A short list of reflexes worth keeping.
Most scams pivot on the same handful of human reflexes. These rules cover almost every scam in the library. The specifics change. These do not.
- Call back through a number you found yourself
If someone contacts you claiming to be your bank, the IRS, or a tech company, hang up and reach them through a number you look up independently.
- Treat urgency as a scam signal
Real institutions give you time. Pressure to act in the next few minutes is one of the loudest signals a scam gives off.
- Make them prove who they are, not the other way around
A real institution can confirm details about your account. A scammer needs you to confirm details for them.
- Reach websites by typing the address, not by tapping a link
Type the address yourself or use a saved bookmark. Tapping a link from an email or text hands the destination to whoever sent it.
- Don’t trust the name on the screen
The name on your screen shows what someone wants you to think. The actual caller or sender is a separate question.
- Never give out a password, a 2FA code, or remote access
Legitimate support never needs your password, your one-time code, or control of your screen. Anyone asking for those things is running a scam.
- If you did not start the conversation, you are not in control of it
Whoever initiates contact sets the script. Reset by closing the channel and reaching out yourself.
- Verify any money request through a second channel, even from people you know
If a friend, boss, or family member messages you needing money or gift cards quickly, confirm through a different channel before you do anything.
- Gift cards, wire transfers, and crypto are scam currencies
Legitimate bills, fines, and fees are paid with checks, cards, or bank transfers. If a stranger wants gift cards, Bitcoin, or a wire, the request itself is the scam.
- Use a unique password for every account, and let a password manager remember them
Reusing one password across accounts means one breach opens all of them. A password manager handles the remembering so you can stop.
- Turn on two-factor authentication, and use an app instead of text messages
Two-factor authentication blocks most account takeovers. An authenticator app is stronger than codes sent by text.
- The follow-up “we can help you recover your money” call is the second scam
After a scam, recovery specialists appear quickly. They are almost always the same network, coming back for a second pass.
- Getting scammed is what these operations are designed to do
Scams are engineered by full-time professionals targeting normal human reflexes. Anyone can be caught on the wrong day.
- When in doubt, do nothing and ask someone you trust
Doing nothing is almost always safe. The cost of waiting an hour to ask a trusted person is nearly zero.
- A login screen is only as safe as the page hosting it
Real-looking login pages are easy to clone. Check the address bar, or skip the link entirely and go to the site directly.
- Treat public Wi-Fi and unknown USB ports as untrusted
Free Wi-Fi networks and borrowed chargers can be rigged to capture what passes through. For banking or logins, use your phone's cellular data and a charger you own.
- Real agencies write letters
Government agencies and utilities open serious conversations by physical mail. A first contact that arrives as an urgent call is almost always a scam.
- If you can’t undo it, it’s probably a scam
Real transactions can be disputed, reversed, or paused. Anything pushing you toward a one-way action is designed that way for a reason.
- Real companies have real phone numbers
A legitimate employer, support team, or business has a website, a published main number, and a real address. If the only way to reach them is a chat window or a messaging app, that is the tell.
- You cannot win a contest you didn’t enter
Prize notifications for sweepstakes you never signed up for are scams. Every time.