14 Online Scams You Need to Be Aware Of—and How to Avoid Them
When it comes to protecting yourself from online scams, education is your best defense. Here’s what you need to know to stay safe.
The most common online scams
Think you could never fall for one of the most common online scams? Think again. It’s all too easy to get caught up in the excitement of an incredible vacation deal or the panic that you owe back taxes to the IRS. Scammers can be incredibly convincing, and there are more and more of them to contend with. In fact, the FTC received more than 2.8 million fraud reports in 2021, which amounted to losses of more than $5.8 billion—up a whopping 70% from 2020.
That’s a hefty increase, to say the least, and our changed world has provided the perfect petri dish for scams to thrive. Experts point to the pandemic as one main cause, since millions of people became reliant on “card not present” credit card purchases on retailers’ websites. This is now the main vehicle for credit card fraud, with 80% of incidents occurring this way.
The pandemic also increased feelings of isolation and loneliness, prompting people to connect online—for better and for worse. “Social media is an easy way for a scammer to find and connect with victims, who can then be ‘social engineered’ into providing personal information, visiting a malicious link or sending payments,” says Jason Glassberg, co-founder of Casaba Security. More than one in four people who were victims of fraud in 2021 report that it started on social media.
So, what can you do to protect yourself? People become victims of online scams when they’re caught off guard. By familiarizing yourself with these common scam techniques, you’ll think before you click. We’ll also help you boost your password security, smartphone security and privacy and general online security to make sure you have an ironclad defense against potential hacks, attacks and computer viruses. Here’s what you need to know to stay safe and avoid becoming a statistic.
Free trial scam
How it works: You see an internet offer for a free one-month trial of some amazing product—often a weight-loss program, a teeth whitener or some other thing offering incredible results in record time. All you pay is $5.95 for shipping and handling … or so you think.
What’s really going on: Buried in the fine print, often in a color that washes into the background, are terms that obligate you to pay $79 to $99 a month in fees—forever. Canceling these subscriptions can be a beast and can take months.
The big picture: “These guys are really shrewd,” says Christine Durst, an internet fraud expert who has consulted for the FBI and FTC. “They know that most people don’t read all the fine print before clicking on ‘I agree,’ and even people who glance at it just look for numbers. So the companies spell out the numbers, with no dollar signs. Anything that has to do with money or a time frame gets washed into the text.”
Avoidance maneuver: To avoid this subscription scam, read the fine print on offers, and don’t believe every testimonial. Also check TinEye.com, a search engine that scours the Web for identical photos, or do a reverse image search on your own. If that woman with perfect teeth shows up everywhere promoting different products, you can be fairly certain her “testimonial” is fictitious. Reputable companies will allow you to cancel, but if you can’t get out of a “contract,” cancel your card immediately, then negotiate a refund. If that doesn’t work, appeal to your credit card company.
Fake Wi-Fi hotspot scam
How it works: You’re sitting in an airport or a coffee shop, and you log into the local Wi-Fi. It could be free, or it could resemble a pay service like Boingo Wireless. You connect, and everything seems fine.
What’s really going on: The site looks legitimate, but it’s actually an online scam run by a criminal from a laptop. He’s most likely sitting very close to you, and you have no idea he’s mining your computer for banking, credit card and other password information. If it’s a fake pay site, he also gets your credit card info, which he’ll then sell to other crooks.
The big picture: Fake Wi-Fi hot spots are cropping up everywhere, and it can be difficult to tell them from the real thing. “It’s lucrative and easy to do,” says Brian Yoder, a cybersecurity consultant. “Criminals duplicate the legitimate website of a Wi-Fi provider like Verizon or AT&T and tweak it so it sends your information to their laptop.”
Avoidance maneuver: Make sure you’re not set up to connect automatically to non-preferred networks. For PCs, go to the Network and Sharing Center in the Control Panel. Click on the link for the Wi-Fi network you’re currently using. A box with a “General” tab should pop up. Click “Wireless Properties.” Then, uncheck the box next to “Connect automatically when this network is in range,” and click OK to save the change. For Macs, click on the Wi-Fi button in the upper right, click “Open Network Preferences,” and check “Ask to join new networks” and “Limit IP address tracking.”
Before traveling, it’s also a good idea to buy a $20 Visa or MasterCard gift card, so you can purchase airport Wi-Fi access without broadcasting your credit or debit card information. You can also set up an advance account with providers at airports you’ll be visiting. If your cellular plan allows it, set up your own personal hotspot.
