The worst online scams and how to avoid them

A laptop displaying the warning "scam alert!"
(Image credit: Rawpixel.com/Shutterstock)

Have you ever received an email from an acquaintance or relative who claims to be stuck overseas and asks for $2,000 to settle up his hotel bill because he's been robbed?

Or maybe you've received a text message from a customer-service agent, congratulating you because you've just won a free cruise to Jamaica. All you have to do is pay a $200 processing fee to claim your prize.

While you might think you're way too smart to ever fall for these and other internet scams out there, the crooks think otherwise. Swindling you out of your hard-earned cash is very lucrative for cybercriminals, which is why such scams continue to proliferate.

Here are the most common internet and telephone scams and how to avoid them. If you think you've fallen for any of these, contact the FBI's Internet Crime Complaint Center.

1. Advance-fee fraud

A criminal who perpetrates an advance-fee fraud promises you money, products or services if you'll only pay a small fee. The crook then offers you a chance to benefit from a special opportunity, tells you that you've got lottery winnings you didn't know about, asks you to help them get money out of a country experiencing unrest or, ironically, even helps the authorities catch thieves. 

But no matter what the crook calls this fee, they and your money will be long gone before you even know you've been scammed.

The best-known such scheme is the "Nigerian prince" con, also known as the "419 scam" because of the corresponding section in the Nigerian criminal code. It's a variant of the classic Spanish prisoner scam, which dates back centuries.

In the 419 scam, the criminal contacts his target, or mark, via email, instant message, a social network or even snail mail. They ask the mark to help move millions of dollars out of a foreign country into a U.S. bank, on behalf of a person who is being held prisoner, recently came into a large inheritance or otherwise can't access funds that are rightfully theirs.

The mark is asked to pay a "fee" — at least several hundred dollars — upfront so that the larger sum can be transferred. The mark is promised a sizable percentage of the total funds once the transfer is completed. But the big money never materializes, even though victims may be asked to cough up even more cash to cover supposedly unforeseen obstacles and fees as the con artist draws out the process.

The best thing to do if you receive such correspondence is ignore it. Don't send money and don't give anyone your banking information.

2. Remote-impersonation scams

Some scammers victimize people who are only trying to help someone they think they know. That's when you get the email from that old acquaintance, stuck overseas without a passport or wallet. Or when a retirement-home resident gets a call from someone claiming to be his or her nephew or grandchild, asking for help in posting bail. Likewise, you may get a text impersonating your child asking for money.

Don't believe it. If you're truly concerned — and who wouldn't be? — tell the caller or emailer you need to check a few things first. Then contact everyone who knows that person better than you do and see if the story is true.

3. Romance scams

Con artists can also cultivate fake online romances with their victims, then ask for money for travel, medical emergencies or other debts. Such scams often begin with an encounter on social media or a dating platform, and the other person seems wonderful. However, they never seem to be able to meet you face-to-face, or even hold a video chat.   

If you begin a relationship with someone you've only encountered online, and that person suddenly asks you to wire money, send cryptocurrency or gift cards, purchase them an airline ticket or cash a check, it's time to break off contact.

4. Disaster relief/charity/dying baby scams

Scammers often piggyback on natural disasters or tragedies of a more personal nature to fleece unsuspecting victims.

One email scam was run by crooks who borrowed the legitimate #BringBackOurGirls social-media campaign, which aimed to free 200 Nigerian schoolgirls kidnapped by Islamist rebels. The email writer claimed to be the mother of two of the girls, but it was just an old-fashioned con.

Another case involved a young couple who solicited donations online for a baby that wasn't sick after all. Following a devastating typhoon in Southeast Asia in 2013, scammers sent typhoon-related emails asking for donations. More charity scams sprang up in early 2022 following the Russian invasion of Ukraine.

To protect yourself, don't respond to unsolicited email requests from supposed disaster victims. Be wary of donation requests or videos posted on social media by alleged victims. 

If the solicitation comes from a charity, look up the organization to see if it's legit — and then donate through its website or by calling its telephone number. Never give out personal information to strangers via phone, text or email.

