if you can just pay the shipping costs or a customs fee? Scam! Randomly contacted about a job that pays you twice as much as your current one? Scam! Someone with an attractive profile pic says they want to date you but just need $200 for a plane ticket to visit? Scam!

Another classic: If you’re not the customer, you’re the product. In other words, if you’re not paying for something, they’re probably making money off of you some other way, e.g. by showing you ads, selling your data, and/or trying to install malware on your devices. Your favorite “free movies!!!” website probably isn’t the safest one around. Even paid products aren’t always safe!

In fact, I recommend that you almost never install apps if you don’t have to. Most apps are basically just websites, and indeed most of them also have websites that work just fine on phones. A big reason companies push the app is that an app can ask for permissions a website can’t, such as access to your location, contacts, calls, and other data. If you must install an app, don’t blindly install it because a website asked you to or because you found it while browsing the app store and it looked fun. Check that the developer listed is actually the company you expect, since copycat apps with the same name and icon are common. Read the reviews! Check the 1-star reviews in particular, since scammers often buy lots of fake 5-star reviews to bury the real ones (which are usually bad). And if an app asks for permissions that it doesn’t need, don’t grant them, and preferably don’t install the app at all!

Be wary of links and attachments in emails or other messages

Generally, if you get an email about something that literally just happened a few seconds ago, and you were expecting it, it’s probably safe. You know, like a confirmation email with your tickets for a flight you just booked. Stuff like that.

But otherwise, unless you really need to, just don’t open them. Ask yourself: “Is this really the person/company I think it is? Is this really the kind of email they would send? Is there anything about this that doesn’t seem quite right?”

If the message is suspicious and you know the sender, call them to confirm that they actually sent it, using a phone number you already have, not one from the message.

Always check that the sender’s email address is actually the correct one, and look at the address itself, not the display name: the name shown next to the address can be set to anything. For example, if the message claims to be from your bank, make sure the “From” address is something like “noreply@mybank.com”, and not mybamk.com, mybank.net, my.bank.com (extra period in the middle), mybank.other-site.com, or anything else weird like that. One caveat: a correct-looking From address isn’t proof on its own. Mail providers do check whether the sending server is allowed to use that domain (the checks are called SPF, DKIM, and DMARC), which stops most outright forgery, but not every domain publishes those records, so treat the address as one clue among several.

  • Hover over it first (or press-and-hold on mobile) to see the actual URL. Even if the link’s text looks like a URL, that doesn’t mean the link actually goes there. For example, try clicking this link: https://totallynotgoogle.com. If the link doesn’t match the text, someone is trying to trick you! A related trick uses “URL shortening” services, like bit.ly, which hide the real destination behind a short address and just redirect you to the real website when you click it. Sometimes shorteners are used for legitimate purposes, but it’s always better to be safe than sorry.
  • Instead of just clicking it, go to the site as you normally would, e.g. via a bookmark, or even just by Googling it (which is usually safer than typing the URL directly, since Google will catch typos—just make sure you’re clicking an actual result instead of an ad!).
  • If the link would bring you to a specific page that you can’t find by visiting the site normally, then copy the link (via right click, or press-and-hold on mobile; a “copy” option appears) and paste it into your browser’s URL bar (without hitting enter). Then delete and retype the domain name. Then hit enter. This will thwart those devious lookalike websites.
    • For example, if the link is http://mybank.com/message_center, then retype the mybank.com part. Yes, do it every time, even if it already looks correct! Here’s why: some lookalike domains use letters from other alphabets that are drawn exactly like the Latin ones (a Cyrillic “а” in place of a Latin “a”, say), so a domain can look perfectly right on screen and still be a different site. Retyping it replaces whatever characters were really there with the ones you meant. If you want to be resistant to typos, you can even copy the domain name from a known-good link and paste it into the suspicious one. I personally do this every time!
  • If doing the above is too much work for you… then at least look at the link really closely to make sure it’s the right site. And if you do end up clicking it, then:
  • Be skeptical of login pages. If you are given a link to a web page, Google doc, etc. and it brings you to a login page even though you thought you were already logged in… it’s probably a fake login page designed to steal your password. If you must view the file, go to the site via your regular method (NOT from the link) and make sure you’re logged in there. If you’re logged in on the real site, but not from the link, then the link is a fake.
  • Remember that scanning a QR code to visit a website is the same thing as clicking a link! In fact it’s even worse, because some apps may not even show you the full URL before you load the site.
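The “text says one site, link goes to another” check from the first bullet above, as an added example that is not part of the original post: a short Python script that scans an HTML email for links whose visible text names one site while the href actually goes somewhere else. The sample email and every domain in it are constructed for the example (anything ending in .example is a placeholder, and mybank.com stands in for a bank you trust).

```python
"""Added example, not part of the original article: flag links in an HTML
e-mail whose visible text names one site while the href goes to another.
The sample e-mail and every domain in it are made up for this example."""

import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A domain or URL written in the visible text of a link, e.g. "mybank.com/login"
# or "https://mybank.com". Text like "click here" won't match and is skipped.
DOMAIN_IN_TEXT = re.compile(
    r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> we are currently inside, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return [(shown_host, actual_host, href)] for links whose text names a
    site the href does not go to. Text saying mybank.com for a link to
    login.mybank.com is accepted; mybank.com.evil.example is not."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        match = DOMAIN_IN_TEXT.search(text)
        if not match:
            continue                      # nothing in the text to compare against
        shown = match.group(1).lower()
        actual = (urlsplit(href).hostname or "").rstrip(".")
        if actual != shown and not actual.endswith("." + shown):
            findings.append((shown, actual, href))
    return findings


# Constructed sample e-mail body (not a real message).
SAMPLE_EMAIL = """
<p>Dear customer, please review your account at
<a href="https://mybank.com.secure-alerts.example/login">https://mybank.com/login</a>
within 24 hours.</p>
<p>You can also read our <a href="https://www.mybank.com/help">help pages</a>
or track your request at <a href="https://short.example/9xq">mybank.com/track</a>.</p>
<p>Real address for comparison: <a href="https://login.mybank.com/">mybank.com</a></p>
"""

if __name__ == "__main__":
    for shown, actual, href in mismatched_links(SAMPLE_EMAIL):
        print(f"text says {shown!r} but the link goes to {actual!r}: {href}")
```

Run against the sample, it reports the first link (the text claims mybank.com, the href goes to a lookalike) and the shortened one (the destination is hidden behind short.example), and stays quiet about “help pages”, which names no site, and about the link whose text says mybank.com and really goes to a mybank.com subdomain.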

Oh yeah, and you know that https:// part at the beginning of a URL (where “s” = secure), or the little lock icon next to it? Just because you see that doesn’t actually mean you’re safe. All it tells you is that your connection is encrypted and that the page really is coming from the site named in the address bar, say, totally-google-search.com (just for example). Anyone who owns a domain can get a certificate for it, for free, in minutes. So it doesn’t mean that the site is trustworthy, nor does it mean that it’s related to or owned by Google. Don’t be fooled!

The only way to know for sure is if BOTH the front of the URL says “https://” AND the domain (the part right after “https://”, up to the next “/”) is exactly “google.com” or ends with “.google.com”, dot included (or whatever website you trust). So for example:

  • https://google.login.com/other?random=stuff is NOT legit! This is NOT Google! It is login.com!
  • https://google.com.login-google.com/other?random=stuff is NOT legit! This is NOT Google! It is login-google.com!
  • http://login.google.com/other?random=stuff is a real google.com address, but because it starts with “http” instead of “https”, nothing proves that the page you get back actually came from Google, and anyone on the network between you and the site could change it. Add the “s” to the URL and hit enter, and make sure your browser shows the lock icon with no errors before you type anything!
  • https://login.google.com/other?random=stuff is legit! The domain is actually google.com and it’s https.
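The two address rules above (the “From” address check earlier in this section and the https-plus-domain check for links), as one added Python example that is not part of the original article. It treats a short made-up list of domains as trusted and judges a URL or a From header against it. It also catches two tricks the bullets don’t show: an “@” in the address (https://google.com@evil.example/ really goes to evil.example, because everything before the @ is treated as a username), and non-Latin or “xn--” (punycode) domain names, which can be drawn to look identical to the real one. All domains and addresses in it are constructed.

```python
"""Added example, not from the original article: judge URLs and e-mail
From: headers against a short, made-up list of trusted domains, applying
the rules from the text. Every address below is constructed."""

from email.utils import parseaddr
from urllib.parse import urlsplit

# Hypothetical: the domains this reader trusts. Subdomains such as
# login.google.com count; google.com.evil.example and gogle.com do not.
TRUSTED_DOMAINS = ("google.com", "mybank.com")


def is_trusted_host(host):
    """True if host is a trusted domain or a subdomain of one (dot included,
    so 'evil-google.com' does not match '.google.com')."""
    host = host.lower().rstrip(".")            # 'google.com.' is the same name
    # Punycode or non-ASCII names can be homographs of a trusted name; never
    # auto-trust them even if they look right on screen.
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_url(url):
    """Return (verdict, host): 'ok', 'not-https', 'untrusted' or 'no-host'."""
    parts = urlsplit(url.strip())
    # .hostname drops the port and anything before an '@' (the userinfo), so
    # https://google.com@evil.example/ correctly yields 'evil.example'.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ("no-host", "")               # e.g. 'google.com/foo' has no scheme
    if not is_trusted_host(host):
        return ("untrusted", host)
    if parts.scheme != "https":
        return ("not-https", host)
    return ("ok", host)


def check_from(header_value):
    """Judge a From: header by its actual address, ignoring the display
    name, which the sender can set to anything (even to a trusted address)."""
    _display, addr = parseaddr(header_value)
    if "@" not in addr:
        return ("no-address", "")
    domain = addr.rsplit("@", 1)[1]
    return ("ok" if is_trusted_host(domain) else "untrusted", domain.lower())


if __name__ == "__main__":
    for u in ["https://google.login.com/other?random=stuff",
              "https://google.com.login-google.com/other?random=stuff",
              "http://login.google.com/other?random=stuff",
              "https://login.google.com/other?random=stuff",
              "https://google.com@evil.example/",
              "https://xn--ggle-55da.example/"]:
        print(check_url(u), u)
    for f in ["My Bank <noreply@mybank.com>",
              "My Bank <alerts@mybamk.com>",
              "My Bank <alerts@mybank.other-site.example>",
              '"noreply@mybank.com" <attacker@evil.example>']:
        print(check_from(f), f)
```

The last From header in the demo is the display-name trick: the part in quotes is just a label, and the real sender is the address in angle brackets, which is what the function judges.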

And one more thing: this is a bit of a tangent, but advanced users may find this article interesting, as it relates to things that websites can do to trick you: The Line of Death.

If you absolutely must download an attachment:

  • See if you can download the file directly from the website instead. Remember to go to the website via a bookmark or Google or something, instead of clicking any links in the email.
  • Check the file extension to make sure it’s the right type (if you’re using Windows, you may have to make Windows show file extensions first, since it hides them by default). For example, if the sender says they attached a Word doc (e.g. .docx) or photo (e.g. .jpg), but the file extension doesn’t match, then DO NOT OPEN IT. Watch out for double extensions like invoice.pdf.exe: with extensions hidden, Windows displays that as invoice.pdf, but it’s a program. Always look up a file extension that you don’t understand and make sure it’s not an executable one (e.g. .exe, .bat, .vbs, .js, or .sh).
  • If you open a Microsoft Office file, make sure you do NOT click the button to enable macros, even if it asks you to or says that certain features might not work.
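The attachment checks above (extension matches what was claimed, nothing executable, nothing that can carry macros), as an added example that is not part of the original article. It also looks at the first bytes of the file, since a file’s real type is in its contents, not its name, and it handles two naming tricks: double extensions like invoice.pdf.exe, and the “right-to-left override”, an invisible Unicode character that makes a name like photo‹RTLO›gpj.exe display as photoexe.jpg. The extension lists are illustrative, not complete, and the sample files are constructed byte strings.

```python
"""Added example, not from the original article: sanity-check an e-mail
attachment's name against the type the sender claimed and against the
file's first bytes. The extension lists are illustrative, not complete;
the sample files at the bottom are constructed byte strings."""

# File types that run code when opened (illustrative, not complete).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".hta", ".ps1", ".msi", ".jar", ".lnk",
                   ".sh", ".iso", ".img"}
# Office formats that can carry macros: the macro-enabled OOXML ones and the
# legacy binary ones (which have no separate macro-free variant).
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam", ".doc", ".xls", ".ppt"}
# How files of the commonly claimed types begin. .docx/.xlsx/.pptx are zip
# containers, so they share the zip signature.
MAGIC = {
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
RTLO = "\u202e"   # right-to-left override: reverses how the rest of the name is drawn


def split_ext(filename):
    """('invoice', ['.pdf', '.exe']) for 'invoice.pdf.exe'; the last entry is
    the extension the OS will actually use to open the file."""
    parts = filename.lower().split(".")
    if len(parts) == 1:
        return parts[0], []
    return parts[0], ["." + p for p in parts[1:]]


def check_attachment(filename, head, claimed_ext=None):
    """Return a list of warning strings; an empty list means nothing obviously
    wrong. `head` is the first bytes of the file, `claimed_ext` is what the
    sender said they attached (e.g. '.docx')."""
    warnings = []
    if RTLO in filename:
        warnings.append("name contains a right-to-left override; the displayed name is a lie")
    _stem, exts = split_ext(filename)
    ext = exts[-1] if exts else ""
    if ext in EXECUTABLE_EXTS:
        warnings.append(f"{ext} is an executable type")
    if ext in MACRO_EXTS:
        warnings.append(f"{ext} can contain macros; do not enable them")
    if len(exts) > 1 and exts[-2] in MAGIC:
        warnings.append(f"double extension: looks like {exts[-2]} but opens as {ext}")
    if claimed_ext and ext != claimed_ext.lower():
        warnings.append(f"sender said {claimed_ext} but the file is {ext or 'extension-less'}")
    if head.startswith(b"MZ"):
        warnings.append("content starts with 'MZ': this is a Windows program")
    elif ext in MAGIC and not head.startswith(MAGIC[ext]):
        warnings.append(f"content does not look like a {ext} file")
    return warnings


# Constructed sample attachments: (name, first bytes, what the sender claimed).
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF", ".jpg"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00", ".pdf"),
    ("photo" + RTLO + "gpj.exe", b"MZ\x90\x00", ".jpg"),
    ("report.docx", b"MZ\x90\x00", ".docx"),
    ("quarterly.xlsm", b"PK\x03\x04", ".xlsx"),
]

if __name__ == "__main__":
    for name, head, claimed in SAMPLES:
        print(repr(name), check_attachment(name, head, claimed) or ["ok"])
```

Only the real photo comes back clean. The “report.docx” case is the one worth remembering: the name and the claimed type agree, and only the contents give it away as a Windows program, which is why a name check alone is not enough.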

Don’t give out personal information to anyone who contacts you

…Even if they say they’re calling from your bank, doctor’s office, etc. It’s very common for scammers to call you to “confirm your password”, “confirm your account details”, or “confirm some personal information” in order to keep your account open or give you an “urgent message” or something. They just want your personal information so that they can steal your account/identity.

Other scammers may call pretending to be IT or tech support staff who need access to your computer to repair it or remove a virus or something. Never give out your password, and never install any software they ask you to install (especially “remote support” or “screen sharing” tools): it will let them control your computer, and from there drain all of your bank accounts, etc.

“But they already have my personal information, how else could they call me?”, you might ask. But by searching through public records, Facebook posts, and information from hacked companies, it’s actually surprisingly easy for a bad actor to get basic info about you. Yes, it’s quite likely that your full name, birth date, email address, real address, phone number, mother’s maiden name, and maybe even social security number are practically public information at this point, so don’t be fooled into thinking that anyone who has that info is legit. And even if that info is out there already, it’s still a good idea to never give it out willingly to anyone who asks.

“But they’re calling me about a specific thing that just happened to me!”, you may shout. Perhaps they’re calling about your recent Amazon order, or the student loan payment you just made, or your car’s expiring warranty. But unless they can tell you specifically what you ordered or your exact make/model/year, ignore them! Because guess what? Millions of people order stuff from Amazon, millions of people have student loans, and millions of people have cars. Scammers know this, and often will just send out bait in the hopes that it will be relevant to at least some of their victims. And that’s why you probably also receive spam emails/texts/calls about all of these things even if they don’t actually apply to you.

Oh yeah, and NEVER give out a one-time verification code (usually 6 digits, sent by text message, email, or an authenticator app) to anyone who asks for it. Sometimes, scammers on Craigslist, Facebook Marketplace, etc. will say that they will send you a code to “verify your identity” or “prove that you’re not a scammer”, but the code that is texted to you is actually from the other person trying to log in as you (or to register your phone number on some service in their name). They want the code so they can steal your account! The ONLY time you should ever use a verification code is when you yourself just tried to log in (or sign up, or change a setting) on a site and were told to expect one, and then you should only enter the code directly into that site, never read it out to someone who claims to be a “customer representative” or anyone else.

Never trust someone who asks for money

Particularly if they’re asking for money in the form of gift cards, prepaid VISA cards, Western Union, MoneyPak, Bitcoin, Monero, or other nonstandard methods. Criminals ask for these forms of payment because they’re harder to trace and harder to reverse transactions for. Legitimate organizations never ask for these. The IRS, police, etc. do NOT accept payment in iTunes gift cards.

You also should not move money out of your bank account because a caller told you to, whether via wire transfer, ACH transfer, Zelle, PayPal, etc. Scammers often convince people that they need to make a transaction to themselves in order to keep their money or move it to a “safe” new account, but the account details they give you are the scammer’s. And banks are unlikely to reverse transactions that you made yourself, since that’s not technically fraud (even if it was obviously a scam).

Another popular scam is the fake payment scam, where someone pays you too much (e.g. for something you’re selling online) and asks for a partial refund. What actually happens is that they pay with a bad check, a stolen card, or some other payment that will later be reversed. Banks make deposited funds available before the payment has fully cleared, so the money shows up in your balance and then disappears days or weeks later when the bank discovers the problem (yes, the banking system is really dumb for allowing this). When you give them a “refund”, you’re sending them real money, while in the end you lose all the fake “money” they gave you, which means… you lost money. And yes, your account balance can go negative from this! This also commonly happens when someone is trying to purchase something from you and is willing to give you extra money to “throw in a gift card for my daughter because it’s her birthday” or to “pay a courier who will be picking up the item”. Again, you’ll be giving them (or the “courier”) real money (or real gift cards) in exchange for fake money. When it comes to selling to strangers, cash in hand is king.

Be wary of anyone who threatens you or makes extremely urgent requests

These are very common scam tactics, since people are often more willing to comply if they are frightened and under pressure. If anyone tells you that they are from the IRS/FBI/etc. and will send you to jail if you don’t give them $300 for legal fees or bail by tomorrow, just hang up and ignore it. Even if they don’t mention gift cards, it’s still probably a scam.

If you’re really worried about jail and you simply must double check whether you’re actually in trouble, then hang up, look up the real number for the IRS/police/etc. on the internet, and call that number to confirm whether you are legitimately in trouble. Call 911 if you must. But do NOT just call back the number they called you from (or any number that they provided to you).

Never deal with anything important while you’re vulnerable

That means if you’re sleepy, drunk, stressed, scared, rushed, or otherwise impaired, hold off on making any important decisions until later. Scammers will try to use this to their advantage, by telling you that something bad will happen (like your account being closed, your utilities being shut off, or you being arrested) unless you act right that moment. This is intended to make you feel stressed and frightened so that you can’t think properly and realize it’s a scam. Don’t let them do that to you.

And this tip doesn’t just apply to foiling scammers—you really shouldn’t do anything important when you’re vulnerable, including things as simple as booking travel. It’s surprisingly easy to accidentally pick the wrong dates and then suddenly be out hundreds of dollars. (I know this from experience; I try not to do anything important after midnight now, as a rule).

What to do if you’re not sure whether something is a scam

If you’re not sure whether a phone call is a scam:

  • If you’re being told that you need to immediately pay some sort of fee or bail to resolve a legal/criminal/tax issue, then it’s probably a scam.
  • If the person says that you will be arrested (or something else bad) if you hang up, then it’s a scam.
  • If the person claims they have embarrassing videos/photos of you, they probably do not, and it’s probably a scam. Even if they do, don’t pay them to keep the photos/video secret, because they’ll likely just keep asking you for more and more money, and then perhaps release it anyway. Everyone is naked sometimes, just deal with the possible temporary embarrassment and move on. Maybe don’t send nudes any more, or keep a sticky note on your laptop’s webcam.
  • If the caller has broken English or uses odd words like “kindly”, treat that as one more warning sign, not as proof either way: plenty of legitimate staff aren’t native speakers, and plenty of scam scripts are written in flawless English.
  • Ask how to resolve the issue via the organization’s official phone number (e.g. the one on its website, on the back of your debit card, etc.). Ask for the caller’s full name, department, a case number, and a phone extension, then tell them that you’re worried this might be a scam, so you’ll call them back through the official number (and use the extension only after you’ve dialed that number yourself). Do NOT do anything they ask, and do NOT call them back on the number they called from or any number that they gave you. The reason you have to do this is that it’s incredibly easy for scammers to spoof phone numbers: they can make it look like the call is coming from your bank, your doctor’s office, your mom, anyone. Just because the caller ID says it’s from the official phone number… doesn’t mean it is.
    • If your phone number’s area code doesn’t match where you currently live, then you can probably assume that most calls from numbers with your same area code are also scams. Scammers often spoof a fake number that has multiple digits in common with yours, in order to make the call seem more “local” and “familiar”.

If you’re ever unsure about a scam:

  • Look it up. Many times, scammers follow a script, whether it’s on the phone or in an email. If you just Google some of the phrases, you’ll often find results where people discuss what the scam is.
  • Ask for a second opinion. Try posting on reddit.com/r/Scams. Or talk to someone knowledgeable and worldly.
  • Again, sleep on it and come back later. Most decisions can wait a day.

Conclusion

Hopefully you’ll be able to take some of these tips to heart, or if not, at least remember to re-read this article occasionally to refresh your memory. Yes, being vigilant to scams isn’t easy, and making sure that you’re safe is often inconvenient. You may think to yourself: “Why am I bothering to call people back or never click links in email? Nobody else does this stuff and they’re just fine”. Well the problem with that… is that everyone is NOT just fine. People get scammed by these methods all the time—and most are probably just too embarrassed to talk about it.

And as for the ones who haven’t been scammed yet and still aren’t taking any precautions? Well, they’re just lucky… for now. Don’t rely on luck. Put in the work, and stay safe!