Also—and this is incredibly important—don’t do any banking or online shopping from public hotspots unless you’re certain the network is secure. Look for “https” in the URL, or check to the left of the URL in your browser for a small padlock icon.
Bogus contest scam
How it works: You get a direct message or a comment on a social media post announcing a contest for a free iPad, a trip to Hawaii or some other expensive prize. The message says, “Just click on the link to learn more.” The scammer will tell you that in order to claim your winnings, you must pay a small fee that they call “taxes,” “shipping and handling charges” or “processing fees.”
What’s really going on: This online scam happens mostly on Twitter, but it can happen on any social media or networking site and even via email or text. It occasionally happens over the phone, and if it does, the caller will ask for your email so they can send a link and you can claim your prize. The link takes your fee for the “prize,” steals your credit card information and also downloads a “bot,” which will let the hacker send spam emails from your account.
The big picture: Scammers are taking advantage of URL-shortening services that allow them to create links that look sort of legitimate. When users can’t see the actual URL, it’s easy for bad guys to post malicious links. “Once you click on the link, you become vulnerable to phishing or malware being spread to your device,” Glassberg says.
They also take advantage of your desire to strike it rich. While it may be irresistible to think about sweepstakes winnings that can change your life, you should never wire money, send cash or pay with gift cards or cryptocurrency to get your prize. “Don’t do it,” warns the FTC. “Scammers use these payments because it’s hard to track who the money went to. And it’s almost impossible to get your money back.”
Avoidance maneuver: It’s best not to click on links from strangers, but if your curiosity is getting the best of you, do a little research first. If you’re contacted through social media, check out their profile. You can also Google the person’s or company’s name and phone number to see what comes up. If you see the word scam in any of the search results, that’s all you need to know.
How it works: A window pops up about a legitimate-sounding antivirus software program like “Antivirus XP 2022” or “SecurityTool” and says that your machine has been infected with a dangerous bug. You’re prompted to click on a link that will run a scan. Of course, the scan finds a virus—and for a fee, typically about $50, the company promises to clean up your computer.
What’s really going on: When you click on the link, the sham company installs malware on your computer. No surprise—there will be no cleanup. But the thieves have your credit card number, you’re out the money and your computer is left on life support.
The big picture: “Scareware” affects more than a million users daily, according to Dave Marcus, director of security and research for McAfee Labs, a producer of antivirus software. “This is a very clever trick,” he says, “because people have been told for the past 20 years to watch out for computer viruses.”
Avoidance maneuver: If you get a pop-up virus warning, close the window without clicking on any links, and then run a full-system scan using legitimate antivirus software. We recommend Norton or McAfee. It’s best to stick to name brands for this, as the knockoffs will likely infect your device. The legitimate companies will use clear, calm language, while the scam sites are always sounding five alarms. To that point, Norton says to watch out for pop-ups that use lots of exclamation points, tell you to act fast and are hard to close. This type of urgency is common, FYI, with other online scams, including some gift card scams.
How it works: You receive a text from your bank or credit card issuer, saying there’s been a problem and you need to call right away with some account information. They might tell you your account has been compromised and you need to act fast so you don’t lose everything.
What’s really going on: The “bank” is a scammer who hopes you’ll reveal your account information. If you do, you’re actually surrendering your credit card information to black-hat marketers who will ring up phony charges.
The big picture: Welcome to smishing, which stands for SMS phishing, the text-message version of the lucrative email scam. “Cell phone numbers are easy to track down on the Dark Web, and smishing messages are much easier to craft and deliver than phishing emails,” says Glassberg. “They are significantly shorter, they don’t require any formatting and the attacker doesn’t have to worry about bypassing spam filters and antivirus protections.”
Plus, since many banks and businesses offer text-message notifications, this scam has the air of legitimacy.
Avoidance maneuver: The best course of action when you receive a text message like this is to contact your bank. “But be careful not to misdial the telephone number of your bank,” warns Steven J.J. Weisman, a recognized expert in scams, identity theft and cybersecurity. “Some scammers purchase phone numbers similar to those of legitimate banks and credit card companies, hoping that they will receive calls from unwary consumers who may have merely misdialed the telephone number of their bank or credit card company.”
How it works: You get an email or social media DM with an image of a malnourished orphan from a developing nation. “Please give what you can today,” goes the charity’s plea, followed by a request for cash. To speed relief efforts, the email recommends sending a Western Union wire transfer as well as detailed personal information, such as your address, Social Security number and checking account info. It’s for the children!
