The Consumer Reports Scam Protection Guide

It’s harder than ever to tell if that email, text, or phone call is from someone trying to steal your money, personal information, or both. What you need to know now.

Technology offers so many convenient ways to keep in touch with friends and family, and manage our daily lives: cell phone calls, emails, texts, social media, and beyond. But it also allows would-be scammers to contact us on these platforms relentlessly—and try to get hold of our money, personal information, and identities. It can make you dread the simple act of answering the phone or opening an email.

That’s how Alyson Friedman feels. A business owner in New York City, Friedman was fooled into giving important financial details to a scammer. “Recently, on a hectic day, I got a text saying there was a problem with my bank account,” she says. It said that for security reasons, she needed to click a provided link and verify her details. Friedman assumed she’d made a mistake in a Zelle payment: “I figured I must have typo’d the address—I’d just sent money for upholstery cleaning.”

So Friedman clicked the link and entered her bank account username and password, only to receive another text—that a new user was attempting to log in. Sensing that something was wrong, she called her bank directly. “I felt like such a fool,” says Friedman, who ended up not losing money to the scammer, thanks to her bank’s fraud prevention team. Now, she says, “I barely answer my phone unless I recognize the number.”

Given the ever-increasing sophistication of scams and scammers, caution is warranted. Plus, these criminals may be more likely to target older adults, thinking they’re less tech-savvy than their younger counterparts. According to the Federal Trade Commission, those in their 60s and 70s who report that they’ve been defrauded have median losses of $666 and $1,000, respectively. The numbers are $552 for those in their 50s, $600 for those in their 40s, and $590 for those in their 30s.

But you are not powerless against scammers. This guide will help you raise your awareness of criminal gambits in the making, so you can sidestep them. It will also tell you what to do if you’ve been scammed. And don’t feel embarrassed or ashamed if you’ve been tricked, says Eva Velasquez, president and CEO of the Identity Theft Resource Center in San Diego. Even the most tech-savvy people have been fooled by these cunning new frauds.

New Text Scams

Those text messages certainly are attention-grabbing, saying there’s a problem with your Amazon, Apple, Netflix, bank, or cell phone account, or that you’ve won a great prize or gift card. Or it could have been a “wrong number” text, from someone who supposedly contacted you in error.

Whatever the conceit, these texts usually urge you to click immediately on an embedded link. But doing so can take you to a web page that requests personal information, like passwords to your Netflix account or credit card numbers to “pay” for shipping and taxes on the prize you supposedly won.

Instead of a prize, you could find unauthorized charges on your credit card or worse: Sixty percent of scam texts are designed to transmit “malware,” says Michael Bruemmer, head of global data breach resolution at Experian, the credit reporting agency. This malicious software can infect your device and grab enough personal info to take over your shopping, financial, and social media accounts, or even steal your identity. Text scams, or “smishing,” are overtaking phone call scams as criminals’ digital tool of choice, and now account for 22 percent of all fraud reports to the FTC’s Consumer Sentinel Network, which shares scam info with law enforcement agencies. One likely reason: It’s easy for fraudsters to send out numerous messages at a time via a chatbot, a tool that can engage in human-sounding communication.

Spotting a Text Scam
“One of the best prevention tips is to be wary of any unsolicited, out-of-the-blue outreach,” says Eden Iscil, public policy manager of the nonprofit National Consumers League. And any text that mentions “fraudulent activity detected” or “free gift” should set off alarms. Spelling and grammar mistakes may also be signs of a scam message.

So if you’re unsure, don’t respond or click on a link. Contact the source that the text appeared to come from through official channels. “If it’s regarding your credit card, call the issuer,” Velasquez says. “If it’s about your bank account, call the bank directly or log in to your account online to investigate. Call your cable company’s customer service number directly.” (If you get confirmation that the text was a fake, forward it to 7726 to help your wireless carrier identify scammers. Then block the sender and delete the text.)

If you opened the text: Opening a suspicious text or even sending a simple reply—for example, “You don’t have the right person”—won’t put you in danger of malware being transferred to your device or your personal data being taken, Velasquez says. But it does tell the fraudster your number is active, so you could receive more smishing texts in the future. (The same can happen if you click on “unsubscribe” or “stop” links.) Simply forward the text, then block the sender and delete the text.

