Wrong Numbers, Fake Invoices, and Catfishing: How to Spot and Avoid the Top Internet Scams

Our phones have made us hyperconnected. You can use them to check your email, answer calls, respond to text messages, chat on any number of platforms, check your dating profile, and so on. All those means of communication are increasingly being taken over by online scams.

“​​The internet is a wonderful thing,” long-time cybersecurity analyst and independent journalist Graham Cluley told me in an email interview. “But it’s also home to many, many criminals and fraudsters.”

With that in mind, we’re here to walk you through some of the most common internet scams so you can avoid falling victim to them.

---

How Scams Find You

In a video call, Bogdan Botezatu, Bitdefender’s director of threat research, warned that despite the numerous ways scammers go after their targets, spam email remains the most prevalent. Using telemetry from Bitdefender customers, Botezatu was able to give me a high-level view of what email scams people are most likely to encounter. 

“We have seen that roughly 96% of worldwide email traffic was spam,” said Botezatu, citing statistics from June 2020 to 2021. He explained to me that much of this was commercial spam—harmless, if irritating advertisements. Of the spam that was in some way malicious, the most common type was phishing messages, which aim to convince targets to simply hand over important information by pretending to be a company or authority figure. The least common type was spam that included malware. Extortion spam—where the attacker claims, usually falsely, to have obtained explicit photos or videos of the target—was right in the middle.

“We have seen spam evolving and sticking to us for the past 20 years,” said Botezatu. “These kinds of attacks are here to stay.”

Email is an enormously popular vector for scams, but SMS text messages and phone calls are also frequently used by scammers. You probably know this instinctually. When was the last time you received a phone call or text message from someone not in your address book that wasn’t a scammer or telemarketer? 

“You’re not paranoid, they are after you.”

Security companies like Bitdefender and Sophos primarily sell products that sit on machines and watch for dangerous files, links, and emails. That gives them limited insight into scams happening on social media, dating sites, or messaging platforms. Botezatu shared with me some new data from Bitdefender’s Scam Alert feature, which is included in its mobile application and is currently running on about 1 million devices. Of the unwanted messages Bitdefender detected on mobile, Botezatu said they were 44.9% spam, 4.8% phishing links, 6.6% malware, and 0.4% fraud attempts. 

Some of these scams originate on social media, where an attacker uses a fake or hijacked account to make contact with a target. The FTC reported in early 2022 that these attacks siphoned at least $700 million from targets in 2021, with the caveat that many scams go unreported.

In my video call with Chester Wisniewski, Principal Research Scientist at SOPHOS, he pointed out the limitations of hard data for scams. “It’s impossible for me to give you a feel for how prevalent [these attacks] are, except we do hear from a lot of victims after they are being socially scammed,” he told me.

Phishing sites are designed by attackers to trick targets into supplying personal information.
(Credit: PCMag)

Social media—such as Facebook, Twitter, Instagram, etc—can be particularly attractive to scammers because their targets volunteer lots of personal information in their posts and profiles. A scammer might know your bank, that you’re on vacation, or the names of your friends and family and use that information to craft a more convincing approach.

Scammers will make use of whatever means are available to contact people making use of messaging services like WhatsApp, Telegram, and so on. In the brief time I was using WhatsApp while reviewing it for PCMag, I was surprised how many scammy messages appeared in my inbox. 

---

Wrong Number (But Not Really) Scams

A common tactic is the “wrong number” scam, with which you are likely very familiar. In this attack, the scammer sends a seemingly innocent or flirtatious text message to their target, and then declares, “Whoops, wrong number.” The apparent serendipity is meant solely to get you to interact with the scammer, Wisniewski told me.

From the faux-accidental introduction, the wrong number scam can go in a number of different directions. For a crypto or investment scam, Wisniewski told me the scammers might pivot into offering you the “deal” they had intended for someone else. It can also veer into a romance scam, where the scammer tries to strike up a friendship or romantic relationship with the target.

Wisniewski told me that some wrong number scammers convince their target to download a malicious app. That’s doable on an Android device, but Wisniewski explained that scammers have developed a tactic for iOS as well. For iPhone users, scammers have been abusing the TestFlight app on iOS. Normally, the app developers beta test their apps. Scammers use it to convince targets to install malicious applications on their devices, avoiding Apple’s review process.

“I have been contacted by a worrying number of women who genuinely believe that they are having an online romance with Hollywood hardman Jason Statham.”

