How to recognize, avoid, and beat the scams.

You’ve probably heard the term social engineering. It’s behind almost every scam.
Social engineering isn’t about technology, trickery, or even intelligence or the perceived lack thereof; it’s psychology, pure and simple. It’s about pushing your buttons.
And we all have buttons to be pushed.

Social engineering playbook
Scammers are experts at messing with your mind. They use fake urgency, pretending to be someone important, or scaring you to get you to act fast. When something feels off, slow down! Hang up if you must. The more red flags you spot, the more likely it’s a scam.
Social engineering
Social engineering is nothing more than manipulating you into doing something — perhaps something you wouldn’t normally consider doing — by exploiting how your brain works.
The techniques vary, but it generally boils down to pushing the right buttons in the right way at the right time. If they do that successfully, it’s possible to get you to do just about anything, whether it’s in your own best interest or not.
Fortunately, you can become more resistant to the mind games with a little knowledge. You can bring that awareness to bear whenever something seems even the slightest bit off.
Mental shortcuts
Your brain is busy all the time. That means it often looks for shortcuts to avoid working quite so hard.
For example, perhaps you get an email with your bank’s logo prominently displayed. Your brain relaxes a bit at the familiarity; it doesn’t feel as great a need to be suspicious, even though we know anyone can send you an email with your bank’s logo. Your brain has taken a shortcut.
If you come across something you already believe, or something new that confirms your pre-existing belief, your brain takes another kind of shortcut. If you already believe something to be true, your brain doesn’t spend extra effort confirming it yet again. This is known as cognitive bias.
If you’re busy, distracted, or stressed, your brain is much more likely to reach for a shortcut rather than think something through carefully. Scammers know this, and they’re more than ready to take advantage of it.
None of those things have anything to do with intelligence. They’re about being human. You’re not “dumb” if you fall for a scam; you’re human.
Scammers are highly skilled manipulators. They know your brain takes shortcuts, and they leverage that to try to scam you.
Fortunately, recognizing the techniques scammers use is a skill you can build.
Manipulation techniques
These are common techniques scammers use to manipulate you. Understanding and recognizing them makes you less vulnerable to their scams.
Scammers lie
This isn’t a technique as much as it is a characteristic of all scams, and I can’t stress it enough: scammers lie. They’ll say anything to further their story and sucker you in, whether it’s true or not.
I often hear stories from victims who end up defending themselves, or even the scammer, by saying something like, “But they said …” Indeed, they did say that, and it was a complete fabrication; a lie. You cannot believe anything a scammer tells you. Scammers use AI to lie in new, creative, and convincing ways; you can’t necessarily believe anything you read, hear, or see.
Urgency
Time pressure is at odds with critical thinking, and it’s a common sign that something might not be legitimate.
Anything with a deadline triggers our brains to prioritize that thing and to avoid taking the time to question it.
Examples are numerous. They include the email threatening you with online account closure if you don’t take some kind of immediate action, or the message that insists you pay a certain amount in “fees”, or “good faith”, or even an explicit “ransom” by a certain time, or the police will show up at your door and take you away.
Authority
We’re wired to respond to authority figures from childhood, and scammers love to turn that programming into something malicious.
Scammers often impersonate someone with power, from an IRS agent to your boss or some other respected figure. It’s not uncommon for the scammer to be so thorough that they’ll take on the persona of a real person. If you do try to investigate, the surface-level facts line up in the scammer’s favor. For example, a scammer could look up the name, phone number, and even badge number of a local police officer and then impersonate them. Any simple searches you do to confirm their identity could seem to confirm it.
Other examples include the infamous tech support scam, where scammers call and pretend to be someone from a respected company or agency.
Fear
Scammers play on your fears. Done well, this can trigger a deep-seated fight-or-flight response that once again bypasses your critical thinking skills.
Examples include emails claiming to have footage of you in a compromising position¹, arrest warrants in your name, heavy fines if you don’t take some kind of action, and more. In all cases, the fear of embarrassment or financial loss can drive you to take action you normally wouldn’t if you took the time to think about it carefully.
Reciprocity
Your brain is wired to return favors. Thus, a scam that offers you something first can create an implicit feeling of obligation or even comfort and familiarity.
Free trials, free computer scans, someone reaching out to help you with a problem you didn’t even realize you had — these are all designed to make you feel indebted to take the next step.
Guilt is also built on reciprocity. Romance scams are notorious for this. Scammers invest heavily to build a (fake) relationship with you, only to play the guilt card when you refuse their inevitable need for cash or question anything at all.
Trust
Most people let their guard down around people they like or corporations and brands with which they have an existing and good relationship.
Scammers impersonate whomever they can to get you to trust them. Panicked calls from “grandchildren” in a pickle, fake Facebook accounts impersonating people you know, and, as always, email messages that claim to be from a company you know and do business with, and yet are anything but.
Social proof
When you’re uncertain about something or realize you don’t have enough information to make an informed decision, you often look to what others have done.
Scammers often use fake testimonials, manufactured reviews, and even fraudulent crowdfunding campaigns to make their efforts seem more legitimate than they really are.
Empathy
An entire class of scams is based on getting you to feel sorry for the scammer and take action to help them out. Whether posing as someone you know or not, they weave a story, often something that tugs at your heartstrings, in order to get you to help them — typically with cash.
A variation is a social engineering approach scammers use to perform sim swap scams. They call your mobile provider and pretend to be you, telling a sob story about a lost device. When successful, your phone number (and everything associated with it) is transferred to the hands of the scammer.²
Additional signs
These aren’t as explicitly manipulative, but they are signs that something could be amiss.
- Being instructed to pay via cryptocurrency or gift cards. Once payment is made, it cannot be recovered. This is almost always the sign of a scam.
- Being instructed not to tell anyone. Besides the obvious “we need to keep this between us for security” or similar excuse, some scams go so far as to keep the mark on the phone the entire time while they visit their bank and retrieve money to be given to the scammer.
- Being instructed to install software or open an attachment or link. You could easily be installing malware, giving the scammer access to more than you ever realized.
All of these are frequent signs that someone is attempting to manipulate you into doing something that isn’t in your best interest.
Constructing a scam
It’s important to understand that scammers don’t use just one of the techniques I’ve listed. They layer the various techniques in ways that minimize the obviousness of each. Combined, they lead you down a path to disaster.
Take that email from your bank.
- Authority and familiarity: the official-looking letterhead.
- Urgency: You need to respond quickly or risk losing something important.
- Fear: threatening you with monetary loss if you don’t respond appropriately.
- Trust: it’s (supposedly) your bank, an institution you’ve probably been dealing with for years.
Each may not seem out of the ordinary enough to trigger red flags, but the combination is killer.
A scam by any other name would smell as bad…
If you pay attention to the patterns above, you might realize that everything I’ve described applies to something else that, while not technically a scam, often comes pretty darned close: marketing.
The techniques I’ve listed are often used when promoting presumably legitimate products and services. In fact, many of the best references on the topic of manipulation are resources created specifically for individuals and corporations trying to sell you something.
Inoculating yourself against scams will help you see through marketing hype as well.
Take a beat, not a beating
The single most important thing you can do is STOP and take a beat.
The single most obvious sign? Urgency. If you’re being pressured to do something quickly, or more quickly than you’re comfortable with, come to a complete halt.
Urgency is a big clue that you need to slow down and think things through carefully.
Review the list of techniques above. How many can you count in your current interaction? The more you recognize, the bigger the chance that it’s all a lie.
If the scammer claims to be from an organization you recognize or even do business with, then contact that business directly to confirm whatever the scammer claims is happening. Look up the phone number or website yourself. Never rely on anything the potential scammer offers. Remember: scammers lie.
Bounce it all off a trusted friend or family member. There’s no shame in asking for a second opinion, especially if it’s about to impact your life savings.
It’s OK to hang up. We’ve also been programmed to be polite, and that works against us when we’re in the hands of a scammer. Scammers don’t deserve it, and they’ll use it against us as much as they can. Hang up and verify through different channels to stay safe.
The red flag checklist
- ☐ “You must act immediately.”
- ☐ Request for gift cards, wire transfers, or cryptocurrency.
- ☐ Unexpected and unsolicited contact from a company or organization you recognize (and even those you don’t).
- ☐ Threats, particularly of financial loss or harm.
- ☐ Pressure not to tell anyone else.
- ☐ Offers that seem too good to be true.
- ☐ Requests to download software or click a link.
- ☐ Emotional appeals that feel off.
The more of these that apply, the greater the chance that you’re dealing with a scam.
Do this
Review the information above. With it in hand, you now have a toolkit you can apply to any potential scam, including those that haven’t been invented yet. People get scammed every day, but you don’t have to be one of them.
And remember, it’s a skill! Like any skill, it gets stronger the more you exercise it, and I encourage you to exercise it often. Certainly, we come across plenty of opportunities to practice this skill every single day.
Footnotes & References
1: Not that actual sexploitation doesn’t exist; it does. But these are scams, and nothing the scammers claim is true.
2: See if your mobile carrier supports something called a “lock pin”, which is additional security designed to prevent exactly this scenario.
Additional resources
Influence, New and Expanded: The Essential Guide to the Psychology of Influence and Persuasion in Everyday Life – Robert B. Cialdini Ph.D
CISA (Cybersecurity and Infrastructure Security Agency) – social engineering resources
Stanford Social Influence Lab – research on compliance and persuasion





I wish I knew this a few months ago because I was scammed out of a lot of money and they did exactly what you said a few months ago. I have beat myself up and asked how I could have been so stupid. It is like they take over your brain and they had me thinking I was giving their money back to them. All the red flags were going up but like I said I thought I was giving their money back. It is a very strange feeling. Thank you for this article at least it explains how these guys work. It is a shame that they can’t catch them.
Thank you for the article. I have been trying to educate myself as much as possible so it NEVER happens again.
Your comment is so valuable, Connie, as it validates what Leo told us. It can happen to almost all of us. I’m sorry it also happened to you.
A few years ago I used to pick up a few bucks doing in-home computer repair in our town. Simple problems usually. Connect a new printer, troubleshoot loss of network, and so on.
One day I’m at an elderly widow’s home and she’s asking about an email she’d gotten. Even before opening anything, I could see from the subject lines that her Inbox was full of suspicious emails. She’d been identified and targeted.
When I said to her, “Margaret, you know some of these emails look like scams, right?” she replied with words to the effect, “Not to worry, they’re good people.”
I didn’t push it, but I think of her and the millions like her and you almost have to weep. These are sheep being led to slaughter.
In the past year I’ve presented a simple 1-hour block on staying safe at our computers to our local JWV post and at the YMCA, but it’s spitting into the ocean.
So thanks, Leo, for your as-always excellent attempt to educate us. I worry it’s not nearly enough. Maybe all we can do is hope the children of the elderly read you and make this one of their topics of conversation with their parents.
The folks I feel the worst for are those gradually losing their mental capacity due to things such as dementia and related issues. Before they’re truly incapable of taking care of themselves (and thus could be protected by a trusted friend or family member), they are super vulnerable. Have an acquaintance in this situation right now.
Dear Leo, They almost got me too even though I know better. How? They went through the PayPal invoicing system to warn me that my account had been hacked and my money was used to purchase something and that I need to call them immediately. Because the return email address was indeed from Paypal.com, I believed it and called the number in the email. I was also recovering from surgery so I was off my game. What saved me was the fact that I never do anything transactional from my cell phone, meaning that even though I let them in, they found an empty wallet. Yet, they persisted and convinced me to let them into my computer and do a zelle transaction supposedly as a test. I did it and then they were telling me I needed to go buy gift cards which is when I caught on and called my bank immediately to reverse the zelle transaction and change my password, etc. Having been a computer professional in my career, I was ashamed about it and didn’t want to discuss it at the time. I hope this will help others because they have gotten so sophisticated that you can’t trust the return email address being legit. Never call the number provided in the email. Always call the institution directly from their official number.
I recently received an email apparently from my email provider stating that a software update would require a one time sign in. The link showed what looked exactly like the sign in page for my email. However, my password manager would not fill in the form. I then saw that the URL for the sign in page was not what I would expect from my provider. I was saved by my password manager.
This is gold: I was saved by my password manager.
That’s one great side effect of password managers. They won’t log you in to anything but the correct site. They match domains, not appearances.
Be careful, if the password manager doesn’t log you in, don’t try to manually unless you are absolutely sure it’s the correct site. I mention this because, on rare occasions poorly designed websites block password managers and you have to log in manually. I’d avoid those websites alternatives.
Hi Leo,
Received an email last week from my car insurance that comes out monthly from my credit card.
Yet after ten (10) months of “no problem”, all of a sudden there is an urgency for me to call them with alternate form of payment, or am threatened with an immediate $25 NFA charge. In short, all the hallmarks of scam.
What did I do?
Looked up the business card of the gal at the dealership that sold me that insurance, so that I knew who I was dealing with, and then expedited over the phone. Took a partly screenshot to demonstrate there is no issue on my end, and refused to give any alternate payment options. Guess what, problem went away (suspect nefarious insurance employee, as it was very personal targeted).
Takeaway is, if it don’t smell right, do not react but rather smoke out the rat using trusted contact details aka business card.
You did the correct thing.
I don’t necessarily see it being a rogue employee. Social engineering hackers have other means of getting your information. I don’t expect an employee would risk their job sending out Phishing emails. It’s possible but unlikely.
A few things that I do to make scamming me a (little) more challenging for the scammer:
First, I set my phone to “Silence unknown callers.” If a legitimate call is silenced, the caller still gets a chance to leave a message. They almost never do.
Second, I pay attention when my phone flags a text as “Possible scam.” Unless I’m 100% sure it’s not a scam, I delete and mark as spam (I’ve never had a “possible scam” turn out to be real).
That leaves email. For that I keep two mailboxes on two different services. One, my “main” address, is for trusted correspondents (family, friends, AskLeo, etc.). The other is the one I give to the world. I scrutinize those before I act on anything they’re trying to tell me.
Do these steps make me immune to being scammed? No, but they do seem to help: I haven’t fallen for one yet (that sound you’re hearing is me knocking wood).
That doesn’t make you immune to being scammed. The only real protection against scammers is constant vigilance. Just don’t interact. Your method can help limit spam and keep the phishers at bay.
Interesting story.
Most of us have been scammed at some time or other although few will admit to this.
In my case, I had been having a problem with my hp printer. Googled hp and began an online exchange.
The hp person I contacted provided some correction procedures none of which worked. Suggesting he was impatient with my lack of progress, he encouraged me to let him take over my computer. I followed his directions carefully and watched as he rifled through my machine, screens passing by at lightning speed.
This went on too long. It was apparent this non-hp person was raping my machine. When this was apparent, I de-powered the computer altogether.
It was too late. Damage had been done. Fortunately I back up my drives frequently and later restored nearly all of my data.
My printer problem, by the way, was rooted in the fact that I had two hp printers on line. In fact, I only have one. Once I corrected this, the problem evaporated.
My advice: Back up often. At least twice a month.
Then I changed my computer sign-in code needed to come on-line. This is important.
I experienced the HP Printer scam also, very recently. I was online at an HP website, when a chat box popped up. Rep got around to requesting my phone number as a tech would call to assist me. Pretty much the same story, however I got to the point where the guy said my HP Printer license had expired and I needed to renew it. $200 for 1year, $300 for 2 years. At this point I said, “I think this is something that is not legit.” He hung up.
Went to my control panel, deleted two HP Printer files that had been added, plus anything else with that same date. Took my computer to be checked out, one malicious file was removed. Unlike you and what Leo has advised, I haven’t done a full image backup of my machine. Soon however that will be done.
My advice: back up often — at least once a day.
A regular system‑image backup combined with daily incrementals is essential. That way, the worst you’ll ever lose is a day’s worth of work.
If you’re using a cloud‑sync service like OneDrive, Dropbox, Google Drive, etc., then your documents are already protected continuously. In that case, the only things you’d lose after a failure are:
Programs installed since the last image
System settings or tweaks made since the last image
Everything else is recoverable.
How Can I Back Up My Data More or Less Continuously?
Use Dropbox for almost real-time backup.
Using OneDrive for Nearly Continuous Backup
You Googled HP.
That can also be dangerous. There are thousands of scam sites that look legitimate. If you google a support phone number or website, check very carefully if that’s a legitimate site.
Do Not Search for Support Phone Numbers
Searching for a Technical Support Phone Number? Avoid This Huge Trap
It’s safest to go to the company’s website directly, for example, type samsung.com, apple.com, or hp.com etc into the address bar. If you do need to search, check the URL and the landing page carefully. Scammers often use malicious look‑alike domains like:
hpsupport‑help.com
support‑hp‑official.net
hp‑contact‑247.com
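The domain matching that several comments credit to their password manager ("they match domains, not appearances") and the look-alike domains listed above, as an added example that is not from the article or its commenters. The function names, the https-only rule, and the sample links are assumptions made for illustration; real password managers also use the Public Suffix List to find the registrable domain.

```javascript
// Added example: decide whether a link belongs to the domain saved for a
// login. The brand name appearing somewhere in the address is not enough.

// Lower-cased hostname of an https URL, or null if unusable.
function hostOf(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return null; // not a parseable absolute URL
  }
  if (url.protocol !== 'https:') return null; // assumption: https only
  // "hp.com." and "hp.com" name the same host.
  return url.hostname.toLowerCase().replace(/\.$/, '');
}

// True only for the saved domain itself or a subdomain of it.
// The leading dot matters: "nothp.com" must not match "hp.com".
function matchesSavedDomain(link, savedDomain) {
  const host = hostOf(link);
  if (host === null) return false;
  const saved = savedDomain.toLowerCase();
  return host === saved || host.endsWith('.' + saved);
}

// Adds a human-readable reason for a non-match. The "lookalike" label is a
// rough heuristic for display; the trust decision is matchesSavedDomain().
function classifyLink(link, savedDomain) {
  const host = hostOf(link);
  if (host === null) return 'not-https-or-invalid';
  if (matchesSavedDomain(link, savedDomain)) return 'match';
  const brand = savedDomain.toLowerCase().split('.')[0];
  const usesBrand = host.split(/[.-]/).some((part) => part.includes(brand));
  return usesBrand ? 'lookalike' : 'unrelated';
}

// Constructed sample links. The three look-alike hosts are the ones listed
// on this page, typed with ordinary hyphens; the rest are made up.
const SAMPLE_LINKS = [
  'https://support.hp.com/drivers',
  'https://hpsupport-help.com/',
  'https://support-hp-official.net/chat',
  'https://hp.com@hp-contact-247.com/login', // "hp.com" here is a username
  'https://hp.com.account-check.example/',   // brand as a subdomain label
  'https://nothp.com/',
  'http://hp.com/',
];

function reviewLinks(links, savedDomain) {
  return links.map((link) => ({ link, verdict: classifyLink(link, savedDomain) }));
}

for (const { link, verdict } of reviewLinks(SAMPLE_LINKS, 'hp.com')) {
  console.log(verdict.padEnd(22), link);
}
```

Only the first sample link is reported as a match; every address that merely contains "hp" is rejected, which is why a password manager declining to fill in a form is a signal worth stopping for.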
A few years ago, my elderly mother was taken in (for a little while) by a telephone scam. She was about 85 at the time and I am so proud of her. It was the old “relative in trouble” scam and the bum convinced her to let him come over to her place and get some cash. After she hung up, her spidey sense began to tingle and she called the police. The police said to not let the bum into her apartment building but just stall him and call 911 as soon as he showed up, which she did. The police came right away and arrested the bum (trying really hard not to use bad words here). So ya, my 85-year old mom was part of a police sting. I wish all vulnerable people had her sense, and the courage to admit that she had made a mistake.
I get scam messages and emails regularly. One recent such email was purportedly from Amazon, such as the ones I get when I order something from them. It was perfect, looking exactly like the ones I’m accustomed to receiving, but with one critical difference – The origin email address didn’t match what I usually see on legitimate messages I’ve received, so I went to Amazon, using my password manager, and sure enough, there was no such record of any purchase in my list of orders, going back months before the purported order date and time. I went to the Amazon help site, and used the information there to report the incident.
My number one recommendation to everyone, when faced with anything unexpected or out of the ordinary is to check the purported source by other means, as I did by using my password manager to open and log me into the Amazon website to verify the (in this case) invalidity of the message.
I hope this helps others!
Ernie
Yes, the rule to follow when you receive an email with a link.
Never click on a link in an email
(There may be exceptions if you are absolutely sure, but it’s still safer to log in by going to their website and logging in with your password manager.)
Any suspicious email I usually receive has a weird, unrelated URL associated with it. Subject says “Amazon” but has a URL of “idiotemail.de”, I immediately hit the “mark as spam” button and make it disappear. Quick but efficient check. Also, hovering over any imbedded link will have a popup totally unrelated to the subject of the email. Another quick check.
Yes, many spammers and scammers use URLs and return addresses with no relation to the site they are pretending to be, but many others spoof the return address and/or use a misspelling of the URL to appear that it came from the purported source.
Obviously the world of the “interwebs” has become a lot more sinister than when it was just the Nigerian prince that we often heard from. Even phone scams seem trivial (but still too prevalent). The prospect of scammers impersonating governmental agencies is even ominous.
So– A huge THANK YOU for this article, and for those who have commented to it. This is extremely beneficial to the wider user community. Please keep up your excellent work!
I would never trust an email from a “government agency”. Any government agency will send a letter. Unfortunately, I’ve read about phishing snail mail. Be skeptical about what you get in the post. Treat everything as unverified until proven otherwise. For example, if you get a letter from the “IRS” go to irs.gov or ssa.gov for Social Security.
Your article is a very important and useful handbook for everyone. Kudos for it! Will encourage all my friends to read it, and the attached comments- a litany of the (sadly) ingenious techniques scammers have attempted. Will add a couple of recent examples for consideration:
A friend received online what appeared to be a summons to traffic court for “unpaid tolls”. She was very upset until I pointed out that her area had no toll roads.
Another friend got a call from a man with a convincing, gravelly “cop” voice telling her she was about to be arrested for failing to report for jury duty, but could avoid this by buying a cash card at Kroger…and so on and so forth. I had forwarded to her some of your previous articles on this subject, and she was not taken in (by the police or the scammer). She’s now a subscriber.
I’m certain your article will have a material impact in preventing or blunting the exploitation of many people by scammers. Good work, and a good work.
Some signs can be inconclusive as to whether it’s a scam or not. Asking for a gift or store card or prepaid credit card is not inconclusive. If someone asks for a gift card, it’s 100% sure it’s a scam. No government institution or any serious business would ever ask for a gift card.
Hello,
thank you for the article. I do feel that you should not overstress the “sign” of ‘urgency’. I’ve already encountered scammers that appear to have all the time in the world – casually going on with business as usual. Pretending to want to buy material from a manufacturing business. It wasn’t urgency that gave that one away – it was needing to use their choice of shipping company that got me suspicious.
So, don’t use the lack of urgency to think it’s not a scam; in the world of AI agents it is incredibly easy to be casually trolling dozens of people slowly and calmly, without any feeling of urgency. Because the scammers already know too that many people will know urgency is a red flag. Gotta stay ahead of those guys!