



How to spot a scam: 14 red flags to watch for

May 23, 2019 · 7 mins

Does your security awareness training program help your employees learn when someone is trying to scam them? It should.


I recently received an email from yet another victim of a Craigslist scam. It’s one of the hundreds I’ve read over the last 20 years. In this case, he was selling a valuable cactus plant. The email thread he sent me had all the classic scam tip-offs. The scammer agreed to pay full price and cover shipping, but then had a sudden death in the family: the person who was supposed to pick up the plant and pay in cash. This type of emotional pull is called a stressor event.

The scammer said he needed the seller to accept an “emergency” check for larger than the sales price, and then send the overage to someone else to complete the transaction. Anyone in our field would know this was a scam, but only because we’ve seen it before.

What fools the victims is that they mistakenly believe that they are safe once they deposit the check and the bank clears it. This is not true! The bank can reclaim the money at any time if it doesn’t get it from the fraudulent check. “Cleared” in the banking industry doesn’t mean safe to spend.

The banks are up-front about what their initial “clear” means, and they are under a lot of pressure to let the people who deposit checks spend “their money” as soon as possible. Still, I wish that when a bank confirms a check has cleared, the check depositor no longer needed to worry. When transactions, checks and bank accounts can be checked in seconds, why is it taking two to five days to verify if a check is truly valid? It isn’t a technological reason…or it doesn’t have to be. Unfortunately, this is unlikely to change soon.

Defending against scams starts with awareness

I’ve interacted with hundreds of people who have lost money. Many are smart and excel at their jobs. Victims come from every slice of society, including doctors, lawyers, engineers, Nobel Prize winners, mechanics and even IT security workers. So, don’t shame victims thinking that they were dumb or a patsy. Intelligence has nothing to do with it.

The deciding factor whether someone can be scammed is awareness of the scam presented to them. Many people have no idea that Microsoft doesn’t call you to let you know your computer is infected with a virus. Most don’t know that they can still be held responsible for a “cleared” check.

The number one scam defense is awareness education. Banks are doing it. Employers are doing it. Craigslist is doing it. Many people and businesses try their best to inform people about the various scams. Consider adding the following information to your company’s security awareness training program.

Types of scams

Here are a few examples of the most common scams I’ve seen.   

Business services scam

Someone on Spiceworks, a very cool and technical computer-related blog, needed help to determine if a proposed business deal was a scam. He and his wife run a small business, usually advertising online and interacting with nearly every customer online. They got an email request for work to be performed for someone that contained five common scam email techniques, including the claim, “I’ve been scammed in the past, so I want to do things a little bit differently.” This always equates to some bogus transaction method.

Everyone told him and his wife to run away from the scam. I always say, “When in doubt, chicken out!” I also have other ideas I’ll share below.

Rental scams

My daughter is looking for a new place to rent and received a scam email. I was not aware of this type of rental scam, but she was skeptical enough to send it my way to see if I thought it was a scam. It was.

The emailer said he owned an attractive property and he was not only offering lower-than-market monthly rent terms, but my daughter’s deposit and every month’s rent thereafter would go toward actually owning the house (“without having to pay unnecessary taxes and fees to the greedy banks”). The “landlord” told my daughter and her husband to drop by the house and look in the windows. He said they would see for-sale signs in the yard, but to ignore them because the “landlord” had been scammed by the real estate firm and no longer wanted to do business with that firm. Further, the “landlord” was out of the country on National Guard tour of duty and would be unable to show them the house. Wow! Who could have guessed?

If my daughter and son-in-law needed any more proof, they could look at his email address. It was an email address that “exactly” matched the legitimate owner on record using an domain. We know how official that is, right?

Romance scams

I continue to get email from friends and family members about romance scams. A lot of lonely hearts are being scammed. Romance scam victims will give away every cent they have, break every long-lasting friendship they have, and break off contact with any skeptical family members until the money and assets are gone. Even then, they still have hope that their online lover will come through.

Wire fraud

Wire fraud shows no signs of abating and appears to be growing. Several cities and businesses have been scammed out of millions of dollars this year alone. Google admitted to being defrauded out of tens of millions of dollars from fake Dell invoices.

How to spot a scam

Here are 14 red flags that any scam awareness training should cover:

  1. Buyer’s willingness to pay full price without haggling and pay shipping and other costs
  2. Landlord’s inability to show you inside of property
  3. Scammer uses unusual stressor events, including:
    • Claim that transaction must happen ASAP or the deal is off
    • Claim you must take a check and no other payment method will work
    • They want to send you a check for more than what is owed and have you remit the excess to someone else
    • Death of a family member is impacting the deal somehow
    • You will be arrested if you don’t send money now
    • Someone in your family is hurt, arrested, or detained and so you need to send money
  4. They offer to let you pay in gift cards
  5. They are out of town so they can’t meet with you
  6. Claims of having been scammed by previous buyers, so they want to do the transaction in a strange, unexpected way that, if examined, gives them every opportunity to financially benefit
  7. Adamant that you must use their escrow person for payment
  8. Adamant that you must send them your banking or identity details to get payment
  9. Adamant that they will not use the online service’s mandatory payment service
  10. Cannot take your phone call
  11. You can’t find their company name or email address on the internet
  12. Their company name is very similar to a very well-known, global company name, but not quite the same (e.g., P&G Printing, GE Electricians, Amazing Books)
  13. A request that you need to send them money so they can send you even more money
  14. They are in love with you, but for some reason, just can’t speak to you on the phone (or take a picture showing today’s date on a newspaper)

I’m sure there are dozens of other signs that you and every person in the world should be aware of, but this list of red flags is a good start.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