Disconcertingly, sometimes the scammer isn’t actually trying to scam their target—at least not yet. In her look at wrong number scams, PCMag’s Chandra Steele wrote, “Then there are times when the misdirected text conversation goes nowhere, but that doesn’t mean that the receiver has escaped scot-free. If they responded, they are likely on a list of active numbers that the scammer will hold onto for future attempts or will sell to others of their ilk.”

Like most scams, the wrong number scam can rely heavily on social engineering. Instead of relying on exotic software vulnerabilities or even carefully crafted phishing pages, a scammer will use social engineering to simply convince a target to provide some information or take some action. In the wrong number scam, the scammer relies on a rapport with the target, but other social engineering scams will have the scammer posing as an authority figure—like a CEO or government official.-

---

War as a Scam

Whether you’re hoping to score the hottest Prime Day deals, find out the latest COVID-19 information, or simply pay your taxes on time, scammers have figured out ways to capitalize on the internet’s omnipresent status in our lives. Scammers are also savvy and will quickly change tactics. “We see lots of experimentation,” remarked Wisniewski. “They’re almost A/B testing,” he said, referring to the web development practice of testing different site layouts to see which performs better. One such example were scams related to Russia’s invasion of Ukraine. Both Wisniewski and Botezatu said that these scams were rare, but significant.

Exploiting empathy is nothing new for scammers. In 2021, the FTC reported that it had shut down a robocall charity scam that went after 67 million individuals. After ten years and over 1 billion robocalls, the bad guys reportedly netted $110 million in fake donations. 

“[It’s] not that prevalent, but important in the geopolitical context,” said Botezatu. Bitdefender’s research showed that these were mostly spam emails asking targets to send bitcoin donations directly to scammers’ digital wallets. Botezatu said that scammers used the names of familiar organizations, such as CNN or the BBC, to give legitimacy to their efforts.

Botezatu was able to examine how much crypto was being harvested by examining some of the wallet addresses used in the scam. In one week, he saw $20,000 worth of crypto moving through the wallets he could monitor. “It’s a very lucrative business, which is why criminals continue to use them even seven months into the war,” said Botezatu.

“That’s why we hate this kind of business so much,” said Botezatu. “Playing people to fill your account on behalf of a real war and suffering is something I don’t take very well.”

Perhaps lucrative but not widespread. According to Wisniewski, Ukraine-related scams peaked in February of 2022 and then quickly dropped off. “When I talk about scams, members of the public reach out a lot,” said Wisniewski. People who have seen the scams or fallen victim to them recognize them and say something. “When [Sophos] did publish a few of the Tweet threads, there was almost no response from the outside.” 

Still, the scams are making some impact. “I no longer get Russian bride scam emails,” said Wisniewski. “I now get Ukrainian bride scam emails.”

The war in Ukraine has produced an enormous amount of online disinformation, so for anyone looking to support causes that they care about, Botezatu said to ignore unsolicited requests. “Find a legitimate organization that you have worked with or has a big presence in your area.” Otherwise, Botezatu warned that your well-intentioned dollars could go towards cause you don’t like “Behind the scam, there could be anybody.”

---

Fake Invoice Scams

Scammers are not only quick to change how they disguise their scams, they also change tactics. “The trend is toward having you retrieve the bad thing instead of them sending the bad thing in,” said Wisniewski. He described a “fake invoice” scam, where attackers send their targets emails posing as a bill or invoice of some kind. These emails don’t have malicious attachments or even phishing links. Instead, they simply include a toll-free number. “You have to call the criminals on the phone, who tell you to go to a [malicious] URL.”

Coincidentally, I had received just such a scam message shortly before I spoke with Wisniewski. The email message was titled “Membership Renewal Receipt Attached,” followed by what appeared to be an account number. Attached to the email was an official looking invoice from NortonLifeLock with the day’s date and a charge for $349.99. In large, bold letters, the message said I could contact customer support by calling a number. 

(Credit: PCMag)

This was a clever attack, partly because I do have a working relationship with NortonLifeLock and manage subscriptions to its products for reviews, but mostly because it required me to call a number to start the attack. It also takes advantage of urgency and money—the target probably wants to get rid of this large charge as quickly as possible.

