In the early 2010s, cybersecurity trainers told people to “look for the padlock” when browsing. That advice is now actively harmful. The padlock means exactly one thing: the connection between your browser and the server is encrypted. It does not mean the server is run by honest people, your data is handled responsibly, or the site is not a phishing page. In 2025, a majority of phishing sites use HTTPS — often with genuinely valid certificates.

Why phishing sites have valid certificates

Let’s Encrypt is a free, automated certificate authority that issues TLS certificates to any domain that can prove it controls that domain. That “any domain” is the problem. If a scammer registers paypa1-secure-login.top, they can get a valid Let’s Encrypt certificate for it in under a minute. Their phishing site now has a working padlock.

The certificate proves the scammer controls paypa1-secure-login.top. It does not prove anything about PayPal, about the scammer’s intent, or about what happens when you enter your credentials.

The padlock’s original purpose

HTTPS encrypts the network link so an attacker sitting between you and the server can’t read or tamper with the traffic. This is a real, valuable property: when you’re on public wifi, HTTPS prevents the person at the next table from reading your passwords.

It does not prevent the server on the other end from being a scammer’s credential-harvesting page. Once your data reaches the server, encryption stops protecting you — the server has the cleartext.

What actually matters

Ignore the padlock. Focus on these instead:

The domain name

Is the domain actually what it claims to be? Is it paypal.com or paypa1-secure.top? Run suspect URLs through our Phishing Link Checker.

How you got to the site

Did you type the URL yourself (safe) or click a link in an email/text/DM (risky)? 95% of credential-harvesting happens on sites the user reached via a link, not by typing.

Domain age

Was the domain registered last week? Use our Domain Age Lookup. Brand-new domains are a strong phishing signal — legitimate brands have domains that are years or decades old.

The certificate itself

Our SSL Certificate Checker pulls the actual cert and shows its issuer. Let’s Encrypt is fine for legitimate sites too, but on a site claiming to be a bank or major retailer, a 90-day Let’s Encrypt cert is unusual — big brands almost always use long-term extended-validation certificates.

The old advice that still works

• Type URLs yourself rather than clicking links in messages.
• Use a password manager — it won’t autofill on a spoofed domain, which tips you off.
• Enable MFA — even if the scammer gets your password, MFA blocks the login.
• Hover before clicking — see the actual destination URL.
• Trust domain names, not page content — any designer can copy a bank’s login page in an afternoon.

The security industry’s quiet pivot

Major browsers stopped showing the padlock prominently in 2023-2024 for exactly this reason. Chrome replaced the padlock with a neutral icon; Firefox de-emphasized it. The padlock was misleading users into trusting sites that didn’t deserve it.

The industry is slowly moving toward browsing-safety-by-content (Safe Browsing, Microsoft SmartScreen, Google Safe Browsing’s phishing list). Those services check the URL against known phishing databases — a much more useful signal than “is this connection encrypted.”

FAQ

So should I trust sites without HTTPS?

No — you should treat any site without HTTPS as actively unsafe for typing anything sensitive. HTTPS is necessary but not sufficient. Modern browsers now warn on any plain-HTTP form, which is correct.

What’s EV (extended validation) certificate?

EV certificates require the certificate authority to verify the business behind the domain — paperwork, legal registration, phone verification. Used to show up as the green bar with company name. Browsers mostly stopped highlighting EV because users couldn’t tell the difference, so the value of paying for EV has declined. Banks still use them.

Why did Let’s Encrypt make this worse?

Let’s Encrypt democratized HTTPS — it’s now economically free to run an encrypted site. That’s a net good for the internet. The side effect is that the padlock stopped meaning anything about the site’s identity. The solution is better user education, not ending free certificates.

Among the darkest corners of online fraud is a scam that targets people who have already been scammed. Crypto recovery fraud — the promise to get back your lost crypto for a fee — is one of the fastest-growing scam categories of 2024-2025. The FBI estimates it cost victims more than $1.5 billion in the last two years. This article explains exactly how it works, why victims fall for it a second time, and what to do instead.

The setup

You lost money to a crypto scam — pig butchering, rug pull, fake exchange, something. You posted about it in a forum, filed a complaint on IC3, or just searched Google for “how to recover lost crypto.” You’re now on a list.

Within days, you receive a message. It might be an email, Telegram DM, reply under your forum post, or a Facebook comment. The sender claims to be a “blockchain forensics firm,” “ethical hacker,” “recovery specialist,” or sometimes a “law enforcement unit.” They’ve seen your case. They can get your money back. They have done it for others.

The pitch

Their website is professional. Reviews on the site look genuine. They might even show you a “tracker” dashboard showing your stolen crypto’s movement through the blockchain. (Those dashboards are fake — just images.) They know technical terms. They’re patient. They understand.

After a few days of conversation, they make the offer. They can recover your crypto. They’ll take 15-30% of the recovered amount as a fee. Before they can begin, though, they need a small upfront payment to “unfreeze” or “release” the funds. Or to “bribe a prosecutor.” Or to “pay the exchange’s legal fees.” Or to “deploy the forensic software.”

The first fee is often $300-$800. You pay it. They make progress. They show you more evidence. The funds are “about to be released.” Just one more small fee.

