The field guide
Spot it.
Stop it.
Report it.
Scammers run a few dozen plays on millions of people. Once you know the plays, the same email that would have fooled you yesterday looks ridiculous today. Read this once. Send it to one older relative.
Six red flags that work every time
"Your account will be closed in 24 hours" — real companies never do this.
These are unrecoverable. Nobody legitimate will ever ask for them.
"PayPal Security <pp-secure-team@mailserve.io>" — look at the part after the @.
From a dating app to WhatsApp. From LinkedIn to Telegram. Always a tell.
Unsolicited remote jobs paying $80/hr, refunds you didn't request, inheritances from strangers.
"Don't tell anyone, even your bank." Always the scam. Always.
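The "look at the part after the @" check from the list above, as an added Python example that is not part of the original guide. The brand-to-domain table and every sample header except the PayPal one quoted above are constructed for illustration; a real filter would need a maintained list of each brand's sending domains.

```python
from email.utils import parseaddr

# Assumption for illustration: brand keyword -> domains that brand really sends from.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "examplebank": {"examplebank.example"},  # constructed placeholder brand
}

def domain_matches(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def check_from(header):
    """Return (verdict, reason) for the value of one From: header."""
    display, addr = parseaddr(header)
    if "@" not in addr:
        return "suspicious", "no parseable sender address"
    # Only the part after the last @ says where the mail claims to come from.
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    # The display name is free text; a sender can type any brand into it.
    claimed = [b for b in BRAND_DOMAINS if b in display.lower()]
    for brand in claimed:
        if not domain_matches(domain, BRAND_DOMAINS[brand]):
            return "suspicious", f"name claims {brand}, address is at {domain}"
    if claimed:
        return "consistent", f"{domain} belongs to {claimed[0]}"
    return "unknown", f"no listed brand claimed; sender domain is {domain}"

# First header is the one quoted in the guide; the rest are constructed samples.
SAMPLES = [
    "PayPal Security <pp-secure-team@mailserve.io>",
    "PayPal <service@mail.paypal.com>",
    # Brand domain used as a prefix of someone else's domain.
    "PayPal Billing <billing@paypal.com.account-verify.example>",
    # Display name dressed up to look like a real address.
    '"service@paypal.com" <alerts@mailserve.io>',
    "Aunt Carol <carol@family.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        verdict, reason = check_from(header)
        print(f"{verdict:<11} {header}\n{'':<11} -> {reason}")
```

A "consistent" result only means the name and the address agree; the From address itself can still be forged, so the verify out-of-band step in the playbook still applies.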
The personal-defense playbook
- 01
Slow down
Urgency is the entire game. Real organizations expect you to take a beat. Wait one hour before clicking, calling, or paying anything. Most scams die in that hour.
- 02
Verify out-of-band
Never use the phone number, link, or email reply-to in the message. Open a new tab and type the company's domain yourself. Call the number on the back of your card. If the FBI ever "calls," hang up and call your local field office directly.
- 03
Lock down your accounts
Turn on two-factor authentication everywhere — but use an authenticator app, not SMS, for your email and bank. Your email is the master key; protect it like cash. Use a password manager so every site has its own password.
- 04
Freeze your credit
Free at all three bureaus (Experian, Equifax, TransUnion). Takes 10 minutes total. Stops new credit being opened in your name. Unfreeze briefly when you need to apply for something.
- 05
Assume your phone number is public
Because it is. Anything texted to you that includes a code, link, or money request gets verified separately. Anything calling you with caller-ID matching your bank is suspect — banks fake their own caller ID all the time, and so do scammers.
- 06
Report — even if you didn't fall for it
Reports are the only way patterns get caught early. Forward to SlamThatScam, file with the FTC, and warn one older relative. That's the public good. That's the slam.
If you already got hit
- Call your bank immediately. Use the number on the back of your card. Dispute the transaction. Ask for a new card number.
- Change passwords for any account that may be compromised — start with email, then bank, then everything reused.
- Freeze your credit at all three bureaus if anything personal was exposed.
- File reports (see below) so the case enters the federal record. Even small losses help build patterns.
- Tell people. Embarrassment is the scammer's last weapon. Naming what happened protects the next person.
Where to report a scam
File in more than one place. Each agency catches different patterns.
For online crime, especially wire fraud, ransomware, business email compromise.
Go to FBI IC3 →
Call the number on the back of your card. Dispute charges within 60 days for chargeback rights.
If your SSN or ID was exposed, freeze your credit at all three bureaus. Free, takes 10 minutes.
Go to AnnualCreditReport.com →
Forward phishing emails as attachments. Used by browsers and email providers to block sites.
Go to ReportPhishing@apwg.org →
Forward the scam to us. We scrub your info and publish a public warning so the next target Googles it and finds the truth.
Go to SlamThatScam →
Slam the next one
Forward any sketchy email or text to report@slamthatscam.com. We strip your personal info, extract the scam, and publish a public warning in seconds.
