The previous lesson covered the shape every scam shares. This one is the field guide: the specific costumes that shape wears most often. The point isn't to memorize a list — new variations appear constantly — it's to learn each family's tell, the structural giveaway that survives even when the names, numbers, and cover story change. Once the tell is familiar, a never-before-seen version of an old scam still feels off.
This is educational content, not personalized advice. Nothing here is a judgment about anyone who's encountered these — they work because they're well-built, not because their targets were careless.
Phishing and smishing: the fake front door
Phishing (by email) and smishing (by text) try to get you to click a link or hand over a login by impersonating something you trust: a bank, a delivery service, a streaming account, an employer. The message creates a small jolt — a "failed delivery," a "suspicious login," a "package held at customs" — and the link leads to a page that looks real but exists only to harvest what you type.
The tell: a link asking you to log in or confirm details you didn't request. Real notifications let you reach the account by opening the app or typing the website address yourself; they don't depend on you clicking their link. A close look at the sender address or the link's true destination (a fake will be a near-miss like amaz0n-secure.com) usually exposes it, but the deeper rule is simpler: navigate to accounts yourself, never through a message's link.
| Lure | What it claims | The tell |
|---|---|---|
| "Your package couldn't be delivered — reschedule here" | A delivery problem | A link to "pay a small fee" or log in to a non-official site |
| "Unusual sign-in to your bank — verify now" | A security alert | Pressure to click their link instead of opening your own app |
| "Your account will be closed — confirm your password" | Account trouble | Any request to type a password or one-time code into a linked page |
The fake-check / overpayment scam
This one preys on the instinct that a check in hand is money in hand. The setup: someone "accidentally" overpays you — for an item you're selling, a job, a rental deposit — with a check for more than the agreed amount, then asks you to refund the difference. The check looks real and may even clear provisionally. Days later the bank discovers it's counterfeit, claws back the full amount, and the "refund" you sent from your own money is gone for good.
The tell: any deal where someone sends you a check and asks you to send part of it back. A genuine buyer pays the agreed amount, full stop. The combination of overpayment plus a quick refund request is the entire scam, regardless of the cover story.
Romance, investment, and "pig-butchering" scams
Romance scams build a relationship — sometimes over months — through a dating app or social media, then engineer a crisis (a medical bill, a stuck shipment, a customs fee) that only money can solve. A newer, crueler hybrid sometimes called "pig butchering" blends romance with a fake investment: the warm contact mentions a crypto platform with amazing returns, walks the target through "investing," even shows fake gains on a slick dashboard — until any withdrawal attempt triggers endless "fees" and the money is simply gone.
Plain investment scams skip the romance and lead with the returns: guaranteed profit, no risk, "get in before it's too late," often dressed in crypto or forex jargon. The tell across all of these: a relationship or opportunity that eventually routes to money you can't get back, plus returns that violate a basic rule of finance. Real investments never guarantee high returns with no risk — that combination doesn't exist, and claiming it is itself the proof of fraud.
Impersonation: IRS, bank, and tech support
Impersonation scams borrow an authority's name to manufacture compliance. Three common faces:
- Government (IRS / Social Security): threats of arrest, lawsuits, or a "suspended" Social Security number, demanding immediate payment. Real agencies contact people by mail first and never take gift cards.
- Your bank's "fraud department": a call claiming your account is under attack, then asking you to "verify" by reading back a one-time code or moving money to a "safe account." A real bank never needs your code and never asks you to move money to protect it — that move is the theft.
- Tech support: a pop-up or call warning your computer is infected, asking for remote access or payment to "fix" it. Real companies don't cold-call about your device's health.
The shared tell: an authority contacting you out of the blue and asking for secrecy, remote access, a one-time code, or an unusual payment. Authority plus those asks is impersonation until proven otherwise — and it's proven otherwise by you calling the real number, not by anything the caller says.
Job and employment scams
These exploit hope and the normal awkwardness of onboarding. A "remote job" or "mystery shopper" role hires you fast, then either sends a check to "buy equipment" (the fake-check scam wearing a work badge), asks you to process payments through your own account (turning you into a money mule), or requests your bank and Social Security details before any real work exists.
The tell: a job that pays you before you've worked, asks you to move money, or wants sensitive financial details up front. Legitimate employers collect tax and direct deposit information after a genuine hiring process — never as the opening move, and never by routing money through your personal accounts.
No one can catalog every scam, but the families are few and their tells are stable. When a new story appears, the useful question isn't "have I seen this exact one?" but "which family does this belong to, and what's its tell?" The next lesson shifts from spotting scams to the layered protections that make accounts and identity hard to crack in the first place.