Wisniewski told me that scammers are likely embracing this tactic because of security features in commercial email services. “[Email providers all have] reasonably good filtering for keeping this stuff out of your mailbox when there’s a file attached that’s really dangerous,” Wisniewski told me. “But if they can convince you to go out and retrieve the dangerous thing, they’re getting around the email filter.”

We saw what might be the most elaborate version of this scam earlier in 2022, when a UK resident received a USB stick in the mail that appeared to be from Microsoft. When they plugged it into a computer, a fake antivirus message appeared telling the recipient to call a tech support number. On the other end of the phone was a scammer, who then tried to get the caller to install remote control software onto the computer.

---

Costly Cryptocurrency Scams

The rise of cryptocurrency has made an enormous impact on online scams. At first, it was merely a means for bad guys to gather money directly from their targets without having to rely on intermediaries who might cut off their efforts. Perhaps because cryptocurrency is now more widely known, scammers are getting more creative with their crypto scams.

For example, Botezatu told me that Bitdefender had seen an enormous uptick in scams where the bad guy might try to convince their target to purchase a bogus cryptocurrency or enroll them in contests where the target pays .1 BTC to receive 1 BTC in return.

“It depends how you feel about cryptocurrencies, but I consider all of them to be a scam,” quipped Wisniewski. “However, if we pretend that they’re legitimate, then there’s the rug-pull scams and other ways people try to get people to invest in them.” But some, he pointed out, don’t actually involve crypto payments. 

He gave examples of fake invoices from crypto exchanges or NFT companies that led to phishing forms that lure people into filling in their personal information. In these cases, crypto is just a lure.

---

Love and Money Scams

Scammers often use strong emotions to trick their targets, and few things are greater motivators for the human animal than the desire for love and money.

On the love end, a frequent tactic is the romance scam, a form of catfishing(Opens in a new window). This relies on the very human desire for love and sex to, again, lead targets into making bad decisions. Many of the other scams discussed here may have a romance scam element. Anecdotally, I can say I have noticed many scammers using the “wrong number” tactic on WhatsApp will have a young, attractive woman as a user icon.

What’s particularly insidious about romance scams is that they can be highly personal, and they can go on for a very long time. Ashley Rose, CEO of Living Security, told PCMag’s Kim Key, “Getting to know you, empathizing, really spending that time to build a connection before coming in and asking for a loan, or funding, or an investment. It’s really causing smart, savvy, highly technical people to break down their guard and unfortunately get victimized.”

“Some of the most heartbreaking scams are those where people have been duped into believing they are in a romantic online relationship with someone, which may last for many months, and end up sending large amounts of money to a scammer,” Cluely told me.

“I have been contacted by a worrying number of women who genuinely believe that they are having an online romance with Hollywood hard man Jason Statham.” The Statham scam is widespread enough that Cluley has written about it twice(Opens in a new window) in two years on his site.

When scams don’t offer love, they sometimes offer money, or even just the opportunity to spend money. Wisniewski told me criminals come out of the woodwork for shopping holidays such as Black Friday and the newer Amazon Prime Day. Scammers, he explained, know that people are inundated with ads around both these shopping events and impersonate brands to lead unsuspecting people to phishing sites. These are sites built by scammers and designed to look exactly like trusted brands, such as banks, shopping sites, PayPal, and so on. Targets enter their personal information—even logins—into the phishing site, thinking it’s safe. Really their data is being sent to the scammers.

While shopping scams like this trade on the familiarity of the brands they impersonate, they also take advantage of the urgency surrounding these shopping holidays—much as the retailers do. Limited quantities! Limited time offers! Buy now in time for Christmas! When something feels urgent, people may ignore their better judgment.

---

A Good Scam Isn’t Hard to Find 

Not too long ago, I would have advised people to watch out for unusual grammar, misspellings, or strange punctuation as signs of a scam message. In the fake invoice scam I received, there weren’t any misspellings, but the wording was too awkward for a message delivered from a company that wants to retain my business. 

However, that’s becoming a less reliable indicator. Wisniewski told me that scammers are professionalizing and building more complex operations to deliver more convincing scams. Scammers, he said, are hiring professional money launderers, call center employees, and English translators. The result is scam messages that are nearly perfect.

“Playing people to fill your account on behalf of a real war and suffering is something I don’t take very well.”

There might occasionally be an unusual idiom, or a British spelling like “colour” appearing from a scammer impersonating an American company, but those are much harder to spot than near-nonsense messages. 