What’s really going on: The charity is a scam designed to harvest your cash and banking information. Nothing goes toward helping those in need—every penny you send goes to the scammer. Even worse, the scammer now has access to all your personal information, and if you don’t act quickly, they’ll drain your bank accounts, rack up charges on your credit cards and possibly steal your identity.
The big picture: Hackers create fake personal, business and charity accounts on social media to lure their victims. “They may use catfishing tactics, fake deals and special offers, spoof businesses or hijack real accounts through which they spread malicious links,” Glassberg says. “Phishing attacks are very common on these platforms because people are less vigilant with a message in Facebook, Twitter or LinkedIn than they are in their email. Plus, the platforms aren’t filtering spam or monitoring for malicious links.”
Avoidance maneuver: Donate to real charities on their own websites instead of clicking on links in email solicitations. Also be aware that genuine aid organizations will accept donations by credit card or check, and they won’t ask for wire transfers, bank account information or Social Security numbers. Donations via text message are OK as long as you confirm the number with the organization.
How it works: You meet someone on a dating site, on Facebook, in a chat room or while playing a virtual game. You exchange pictures, talk on the phone and get close quickly. It soon becomes obvious that you were meant for each other, but the love of your life lives in a foreign country and needs money to get away from a cruel father or to get medical care or to buy a plane ticket so you can finally be together.
What’s really going on: Your new love is a scam artist. There will be no tearful hug at the airport, no happily ever after. You will lose your money and possibly your faith in humankind. It may be hard to admit it happened to you, but you’re the victim of a romance scam.
The big picture: Online social networking has opened up bold new avenues for heartless scammers who specialize in luring lonely people into phony friendships and love affairs, only to steal their money. According to the FBI, a whopping 24,299 people reported romance scams in 2021, and their combined losses amounted to more than $956 million. The amount of money stolen via these online scams was surpassed only by business email compromise (BEC) schemes and investment scams.
Avoidance maneuver: “On the internet, it is almost impossible to be too paranoid,” says Durst. “But don’t be paralyzed—be smart.” Dating and social-networking sites can be a great way to meet people, even from foreign countries, but if someone you know only from the Web asks for money, you should sign off quickly. It was never about love; it was always about how the scammer could swindle you.
Business email compromise scam
How it works: You send your client an invoice, but they don’t pay after 30 days, so you send a reminder that their payment is past due. The client replies and tells you they paid via wire transfer. The only problem? You don’t accept payments via wire transfer.
What’s really going on: Someone hacked into your business account and sent an email to your client with directions on how to wire the money to pay their balance. The client wired the money—but not to you—and now the scammer has the money, and the account is closed or untraceable.
The big picture: Business email compromise (BEC) scams and email account compromise (EAC) scams are currently the biggest online scams, according to the FBI. The Internet Crime Complaint Center (IC3) received 19,954 BEC/EAC complaints in 2021, which amounted to losses of nearly $2.4 billion.
BEC/EAC scams aren’t new, but they’re evolving and getting more sophisticated. “These fraudulent wire transfers are often immediately transferred to cryptocurrency wallets and quickly dispersed, making recovery efforts more difficult,” the FBI explains in its internet crime report.
Avoidance maneuver: Set up two-factor authentication codes for everything, but especially your work email. When invoicing clients, be explicit about the available methods of payment, and ideally, forgo wire transfers.
Of course, even with the best practices in place, you may still get scammed if someone hacks into your business or personal email. If this happens, report it immediately to the IC3. In 2021, the IC3 was able to intervene in 1,726 BEC incidents, saving consumers approximately $329 million.
Counterfeit goods scam
How it works: You’re doing some online shopping, as one does. You see what looks like a great deal on Amazon (for new items) or eBay or other resale sites (for vintage items) and place an order. Everything seems fine … until you get the item.
What’s really going on: The seller’s a scammer, and they’re going to send you a counterfeit product (or nothing at all)—and they’ll still get your money. These scammers often post delivery dates that are three or four weeks from the date of purchase, and they typically receive payment long before you discover that it was a scam.
The big picture: The sale of counterfeit items is a major problem, and it hurts not just buyers but other sellers as well. “There’s been rampant theft of intellectual property—Marvel, Disney, Star Wars, NFL teams, sports jerseys,” says Monica Eaton, COO of Chargebacks911. “Facebook Marketplace, OfferUp, Craigslist and other sites are rife with rip-offs.”