And another. And another. Until you stop paying.

Why it works on victims

The psychology is brutal. You already lost money. You feel foolish, angry, and desperate. You’d do almost anything to get it back. A recovery scammer knows this and leans on it.

The initial loss creates a sunk-cost distortion: “I already lost $40,000, what’s another $500 to get it back?” The recovery “work” creates hope: they’re actually making progress, they have tracking data, they know things. Each additional fee feels like the last — we must be close now.

The truth about crypto recovery

No private service can recover stolen cryptocurrency. Not one.

Here’s why: cryptocurrency transactions are immutable by design. Once a transaction confirms, it’s in the blockchain forever. No one — not even the original exchange — can reverse it. The only way to recover stolen crypto is for the attacker to voluntarily return it or for law enforcement to seize their wallet. Neither happens because a paid recovery service asked.

Law enforcement (FBI’s IC3, international partners) do sometimes recover crypto from seized addresses. It happens rarely, takes years, and costs victims nothing. Blockchain analytics firms (Chainalysis, TRM Labs) work exclusively with law enforcement — they don’t take private clients.

Every “recovery service” is a scam

If you search for crypto recovery, every single result for a paid service is a scam. Every testimonial is fake. Every case study is fabricated. Every “tracker” dashboard is a static image.

Run any suspect message through our Crypto Scam Detector — it flags the linguistic patterns these recovery pitches always share.

What to do instead

1. File a report with FBI IC3 at IC3.gov. Include wallet addresses, transaction hashes, and any communications. This is the actual path to possible recovery if the attacker is ever caught.
2. Report to the exchange you used (Coinbase, Binance, Kraken). They can sometimes freeze the destination wallet if the funds haven’t moved.
3. Freeze your credit and enable MFA everywhere — see our Identity Theft Risk Score. If the attacker has your identity, they’ll use it.
4. Accept the loss. This is the hardest step. Paying recovery scammers just doubles it.
5. Block the recovery scammer and report their profile wherever you found them.

A warning about “law enforcement” imposters

A variant of this scam involves someone claiming to be from the FBI, Secret Service, or a foreign equivalent. They say your case is “under active investigation” and they need your help to complete it — for a fee, or a “cooperation deposit.” Law enforcement never charges victims. The FBI does not ask for money. Nor does any legitimate agency. Anyone claiming to be from one who asks for payment is a scammer.

FAQ

What about “white-hat hackers” who offer to recover?

Scammers sometimes adopt the “white-hat” branding. The fact pattern is identical: fee before service, vague methodology, pressure to stay quiet. All variants are scams.

Is there ever a legitimate paid service that can help?

A qualified attorney (one you find, not one who finds you) can sometimes pursue civil action if the attacker is identifiable in a friendly jurisdiction. The legal fees are usually more than the recovery. That’s the only legitimate paid path, and it’s vanishingly rare to be cost-effective.

How can I tell a legitimate news article about recovery from a planted one?

Legitimate news stories name specific law-enforcement agencies, specific prosecutors, and specific case numbers. Planted articles are vague (“authorities recovered funds from…”) and always link to a paid-service homepage. If the article is the only source, it’s promotional.

Every email carries a set of headers — metadata fields that trace the path the message took from sender to your inbox. Email headers are the closest thing email has to a forensic audit log. You don’t need to be a sysadmin to read them; you need to know five fields. Here they are.

Getting to the raw headers

First, find them. Your email client hides them by default:

• Gmail: open the message, click the three-dot menu (top right), choose “Show original.”
• Outlook (desktop): File → Properties → the “Internet headers” box at the bottom.
• Outlook (web): open message → three-dot menu → View → View message details.
• Apple Mail: View → Message → All Headers, then Command+Shift+H.

You’ll see 50-100 lines of text. Most of it is noise. Skim for the five fields below.

1. Authentication-Results

The most important header. Looks like:

Authentication-Results: mx.google.com;
  spf=pass smtp.mailfrom=yourdomain.com;
  dkim=pass header.d=yourdomain.com;
  dmarc=pass header.from=yourdomain.com

Three verdicts: SPF, DKIM, DMARC. Any “fail” is a strong signal something is wrong. “pass” across all three is necessary but not sufficient — it means the message was correctly authenticated by SOMEONE, not necessarily the claimed sender.

2. Return-Path

The “envelope sender” — where bounce messages go if delivery fails. Should match or align with the visible From address for legitimate mail. Scam mail often has a Return-Path at a throwaway domain while the From says “ceo@yourcompany.com.”

3. From vs. Reply-To

The From address is what you see in your client. The Reply-To is where your response goes. In Business Email Compromise scams, these often diverge: From says ceo@yourcompany.com while Reply-To points to ceo@y0urcompany.com (the lookalike). Your reply goes to the attacker.

4. Received chain

Each mail server that touched the message adds a “Received” line. The most recent server is at the top; the original sender at the bottom. Read from the bottom up.

Look for:

• Unexpected countries. An email claiming to be from your US vendor, with the first Received line from Nigeria or Russia, is suspicious.
• Suspicious hostnames. Mail from a legit company goes through their well-known mail servers (google.com, outlook.com, mimecast.com). Mail from a compromised mailbox or a scam shop goes through random or residential-ISP hostnames.
• Time-zone jumps. Unusual if mail routes through a server in a country the sender never mentions.

