A Defensive Computing Checklist    by Michael Horowitz

SCAM SCHOOL

When it comes to scams, the rule is Never Trust.

  1. When you get a text message, you have no idea who sent it. Act accordingly.
  2. When you get an email message, again, you have no idea who sent it. The FROM address can be faked. If you don't understand the rules for Domain Names, you can be easily tricked. Even if the FROM address is legit, it does not mean that that person actually sent the message. Act accordingly.
  3. When you get a phone call, you have no idea who the caller is. CallerID can be forged. Voices can be artificially generated based on a very small sample of someone speaking. Act accordingly.
  4. If anyone calls and says they are from Apple, Google, Gmail or Microsoft, it is a scam. No one from Apple, Google or Microsoft will ever call you, out of the blue, for any reason.
  5. If you ever think there might be an issue with your bank or credit card, DO NOT call the number in the text message or email message or the whatever. For a credit card, only call the phone number on the card. The safest place to get a bank phone number is from a bank statement.
  6. Searching online for a customer service phone number is likely to lead you to bad guys. They love to trick search engines to attract victims who have not seen this page.
  7. In the US, phone calls from/to area code 833 are more suspicious than other area codes.
  8. The person contacting you knows so much about you that they must be legitimate. No. No. No. As a result of far-too-many data breaches, and the total lack of privacy legislation in the US, the bad guys know a lot about you. This has been true for a long time, but it is getting worse. See AI, huge hacks leave consumers facing a perfect storm of privacy perils by Joseph Menn for the Washington Post (last update Dec 3, 2024). Quoting: "Hackers are using artificial intelligence to mine unprecedented troves of personal information dumped online in the past year, along with unregulated commercial databases, to trick American consumers and even sophisticated professionals into giving up control of bank and corporate accounts."
  9. December 18, 2024: Brian Krebs wrote How to Lose a Fortune with Just One Bad Click about someone who lost control of their Gmail/Google account. In part, the victim was scammed by an email message sent from google.com. Normally this means the email came from Google, but not here. The article references this December 2023 article by Graham Cluley: Google Forms Used in Call-Back Phishing Scam. Suffice it to say that the Google Forms system can be abused by bad guys to send victims scam emails that really come from google.com. As I write this, it has been over a year and Google has not fixed this problem.
  10. Get a message about an expensive thingy you purchased with a phone number to call? Don't call. The thing may be an Apple computer or an anti-virus program. Whatever. You did not buy it.

    A picture is worth a thousand words, so here is a real-life example of this scam. A Gmail user sends an email thanking the victim for the purchase of cryptocurrency and attaching a phony invoice. The attachment is an image, not a PDF file, which, I assume, is done to avoid detection. This is a particularly stupid scam as the body of the message is about a refund while the subject line is about a purchase. No matter, the point here is to get you to look at the false invoice and make a phone call to cancel the order that never existed.

  11. The majority of prompts, asking you to install software, are scams. As Brian Krebs says "If you didn't go looking for it, don't install it!"
  12. If you try to log in to a website/system and get a text message with a temporary code as an additional login step, NEVER EVER NEVER give that code to anyone. NEVER. All instances of this are scams. Now I frequently see a warning included with the temporary code; this is progress.

    An interesting example of this was given in this Washington Post article: AI, huge hacks leave consumers facing a perfect storm of privacy perils by Joseph Menn (December 3, 2024). The almost-victim is a widely recognized privacy expert who came very close to being scammed himself. Google accounts have a recovery phone number for when you forget your password. A bad guy calling from a Google support number warned the almost-victim that someone might be trying to take over their email account by adding a new recovery phone number. At this point the almost-victim made two mistakes. One, they forgot that CallerID is not trustworthy. Two, they forgot that there is no tech support for free services, such as Gmail. Maybe he let this slide because he was somewhat famous and thought he was special? Dunno. The scammer told the almost-victim their previous recovery phone number to prove they really worked for Google. But, between the lack of privacy in the US and data breaches, his phone number was widely available to bad guys. Trusting this was the 3rd mistake by the almost-victim. The scammer said they created a ticket for the issue and needed to prove that the almost-victim was really the almost-victim. First, the bad guy sent the almost-victim an email. Eh. Then, the good stuff: The bad guy sent a code to the almost-victim's phone to ensure that he really had control of the correct recovery number. It was not until the scammer asked the almost-victim (again, an expert in this stuff) to read back this code that the light bulb went off in the almost-victim's head. End of scam. There was always a tiny delay before the scammer spoke, so the thinking is that the voice was an AI-assisted translation from text to speech.