If you clicked on a link and were led to a website, exit the browser ASAP, and delete the URL from your browsing history, Bruemmer says. Then forward, block, and delete as above. Temporarily disconnect from WiFi or turn on airplane mode. Then, because you can’t always tell when a device has been infected with malware, it’s smart to run a security program (see “7 Smart Security Steps,” below). Or call the device’s manufacturer for tech support or a referral to a tech pro who can scan it, Iscil says. And if you shared info that could compromise an account (notably, a password), change relevant information, such as password and username.

If you got scammed: The remedies vary, depending on what was taken and how quickly you became aware of the scam. But if, after reporting and blocking the sender, you suspect or know that someone got into accounts that have payment methods associated with them (perhaps you notice an unfamiliar autopayment coming out of your bank account or your credit card issuer put a hold on a card), contact the fraud teams at those companies right away for guidance. You can search online for the contact number. You may have to close some accounts and open new ones, Bruemmer says, and you’ll certainly want to change passwords and usernames of compromised accounts. Then get in touch with the customer service or fraud departments at any nonfinancial accounts and platforms you think may have been affected.

If your mobile device isn’t working after an encounter with a scammer, whether they reached you by phone or another method, take the device to a tech repair service as soon as possible. This can stop a scammer from accessing your personal data and contacts. Also, call your cell carrier for advice; search its name and “fraud department” online to find the appropriate number. They may have you reset the phone.

• Filing a report with your local police is wise. You might need to do this if you have to prove to creditors and credit bureaus that you were defrauded.

• If you think the scammer may have sufficient information to open lines of credit in your name (your name, address, and Social Security number can be enough), ask the three credit reporting agencies—Equifax, Experian, and TransUnion—to freeze your credit to prevent this. Request copies of your credit reports, too, and monitor them (and all money-related accounts) for a year afterward for oddities like your credit score drifting down for no discernible reason or new credit card accounts you didn’t open.

• Watch for unexpected credit or debit cards in the mail, or denials for such cards, says Velasquez at the Identity Theft Resource Center. Iscil at the National Consumers League adds, “Victims of identity theft may also notice incorrect information on a credit report, receive bills for credit cards they did not open, or detect abnormalities on their tax forms or Social Security benefit statements.”

• Depending on your particular situation, you might want to take additional steps. For instance, if you think your Social Security number or Medicare data was used in fraudulent ways, contact those organizations. The FTC, the Identity Theft Resource Center, the AARP Fraud Helpline (877-908-3360), and your local FBI office may have advice for specific issues.

Latest Phone Scams

Many of us are familiar with those out-of-the-blue calls, alerting us to a supposed computer virus or perhaps telling us we owe money to a company or government agency and must pay right away. These calls may sound believable, but they’re likely from scammers. Phone fraud cost some 68.4 million Americans money in 2022, says the U.S. Spam & Scam Report from Truecaller, creator of a spam-blocking app. The median loss was $1,400 per person scammed, the FTC says.

These days, some scammers are taking advantage of technological advances such as artificial intelligence to trick us. With voice cloning, a fraudster snags a snippet of a person’s voice—perhaps from a video on social media or recorded during a prior phone call—and creates false statements with the “voiceprint.”

Recently, a Phoenix TV station reported on such a situation. According to KTVK, an Arizona family received a terrifying call from someone who claimed to have kidnapped their daughter—with the sound of her crying in the background. But it was an AI scam, the station says.

Scammers can also “spoof”—or fake—phone numbers to make it seem as if they’re calling from a specific organization or area. For instance, a 202 area code (Washington, D.C.) might make a fake call from the IRS seem more credible. Or a criminal may use your area code and first three local digits, hoping the familiar numbers encourage you to pick up.

Spotting a Phone Scam
It can be hard to tell, experts say, but statements like “Scam Likely” or “Potential Spam” on your caller ID may be a tip-off. Spam filtering from your phone carrier and manufacturer may help, too (see “Can You Block Scammers?” below).

But generally, experts say, it’s best to let unsolicited calls from unfamiliar numbers—and those that appear to be from businesses, government agencies, and other organizations—go right to voicemail. If the caller leaves a message, you can listen to it later.