5. Message-ID

A unique identifier for this specific email. Usually ends in the sender’s mail server domain: <abc123@mail-server.yourdomain.com>. If missing entirely, or if the domain doesn’t match the sender, that’s a red flag. Scammers sometimes forget to include it; sometimes include a generic one.

The 30-second triage

Paste the whole header block into our Email Header Analyzer. It parses all five fields, flags the red flags, and gives you a verdict: critical, high, medium, or low risk.

Do it for any email that asks for money, credentials, or urgent action. Before you reply. Before you click. Before you do anything.

What headers can’t tell you

Headers prove who signed the message and what path it took. They don’t prove what’s in the body is true. A legitimately authenticated email from a compromised mailbox will pass every header check — because it really did come from that mailbox. The attacker just has the password.

For any high-stakes request (wire transfer, password change, credential share), use out-of-band verification: call the sender on a known phone number. Headers are a necessary check, not a sufficient one.

FAQ

Can the attacker forge the headers?

They can forge some fields (From is trivially forgeable). They cannot forge Authentication-Results because those are added by the receiving server, not the sender. SPF and DMARC checks are honest.

What if Authentication-Results is missing entirely?

That’s unusual for major email providers (Gmail, Outlook all add it). Missing Authentication-Results often means the message was routed through an unusual server or relayed in a way that bypasses standard checks. Treat with suspicion.

Should I forward suspicious emails to anyone?

For business: forward to your IT security team or security@yourcompany.com alias. For consumer phishing: report to reportphishing@apwg.org (industry anti-phishing group). For attacks impersonating a specific brand, report to that brand’s security team — they’ll issue takedowns.

If you’ve applied for a remote job in the last year, you’ve probably received at least one fake offer. The most common variant — the “$40 software fee” scam — is costing Americans hundreds of millions a year, and hitting new graduates and mid-career workers hardest. Here’s how it works, how to spot it, and what to do.

The setup

A “recruiter” messages you on LinkedIn. Their profile has a corporate headshot, a reasonable work history, and maybe even connections you recognize. Their company name is real — often a large company that was genuinely hiring recently. They say they saw your profile and think you’d be a fit for a remote entry-level or data-entry role. The pay is great. The hours are flexible. No experience needed.

You reply. They schedule an interview — often over Microsoft Teams or, more suspiciously, over Telegram. The interview is short. They ask a few generic questions. A day later you get an “offer.” Base pay: $35/hour, up to 40 hours/week. You’re thrilled.

The sting

Before you start, the “recruiter” says you need to install the company’s “internal productivity software” — or more recently, buy “training materials” or a “secure laptop kit.” The cost is modest: $40 to $150. They’ll reimburse you on your first paycheck. All you need to do is Zelle / CashApp / bitcoin the payment, or use a gift card.

You pay. Sometimes there’s a second payment a few days later for “additional software” or “hardware shipping.” Sometimes the recruiter then stops responding and disappears. Sometimes they ask for your bank details for “direct deposit setup” and drain your account.

The job was never real. The company name was stolen. The recruiter doesn’t work there.

The nine tells every fake offer shares

1. Unusually high pay for an entry-level or no-experience role.
2. “No experience required” — real companies want skills.
3. Interview on Telegram, WhatsApp, or Signal instead of a standard video platform.
4. Offer within hours of a brief conversation — real hiring has background checks and reference calls.
5. Request to purchase software, training, or equipment before starting. Legitimate employers provide all of this. Always.
6. Payment via Zelle, CashApp, bitcoin, or gift cards — never refunded, never recovered.
7. Requests for banking details, SSN, or ID before a signed offer letter. Real onboarding requires these; real hiring doesn’t.
8. Generic email domain (Gmail, Yahoo) when the “recruiter” claims to be at a large company.
9. No LinkedIn connections at the target company even though they claim to work there.

Run any suspect recruiter message through our Fake Job Offer Detector — it scores the nine patterns in seconds.

How to verify a real recruiter

1. Google the recruiter’s name + “LinkedIn.” A real recruiter has a history — multiple roles, endorsements, posts.
2. Check the email domain. Is it @company.com or @company-recruitment.net? The second is a scam.
3. Call the company’s main HR line (find the number on the company’s real website, not from the recruiter). Ask if the recruiter works there. Real HR departments confirm this in seconds.
4. Look for the job on the company’s careers page. If it’s not there, it’s not real.
5. Check the offer letter. Real offers are on letterhead, signed, with contractual terms. They are not Word docs with your name in bold.

If you paid the fee already

Most payment methods scammers prefer are non-recoverable. But try:

• Zelle: call your bank within 24 hours — some reverse it, most don’t.
• CashApp / Venmo: same as Zelle — fast call, low chance.
• Credit card: dispute the charge, high chance of refund.
• Gift cards: call the card issuer; if the card hasn’t been used yet it can sometimes be frozen.
• Bitcoin / crypto: unrecoverable. Do not engage with “crypto recovery services” that contact you afterward — they are a second scam layered on the first. See our Crypto Scam Detector.