Some people don’t care about counterfeit or knockoff goods—a fake Louis Vuitton looks close enough to the real deal for some people—but that’s for them to decide, with full knowledge of what they’re buying.
Avoidance maneuver: Watch out for new sellers (also known as “just launched” sellers), and take a careful look at the seller’s reviews before you buy. Read the one- and two-star reviews as well as the glowing ones, take a close look at photos reviewers have attached and read the wording on the reviews. (If you find a string of clichés, it’s probably a fake testimonial.)
Although positive reviews are generally a good thing, if a new seller has 20 five-star reviews and the product is listed as brand-new but at a fraction of the retail price, those are all red flags. As a general rule, stick with sellers who have products with several hundred reviews and an average rating of four stars or higher.
How it works: You get an email (or a text) from someone saying he’s been hired to kill you or kidnap a family member. He tells you to send a large amount of money via Cash App or another irreversible method in exchange for your safety. Usually, the email will also warn you against contacting the authorities, saying that will only make things worse.
What’s really going on: There is no assassin. Somebody found your email address randomly (along with hundreds of others) and just wants your money.
The big picture: Your first thought might be to wonder how anyone could possibly fall for this. But keep in mind that the first response of anyone who’s just been threatened with murder online is, most likely, to panic. Even scarier, many of these scams include the victim’s personal information—such as where they (or loved ones) work or go to school, or even what street they live on—which can be easy to access through social media.
Avoidance maneuver: If you get one of these scary messages, block the number. Responding to the scammer clues them in that they have reached a live account, and they’ll probably respond with more aggressive threats. Next, contact local law enforcement. It’s not likely that the scammer is in your town—they’re probably halfway across the world—but the authorities need to know in case there’s a real threat.
Also, be careful of what you post online. You might think it’s harmless to show casual photos of your home and vehicle, but scammers can use these details to convince your loved ones that they know who you are and where you are, and that they intend to harm you if your loved ones don’t pay up.
How it works: You see a social media post or get an email advertising an amazing deal on airline tickets or an all-inclusive vacation to an exciting destination like Paris or Fiji. And it is truly amazing: We’re talking a $10,000 vacation for just $999. How could you say no?
What’s really going on: Like the “free trial” scam, travel scams often have extra costs hidden in the fine print. When they do, the initial fee won’t cover much, and you’ll have to pay thousands in resort fees. Or that confirmation code may never land in your inbox. Either way, the scammer will now also have your credit card info—or ask you to pay through CashApp or Zelle—opening you up to additional theft.
The big picture: The peak time for these kinds of online scams is the summer, when people have vacation on the brain, but they’re also common right before Christmas and New Year’s. Scammers intentionally choose exotic, remote places that would be difficult to get to without their “amazing offer.” Finally, they throw in an expiration date, saying you only have a few days, or even hours, to take advantage of this deal, hoping that a sense of urgency will rope you in.
Avoidance maneuver: Scour the details of the offer before clicking any sort of confirmation button, and also Google the site and/or the email offer to see if anyone warns of fraud. Plus, the email or site will hold plenty of clues that it’s not legit. “Are the images low-resolution? Does the verbiage include spelling errors and grammatical mistakes?” Eaton asks. “These are the telltale signs of a fake online store, site or organization. Delete the email, and don’t submit your personal information.”
Keep in mind that fake websites look like legitimate sites, but reputable e-commerce sites and major airlines, banks and hotel chains use website addresses that begin with https. “The ‘s’ indicates a higher level of security,” Eaton says. “Most scam sites, however, are http, because http sites are cheaper than https sites.”
Empty house scam
How it works: You’re on vacation having the time of your life, and you want to share the joy with your friends and Instagram followers. You post a few photos from Lisbon, announcing, “Next stop, Amalfi Coast!” You don’t think twice about it, but when you get home, your house has been ransacked and robbed.
What’s really going on: Criminals scour social media sites for people posting pictures of themselves out of town so they can find empty residences to burglarize. Some even pay attention to obituaries. This is a scam that exists mostly offline, but it’s your online activity that makes you a potential victim.
The big picture: Criminals search for keywords that indicate you’ll be out of town. For example, it’s pretty common for people to share photos from a bridal shower with the caption, “This time next month, we’ll all be celebrating in Vermont!” But scammers take note and check back when they think you’ll be away. While there aren’t official stats on how many burglaries result from this type of online scam, Eaton points out that 60% of burglary victims were active on social media either daily or multiple times a week.
