Cybercriminals are persistent and increasingly convincing. The good news is that most scams share familiar warning signs. A little pattern recognition can go a long way toward protecting your identity, your accounts, and your peace of mind.
Below are practical ways to tell when an email, text, or phone call may be a scam, plus what to do the moment something feels “off.”
The big picture: what scammers want
Most fraud attempts fall into a few categories:
- Stealing your credentials (passwords, verification codes, account numbers)
- Getting you to move money quickly (wire, ACH, gift cards, crypto, or checks)
- Installing malware on your device (through attachments or links)
- Collecting personal information (Social Security number, date of birth, security questions)
A key principle to remember: legitimate institutions rarely need you to act urgently or secretly. Scammers almost always do.
Email scams: common red flags
Email remains one of the most common ways criminals try to impersonate banks, custodians, delivery companies, and even “a colleague” or “a family member.”
Watch for these indicators:
Urgency and pressure
- “Your account will be locked today.”
- “Final notice.”
- “Unauthorized login—act now.”
Suspicious sender details
- The display name may look right, but the actual email address is slightly off (extra letters, swapped characters, odd domains).
Links that don’t match the message
- Hover over links (without clicking) to preview where they go.
- Be cautious if the link is shortened, misspelled, or unrelated to the supposed company.
Unexpected attachments
- “Invoice,” “secure document,” or “statement” attachments you weren’t expecting are common malware carriers.
Requests for sensitive information
- If an email asks for a password, verification code, or personal data, assume it’s suspicious.
Text scams (smishing): quick, simple traps
Texts are effective for scammers because they’re brief and people respond quickly.
Common patterns:
- Fake package/delivery alerts: “Your delivery is on hold—confirm address.”
- Bank/brokerage alerts: “Fraud detected—reply YES to confirm.”
- “Wrong number” messages that try to start a friendly conversation
- Links with urgency: “Update now” or “Confirm immediately”
Two key rules for text safety:
- Don’t click links from unknown senders.
- Don’t reply to confirm anything. Replying can validate your number and invite more attempts.
Phone call scams (vishing): the “trusted voice” problem
Phone scammers exploit authority and emotion. They may pretend to be:
- Your bank’s fraud department
- A government agency (IRS, Social Security, Medicare)
- Tech support
- A family member in trouble
- A business vendor or title company during a real estate transaction
Red flags in calls:
- They ask for a one-time passcode (OTP) sent to your phone/email. This is a major warning sign—those codes are often what protect you.
- They demand secrecy: “Don’t tell anyone; this is an investigation.”
- They insist on unusual payment methods: gift cards, wires to new accounts, payment apps, or “safe accounts.”
- They discourage call-backs or claim you “can’t hang up.”
If you’re unsure, the safest move is simple: hang up and call back using a known, trusted number (from the back of your card or the firm’s official website).
High-confidence scam indicators (the “stop immediately” list)
If you notice any of the following, treat it as highly suspicious:
- A request for your password
- A request for verification codes (texted/emailed)
- Instructions to move money quickly to “protect it”
- A demand to keep the situation secret
- A request to download remote access software
- A message that creates intense fear, urgency, or excitement (panic is the point)
What to do when something seems suspicious
When your instincts say “maybe,” use this quick checklist:
Pause and take 60 seconds Scammers rely on speed. Slowing down is a powerful defense.
Don’t click. Don’t reply. Don’t share. Avoid clicking links, opening attachments, or providing information.
Verify independently
- If it’s “your bank,” call the number on your card.
- If it’s “a family member,” contact them using a saved number.
- If it’s “tech support,” go to the company’s official site and find the support number there.
Use a second channel If the message arrives by email, verify by phone. If it arrives by text, verify by logging into your account through your usual app or a bookmarked website.
Tell us (or your trusted professionals) before you act If a message involves accounts, transfers, beneficiary changes, new wiring instructions, or anything time-sensitive, consider reaching out to our office so we can help you sanity-check the request.
If you clicked, act quickly
- Change passwords (starting with your email account)
- Enable multi-factor authentication where available
- Contact the relevant institution to place appropriate protections
A few practical habits that reduce risk
- Use an authenticator app (where available) instead of SMS codes.
- Create unique passwords for email and financial accounts.
- Keep devices updated so security patches install.
- Bookmark key financial sites and use those bookmarks rather than links in messages.
A helpful resource
For easy examples of what banks do—and don’t—ask for, visit: https://banksneveraskthat.com/
Bottom line
You don’t need to be technical to protect yourself. Look for urgency, secrecy, odd payment requests, and demands for codes or credentials. When in doubt, pause and verify using a trusted contact method. A few extra minutes can prevent a costly and stressful situation.
This article is for general educational purposes and isn’t security, legal, or investment advice. If you believe you’re experiencing fraud, contact the relevant institution promptly and consider reporting it to the appropriate authorities.