Report the fraud to the FBI IC3 at IC3.gov and to LinkedIn (Report the profile). Freeze your credit using our Identity Theft Risk Score checklist if you shared PII.

FAQ

Is every remote job offer a scam?

No — most remote jobs are real. What’s almost always a scam is a remote job that DMs you first, pays unusually well, doesn’t require experience, and asks for any money before starting.

Should I report the recruiter’s LinkedIn profile?

Yes — LinkedIn removes reported scam profiles within a day or two typically. Report, then block. If the profile impersonates a real company, also notify that company’s security team so they can send takedown notices.

What about Indeed and other job boards?

The scam exists there too, though LinkedIn is the current hotspot. Same rules apply — real companies don’t ask candidates to pay anything, ever.

Business Email Compromise (BEC) is what the FBI calls the $50-billion problem. In 2024 alone, U.S. companies lost more than $2.9 billion to BEC scams — more than ransomware, more than consumer fraud combined. Most attacks don’t even involve malware. They’re pure social engineering. Here’s the full script, step by step, and the two controls any business can implement this week to shut it down.

The attack, step by step

Step 1: Recon. The attacker identifies your CEO, CFO, or controller on LinkedIn. They note the org chart, the accounting software you mention in case studies, and any vendors you’ve publicly announced. Often they go further — a breached mailbox elsewhere gives them real email threads to mimic.

Step 2: Spoofed sender. They register a lookalike domain — y0urcompany.com with a zero instead of an “o”, or yourcompany-accounting.com. They send email from this domain that looks exactly like mail from your CEO. Or they compromise the CEO’s actual mailbox via phishing and send from there.

Step 3: The ask. A message arrives at your accounts-payable team or a junior finance staffer: “Hi, I need you to process an urgent wire transfer. It’s for a confidential acquisition — please don’t discuss with anyone. The details are below. I’m in meetings all day, please text me when it’s done.”

Step 4: The follow-up. Urgency and authority do the work. The staffer doesn’t want to bother the CEO. They process the wire. By the time anyone discovers the transfer was fraudulent — often days later when the CEO mentions it in passing — the money is gone through a chain of intermediary accounts.

The vendor-payment variant

Equally common: an attacker compromises your vendor’s email (or yours) and sends a “bank details have changed — please route future invoices to this new account” message. Nothing urgent, nothing dramatic. Your AP team updates the record. The next invoice payment goes to the attacker. This variant often takes 3-6 months to notice.

Run any suspect message through our Business Email Compromise Checker — it scores the common BEC linguistic patterns in seconds.

The two controls that kill BEC

1. Out-of-band verification for every wire or banking change

Rule: no wire transfer or change of banking details is processed without a phone call to a known number. Not the number in the email. Not a number provided in the email. The number you already have — from the vendor’s website, their contract, your contacts list.

This single rule defeats every variant of BEC. The attacker has control of the email thread; they don’t have the real person’s phone. One two-minute phone call breaks the attack.

Document this as company policy. Make it mandatory. Train AP staff that they will never be in trouble for insisting on a verification call — they will be in trouble for skipping it.

2. DMARC at p=reject + domain-lookalike monitoring

DMARC prevents attackers from sending email that appears to come from your domain. If you have p=reject published, the fake “CEO” email never reaches your staff’s inbox — it’s rejected at the gateway. Check your current DMARC with our DMARC Checker.

Separately, monitor for lookalike domains. Services like DMARC.org, EasyDMARC, or even regular manual checks against our Fake Brand URL Detector surface the “y0urcompany.com” registrations that attackers spin up.

Train your team on the patterns

Every staff member who handles money or vendor data should recognize:

• Urgency — “I need this done right away”
• Secrecy — “Please don’t discuss with anyone”
• Authority — email appears to be from CEO, CFO, general counsel
• Banking change — “New account” in an otherwise-normal message
• Unreachable sender — “I’m in meetings, text when done”
• Slight domain difference — hover every From address and verify

If you were hit: the first hour matters

If a wire went out and you suspect BEC:

1. Call your bank immediately. Ask for wire recall. If within 72 hours, there’s a meaningful chance of recovery.
2. File a complaint with FBI IC3 at IC3.gov. FBI has a “financial fraud kill chain” that works across international correspondent banks.
3. Notify the other party (vendor or customer) — they may be compromised too.
4. Preserve evidence — full email headers, the original message (run through our Email Header Analyzer to extract metadata), any attachments.
5. Change all relevant passwords and force MFA on all finance and exec accounts.

FAQ

My company is small — are we a target?

Yes. BEC attacks scale down — small businesses are easier to compromise and rarely have verification controls. The median loss for small businesses is $15k-$50k per incident. Worth more to the attacker than it sounds.

Can insurance cover BEC losses?

Some cyber policies cover social-engineering losses explicitly, many don’t. Check yours — look for “social engineering fraud” or “fraudulent instruction” coverage with an explicit sublimit. Our Cyber Insurance Readiness Tool covers the controls underwriters look for.

What about AI deepfakes over video?