If you think the message might be genuine, look up the company or organization’s contact info on its website. Call that number—not the one that was left on your voicemail. You can’t assume the one in the message is real.

If you answered the call: Picking up tells the scammer that they’ve hit on a working number, which could lead to an uptick in such calls in the future.

More worrisome is that having a conversation with the caller could allow them to create a voiceprint of you for use in future scams. So the moment you suspect that you’re on the line with a bad actor or scammy robocall, hang up and block the number. With robocalls, don’t press any buttons or use voice commands to opt out of future calls—this can put you on a call-again list, says Bruemmer at Experian.

What if you get one of those scary relative-in-distress calls? Asking a question only they know the answer to can tell you if it’s actually your loved one on the line. (If you’re uncertain, call or text them from another device to verify their safety.)

For the future, Rachel Woods, an AI startup founder, recommends in a TikTok post that you establish a safe word—such as Nantucket—with your nearest and dearest, to protect you all from falling for this kind of scam.

If you got scammed: If a scam that started with a phone call cost you money or compromised your personal credentials, or you notice your phone isn’t working properly, see the advice in “New Text Scams,” above.

Suspicious Emails

Phishing emails—which are designed to get you to share financial and other personal info—have been around since the mid-1990s and are still going strong. And these days, evolving technology can make email ruses harder to detect. For instance, fraudsters can rapidly create believable messages with ChatGPT, an AI chatbot, says Steve Baker, founder of the Baker Fraud Report and former director of the FTC’s Midwest region.

Common email scams play on emotions to get you to send money or information: joy (you’ve won something!) or fear (your credit card or utility account is locked, and you must click the link to update your credentials). Some appeal to your desire to help others, like alerts to a GoFundMe for someone with a terrible disease. One such recent plea was for a toddler in need of medical care. But the donation link in the email sent funds to a scammer, according to a caution from the city of Urbana, Ill.

Spotting an Email Scam
First, check the email address. On a computer, without opening the email, hover your cursor over the sender’s name to bring up the full address. If it’s not from the sender you expect or it’s odd—say, “Amazonn” instead of “Amazon”—it’s not legit. On a mobile device, open the email and hit reply, but don’t send a response. This should let you see the sender’s address, though you may need to tap on it, Baker says.

Another red flag is being asked for any payment for something you ostensibly won. Also, a reputable business won’t send an email requesting updated information via an embedded link. You’d likely be asked to log in to your account through its website or to call customer service. When in doubt, go to the business’s official website and get the contact information there. Be cautious about GoFundMe requests with a tight deadline or about requests for cash, crypto, a gift card, or a wire transfer, the FTC says. Tip: A reverse search in Google Images (search in your web browser for how) may tell you whether photos were stolen and are actually associated with other people. For a charity, see how it’s rated on sites such as Charity Navigator and use the organization’s website instead of an email link to donate.

If you opened the email: As long as you didn’t click a link or download an attachment, you’re at little risk—even if you replied to the email. (This could put you on an “email again” list, though.) Skip any “click here to unsubscribe” links, which could take you to a malicious website or give criminals the chance to hack your device, says Kathy Stokes, the AARP’s director of fraud protection programs. Label the email “spam” or “junk,” and it should be moved out of your inbox. Then block the sender.

If you did click on a link or an attachment, close the email right away, and label and block as described above. And if your click opened a website window, shut it promptly and delete the address from your browser history to make sure you don’t accidentally open it again. Promptly trash any attachment you downloaded and disconnect from WiFi or turn off your phone, tablet, or computer for a minute; this may interrupt any malware that’s downloading. To make sure, run a security program (see “7 Smart Security Steps,” below) or have a tech pro check your device. What if you entered personal details, such as your credit card log-in? See “New Text Scams,” above.

If you got scammed: Follow the guidance in “New Text Scams.” And if your email was hacked, ask your email provider what steps you need to take next. For instance, if you can’t regain control of your account, you might need to open a new one.

Facebook Frauds

Scam artists are loading up Facebook, Instagram, and other social media platforms with cons: In 2022, social media was the starting point for 11 percent of reported fraud where a contact method was specified. The median loss per incident was $528.