Avoidance maneuver: Wait to post photos until you’re back, and don’t post information about future events. Otherwise, you’re not just putting yourself at risk. For example, if you’re attending a family wedding, a scammer could identify dozens of people, often in one community, who are out for the night—or out of town for a long weekend—and now they’re potential victims as well.
If you really, really want to share, Eaton suggests changing your privacy settings so only close friends or a specific group can see those photos. As an additional safety measure to avoid an Instagram scam, it’s always a good idea to leave a few lights on and have neighbors collect mail and packages so it doesn’t look like nobody is home.
Elder financial scam
How it works: A loved one becomes a widow. They’re alone and lonely, until another widow finds them on Facebook and says, “I know what you’re going through.” They become fast friends, and then the friend has an emergency—perhaps a sick grandchild or an unexpected car repair—and needs to borrow money immediately.
What’s really going on: This new “friend” isn’t a friend at all—they’re a scammer, of course. They may vanish after the first payment is made, or they may stick around to see how much more they can squeeze out of the unassuming elder. In elder fraud, the scammer might also eventually attempt to take over the elder’s bank accounts and even steal their identity.
The big picture: “Increased concentrated wealth (retirement accounts, pensions, etc.) make seniors a more attractive target to scammers,” says Jason Zirkle, training director at the Association of Certified Fraud Examiners. “Plus, scammers assume that Baby Boomers are more respectful to authority, that widows are lonely and that elders are reluctant to ask for help because they don’t want to be a burden to caregivers.”
Avoidance maneuver: “The best way to protect yourself and your loved ones is to educate yourself on the red flags that can help you avoid becoming a victim,” says Darius Kingsley, head of business practices at Chase. If you suspect this is already happening to someone you know, look for the following signs: a new friend they’re secretive about, changed spending habits, bounced checks after a lifetime of fiscal responsibility or a desire to cash out IRAs and/or change their will.
Make sure the elders in your life know how to stop spam calls and encourage them to get on the National Do Not Call Registry. Seniors can also fill out a Financial Vulnerability Survey, and you can set up an account-monitoring service such as Carefull to monitor their bank, credit card and investment accounts for suspicious activity.
Google Voice scam
How it works: You’ve posted something for sale on Craigslist or Facebook Marketplace, and someone messages you to say they’re interested in buying it. First, though, they need to verify your identity through a two-factor authentication (2FA) code. They’ll tell you they need to protect themselves because of the scams and fake online listings they’ve heard about.
What’s really going on: The 2FA code sent to you via SMS is actually from Google. When you give the scammer your code, they’ll be able to set up an account in your name. “The attackers claim a new Google Voice number that’s tied to your real phone number,” explains Paul Bischoff, a privacy advocate at Comparitech. “Scammers can then use Google Voice to send spam calls and texts under your name, likely without you ever knowing.”
The big picture: The way spam calls show up has evolved over the years. It used to be that the number came up as unavailable or as an 800 number, and most people ignored those. Now the numbers show up as if they’re from your home area code—or sometimes even your home city—which makes people think they’re legit. In the Google Voice scam, the con artist uses your identity to conceal their identity so they can contact people with the intention of ripping them off. Through the link they send, the scammer might also be able to gather other information, and if they get enough, they can open accounts in your name.
Avoidance maneuver: If you’re buying and selling stuff online, stick to the app—for all communication and payment. If you go offline, you won’t be protected, and you won’t be able to get your money back. This doesn’t work for Craigslist (though they can encrypt your email for you), but it works for most online selling platforms.
Additional reporting by Meghan Jones.
- FTC: “New Data Shows FTC Received 2.8 Million Fraud Reports from Consumers in 2021”
- Jason Glassberg, co-founder of Casaba Security
- Christine Durst, author and internet fraud expert who has consulted for the FBI and the FTC
- Dave Marcus, director of security research and communications at McAfee
- Steven J.J. Weisman, an expert in scams, identity theft and cybersecurity
- Monica Eaton, COO of Chargebacks911
- Brian Yoder, cybersecurity consultant
- Statista: “The U.S. States with the Highest Rates of Burglary”
- Jason Zirkle, training director at the Association of Certified Fraud Examiners
- Darius Kingsley, head of business practices at Chase
- Paul Bischoff, a privacy advocate at Comparitech