It just never ends. No matter how much publicity these scams get, no matter how many years old the internet is, people still hand over their money to scammers.
It doesn’t matter how old you are; last year, in fact, more consumers age 20 to 29 reported losing money to fraud than the over-70 crowd did.
It doesn’t matter how powerful or educated you are, either. Just ask Hillary Clinton campaign manager John Podesta, who exposed the campaign’s email stash by falling for a phishing scam.
Hackers stole $172 billion from consumers in 20 countries in 2017, according to Norton; 2.7 million Americans reported some form of fraud to the Federal Trade Commission. (Top states: Florida, Georgia, and Nevada.)
Most internet scams are fundamentally the same. They prey on one of two human weaknesses:
- Greed. Someone offers you something you want for nothing. It’s usually money, but it might also be male sexual prowess, weight loss, or a cure—for baldness, herpes, cancer, cellulite, heart disease, diabetes, or deafness.
- Fear. They email you about a problem with your computer, with your bank account, with your Apple (AAPL) or Amazon (AMZN) account. You click a link, you wind up on a fake login webpage, and boom — you’ve just handed over your password.
Here’s a shocker: Not everything you read on the internet is true. And so, for your own entertainment and education, here they are: 9 internet scams we’re still falling for.
1. The classic phishing scam
As of the first quarter 2018, phishing scams represent about half of all cyberattacks, according to the security firm RSA. Phishing scams were the third-most common type of internet crime reported in 2017, according to the FBI.
Why is it getting worse? Scammers are making their phishing attempts seem more plausible to suckers like us by addressing their scams to specific people and making it look like emails come from a trustworthy source — a more targeted approach known as spear phishing.
You get an email or a text message from Apple (or DropBox, Microsoft, Google, your bank, Amazon, eBay, PayPal, Yahoo, etc.) saying that there’s a problem with your account. Or the come-on might be a “Delivery Issue,” “Parking Ticket,” “Canceled Transaction,” or “Refund for Purchase.”
You’re encouraged to click the link to pursue the issue —“or else your account will be suspended!”
If you do click the link, though, you go a fake version of the company’s website. When you then “log in,” you’re actually providing your name and password to those who are fishing for your login information, so they can steal your identity and make your life miserable. (This scam is called phishing because they’re “fishing” for your information.)
Examples of phishing include:
- Whaling, or business email compromise (BEC). These scams often go after employees with access to a company’s internal finances; last year, the FBI’s Internet Crime Complaint Center received nearly 16,000 BEC complaints with losses totaling $675 million.
- W-2 phishing. In this scam, popular around tax time, employees in HR or payroll departments get emails asking for a list of employees and their W-2 forms. This is a type of BEC scam, which the IRS’s commissioner calls “one of the most dangerous email phishing scams we’ve seen in a long time.”
- Holiday gift card phishing. The FBI warned the public about this scam in December. Hey, someone’s sent you a gift card! These scams often lure you into filling out a survey designed to steal your data, according to the FBI.
So how can you defend yourself? The usual advice goes like this: Whenever you get any kind of email from a financial or commercial institution, do not click the link in the email.
If the email comes from a company, open your web browser and type in the company’s address yourself (www.citibank.com or whatever). You’ll discover, of course, that there’s nothing wrong with your account.
Usually, though, you can tell at a glance that these emails are fake. They’re filled with misspellings, typos, and the wording of a non-native English speaker.
But here’s my favorite trick of all: You can confirm that a phishing email is fake!
- Computer: Point your cursor at the “click here” link without clicking.
- Phone: Hold your finger down on the link.
In either case, a pop-up bubble shows you the address of the website that will actually open, as you can see here.
And guess what? It’s not actually Apple/the bank/PayPal/Amazon/your bosses! This time, you have the upper hand.