Just a few examples of what you may see in your social media feeds: Ads touting incredible bargains on all kinds of products, offers of low-interest loans and amazing cryptocurrency investing opportunities, friend requests from strangers who think you sound interesting or, curiously, from people you’re already friends with.

Some are surely scams. Send off your payment for those interesting products, for instance, and you may get nothing, or just an item of little value—like a sticker instead of the 50-piece tool set you ordered, Stokes says.

Spotting a Social Media Scam
If you receive an odd message from a friend or relative, they were likely hacked, says Velasquez at the Identity Theft Resource Center. Don’t respond. Contact them off the platform to see if a scammer was reaching out in their name.

That stranger who wants to get to know you on social media? They may be after money and not friendship. It’s wise to ignore anyone you don’t know, no matter how many common connections you have, Stokes says. (And keep in mind that any information you share on social media—from your answers on those ever-present quizzes to pictures from a recent vacation to a health diagnosis—can be used by scammers to buddy up to you and gain your trust.)

Also, any loan or investing opportunity that sounds too good to be true probably is—especially cryptocurrency investment offers. From January 2021 through March 2022, almost $4 out of every $10 reported lost to a fraud originating on social media was in crypto, far more than any other payment method, according to the FTC.

For shopping, you may get some insight by checking for negative comments below a product post, seeing what the Better Business Bureau has to say, and searching online for the business’s name and the word “scam” or “fraud.” Your safest move might be going directly to a familiar brand’s website and buying there, Iscil says. While certain ads in your feed may be legitimate, it can be tough to tell. For instance, Facebook’s blue check mark indicates that the seller’s identity has been verified. But scammers can duplicate such visuals, as well as logos.

If you responded: Merely messaging with another account won’t put you at risk, but stop if you have an uneasy feeling, then block the sender and report the incident to the platform’s help center. If you revealed personal details (account numbers and/or passwords, for instance), or clicked on a link or downloaded an attachment, follow the related advice in “New Text Scams.”

If you got scammed: Follow the advice in “New Text Scams” to secure your accounts and request charge-backs and refunds. For instance, if you used a credit card to pay for an item that never arrived, contact your card issuer. If you lost money investing in cryptocurrency, your odds of recouping it are low, experts say. But it’s still smart to report it, as outlined in “New Text Scams.” And if you lost access to a social media account because of a scam, get in touch with the platform’s fraud department. Go to the platform’s website to find the contact info. If you have to open a new account, alert friends not to communicate with the old account, to reduce their likelihood of being scammed, too.

Watch Out for This ATM Card Scam

When using an ATM, you probably should shield your PIN to make sure no would-be thief sees it. But there’s a newer ATM scam you might not yet be aware of: the “glue and tap.” Here, according to news reports, a fraudster jams an ATM card slot reader so you can’t insert your card. They then suggest that you bypass the slot and use the card’s “tap” function instead. But unless you log out of the account after a tap transaction, which you might not realize is necessary, the scammer can access your account once you’ve walked away from the ATM.

If you encounter a jammed ATM terminal and a stranger is on hand offering advice, find another location with a functional machine. You may want to do the same if someone is just loitering near an ATM you want to use, especially if they try to strike up a conversation. “I wouldn’t want to interact with any stranger hanging out while I conduct a financial transaction,” says the AARP’s Kathy Stokes.

And if you lost money through an ATM scam, call the police and file a report as soon as possible. Also, immediately contact the bank to request a refund. If you report the crime within two days, you should be protected under the Electronic Fund Transfer Act.

Be Careful With QR Codes

During the pandemic, restaurants started using QR codes to give touchless access to menus. Patrons scanned the code with their smartphone camera and a link to the menu popped up. Such codes are now used in various official settings—for instance, to provide information to visitors at certain museums, and at Walmart’s self-checkout lanes.

But scammers are also creating QR codes that can lead to fake payment websites or download malware, the FBI says. The Better Business Bureau says these may show up in emails or texts offering debt consolidation, on ad flyers, on phony parking tickets placed on windshields, or on stickers put on parking meters.

Think twice if you see a QR code on a sticker. “It’s very easy for bad actors to print out a sticker of their own QR code and place it over the legitimate one,” says security expert Eden Iscil.