Growing concern. In 2024, a Hong Kong finance worker wired $25M after a deepfake Zoom call with “the CFO.” The out-of-band verification rule still applies: even a live Zoom request for a wire needs a callback to a known number before execution.

Most people obsess over password strength and ignore password reuse. The math says they have it backward. A 12-character random password used uniquely across every account is more secure than a 30-character password reused on two sites. Here’s why — and what to do about it.

The math of password breaches

Every year, somewhere between 5 and 20 major services get breached. 2024 alone saw LinkedIn, Ticketmaster, AT&T, Snowflake, and dozens of smaller services. When a breach happens, the attacker gets a database of email addresses and password hashes. Within days those hashes are cracked (most are), and the email+password pairs are traded on criminal forums.

What happens next is called credential stuffing. Attackers take the leaked pairs and try them against every major service — Gmail, Amazon, your bank, Facebook, Netflix, Instacart. Any service where the same email+password combo works, the attacker gets in. The attack is fully automated, runs across millions of accounts, and costs the attacker almost nothing.

If you used the same password on the breached site and another site, you are now compromised on both. It doesn’t matter how strong the password was — it’s known now.

Why strength still doesn’t save you from reuse

Imagine you have one 30-character password: j#9K$mN2pQ!vX@8rT&5wL*3zH!7bF%cY. It would take centuries to brute-force. And then LinkedIn gets breached, and the cleartext of your password appears in a credential dump. It’s now worthless. The attacker doesn’t need to brute-force it — they have it.

If you used that password on Gmail, your bank, and Amazon — all three are now compromised. One breach, three accounts gone. Strength doesn’t matter once the password is leaked.

Unique passwords: the only real defense

Unique passwords turn every breach into a local event. LinkedIn gets breached, your LinkedIn password leaks, you change it on LinkedIn, nothing else is affected. The attacker’s credential-stuffing runs against Gmail and your bank fail because the password you used on LinkedIn never existed on those sites.

Unique passwords are the single most important thing you can do for your online security. Not strength, not complexity, not length — uniqueness. The only reason most people don’t have unique passwords everywhere is that remembering 200 unique passwords is impossible. Which is why password managers exist.

Password managers: the solution that actually works

1Password, Bitwarden, and Dashlane all solve this problem the same way: you memorize one strong master password, the manager generates and stores unique passwords for every site you visit. It autofills on login, so you never type (or even see) the actual password. The password is unique per site and long enough that it’s effectively uncrackable by brute force.

Bitwarden has a free tier that is enough for most individuals. 1Password costs about $3/month per user. Both are better than any spreadsheet or text file, and immensely better than password reuse.

How to move off of reuse

You don’t have to fix every account at once. Do this in order:

1. Install a password manager. Today. Bitwarden is free, takes 5 minutes.
2. Set a strong unique master password. 14+ characters. Write it down on paper in a safe place.
3. Enable MFA on the password manager itself. Especially for cloud-synced ones.
4. Pick 3 accounts to fix first: your email, your primary bank, your password manager itself. These are the crown jewels.
5. Generate a unique password for each using the manager’s built-in generator. Or use our Password Generator.
6. Continue for the next 20 accounts over the next week. Focus on anything that touches money, identity, or work.
7. Check your existing passwords against breach data using our Password Leak Checker. Anything that’s been leaked needs to be changed.

Audit what you currently have

Most password managers export a CSV of everything they know. Run it through our Password Audit Tool — it’s 100% browser-local (we never see your passwords) and flags weak, reused, and short passwords so you know what to fix first. Then walk through the Password Reuse Checker as a self-audit across the accounts you use most.

FAQ

Isn’t using a password manager a single point of failure?

Yes, which is why you protect it with a strong master password plus MFA. Even in the rare event a password manager is breached (LastPass 2022), the vaults are encrypted with your master password — attackers get encrypted blobs, not cleartext passwords. Password managers are not a perfect defense but they’re dramatically better than reuse.

What if I already used the same password on 50 sites?

Assume that password is compromised and change it everywhere you used it. Prioritize email, bank, and any service with a stored payment method. Work through the list over a week or two — you don’t have to fix them all at once, but the longer you wait the bigger the exposure.

What about passkeys?

Passkeys are better than passwords for sites that support them (Google, Apple, Microsoft, 1Password, and growing). They’re phish-proof and breach-proof. Enable them wherever offered. Until every site supports them, unique passwords-plus-MFA remains the fallback.

The grandparent scam has existed for decades — a voice on the phone claims to be a grandchild in trouble and begs for money “before mom finds out.” In 2024 it got a lot worse. AI voice cloning means the voice on the phone now sounds exactly like your grandchild, because it was generated from a three-second clip of their TikTok.

How the scam actually works in 2026

The scammer finds a family online. Public Facebook profiles, LinkedIn, Instagram — enough to figure out grandchildren’s names and voices. They use a free voice-cloning tool to copy the grandchild’s voice from any short audio clip. Then they call the grandparent, often at 3am when fear and confusion are high. The voice says: “Grandma, it’s me. I’m in jail. Please don’t tell mom. I need $4,000 for bail.”

A “lawyer” or “bail bondsman” gets on the phone. The lawyer is calm and authoritative. The lawyer sends a courier to pick up cash, or walks the grandparent through a wire transfer, or instructs them to buy gift cards.