  13. Messages that appear to be from the U.S. Postal Service, FedEx or UPS about a shipment issue are likely scams.
  14. Common scam: Alert! Storage Full. Your account has reached its allocated capacity. Backup services, file synchronization, and incoming communications are currently suspended.
  15. Any message that requires you to act quickly is likely a scam. The power company is not turning off your electricity tomorrow morning. Scams pretend that you must act quickly so that you don't have time to take a breath and question things.
  16. When you hear someone's voice, be it a famous person or a relative in distress, be aware that the voice and the words could both be fake.
  17. If anyone calls and asks for your Medicare, Social Security, or bank or credit card information, hang up.
  18. If someone is trying to get you to transfer funds out of your bank, investment or retirement account "for your protection", it's a scam. This may start with a phone call where the CallerID was spoofed to appear to be from your bank. A scammer will warn that your account has been hacked. Then they, or a phony supervisor, will walk you through a reversal procedure to secure your money. This just sends your money to the bad guys. To further appear legitimate, the bad guys may provide valid information about you or your account. No doubt, this information comes from one of the hundreds of data breaches that happen every day.
  19. Official agents of the U.S. government do not message you on Facebook, WhatsApp or any other social media or messaging app. Likewise, they don't call on the phone. If you think you are being contacted by the U.S. government the best thing to do is to contact the agency directly.
  20. Most everything involving cryptocurrency is a scam.
  21. If anyone wants remote access to your computer, run for the hills.
  22. There are wolves in sheep's clothing. If you get a message, intended for someone else, from a very kind and polite person, it may be the first step in a pig butchering scam. The scammers will start off talking about small things and keep the conversation going and going. For months they will continue to engage with a victim. Eventually, they will become a friend, and then a trusted friend and, finally ... gimme money.
  23. Too many ads are scams. See the page here on Web Browsers for information about installing the uBlock Origin ad-blocking browser extension.
  24. April 23, 2026: There’s a New Phishing Scam: Fake Invitations by Steven Kurutz for the New York Times. The scam emails pretend to be from Paperless Post, Evite and Punchbowl. Sometimes clicking the link in the email appears to do nothing, but under the covers it has installed a virus. Other times, the link is functional but it opens a web page that asks for a password or other personal information. Defenses:
    To verify a message from Paperless Post, send it to phishing@paperlesspost.com
    See Spotting fake Paperless Post emails and spam texts: How to know what’s real from Paperless Post
    See Is that Evite real or a phishing scam? How to tell the difference from Evite.
  25. Here's an easy one: Never Buy Tickets on Social Media - It's Nearly Always a Scam by Joe Keeley for How To Geek. December 6, 2024.
  26. FYI: Free Service to detect scam emails. This free email scam detector gives you the protection Gmail and Outlook don't by JR Raphael for Fast Company. August 9, 2025. Quoting: "Snitcher Space does just one thing and does it impressively well: It analyzes any email you send it, on the spot, and tells you if it seems likely to be a scam - along with exactly what red flags (if any) led to that verdict . . . It's an incredibly useful resource for identifying fishy emails and instantly confirming that something isn't what it seems - and, in all likelihood, is out to try to scam you in some way . . . just forward [an email] to the address scan@snitcher.space."
  27. FYI: Seniors in the US should review this advice from the Social Security Administration: Protect Yourself from Scams. There is actual good advice here.
  28. FYI: Good, but undated, advice from American Express How To Detect Scams and Prevent Fraud. However, they nag you to install their mobile app. There is no need for this, and I don't think it is a good idea to have financial apps on a phone that can be lost or stolen.
  29. FYI: New scams are always being invented. To keep up, the Federal Trade Commission issues consumer alerts about scams that you can get for free. If you are an AARP member, you can get their biweekly Watchdog Alerts newsletter about the latest scams.

Money: Of course a scam ends with the victim paying out money. Bad guys like to use forms of payment that are hard to trace such as: a gift card, prepaid debit card, cryptocurrency, wire transfer, money transfer, or even mailing cash. They may even try to get you to transfer your money to their super special, extra protected account.

The use of gift cards, in particular, has been so common that ...

... any time you are asked to pay for something with a gift card ...

... it is a scam.

Here we see a drug store that fought back against these scams.

And, again

Rules of the road

Act accordingly.

Created: April 26, 2026. Last Updated: April 26, 2026.
Website by Michael Horowitz. Copyright 2019 - 2026