Photo: Getty Images
We know—you’re too tech-savvy to be fooled by an online scam. But even the smartest among us can fall victim to internet trickery, and we’ve all got those friends and relatives who could use a little extra help with digital security.
The basic rule for surviving internet scams is simple: If it sounds too good to be true, it probably is. A little common sense goes a long way to realizing that you aren’t going to suddenly win the Spanish National Lottery when you didn’t even know you had a ticket.
Here’s our definitive guide to helping you (and your loved ones) stay safe online.
Never, ever click a link to your bank or financial institution from an email
Many security experts would argue that you should never click links in emails, period. Scammers can spoof messages to make them look like they come from sources you trust—yet the links lead to fake websites designed to collect your personal information or force you to download malware.
This advice is especially true when it comes to messages from your financial institutions. Legitimate banks, and services like Paypal, don’t just email people out of the blue asking them to verify their information or reset their passwords. If you receive a notice like this, and you don’t remember requesting it, ignore it. And if you want to confirm that a “new notification” on a financial service is for real, don’t use the hyperlink in the email to log in; type the service’s domain name directly into your browser yourself, and log into your account the normal way to find the message (if it exists).
Before you log into a service’s site, make sure you’ve taken a second to look for the lock icon in your browser’s address bar. Though this isn’t a foolproof way to tell fake from real, it at least gives you a little extra clue that the site your connection to a site or service is encrypted, making the site (potentially) more legitimate.
Don’t give out your passwords
This is obvious, but less tech-savvy people might cough up their passwords if a request appears legitimate. The hard-and-fast rule is that you should never give out any of your passwords, period. This is not something individuals or companies should ever ask for directly. If you get an email or a text message asking you to send over your password for any reason whatsoever, don’t do it. Easy as that.
Use strong passwords (and secret questions)
Plenty of people are still using stupid passwords like “password” and “123456.” Don’t be one of them. If your password is easily guessed (because it contains basic identifying information like your birthdate or your spouse’s name), it won’t even matter if you accidentally give it out. A hacker will crack it in no time.
You’ll want to read our guide on how to choose and remember a strong password and create different credentials for each and every online account you open. If you use the same password for everything, and that password gets leaked during a data breach, your entire online existence is up for grabs. We recommend using a password manager to keep track of your dozens or hundreds of unique logins.
Your password security lesson doesn’t stop there, though. A weak link in your security may be those secret questions and answers that most sites ask you to enter to help you reset your password. Even if your password is tough, your secret question often isn’t—so you should make sure to protect your accounts with strong secret questions. And use two-factor authentication whenever possible, to help thwart someone from accessing your account even if they have your login credentials.
Don’t buy anything from a random email you receive
A good spam filter should catch the obvious stuff, like emails trying to sell you everything from cheap watches to fake male enhancement products. But it’s relatively easy for scammers to pretend they’re from Amazon, just like it’s easy for them to pretend they’re from your bank. The simplest rule is to never buy anything from an email. You could maybe make an exception for email newsletters from sites you trust, but at the very least make sure that you aren’t clicking on anything from an unsolicited message.
You can always go directly to Amazon or whatever e-commerce store you’re interested in—type that address right into your browser bar—and search for the product they’re advertising.
Watch out for job postings that look too good to be true
If you’re job hunting or just looking for a way to make some extra cash on the side, be very skeptical of positions posted on sites like Craigslist. It’s not that Craigslist isn’t an OK place to look for gigs, but you have to be careful of scammers lurking to take advantage of unsuspecting victims.
Those jobs that say you can “Make $50+ / hour working from home!” or “Mystery Shopper Needed!” and promise tons of money for almost no work—yeah, they are completely fake.
A huge red flag is any job involving Western Union, Moneygram, wire transfers, money orders, or dealings with any financial transaction. Scammers will ask you to deposit a check or money order and wire transfer the money back to them—and it’s not until later that you find out it was a forgery. Generally speaking, if someone is asking you for money in exchange to give you even more money, a wonderful prize, or something like that, ask yourself: Why are they being so generous? Doesn’t that seem incredibly strange?
Do not give out your personal info or Social Security number
Online retailers (and most other services) don’t ask you to enter your Social Security number as part of the login or account-creation process (unless you are applying for credit, for example, which is another topic entirely). You should also be very suspicious of websites that ask you to re-enter your personal information—especially if they appear to be websites that should already have this information on file, like your bank. Be very careful not to divulge your information to anyone online (even innocent information, like your birthday).
Take advantage of your browser’s security features
Web browsers (Chrome, Firefox, etc.) have built-in features for checking security certificates from trusted websites—click on the lock icon to see all the information about the certificate, including whether it’s valid, who issued it, and where.
Browsers will also generally alert you if you’re trying to access a malicious site or download a dangerous file.
Ignore website popups that say you have a virus
Get yourself an ad blocker, either built into your browser or via a third party. If you are seeing popups or ads as you surf, don’t click on them. Any message that’s scary or has a sense of urgency—your PC is infected with a virus and you need to download this software RIGHT NOW—is a scam.
You can also use antivirus software to detect and prevent viruses and a VPN to anonymize your data as you browse. Aren’t sure which to choose? We’ve got a few favorite antivirus apps and some tips for picking a trustworthy VPN.
Even if you already do all of these things (and more) to protect yourself from internet scams, take a few minutes to share these tips with your loved ones. You can’t be too careful when it comes to privacy and security online.
This piece was originally published in 2009 and updated in January 2020 with the most current information.