Someone on a call, chat, or message asks for a login, a verification code, or permission to take a look at your device.
This rule has very few real exceptions. Banks do not need your password to look at your account. Microsoft does not call to fix a virus. Apple does not text you a code and then ask you to read it back. The IRS does not need a Google Play card.
If you remember nothing else from this library, remember this one. A code read aloud is an account given away.
A text claiming your bank just blocked a suspicious $487 charge and asking you to call a number to confirm or deny it.
A loud pop-up on a website claims your computer is infected and tells you to call a number for Microsoft or Apple to fix it.
A caller says they're refunding you money, 'accidentally' sends too much, and asks you to send the difference back.