It’s surprisingly easy to fall for an online scam even if you’re hyperaware of all the ways bad actors can trick you. Online scammers are playing a numbers game. If they send out their scams to enough people, they’ll find a few people who possess a magic combination: Folks who are distracted by life and also concerned with their online accounts.
That’s how I almost fell for an online scam. My credit card bill was coming due, but I was busy that month, and paying the bill was just one of many things percolating in the back of my mind. Then I suddenly got an email stating my bank was freezing my account if I didn’t log in. “Oh no!” I thought. “I’m late paying my bill.”
Without another thought, I clicked on the link in the email, even though I knew the right thing to do was type out the URL myself. I was just about to put in my login details when another thought came bubbling to the surface: Something seemed not quite right.
I checked the website address, and sure enough I was about to enter my details into a phony website designed to harvest login credentials for my bank. It was a near miss. I had almost been the victim of phishing. This happened despite the fact that I’ve reported on just these kinds of exploits. Heck, I’d even written several articles with security tips about how you should never click on a link to your bank from inside an email.
Caught at the right moment of vulnerability, anyone can fall for an online scam. When you’re prepared, however, spotting an online scam is fairly straightforward. Then when the stars align to make you susceptible to an online scam, you might save yourself by knowing what to look for.
Here are some basic rules you can use to keep yourself and your online accounts out of the hands of the bad guys.
Rule #1: If you’re not expecting it, you shouldn’t expect it
A standard trick for online scams is to get you to click on a link. This link can show up in an email, a hijacked messaging account of one of your friends, a WhatsApp message, or even an SMS. The idea is to direct you to a malicious website. Then the scammers will try to download malware onto your device, or trick you into revealing your login credentials on a phony website that looks like the real thing.
The best way to combat these scams is to never click on a link you weren’t expecting. If you get an email stating your bank account is about to be frozen, or your PayPal email account suddenly needs to be validated, don’t click. Even if you check that the email address and the link are leading to the real thing, just as a matter of security don’t click. Instead, enter the website address yourself by typing it out in the address bar. Don’t search for it—instead type it out yourself.
Then, once you’ve logged in to the legitimate website, you’ll be able to see if whatever the email claimed was real.
Tip: A good way to avoid falling for a phishing website is to use a password manager and its browser extension. If you land on a website that isn’t legitimate then the extension won’t supply your login details. Indeed, even if a website has a tricky URL like “paypal.com.098uq3409847890.net” it shouldn’t fool mainstream password managers.
Rule #2: Don’t buy into urgency
A classic scam is for someone to hijack a person’s Facebook account and then contact all her friends via the hijacked account. Often the scammer will claim some kind of emergency that puts your friend in jeopardy, such as, “I’m in London. I’ve been robbed, and I have no money.”
When you know this is a scam, you can see where it’s headed. In the moment of urgency, however, it can be harder to spot. Of course, you want to help your friend: “Oh my goodness! A foreign country where they might end up on the street? I need to help.”
Because an “emergency” is in play, scammers are banking on the likelihood you won’t look too closely at the details, and instead just take action. But on your end, you must resist the urge to act immediately. If your friend is in dire straits, you can still ask to talk to her on the phone, or verify with someone else over the phone that she is truly where she claims to be. The key is to talk to another human being whose voice you can recognize because pretending to be someone else via a text chat is so easy. Do not, however, take the word of some “hotel manager” or a supposed good Samaritan who’s speaking on behalf of your friend.
You can apply the same basic principle when it comes to taking immediate action to “unfreeze” your account. First, a bank or credit card company is more likely to call you or send a letter about dramatic action versus dropping you a note in Gmail. Nevertheless, if you want to be sure, type in the URL of your bank or credit card manually to visit the site. If there is truly a threat to your account, the institution will alert you once you log in.
Rule #3: If it’s too good to be true…
If it’s too good to be true, then it probably is. This may be a cliché, but it’s also a good rule of thumb. Money doesn’t just come tumbling out of your inbox, after all. If a lawyer or business contacts you via email about making a tidy profit on a business transaction or reclaiming some kind of inheritance money, don’t fall for it. This sort of thing just doesn’t happen, no matter how legitimate these offers may seem.
This also goes for online sales. Yes, you can find some fantastic sale prices on Amazon, Best Buy, and other places online. But if you get an email or see a link on social media leading you to an incredible sale price on a site you’ve never heard of, then take a step back. Do some basic research using consumer sites like Trustpilot, Sitejabber, and the Better Business Bureau to see what others have to say about the business. What you’re looking for is overwhelming evidence that the site is legitimate. If you don’t find any information about the site or only a few sparse reviews, that is a huge red flag.
Advanced Tip: Hover over links
The next time you get a legitimate email from your bank, try this trick for practice. Use your mouse pointer to hover over the button or link your bank wants you to click without actually clicking it. Next, look in the lower left corner of your browser window. You should see the web address the link will take you to.
That’s an easy way to spot a scam because a bad link will never lead to your bank’s website, and scammers will often use a link-shortening service to try and hide that fact.
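The check you make by eye when hovering, and the one a password manager makes before filling in a login (see the tip under Rule #1), can be written out as code. This is an added example, not code from any password manager: the function names are hypothetical, the sample links are constructed, and the matching is simplified.

```javascript
// Added example. Function names are hypothetical, and production matching
// also needs the Public Suffix List, which this sketch leaves out.

// Naive check: "does the link mention my bank's domain anywhere?"
function naiveLooksLike(link, savedDomain) {
  return link.toLowerCase().includes(savedDomain.toLowerCase());
}

// Stricter check: parse the link, require https, and compare the hostname
// from its right-hand end, where the registered domain actually lives.
function belongsToSite(link, savedDomain) {
  let url;
  try {
    url = new URL(link);
  } catch (err) {
    return false; // not an absolute URL, so nothing to fill in
  }
  if (url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  const saved = savedDomain.toLowerCase();
  // Exact match, or a subdomain separated by a dot (label boundary).
  return host === saved || host.endsWith("." + saved);
}

// Constructed sample links; the second hostname is the one quoted in the tip.
const samples = [
  ["https://www.paypal.com/signin", "paypal.com"],
  ["https://paypal.com.098uq3409847890.net/signin", "paypal.com"],
  ["http://www.paypal.com/signin", "paypal.com"],
  ["https://mybank.example/login", "bank.example"],
];

// Run both checks over every sample so the difference is visible side by side.
function checkAll() {
  return samples.map(([link, saved]) => ({
    host: new URL(link).hostname,
    naive: naiveLooksLike(link, saved),
    strict: belongsToSite(link, saved),
  }));
}

console.table(checkAll());
```

Every sample passes the naive check, but only the first passes the strict one, which is why reading a hostname from right to left matters more than spotting a familiar name somewhere inside it.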
There are a few other things you can watch out for, such as poorly worded emails and chat messages, though this has become a less reliable guide in recent years. Another red flag is when someone asks for money in a non-traditional form like a gift card or a cash reload card. Even requests for wiring money can be suspect. The FTC has a good video on what to watch out for when being asked for money via the phone or online.
The Internet is a great place to find information and manage your life, but it can also be a place where it is far too easy to get duped if you’re not paying attention.