Also, bypass any that look odd (very big, small, or pixelated) or are in text or email payment requests, says lawyer Steve Weisman, founder of Scamicide, a website that tracks numerous kinds of scams. Before you use a code, check the website address displayed. The URL should start with “https,” be similar in length to other URLs, and have no misspellings.

If you scan a code and are sent to an unexpected website, close it, shut your WiFi off, and run a security program or consider having your device scanned by a tech professional—even if you didn’t share personal info or make a payment. “Malware can be downloaded just by connecting to the scammer’s website,” Weisman says.

Can You Block Scammers?

There’s no surefire way to stop all undesirable messages. But these strategies can help decrease the volume significantly.

For Phone Calls
Wireless carriers’ free filtering apps, such as AT&T’s ActiveArmor, T-Mobile’s Scam Shield, and Verizon’s Call Filter, identify and block calls that are likely to be scams or spam. Premium options ($4 per month per line) add features like reverse number lookup.

In addition, Apple and Android phones let you silence calls from people you don’t know. On an Android phone, go to the phone app, then Settings, then Blocked numbers, and turn on Unknown. On an iPhone, go to phone Settings, then Phone, then choose Silence Unknown Callers.

And you can sign up for the National Do Not Call Registry. This won’t stop fraudsters, but it blocks most real sales calls (groups such as charities and political organizations are exceptions). That way, you’ll know sales calls are fairly likely to be scams—and can be on your guard.

For Text Messages
On an Android phone, open Messages, tap the three-dot icon on the top right of the screen, go to Settings, then Spam protection, and turn on “Enable spam protection.” This way, you’ll be alerted if a message may be coming from a dubious source. On an iPhone, go to Settings, then Messages, then Filter Unknown Senders, and you won’t receive message notifications from senders who are outside your contacts list.

For Emails
Email platforms do try to block dangerous emails such as phishing attempts, but some could still get into your inbox. You can filter out messages from specific email addresses and those that have particular words in the subject line; search the platform’s help center with a term like “email filtering.”

For Social Media Accounts
Make these as private as possible to keep the circle of people who can post or send you messages small. “That’s the safest option for most consumers,” says Eden Iscil at the National Consumers League. How you do this and what exactly you can do varies by platform, so you’ll need to check your account settings. For instance, on Facebook, you can change the “Who can send you friend requests” setting from “Everyone” to “Friends of friends.”—Melanie Pinola

7 Smart Security Steps

1. Slow down. Scammers often press you for immediate action. Pause and think through whether what you’re being told is plausible. You can always respond later, through an organization’s official channels—not a mail, text, phone number, social media message, or link sent to you.

2. Share less of your personal info. People on Facebook, Goodreads, and online neighborhood groups don’t need to know your favorite musician, your mother’s maiden name, or your birthday. Such info helps crooks “phish” for possible answers to security questions. Online quizzes can also provide personal info to scammers.

3. Delete old accounts. The more digital accounts you have, the greater the risk of your personal info being stolen or misused. Shut accounts you rarely use and delete the apps.

4. Allow automatic software updates. These ensure that you always have the latest security patches for smartphone, computer, and router operating systems. Allowing them is usually the default setting, so you might not need to do anything.

5. Double up. Multifactor authentication provides an extra layer of security. So if someone steals your bank or email password and tries to use it from an unrecognized device, the account remains sealed until you respond with a second proof of identity (like a one-time code). Scammers may try to get these codes, so never share them over the phone or via text or email.

6. Stick with safe payment methods. Credit cards (and PayPal) offer legal protections not found with other methods. With gift cards, cryptocurrency, and wire transfers, it’s almost impossible to get your money back if you’re scammed. Peer-to-peer payment apps like Venmo and Zelle also offer little recourse if you get swindled—it’s best to use these only with people you know.

7. Use antivirus protection. Windows 10 and 11 have Microsoft Defender Antivirus, which can shield you from threats like malware. (Check settings to make sure it’s turned on.) Apple’s built-in security is always on. You can get additional protection from software like Avast Premium Security or Bitdefender Internet Security. Get comprehensive security tips at the CR Security Planner.—Chris Raymond
