Every year, millions of people lose money to online scams — not because they are careless or naive, but because modern fraud is sophisticated, well-funded, and designed by professionals who study human psychology. The good news is this: scams rely on a small set of repeatable tactics, and recognizing those tactics is a skill anyone can build with a little practice.
This guide walks through the most common scam types you are likely to encounter, the warning signs they share, a practical checklist for verifying suspicious contacts, and clear steps to take if something goes wrong. The goal is to leave you informed and confident — not anxious.
7 Common Scam Types — and How They Work
1. Phishing (and Its Cousins: Smishing and Vishing)
Phishing is the practice of sending a message that impersonates a trusted organization — a bank, an email provider, a delivery service — to trick you into clicking a link and entering your credentials. The email looks genuine: correct logo, a professional layout, even a footer with copyright notices. The tell is the URL. The link leads not to your bank's real domain but to something like secure-bank-alert.net or a domain with a subtle typo.
Smishing uses text messages instead of email. Vishing uses phone calls, often with spoofed caller-ID that shows a number you trust. The FBI has noted a rise in vishing campaigns where callers impersonate financial institutions and convince victims to "confirm" their full account number to prevent a fraudulent charge.
Real Example
You get a text: "Your parcel could not be delivered. Update your address to avoid return." The link leads to a clone of a real courier site that asks for your card details to pay a small redelivery fee. There is no parcel. The fee is a pretext to harvest your card number.
2. Fake Invoice Fraud
A realistic-looking invoice arrives by email, usually for a service renewal — cloud storage, antivirus software, a subscription you may or may not actually have. The amount is small enough to feel plausible but large enough to be alarming. The invoice instructs you to call a phone number to dispute the charge. When you call, you are connected to a "fraud agent" who eventually requests remote access to your computer or asks for payment via gift card to "process the refund."
3. Tech-Support Scams
A pop-up fills your browser screen warning that your computer is infected and that you must call a support number immediately to prevent data loss. The pop-up may play an alarm sound and make it difficult to close the window. The "technician" on the other end walks you through installing remote-access software, then uses that access to create fake problem demonstrations, access your files, or install real malware. Legitimate operating system makers and antivirus companies never initiate contact with you about a problem they have spotted on your machine.
4. Romance Scams
Someone contacts you on a social platform or dating app. Over weeks or months, they build a warm, detailed relationship — sharing life stories, photos, daily check-ins. Eventually a crisis emerges: a medical emergency, a stranded flight, a business deal that needs a short-term loan to proceed. The request for money follows. Romance scams are among the highest-value frauds per victim because the emotional investment is real, even if the relationship is fabricated. The perpetrators — often operating from overseas networks — play long games, sometimes maintaining contact for six months or more before asking for money.
5. Marketplace and Classified-Ad Scams
When selling an item online, a buyer offers to pay more than your asking price, sends a fake payment confirmation, then asks you to forward the "overpayment" to a shipping agent before the funds clear. Since no real payment was made, you lose both the item and the forwarded cash. When buying, a seller requests payment by instant transfer or gift card before shipping, then disappears. Always confirm payment has fully cleared in your actual bank account before releasing goods, and treat any buyer who overpays as a red flag regardless of their explanation.
6. Prize and Lottery Scams
You have won a prize you never entered for. To claim your winnings, you must pay a small processing fee, a customs charge, or a tax advance. That fee is the scam: there are no winnings. Real lotteries and contests deduct fees from prizes and never require winners to pay upfront. The prize itself is always described in vague but enticing terms — often a large cash sum or a luxury item — to maximize the temptation to pay.
7. Impersonation Scams (Government, Family, and Executive)
A caller claims to be from a tax authority, a social security office, or law enforcement. Your account has been flagged for suspicious activity. You owe back taxes and will be arrested within hours unless you pay immediately. The pressure is intense and deliberate: scammers want you frightened, not rational. In family impersonation scams — sometimes called "grandparent scams" — a caller claims to be a grandchild in legal trouble, desperately needing bail money wired before the family is told. Business email compromise is the corporate version, where a hacker spoofs an executive's email address to instruct an employee to wire funds to a new account.
Universal Red Flags
Despite their different disguises, almost all scams rely on one or more of these pressure mechanisms:
| Red Flag | What It Looks Like | Why Scammers Use It |
|---|---|---|
| Artificial urgency | "You must act within 2 hours or lose your account." | Panic shuts down critical thinking. |
| Secrecy demands | "Do not tell anyone — this is a confidential matter." | Prevents you from getting a second opinion. |
| Unexpected contact | A message about an account, prize, or problem you did not initiate. | Catches you off guard and unprepared. |
| Too-good-to-be-true reward | Huge winnings, guaranteed returns, free luxury items. | Greed overrides caution. |
| Requests for personal data | Full date of birth, account numbers, passwords, or identity document photos. | Enables account takeover or identity theft. |
| Unusual payment method | Gift cards, wire transfer, cryptocurrency, money orders. | These payments are irreversible and untraceable. |
| Spelling and grammar errors | Inconsistent capitalization, strange phrasing, wrong currency symbols. | Often a sign of low-quality, mass-produced fraud. |
Suspicious Payment Requests: A Hard Rule
The payment method a scammer suggests is your most reliable alert signal. Treat each of the following as an automatic stop sign:
- Retail gift cards — No government agency, tech company, or legitimate business collects payments via gift card codes read over the phone.
- Peer-to-peer instant transfers — Once sent, these funds are almost never recoverable, even if the recipient is identified.
- Wire transfers to a new or foreign account — Especially suspicious when the request comes by email from someone you normally pay by other means.
- Cryptocurrency "for your protection" — Legitimate organizations do not ask customers to convert cash to cryptocurrency to resolve an account issue.
- Overpayment cheques — A cheque that clears initially can still bounce weeks later under bank rules, leaving you liable for the full amount.
Remember This
If you feel pressured to pay right now using an unusual method, that pressure itself is the scam. Pause. Call the organization directly using a number from their official website — never the number from the suspicious message.
How to Verify Before Acting
Verification is a simple habit that stops almost every scam in its tracks. For any unexpected message requesting action or information, work through this checklist:
- Do not use contact details from the message. Look up the organization's official website independently — type it into your browser, do not click the link in the email.
- Check the sender's actual email address — not the display name, which can say anything. In most email clients you can click or hover the name to see the full address. Legitimate organizations use their own domain consistently.
- Hover over any link before clicking. Your browser shows the real destination URL in the status bar at the bottom of the screen. Compare it carefully to the legitimate domain.
- Call the organization directly using the phone number listed on their official website or the back of your card.
- Talk to someone you trust before sending money or sharing personal data. Even a five-minute conversation can break the spell of urgency.
- Search the exact wording. Copy a distinctive phrase from the suspicious message and search it online. Scam texts and emails are often mass-distributed, and victims post reports quickly.
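The sender-address and link checks from the list above can also be expressed as a short script. This is an added example, not part of the original guide; examplebank.com and the sample headers and URLs are constructed placeholders, and the typo threshold of two characters is an assumption.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed placeholder: the domain you looked up yourself on the
# organization's official website, never one copied from the message.
OFFICIAL = "examplebank.com"

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-letter typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def verdict(host, official=OFFICIAL):
    """Classify a host name against the official domain."""
    host = host.lower().rstrip(".")
    if host == official or host.endswith("." + official):
        return "matches"          # the real domain or one of its subdomains
    # Assumption: the registrable domain is the last two labels. This is
    # naive for suffixes such as .co.uk but enough to show the idea.
    tail = ".".join(host.split(".")[-2:])
    if edit_distance(tail, official) <= 2:
        return "lookalike"        # subtle typo or letter substitution
    if official.split(".")[0] in host:
        return "contains-brand"   # brand name placed inside another domain
    return "unrelated"

def check_sender(from_header, official=OFFICIAL):
    """Ignore the display name; judge only the domain of the real address."""
    _display_name, address = parseaddr(from_header)
    return verdict(address.rpartition("@")[2], official)

def check_link(url, official=OFFICIAL):
    """Judge the host the link really goes to, not the text shown for it."""
    return verdict(urlsplit(url).hostname or "", official)

if __name__ == "__main__":
    # Constructed samples
    print(check_sender('"Example Bank Support" <alerts@examp1ebank.com>'))
    print(check_link("https://examplebank.com.secure-login.example.net/login"))
    print(check_link("https://secure-bank-alert.net/verify"))
```

Only a "matches" result means the address or link belongs to the domain you looked up yourself; every other result is a reason to stop and contact the organization through its official channel.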
If You Have Been Targeted — What to Do Next
Being targeted by a scam is not a reflection of your intelligence. These operations are run by organized teams that refine their techniques constantly. What matters is responding promptly and calmly.
If you gave away financial information
- Call your bank or card issuer immediately using the number on the back of your card. Most have dedicated 24-hour fraud lines. Ask them to flag your account and reverse any unauthorized transactions.
- Change your online banking password and any other account that shares the same password or email address.
- Enable two-factor authentication on your most important accounts if you have not done so already.
If you gave away personal identity information
- Contact your national credit reporting agencies to place a fraud alert or credit freeze on your file. This prevents a scammer from opening new credit in your name.
- Keep records of everything: screenshots, email headers, transaction confirmations, dates, and phone numbers.
Report it — your report helps others
Reporting to your national consumer protection or fraud-reporting agency takes about ten minutes and directly informs law enforcement investigations. In many countries you can also report to a dedicated national cyber crime unit. The data from individual reports is aggregated to track scam networks and shut them down. Your experience, documented and reported, has value beyond your own situation.
This Is Important
Many people feel embarrassed after a scam and delay acting. The delay is what costs them most. Call your bank in the first few hours and your chances of recovering funds are significantly better than if you wait days. There is nothing to be ashamed of in reporting promptly.
Protecting Family Members
Helping a parent, grandparent, or less tech-savvy family member build scam awareness is one of the most valuable things you can do. The key is to make it a conversation, not a lecture.
Establish a family verification rule
Agree on a simple household policy: before sending money or sharing sensitive information in response to any unexpected contact, make a quick call to a family member first. Frame this as a shared team approach — "we look out for each other" — rather than implying the person cannot handle their own affairs. The two-minute call becomes a habit that prevents loss.
Talk about specific scams by name
Abstract warnings ("be careful online") are less effective than concrete examples. Describe the grandparent scam specifically: "If someone calls claiming to be me in trouble and needing money urgently, hang up and call me directly on my usual number before doing anything." Named scenarios are easier to recall in the moment.
Make verification feel easy, not paranoid
Keep a short list of trusted phone numbers — bank fraud line, family contacts — posted somewhere visible near the phone or saved in an easy-to-find place on their device. Practice looking up an organization's number using a browser rather than calling numbers from messages. A few rehearsals build the reflex without turning every online interaction into an ordeal.
Check devices periodically
Offer to check that operating systems and apps are updated, that antivirus software is active, and that no unexpected remote-access applications have been installed. Make this feel routine — "mind if I just check things are running well?" — rather than surveillance.
Frequently Asked Questions
What is the single biggest warning sign of an online scam?
Artificial urgency is the most reliable red flag. Scammers need you to act before you think, so they invent deadlines — "respond in 24 hours or your account is closed," "claim your prize today only." Legitimate organizations almost never pressure you to decide instantly.
How do phishing emails trick people who are otherwise careful?
Modern phishing emails clone the visual design of real companies almost perfectly — logos, colors, footer disclaimers. The trick is in the link: hover over any clickable text and the actual URL (shown in your browser's status bar) will be slightly wrong, like a long random domain followed by "/login", or a subtle letter substitution in the company name.
If I think I have been scammed, what should I do first?
Stop all contact with the scammer immediately. If you shared financial information, call your bank or card issuer right away — most have 24-hour fraud lines. Change any passwords you may have revealed. Then report the incident to your national consumer protection agency and, if relevant, your local police.
Are gift cards really used in scams? Why would a scammer want gift cards?
Yes, gift cards are a scammer favorite because they are essentially untraceable cash. Once you read the card numbers over the phone, the money is gone and cannot be reversed. No legitimate government agency, tech company, or utility will ever ask you to pay a bill or fine using a retail gift card.
How can I help elderly relatives stay safe from scams?
Establish a simple household rule: before sending money or sharing personal details in response to any unexpected contact, call a trusted family member first. Frame it as a shared code, not a loss of independence. Regular, casual conversations about scam tactics — without alarming language — also build healthy skepticism over time.