The grandparent hangs up. Nothing happens for a few days. By the time they talk to their grandchild in person and realize the scam, the money is gone.

The red flags, in order

1. The call comes out of the blue, often late at night.
2. The voice sounds off in the first 10 seconds — even good AI clones have brief pauses, flat affect, or unusual word choices.
3. The request for secrecy — “please don’t tell mom” — is the defining tell. Every real family discusses crises together.
4. Urgency with a short deadline — bail in an hour, flight in two hours, surgery tomorrow.
5. Payment by gift card, wire, or courier-pickup cash — no real legal system accepts these.
6. A “lawyer” or “officer” takes over the call to apply authority pressure.

The family protocol that kills the scam

One family agreement defeats this entire scam. Talk to your grandparents now — before anyone calls — and agree on two things:

1. A family safe-word

Pick a word or phrase that only the immediate family knows. It should be something that wouldn’t appear on social media — not a pet’s name, not a hometown. A random word, a memorable phrase, anything. If someone calls claiming to be a family member in trouble, the first question your grandparent should ask is: “What’s the family word?”

The AI voice doesn’t know. The real family member does. Scam dies in one question.

2. A call-back rule

Nothing — nothing — happens without hanging up and calling the relative back on their known number. If the “grandchild” says their phone was lost and they’re calling from someone else’s, the rule still applies: hang up, call the known number, if it doesn’t go through call another family member who would know.

Scammers prevent this by keeping the grandparent on the line (“the lawyer is on the phone, we need to move now”). Train your grandparent to always hang up anyway. They can call back in 30 seconds. A real emergency waits 30 seconds.

What to do if it’s already happened

If you or a relative fell for this scam, move fast:

1. Call the bank immediately. If the transfer was a wire and less than 24 hours old, recall is sometimes possible.
2. File a police report. Local police can coordinate with FBI IC3 for cases over $5,000.
3. Report to IC3.gov (FBI Internet Crime Complaint Center) and FTC at ReportFraud.ftc.gov.
4. If gift cards were bought, call the card issuer (Apple, Google, Amazon) immediately. Some cards can be frozen if you call within the hour.
5. Freeze credit at all three bureaus if any personal details were shared — see our SSN Exposure Safety Guide.

Tools that help

Forward suspicious voicemails through our Is This Voice AI? Detector for basic metadata analysis. Walk through the Elder Scam Protection Checker with your relatives as a conversation starter. And run the AI Scam Detector on any threatening message to score its scam-pattern matches.

FAQ

How much voice does AI need to clone someone?

Commercial voice cloning works with 3-10 seconds of clear audio. TikTok videos, YouTube comments, podcast cameos, voicemail greetings — anywhere the person has been recorded is enough.

Should we delete social media to prevent this?

You don’t have to. The family safe-word and call-back rule defeat voice cloning regardless of how much audio exists. Focus there instead.

What if my grandparent insists the voice was real?

It probably sounded real. Don’t argue the audio. Argue the process: real emergencies don’t require secrecy, don’t take gift cards, and don’t need a decision in the next 60 minutes. If those rules were violated, it was a scam regardless of how real the voice sounded.

If you run a small business with a custom-domain email address, your outgoing mail is being judged by three DNS records you probably haven’t looked at: SPF, DKIM, and DMARC. Together they decide whether your invoices land in inboxes or spam folders, and whether spoofers can impersonate your brand. This article explains each in plain English, then tells you exactly what to check.

Why email needs authentication at all

Email was invented in the 1970s, and the protocol trusted anyone who claimed to be someone. Today you can send an email that claims to be from ceo@yourdomain.com to anyone in the world with zero authentication. SPF, DKIM, and DMARC exist to close that gap — they let receiving mail servers verify that a message claiming to be from your domain was actually sent by someone you authorized.

SPF: who is allowed to send from your domain

SPF (Sender Policy Framework) is a text record in your domain’s DNS that lists the IP addresses and services allowed to send mail using your domain name. A typical SPF record looks like:

v=spf1 include:_spf.google.com include:mailgun.org -all

This record says: Google Workspace and Mailgun are allowed to send mail for this domain. Anyone else is forbidden (-all = hard fail). When a mail server receives a message claiming to be from your domain, it checks your SPF record and either accepts or rejects based on the sending IP.

Check your SPF record with our free SPF Checker. It flags the three mistakes we see 90% of the time: missing -all, too many include: statements (SPF allows only 10 DNS lookups), and records that allow far too wide a sending range.

DKIM: proving the message wasn’t tampered with

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The receiving server checks the signature against a public key you publish in DNS. If the signature checks out, the message wasn’t modified in transit and was signed by someone with your private key.

Google, Microsoft 365, and most major email services set up DKIM for you automatically — you just need to enable it in the admin console. The record lives at selector._domainkey.yourdomain.com where “selector” is a label your mail service picks (often google, k1, or s1). Check yours with our DKIM Checker.

DMARC: the policy that ties SPF and DKIM together

DMARC sits on top of SPF and DKIM and says: “If SPF and DKIM fail, here’s what to do with the message.” A DMARC record looks like:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

p=reject tells receiving servers to reject mail that fails both SPF and DKIM. rua= tells them where to send daily aggregate reports so you can see how much fake mail claims to come from your domain.