5. Sextortion scams

Sextortion, or sexual extortion, begins when an attacker gets hold of, or even surreptitiously takes, sexually explicit photos or videos of someone, and threatens to release them if that person doesn't give into the blackmailer's demands. 

Crooks have used Skype to trick victims into performing online sexual indiscretions, which were recorded and used for blackmail. Creeps have broken into victims' Facebook accounts, found nude photos, then threatened to post the photos online unless the victims sent more nude photos. In one famous case, a hacker turned on computers' webcams while victims were nude, then showed them the recordings and forced them to send more images.

To avoid becoming a victim of sextortion, never text or email explicit photos of yourself or post them online. Once an image leaves your computer or smartphone, you lose control of it forever. Be sure to have a strong, unique password on social-media accounts, preferably with two-factor authentication. And run some of the best antivirus software to stop webcam malware.

6. Account-verification phishing scams

In this type of scam, victims receive legitimate-looking emails, text messages or pop-up windows that purport to be from Apple, Netflix, Facebook, PayPal, LastPass or a bank.

The emails ask the victims to verify their usernames, passwords, credit-card numbers and/or account numbers with the services, and so on. The messages look legitimate, but they're meant to trick users into divulging important personal information so that criminals can steal their identities, hijack accounts or commit other kinds of fraud.

To protect yourself from phishing scams, don't click on web links, especially shortened ones, in email messages or pop-up windows. Phishing emails often have links that don't go where they're supposed to (hover your mouse over the link to check), or have links that are slightly misspelled (mail.gooogle.com) or that have the wrong domain suffix (facebook.cc).

If you get an email, for example, from your bank regarding your account, don't click the included link. Instead, manually type in your bank's URL in your web browser and access your account that way.

Phishing scams can also happen over the telephone, in which case they're called voice phishing or vishing. Don't provide information to anyone who calls or texts out of the blue. 

One brazen new twist on this is the Zelle scam, in which a text message that seems to come from your bank leads to a phone conversation with someone claiming to be a bank employee. The "employee" tells you a crook has moved money out of your account using the Zelle payment app, and that you have to help the employee move the money back in by providing your username and password. Once you do, your money is really gone, and the bank often won't cover your losses.

If a caller claims to represent a specific company, ask for his or her name, then call the company using the phone number on your billing statement or on the company's website. Never call the number provided by the caller.

In this type of scam, which often begins over the telephone, the criminals impersonate police, the FBI, lawyers or the IRS and demand immediate payment of fines. Sometimes the caller says the victims or their family members have active arrest warrants, or that their passport or driver's licenses need to be renewed.

In one case cited by the U.S. Marshals Service, a fake cop told his mark how to pay the "fine" with a prepaid money card. Otherwise, the caller said, the victim would be arrested.

If you get such a call, or receive a similar email message, don't believe it. Instead, check with the agency in question by calling it independently. If there's no such outstanding warrant, overdue payment or fine, report the phony call to your local police. 

Remember — government agencies normally take only checks or money orders, not credit-card or prepaid-card payments. They also won't call you to notify you of important matters, as a phone call doesn't have much legal bearing. Instead, they'll mail you a letter.

8. Unexpected email attachment scam

Some scams trick you into installing malware, which may itself steal money or information. In the email-attachment scam, online criminals will send you unsolicited emails with infected attachments masquerading as unpaid invoices, resumes from job applicants or meeting-preparation notes.

Such scams can be very effective. The 2011 database breach at security-token maker RSA, which led to the theft of secret technology from U.S. defense contractors, began with an infected spreadsheet sent to a handful of RSA employees. 

The technique still works. One of the most prolific banking-Trojan strains pulls the same trick by inserting malware-laden email messages into long email threads involving multiple recipients.

Always beware unsolicited emails, and never open attachments from senders you don't know.

9. Hacked/pirated games/software

When a new PC game is hot, cybercriminals distribute pirated copies. But the activation-code, or "key," generators required to run bootleg games are often malware. 

