Alison Giordano just wanted to help out a friend, but instead, she almost lost her Instagram account.
The scam was pretty sneaky: A friend messaged Giordano (who, full disclosure, is a friend of mine) on Instagram asking if she could help her win a contest. The friend would send her a text with a link, and all Giordano had to do was take a screenshot of the text and send it back to her friend. Giordano did as instructed. Moments later, she got an email from Instagram saying someone logged into her account from a different location on a different device.
A screenshot that causes your account to be hacked sounds like a lower-stakes but higher-tech version of The Ring, but what happened to Giordano is actually quite simple. There was no contest, and the text didn’t come from her friend. Giordano’s friend (or, almost certainly, someone who took over her friend’s account and was pretending to be her friend) went to Instagram’s password reset page and requested a reset link for Giordano’s account. That prompted Instagram to send a text to Giordano with a link to access her Instagram account. The URL of the link was in the text, so when Giordano took the screenshot and sent it back, the scammer simply entered the URL in their device, and that let them access Giordano’s account — no password or supernatural curses necessary.
Fortunately for Giordano, she saw Instagram’s email almost immediately and was able to get back into her account before the scammer took it over. She blocked her friend’s account, changed her password, and enabled two-factor authentication.
“I was just very naive and trusting,” Giordano tells me. “I felt pretty stupid when all was said and done.”
She shouldn’t have. The Instagram messages came from what appeared to be a friend, and Giordano’s other friends have asked for her help with (real) social media-based contests in the past, so of course she didn’t think much of it. She certainly didn’t think sending a screenshot could compromise her account. Until we spoke, she didn’t even know how it happened — it took me a while to figure it out too, until this tweet warning about this kind of scam clarified things. If Giordano hadn’t seen that email from Instagram, her account might have been lost to her forever and, most likely, used to try to scam all of her friends.
We’d like to think that scams happen to other people who aren’t as smart or savvy as we are. Many people who get scammed believe this, which is why the vast majority of them will never report it: Either they don’t know they were scammed or they’re ashamed to admit that it happened to them.
But it could happen to anyone, including you.
“The reason why these scams work is because some of them are good,” Yael Grauer, content lead for Consumer Reports’ Security Planner, tells Vox. “Even though I think education is important, there’s a reason social engineering is a thing. You can’t be perfect and on guard all the time.”
Scammers prey on our biggest fears and strongest desires. They get better all the time, so it’s worth your time to learn how to recognize their tactics. The mediums scammers use may change, but many of the underlying strategies stay the same — which means the recommendations for how to protect yourself from them do too.
Don’t panic …
When I got an email saying there was a new login to my Twitter account from Moscow, my initial response was abject terror (My checkmark! My DMs! My reputation!). At first glance, the email looked a lot like the login confirmation emails that Twitter actually sends. Even the email address it was sent from was very close to the one Twitter uses for such notifications. I admit that I almost clicked on the account restoration link. Then the adrenaline wore off, and I realized that the email came from “twitter-act.com” and not “twitter.com.” It was sent to my work email, which isn’t attached to my Twitter account, and it had a typo. Most importantly, I remembered that some of my co-workers had gotten similar phishing emails only a few days before. I actually knew to expect this one, but all of that fell out of my head for a few seconds — which was exactly the point.
“It’s really, really hard for us to access logical thinking when we’re in a heightened emotional state, and it’s so hard to get out of that state once you’ve engaged,” says Kathy Stokes, director of fraud prevention at the AARP. “If you feel an immediate sort of visceral, emotional reaction to something coming your way, try to let that be your red flag.”
Scammers know that emotions make their job easier. People get careless or let their guard down, which is why so many scams start with urgent messages asking you to do something immediately: dispute an erroneous charge on your Amazon account, fix your hacked social media account, avoid being arrested by the IRS police by settling a bill that for some reason can only be paid off in gift cards. In almost every case, a legitimate message doesn’t need you to respond within the next 30 seconds. So take that 30 seconds to calm down and think before you click anything.
… and don’t engage
If you get a message or call you weren’t expecting, from someone you don’t know, the best thing to do is ignore it. Even what appears to be a perfectly innocent wrong number text could be something more insidious: someone trying to scam you by starting up a conversation. I’ve gotten a few of those wrong number texts, and while I’d like to think they kept texting me back because of my sparkling wit and impeccable conversation skills, that almost certainly wasn’t the reason.
“Someone texts something important enough for you to tell them it’s a wrong number and suddenly they’re like, ‘You sound like a great person,’” Grauer says. “For the most part, it’s almost always a scam.”
Find your meet-cute somewhere else.
That’s especially true for the texts and calls you know are scams. You may think it’ll be cathartic to respond to those by cursing out the people who are trying to steal your money, but the best thing you can do is block the number and move on with your life. Engaging with a scammer tells them your phone number or email address has a real person on the other end of it, which will only set you up to get more texts and calls and emails.
“The basic rule of thumb is simply hang up, and call whatever enterprise you think called you directly,” Alex Quilici, CEO of robocall-blocking software company YouMail, explains. For example, if your “bank” calls, you should hang up, find the number of your bank on your debit card (or another official source, like its website), and call that number back. “That’s the 100 percent safe way to deal with the issue.”
Even better is stopping scam calls and texts from reaching you at all. Phone companies now offer free spam-blocking services, which can identify and stop potential scam or spam calls. Some services can block potential spam texts: iOS devices have built-in text filters, and Google’s Messages app can warn you if a text seems suspicious.
Don’t give out your password
This should be obvious by now, right? Clearly not, since it’s believed that 90 percent of cyberattacks are the result of successful phishing schemes, where a hacker or scammer poses as a trusted or known source to trick victims into handing over their sensitive information. Some are better than others. I’ve seen some knowledgeable people in my own life fall for email-from-your-employer attacks (they clicked the links, but I hope they all stopped short of giving out their passwords).
That’s why most businesses will tell you that they will never ask for your password, and authentication texts will usually say something like “[Company] will never ask you for this code.” Also, you should really stop using two-factor authentication with texts, which are much less secure — use an authenticator app instead. Google makes a popular one for both iOS and Android.
Scammers love to use social media to find victims, too. If you’ve ever so much as tweeted the word “hack,” you’ll get a series of what I like to call Twitter Scam Reply Guys, who will usually recommend that you contact someone they claim to know who can get your account back, as long as you give them your login credentials and/or pay them (don’t do this).
Know where links are taking you
A common way people get hacked or scammed is through malicious links, often in their email, texts, or DMs. Always check where a link is taking you before you click on it, and only go to websites you trust. That’s easier said than done, of course; it can be hard to see where a link is directing you on a smaller mobile device, and shortened link services may make it impossible to know where you’ll end up. If you get a text from FedEx about a package delivery with a link, for example, you may not realize that the website it’s sending you to isn’t FedEx.
The best thing to do is go to a company’s website directly, rather than through a random link in a text you weren’t expecting in the first place. If you get a text that claims to be FedEx or Wells Fargo, go to FedEx.com or WellsFargo.com; don’t click the link on the text. And definitely don’t enter any of your sensitive information — like your credit card, social security number, or your password — on a site if you aren’t absolutely sure that it’s the site you think it is.
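The check described above can be made mechanical. This is an added example, not code from the article: it takes the brand a message claims to come from and the link it contains, and accepts the link only if its hostname is the brand’s real domain or a subdomain of it. The trusted-domain table and the sample links are constructed for this example; they cover the lookalike the article itself ran into (twitter-act.com) and the kinds of tricks a simple “does it contain the name” check would miss.

```python
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed sample table: the domain you actually trust for each brand a
# message might claim to be from (the article names Twitter, FedEx, Wells Fargo).
TRUSTED_DOMAINS = {
    "twitter": "twitter.com",
    "fedex": "fedex.com",
    "wells fargo": "wellsfargo.com",
}


def hostname_of(link: str) -> Optional[str]:
    """Return the lowercase hostname of an http(s) link, or None if there is none.

    urlparse().hostname already lowercases, drops the port and drops any
    user@ prefix, so 'https://wellsfargo.com@evil.example/' resolves to
    'evil.example', which is where a browser would actually go."""
    parsed = urlparse(link.strip())
    if parsed.scheme not in ("http", "https"):
        return None
    return parsed.hostname


def belongs_to(hostname: str, trusted: str) -> bool:
    """True only if hostname equals `trusted` or is a subdomain of it.

    A substring or prefix test would wrongly accept 'twitter-act.com',
    'nottwitter.com' and 'twitter.com.evil.example'; the label boundary
    (the leading '.') is what makes the comparison safe."""
    return hostname == trusted or hostname.endswith("." + trusted)


def check_link(claimed_brand: str, link: str) -> Tuple[bool, str]:
    """Decide whether `link` really leads to the brand the message claims."""
    trusted = TRUSTED_DOMAINS.get(claimed_brand.lower())
    if trusted is None:
        return False, f"no trusted domain on file for {claimed_brand!r}"
    host = hostname_of(link)
    if host is None:
        return False, "not an http(s) link"
    if belongs_to(host, trusted):
        return True, f"{host} is {trusted} or a subdomain of it"
    return False, f"{host} is not {trusted}; open {trusted} directly instead"


if __name__ == "__main__":
    # Constructed sample messages: (claimed brand, link found in the message)
    for brand, link in [("Twitter", "https://twitter-act.com/restore"),
                        ("Twitter", "https://help.twitter.com/"),
                        ("FedEx", "https://fedex.com.evil.example/track"),
                        ("Wells Fargo", "https://wellsfargo.com@evil.example/login")]:
        print(brand, link, *check_link(brand, link))
```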
Be very careful with payment apps
Overpayment scams — when someone sends you more money than you were expecting and then asks you to give them back the difference — have stood the test of time. They used to rely on paper checks and wire transfers; payment apps have made them even easier.
In fact, peer-to-peer payment apps like Venmo, Zelle, and Cash App have made a lot of scams easier because it’s fairly seamless to send money through them, and those transfers are instantaneous. There’s a reason why those apps tell you over and over again to be sure that the person you’re sending money to is who you think they are: Once your money is sent, you often can’t get it back. These services don’t have the same protections as, say, a credit card or, in some cases, PayPal.
One example of how scammers exploit these apps (and human decency) is to send money to random accounts (like yours), then claim they sent it to the wrong person and ask you to please send the money back. Being nice, you send the money back, only to later discover that the money that was sent to you came from a stolen credit card. Now you have to pay it back — all of it.
If you’re the recipient of extra or unexpected funds, don’t just send the money back to wherever it came from, even if the sender gives you a convincing sob story for why you should. The best thing to do is contact the payment app and deal with the matter through them, rather than directly with whoever sent you the money.
There are ways to protect yourself to a certain extent on these apps. Most will give you a way to verify that you’re sending money to the right person by confirming their email address or phone number first. Use these safeguards. Consumer Reports suggests connecting your peer-to-peer payment apps to a credit card instead of a bank account, as credit cards have more protections for fraudulent transactions. If the app won’t protect you, your credit card company might, though most payment apps make you pay a 3 percent fee on credit card transactions.
It’s also a good idea to put a PIN code on those apps, so even if someone gets into your phone — say, if they ask to borrow it to make an emergency call — they can’t get into your apps and send your money away. This will add an extra step to using your payment app, but an easily remembered four-digit PIN takes about a second to enter and could save you a lot of money.
Don’t use crypto
Even in the best of circumstances, crypto is a loosely (or barely) regulated market that’s as volatile as it is hard to understand. That has helped make it a prime target for scammers and hackers. The decentralized aspect of crypto may be part of its appeal, but it’s a lot less appealing when you check your wallet one day and discover all your apes are gone. Maybe you’ll get lucky and OpenSea will freeze trading of your stolen NFT in time, or Coinbase will reimburse you if your crypto was stolen through its own security flaw. But don’t count on it.
“The advice I give people is that if you don’t understand how it works, don’t get involved in it,” Sean Gallagher, a senior threat researcher at Sophos, says. “Considering that many people who consider themselves educated about crypto still manage to get scammed, it’s probably not a good idea for most people to get into cryptocurrency investing.”
While crypto is relatively new, many people are getting scammed through some of the oldest tricks in the book. Stokes, of the AARP, says she has seen “a ton” of scams where someone gains a victim’s trust and claims they can help invest their money in crypto for a big return. The Federal Trade Commission recently reported that consumers lost $1 billion to crypto-based fraud between January 2021 and March 2022, with most of those losses coming from bogus investment scams — and most of those came from social media posts or ads. And those are just the losses people told the FTC about; again, most people don’t report being defrauded. These days, it’s easy enough to lose money in “legitimate” crypto investments. Why make it even riskier?
Protect yourself from yourself
One way to avoid getting scammed is to preemptively protect your accounts from your mistakes as much as possible. If Giordano had two-factor authentication on her Instagram account, the scammers wouldn’t have been able to get into it through the URL — they’d need the code from her authenticator, too.
There are a few ways you can protect your accounts from getting hacked, including setting up two-factor authentication and using different passwords for everything via a password manager. You can lock things down even more by using hardware authenticators and anti-malware software, which you can get for mobile devices too.
“That’s what security software is supposed to do,” Mark Ostrowski, head of engineering at cybersecurity company Check Point, says. It should protect you from “a lapse in judgment or if the scam is really, really, really, really good.”
At a certain point, your security measures might feel like more trouble than they’re worth. I have to admit, things were easier when I didn’t have to juggle my password manager, two different authenticator apps, and text messages for the accounts where authenticator apps aren’t available. But I’d rather have to take an extra step to log into an account than go through getting hacked and (temporarily) losing $13,000, like I did that time hackers got into my bank account. You never know who has your password or how they got it.
“There’s an ongoing usability versus security thing where it’s not fun, it’s time-consuming, it’s annoying,” Grauer, of Consumer Reports, says.
It’s up to you to decide where the balance between usability and security should be, keeping in mind what you would lose if someone took over your accounts. After that, all you can do is try to keep these tips in mind, hope for the best, and don’t be too hard on yourself if you fall victim to the worst.
“Having a healthy paranoia, I think, is important,” Ostrowski says, before confessing that even he has slipped up and clicked on a few links he shouldn’t have. “I hate to admit it, but I think everybody has, right?”