This kind of cyberattack has also grown explosively in the last couple of years—2,500%, by one estimate by the security firm Carbon Black. You succumb by opening a file you shouldn’t have—an email attachment you’re tricked into double-clicking, for example, or a download from a piracy site.
You wind up with a virus or malware that locks you out of your PC, or encrypts all of your files. A message appears on the screen, letting you know that if you pay the bad guys $700 (or whatever), they’ll happily unlock your files for you. (You’re often asked to pay the ransom in bitcoin, so that the recipient can’t be traced.)
The FBI and security experts encourage you not to pay the ransom; you’ll only encourage more ransomware attacks.
Unfortunately, if you don’t have a backup, your options for getting your files back otherwise are slim. Best bet — yes, you’ve heard this before — is to set up a continuous backup system, accept the latest Windows (MSFT) updates when they come, don’t open emailed file attachments, and don’t download pirated files.
3. The “mugged on vacation” scam
“I’m writing this message to you with great sadness,” says an email from one of your friends. “I was mugged, and all my belongings including cell phone and credit card were all stolen at gunpoint. I need your help flying back home and paying my hotel bills!”
This one’s especially confusing because the message comes from someone you know. (Sometimes, it’s even purporting to be a family member. It may even be a brief phone call instead of an email.)
Needless to say, your friend wasn’t actually in London and hasn’t been mugged.
Instead, the bad guys have planted software on your friend’s computer that sent this same sob-story email to everyone in his address book. (In a variation on this, a scammer takes over your friend’s Facebook profile and sends the message directly from there.)
If you’re even a tiny bit persuaded that this note might be legitimate, it’s easy to find out for sure: Ask a question that a scammer couldn’t answer. Not something easy to find out, like your friend’s name or employer, but something harder to guess, like details of a family event.
4. The fake-check scam
You’re trying to sell something on Craigslist, the free classified-ads site — a bicycle for $300, let’s say. You hit paydirt almost immediately:
“Send me your address, and I will mail you check right away for $1,500 to cover the bike and shipping to me in Germany. Deposit the check, and then send $450 by Western Union to my shipping company.”
Maybe your spider-sense is tingling. But sure enough, you actually do get a money order or certified check in the mail. Fantastic!
Problem is, it’s a forgery. You’ll deposit it, wire this guy $450 of your real money—and a couple of days later, your bank will let you know that the money order was a fake. Now you’ve lost your bike and $450.
Three big clues that you’re being targeted: (a) The offer is for more than you’re asking; (b) you’re supposed to send your item to another country; and (c) you’re asked to use the other guy’s shipping company.
Fraud.org says that internet-merchandise scams represent a third of all reports it gets. If you’re going to buy anything online, pay by credit card (because if it’s a ripoff, the bank pays instead of you). And compare the price with the same kind of thing on, for example, Amazon. That way you’ll know if it’s too good to be true.
5. The you’ve-won-the-sweepstakes scam
Hey, wow! You just won an overseas sweepstakes — one that you never even entered! How lucky can you be?
And get this — once you supply your mailing address, you actually do get a check for a huge amount of money! They tell you to deposit it, but in the meantime, send them a check for a couple hundred bucks to cover processing fees and taxes.
Only one problem, which you can probably see coming down Sixth Avenue: Their check was bogus. Your check is real. The only one who made money from this “sweepstakes” is the scammer.
Similar cons: “You’re pre-approved for a credit card!” “You’ve landed a great job!” “You’re invited to a great investment!” “You owe money on a debt you didn’t know you had!”
All told, last year the FBI and the FTC received complaints about sweepstakes and lottery scams from 145,881 Americans with losses of nearly $112 million. The Better Business Bureau calls these tricks some of “most serious and pervasive frauds operating today.”
6. The Nigerian email scam
Yes, people still fall for the Nigerian scam (also called the 419 scam, a reference to a Nigerian law code). A lot of people; 350,000 people reported this and other impostor scams to the FTC last year, losing $328 million. Commence mass forehead-slapping.