Three policy levels exist:

• p=none — monitor-only. Receivers still deliver everything but send you reports. Good for your first month to discover all legitimate senders.
• p=quarantine — unauthenticated mail goes to spam. Good intermediate step.
• p=reject — unauthenticated mail is rejected at the gateway. Your production target.

Check yours with our DMARC Checker — it surfaces the most common mistakes and tells you what to change.

The 5-minute audit

Right now, for any domain you use for business email:

1. Run our SPF Checker — verify you have a record and it ends in -all or ~all.
2. Run our DKIM Checker — verify your mail provider’s selector is published and the key is at least 1024 bits (2048 recommended).
3. Run our DMARC Checker — verify you have at minimum p=none with a rua= reporting address.
4. If your email is via Google Workspace or Microsoft 365, enable DKIM in their admin console if it’s not on.
5. Commit to moving DMARC from p=none → p=quarantine → p=reject over the next 90 days.

Why this matters for your business

Without DMARC at p=reject, anyone can send mail that looks like it’s from billing@yourcompany.com. That is how wire-fraud attacks start: a fake invoice to your customer saying to update the bank details. Our Business Email Compromise Checker covers the attack patterns in detail. DMARC at reject kills the entire category of attack before the phish reaches anyone.

FAQ

I use Gmail for business — do I still need these?

If you use Gmail at a Gmail.com address, SPF/DKIM/DMARC are handled entirely by Google. If you use Google Workspace with a custom domain (you@yourcompany.com), you do need to set these up yourself. Google’s admin console walks you through each one.

What’s the single most important thing to fix first?

Publish a DMARC record at p=none with an rua reporting address. That gets you daily aggregate reports showing exactly who is sending mail using your domain — both real senders you forgot about and spoofers. From there, you can tighten to quarantine and then reject.

Will tightening DMARC break legitimate mail?

It can, if you have senders you forgot about (a CRM, a support tool, a newsletter service). That’s why you start at p=none and review reports for 30-60 days before tightening. Every legitimate sender needs to be added to SPF or configured to sign with DKIM.

Text-message scams — “smishing” if you want the industry term — are the single most common fraud contact Americans receive in 2026. The FTC logged more than 450,000 SMS-scam complaints in 2025. Almost all of them fit one of seven patterns. Learn these seven and you can triage any suspicious text in under ten seconds.

1. Package-delivery smishing

Example: “USPS: your package is on hold. Reschedule delivery at ustracker-usps.top/r/8392.”

The most common SMS scam by volume. USPS, UPS, FedEx, and DHL never text you about redelivery unless you signed up for that carrier’s notifications — and even then, the links go to the carrier’s real domain. The .top TLD is a tell. So is any domain that is not the actual carrier’s site. Paste suspect URLs into our Phishing Link Checker.

2. Fake bank fraud alerts

Example: “Chase alert: we blocked a charge of $489.12 at Best Buy. If this was not you, reply STOP or verify at chase-alerts.online.”

Your bank does send fraud alerts by text. What they do not do is give you a link in the text. Call the number on the back of your card — never the number in the text, never the link. Our Bank Fraud Message Checker flags the linguistic patterns these messages all share.

3. IRS and tax-season threats

Example: “IRS Final Notice: you owe $2,147.83 in back taxes. Pay within 24 hours to avoid arrest. Pay at irs-payments.xyz.”

The IRS never threatens arrest by text. They never demand payment by gift card, Bitcoin, or wire transfer. Their initial contact is always by physical mail. Ditto HMRC in the UK, CRA in Canada, and every other legitimate tax authority. Our IRS / Tax Scam Checker scores these messages in seconds.

4. Family-emergency scams (stranded / arrested / hospital)

Example: “Hi grandma, it’s me. Lost my phone, this is my new number. I got arrested, please don’t tell mom. Can you help with bail?”

The grandparent scam has been updated for 2026 with AI voice cloning. Rule: anyone asking for money or gift cards as an “emergency” — call them back on their known number. If you can’t reach them, call another family member. The secrecy ask (“please don’t tell mom”) is the defining tell. No real emergency requires keeping it a secret. Our Elder Scam Protection Checker covers the full playbook.

5. “You have been selected” prize scams

Example: “Congratulations! You’ve been selected to receive a $500 Target gift card. Claim at offers-target.click.”

You did not enter a contest. You cannot win prizes you did not enter. Period. The .click TLD combined with an unsolicited prize offer is 100% scam. The link goes to a credential-harvesting form or a credit-card-skimming page.

6. Fake utility disconnection threats

Example: “Con Edison: your service will be disconnected in 30 minutes unless payment is received. Pay at coned-account.live.”

Utility companies send paper bills weeks before shutoff and contact you via their mobile app or mailed notice. They don’t text you 30 minutes before shutoff demanding payment via a web link. When in doubt, log in to your utility’s real website (type the URL yourself) and check your account balance.

7. Romance-scam openers (on SMS or dating apps)

Example: “Hi David, thanks for the match on Bumble last week! Moving the conversation here is easier. How’s your day going?” — sent to someone not named David, not on Bumble.