In other cases, "cracked" games that don't require an activation code are themselves infected, as are the ads on the pages where links to such games can be found. Bitcoin-mining software has been found on pirated games, and even mobile games are not immune from malware.

To avoid this type of scam, you could buy a legitimate copy of the game. But that won't protect you from malware that targets honest gamers, such as the botnet that infected a Twitch chatroom, the ransomware that locked up PC gamers' files or the fake support ticket emails claiming to come from 2K. To stop those, you'll need to run serious antivirus software.

10. Fake antivirus scam

Some scams use the threat of malware infection to con victims out of cash. In the fake-antivirus scam, users see pop-up messages in their web browsers that tell them their computers are infected. The only way to clean the machines, the message says, is to immediately buy and install a specific brand of antivirus software by clicking a handy link.

Sometimes the antivirus software seems to be free, but it will pause midway through the "cleaning" and demand that you pay to finish the job. Even some semi-reputable brands have used this marketing tactic.

Don't fall for it. Not only is the software likely useless, but any credit-card number used to buy it may also be passed on to criminals. The fake antivirus software may itself be malware, and since you've just installed it, it can do whatever it wants on your computer.

If a pop-up window says your computer is infected, close your web browser. If the pop-up disappears, it was fake. If it's still there, make sure it's from the antivirus software you already use. If not, then leave it alone. 

Open your Windows Task Manager by pressing the Control, Alt and Delete keys at the same time, and scan the list of running programs. If you see one that shouldn't be there, right-click it to "end" the "task."

Once that's done, have your real antivirus software perform a full system scan. If you don't have antivirus software, go to our antivirus recommendations page and select a product.

11. Tech-support scam

You, or someone you know, has probably experienced this one. You'll get a phone call from a person claiming to be a computer technician working for Microsoft or another well-known tech company. 

Or you might get a pop-up window telling you that your machine has been infected and to call a toll-free number, or to click a link to start a live chat with a technician.

The "technician" explains that he or she has detected malware on your computer — it's usually a Windows machine, but it happens with Macs and Android devices too — and that you'll need to download software that gives the technician remote access so that the "problem" can be "fixed."

At this point, you should just hang up. If you're worried, call the company yourself, using a phone number you know is genuine.

But if you let the fake technicians in, they'll show you all the "infections" on your machine, often by displaying the event logs of routine processes. They may install more software designed to display lots of "error" messages. Sometimes, the fake technicians will present harmless browser-tracking cookies as evidence of infection.

Then, of course, the caller will want to sell you something — either fake antivirus software, or a cleaning "service" that you absolutely, immediately need to buy to clean your machine.

At this point, you can try to end the call or chat, but remember — you've already given this person access to your computer. We've heard anecdotes of tech-support scammers installing ransomware on the PCs of people who've refused to pay for phony tech support.

It might be better to keep the "technician" on the line while pretending to have computer problems — and then suddenly shut down the machine. Hang up, restart the computer and do a thorough malware scan with real antivirus software.

Remember, a caller who calls you out of the blue, then tells you there's an urgent situation that you need to resolve immediately by buying something, is probably a scam artist. Never give an unsolicited caller your credit-card number or allow him or her to install software on your PC.

12. Premium-SMS and fleeceware scams

Some phone-based scams are more unethical than strictly illegal. Some strains of Android malware secretly sign up users to premium-SMS services, which are common in Europe and can cost up to $50 per month. 

Then there's "fleeceware," in which iOS and Android apps sign you up to subscriptions that quickly become exorbitant once the free trial runs out — sometimes amounting to nearly $100 per week

In both cases, the charges being filed are legitimate, even if the way you were signed up for them wasn't, and you may have trouble getting your money back.

Linda Rosencrance is a freelance writer with more than a dozen years' experience covering IT. Her work has appeared on many sites, including Computerworld, TechNewsDaily, Tom's Guide, and more. She has also worked as an investigative journalist, and has written and published five true-crime books. She lives and works in Boston.