It comes to you by email:
“I am Mr. Paul Agabi,” it says. “I am the personal attorney to Mr. Harold Cooper, a national of your country, who used to work with Exxon Oil Company in Nigeria. On the 21st of April, my client, his wife and their only child were involved in a car accident. All occupants of the vehicle unfortunately lost their lives.”
Amazingly enough, rich dead guy left behind millions of dollars — and your correspondent wants you to have it! If you’ll help Mr. Paul Agabi get those millions out of the country, using your bank account as a parking spot, he’ll share the dough with you.
So you get excited. You write back.
But then a funny thing happens: Mr. Agabi asks you to send some money to him, to cover bribes to officials. It’s only a couple hundred bucks, so you send it.
A week later, there’s another problem — he needs another payment, this time to take care of taxes. You send it.
Then legal fees. Then other fees.
You will never get any money. You will be asked to send more, more, more money until you come to your senses and realize you’re being bilked. Though it has expanded beyond the country of Nigeria, it is still called the “Nigerian” or “419″ scam (named for the section of the Nigerian penal code it violates).
7. The soulmate scam
The FBI says that “confidence/romance fraud” was the second most-reported crime in 2017, after business email compromise crime. You’re on a dating site, and you find The One: gorgeous, witty, and really into you. And this person really wants to meet you — and hints that your first date will be something you’ll never forget. You’re hooked, lined, and sunk.
Oh—but your new love needs a little money for a ticket to come see you.
Oh, and can you help out with his/her rent?
And how does it go when the big night arrives? It doesn’t. Your dream lover doesn’t show up, because it’s not a real person. It’s a stock photo and a con artist, usually in Nigeria or Russia, who’s been playing you.
8. The “infection detected” scam
This one, also known as the tech-support scam, is often run out of call centers in India, and it’s a doozie. “Reports of computer tech support scams have exploded in recent years,” says the Better Business Bureau. The FBI’s Internet Crime Complaint Center and the FTC got a combined 41,000 complaints last year, from Americans bilked of $21 million.
You’re on the web, when a pop-up message appears, claiming that your computer might be infected by a virus. You’re invited to click a link that will scan your system for infections. Surprise, surprise — the scan discovers one!
And for the low, low price of $50 (or $300, or $500), this mysterious remote company will clean up your PC for you.
If you fall for it, you’ll spend the money and not get a cleanup — in fact, you may wind up with a fresh installation of spyware. Of course, there was nothing wrong with your computer to begin with.
9. The bogus charity scam
Every time there’s a disaster — a hurricane, an earthquake — millions of people, grateful to be safe and concerned for the victims, want to help.
And a few people want to cash in.
The IRS added the fake-charity scam to one of its “dirty dozen” of the nastiest frauds last year, and no wonder: it punishes people who are trying to do good.
If, in the aftermath of a disaster, you get an email seeking money to help the victims, don’t click. Instead, go directly to the website of a charity you know, and contribute there!
The IRS also offers this advice:
- Be wary of charities with names that are similar to familiar or nationally known organizations.
- Ask for the charity’s Employer Identification Numbers (EIN), and check it against the IRS’s list of legitimate Tax-Exempt Organizations list.
- Don’t give your Social Security number or any passwords! No legitimate charity needs that stuff.
- Pay by check or credit card — never cash — so there’s documentation of the gift.
Human, meet internet
None of this is new. None of this is surprising. The internet may be the latest conduit for scams, hoaxes, and frauds — but the greed, fear, and hope it exploits are as old as homo sapiens.
But here’s the thing: homo sapiens means “wise person.” You have brains, too. Use them to steer clear of anything that’s too good to be true.
Spread the word, will you?
David Pogue, tech columnist for Yahoo Finance, welcomes comments below. On the web, he’s davidpogue.com. On Twitter, he’s @pogue. On email, he’s email@example.com. You can sign up to get his stuff by email, here.