Much of the focus on identifying online scams focuses on the elderly. The logic is often that older people are not well-versed enough with the internet to spot a scam in action. A 2021 FTC report(Opens in a new window) on scams and older adults, however, reports that’s not entirely true. According to the report, “younger consumers were more likely to report losing money to fraud than older adults, but older adults who did report losing money reported much higher individual losses.”

Cluley stressed to me that everyone is a potential victim. “I believe that if anyone believes that they cannot possibly be fooled or scammed then that’s a sure sign that they could,” he said. “The truth is that we’re all vulnerable to making poor decisions at some points in our life.”

Phishing sites are sometimes extremely high quality, and difficult to spot.
(Credit: PCMag)

---

How to Avoid Online Scams

Fortunately, there are still things people can do to protect themselves from online scams. The experts I spoke to offered the follwing nine suggestions for thwarting scammers:

1. Remember That It’s a Numbers Game

Don’t assume that just because you’re not rich or important, you won’t ever cross paths with an online scam. The experts I spoke with emphasized that scammers are sending out as many messages as possible to as many people as they can.

“Cybercriminals rarely target people when it comes to scams,” Botezatu told me, describing scammer tactics as a “shotgun approach.” He added, “Their success rate is small, so the further they reach, the more people they are likely to convince.”

2. Beware of Messages That Play to Your Emotions

Scammers use urgency, excitement, and even empathy to try and short-circuit their targets’ better judgment. “Nobody gives you that much money for a part-time job,” said Botezatu, referring of phoney job offers on WhatsApp. “If an offer looks too good to be true, it probably is.”

Cluley put it more bluntly: “There’s no such thing as a free lunch, you don’t have a distant relative who has left you 68 million dollars following a disaster in West Africa.”

3. Pay Attention to Your Correspondence

With the quality and complexity of scams increasing, people should be careful with all the messages they receive on any platform. “The clue is that it’s unexpected,” said Wisniewski, meaning that messages from surprising sources out of the blue—such as Jason Statham—should be regarded as suspicious. This can be difficult, especially when scammers use urgency and emotion to pressure their targets.

4. Verify Information Before Taking Action

As more scams move to a model that relies on the target to reach out to the scammers through phone or other means, people shouldn’t trust the contact information provided.

In the case of my fake invoice, the safe play would be for me to look up a number for Norton LifeLock from their official website to inquire about the charge and not use the number on the fake invoice. This is especially true when you receive urgent messages purporting to be from the IRS, government agencies, or law enforcement.

“The criminals succeed when they can exploit that trust,” said Wisniewski. “It’s not a bad thing to be suspicious and to question things.”

5. Keep It to Yourself

Cluley advises readers not to give out money or personal information to strangers online, but to also be wary even when you do know the person.

6. Consider Adding Security Software to Your Online Arsenal

Both Wisniewski and Botezatu work for companies that sell services that protect customers from malware and scams. Unsurprisingly, both suggested people buy some kind of security product (think antivirus or security suites) to keep themselves safe but also acknowledged their biases.

“The best thing is still automated tools,” Botezatu told me. These are designed to filter and block malicious URLs and spam messages and will protect against at least some of the attacks.

Botezatu also suggested consumers layer tools and tactics to protect themselves. Backing up antivirus software with multi-factor authentication, for example, can greatly reduce the likelihood that a bad guy will successfully take over a target’s attack, even if the target has handed over their login information.

7. Stay on Top of Device Updates

While consumer technology has opened us up to many new attacks, Wisniewski said that our technology can also protect us. He said that people should ensure that their devices are updated with the latest security patches and updates. “Keep all the stuff updated so that even if you trip you don’t fall, you stumble,” he said.

8. Keep Your Guard Up

Scammers will make use of every platform they can reach, be it email, text message, phone, chat apps, dating sites, and so on. Keep your guard up, even when you’re scrolling through TikTok videos or looking for dates.

9. Ask for Help

Don’t try to take on the entire scammer industry on your own. “If in doubt, speak to your friends,” Cluley said. “Tell them what’s happened. Ask them to truthfully tell you what they think. Listen to them.”

---

Despite this wealth of good advice, all three of the experts I spoke with were clear: These scams aren’t going away, and we need to adapt to that fact.

When I asked Wisniewski what he wants people to understand about online scams, he went quiet and looked into the distance for several moments. “You’re not paranoid,” he finally said, “they are after you.”