The “wrong number” text is the opener for a months-long romance-scam playbook. If you reply, an attractive-sounding stranger engages, invests in the relationship, and eventually pivots to a crypto-investment pitch (“pig butchering”). Our Romance Scam Detector flags messages that match the pattern.

What to do when one arrives

Three steps, in order:

1. Don’t reply — even “STOP” confirms your number is real.
2. Report: forward the text to 7726 (“SPAM”) — your carrier has a free scam-filtering pipeline.
3. Delete, then if you’re curious, run the text through the SMS Scam Checker to see which patterns fired.

FAQ

Is replying “STOP” to a scam text safe?

Replying at all tells the scammer your number is active and you read the message. Do not reply. Forward to 7726 and delete.

How did they get my number?

Phone numbers are sold in bulk after every consumer-data breach. Data brokers aggregate them. Many scam operators just try sequential numbers in an area code. Your number being “known” does not mean you personally have been targeted — you are one of millions.

Can I block the number?

You can, but scammers rotate numbers every few hours. Blocking helps for that specific number; it does not stop future scams. Better: report to 7726 and use your phone’s silence-unknown-senders setting.

One last rule: no text message has ever been worth responding to without first verifying via a known channel. If your mom texts you she needs money, call her. If your bank texts you about a charge, open your bank app. The text is the weakest form of identity verification in your life.

Every day, a few billion phishing messages land in inboxes and chat apps. Most of them rely on one thing: you clicking a link before thinking. The good news is that before you click, you can run a quick five-signal check that costs nothing and takes under sixty seconds. This article walks through those signals in the order that matters most, then points you at SafeCadence’s free tools for the cases where you want a second opinion.

1. Hover the link to see where it actually goes

On desktop, hover over the link without clicking — the destination URL appears at the bottom of your browser. On mobile, long-press the link; a preview pops up with the real destination. The visible text (“Verify your account”) and the actual URL are not the same thing, and scammers count on you not checking.

A legitimate PayPal email links to paypal.com. A phishing one links to paypa1-login.com or secure-paypal.top. The eye misses the “1” where there should be an “l”; the brain sees “paypal” and trusts the link.

2. Read the domain right-to-left

Domains are read backward. The part just before the first single slash is the real domain; everything before that is a subdomain that the attacker controls.

In https://paypal.com.secure-login.top/account the real domain is secure-login.top, not paypal.com. “paypal.com” is just a subdomain the scammer picked to make the URL look legitimate. This trick works on roughly one in five first-time readers.

3. Check the TLD

The top-level domain — .com, .org, .top, .xyz — is a cheap but meaningful signal. A handful of TLDs are heavily over-represented in phishing: .top, .xyz, .click, .loan, .work, .rest, .monster. If you got a text from “your bank” pointing to a .top domain, your bank did not send it.

4. Consider the age of the domain

Phishing campaigns use brand-new domains registered minutes before the attack. Domain age is one of the single most reliable phishing signals — if a domain was registered two days ago and claims to be “Amazon Official Refunds,” you have your answer. SafeCadence’s Domain Age Lookup pulls the registration date from free public registries in under a second.

5. Paste it into a link checker (the safety net)

When you are unsure, run the URL through our free Phishing Link Checker. It combines all five signals above (TLD risk, lookalike-brand detection, homograph detection, domain age, and redirect-chain analysis) into one score. We never store the URL you submit.

If the link is shortened (bit.ly, tinyurl, t.co), use the Redirect Chain Analyzer first — it shows every hop the shortened link takes before its final destination.

When to click and when not to

A rule worth tattooing: type the known URL into your browser yourself rather than clicking a link in an email or text. If your bank tells you your card has been frozen, open a fresh tab, type the bank’s URL, and log in there. A real alert will appear inside your account dashboard. A fake alert only exists in the text.

This one habit — “navigate directly, never click the link in the message” — defeats 90% of phishing. The remaining 10% are sophisticated enough that you need either the five-signal check above or a link-checker tool.

FAQ

Does HTTPS mean a link is safe?

No. HTTPS means the connection is encrypted — it does not mean the site is trustworthy. Phishing sites routinely have valid TLS certificates (Let’s Encrypt issues them for free to any domain). The padlock next to the URL tells you the connection is encrypted, not that the owner of the site is honest.

Is it safe to preview the link by long-pressing on my phone?

Yes — long-pressing shows the URL without following it. Both iOS and Android handle this without network activity. You see the destination, cancel, and no request is made.

What if I already clicked?

Don’t enter any information on the page. Close the tab. If you think the site may have dropped malware or a credential-stealer script, run a full antivirus scan and change any passwords that autofilled on the page. If you entered a password, change it everywhere you reused it — start with your email and bank.

Can the phishing checker analyze a link I received by SMS?

Yes. Long-press the link on your phone, copy it, and paste into our Phishing Link Checker. If the link goes to a QR code, use the QR Code Link Scanner first to extract the destination URL.

Bottom line: you do not need to click anything to evaluate a link. The five-signal check above defeats most phishing. Our free tools catch the rest. And when in doubt, type the URL yourself.