How Scammers Fool Even the Best of Us, And What To Look Out For
This post walks you through practical steps to avoid phishing scams, account takeovers, and fake phone calls. Learn what to watch for and how to respond.

It’s easy to assume scams only happen to people who are careless with their security. But even the most experienced and tech-savvy individuals have been caught off guard. This post shares real-world examples, red flags to watch for, and practical ways you can avoid becoming a victim yourself.
1. Even Security Experts Can Get Caught
Troy Hunt, the creator of HaveIBeenPwned.com, recently admitted he fell for a phishing scam impersonating Mailchimp. Despite using strong passwords, a password manager, and two-factor authentication, he still ended up typing his credentials into a fake login page while tired and traveling.
The red flag? His password manager didn't autofill the login fields, because the page wasn't on the site those credentials had been saved for. That was a sign something was off, but in a distracted and tired moment he entered his credentials by hand, and that was enough.
2. Use Your Tools—But Don’t Ignore Their Warnings
Password managers do more than store your credentials; they act as a quiet form of protection. Autofill is tied to the exact website address a credential was saved on, so if a login form doesn't trigger it, the page may be a lookalike. That's a moment to stop, not push forward. Keep in mind that your password manager will only autofill forms if its browser extension is installed and enabled.
Let your password manager do the work. If you have autofill enabled and it doesn't fill a login page, don't trust the page. Manually typing passwords should be the exception, not the habit. Always reach sensitive accounts by typing the URL directly or using a saved bookmark.
3. How to Respond to Suspicious Emails
One common phishing tactic is to send official-looking emails claiming suspicious activity on your account. The link inside the message is fake, but the fear and urgency can make anyone click.
In a recent example, someone received a message about odd login attempts on their Microsoft account. Instead of clicking the link, they went directly to account.live.com/activity. There they confirmed multiple login attempts from countries including South Africa, Brazil, Ukraine, and France, but because the attackers didn't have the 2FA codes, the account stayed secure. Note that the attempts being real doesn't make the email legitimate; the safe move is the same either way: go to the site yourself.
4. Sophisticated Scams Go Beyond Email
Some of the most convincing scams now arrive by text and phone call. In one alarming case, a scam started with a fake fraud warning via SMS. It was followed by a phone call from someone pretending to be a bank representative.
The scammer instructed the victim to withdraw cash and then "secure" it by depositing it at an ATM using a debit card tied to Apple Pay. The catch? The card belonged to the scammer, so the money was gone the moment it was deposited.
This scam worked because it felt real. The scammer used urgency, technical language, and just enough truth to seem legitimate. The victim was never given a chance to stop and verify what was really happening.
5. Tips to Stay Safe
Avoid clicking links in unexpected emails or texts. Navigate directly to the site in a browser or use a saved bookmark. If you're not sure, don't click it. Having said that, you can always view any of my posts at my website, KevinTheTechGuy.Substack.com. It's easy enough to type that into your browser manually.
If you have its browser extension installed, let your password manager autofill credentials. If it doesn't autofill when it should, something's wrong.
Never respond directly to messages claiming to be from your bank. If you need to act, call the number printed on your card or type the bank's official website address yourself. Never use the link in the message to get there.
Don't bypass two-factor authentication or security warnings. If something feels unusual, stop.
Phone numbers can be spoofed (faked), so caller ID proves nothing. If someone calls claiming to be from your bank, tell them you will hang up and call back on the number on your card. A legitimate caller won't object.
Assume anything urgent or emotionally charged might be a scam tactic. They are depending on your initial reaction. Step back and take a breath before acting.
6. Use Two-Factor Authentication And Choose the Right Kind
Two-factor authentication (2FA) is one of the most effective ways to protect your online accounts. But not all 2FA methods are equal.
Whenever possible, use an authenticator app like Google Authenticator, Authy (my preferred choice), or Microsoft Authenticator. These generate time-based one-time codes and are far more secure than receiving codes by text message, which can be intercepted through SIM swapping or phone number hijacking.
If app-based codes aren't an option, SMS is still better than nothing, but treat it as a last resort. Keep in mind that any code you type can be relayed in real time by a phishing page, so 2FA codes protect you against a stolen password but not against a fake login page; a hardware security key or passkey, which only works on the genuine site, is the strongest option where it's offered. No matter the method, enabling 2FA adds an extra layer that makes it much harder for attackers to access your accounts, even if your password is compromised.
7. Compromised Facebook Accounts
Facebook account takeovers are increasingly common, especially through phishing links or reused passwords. Once someone gains access, they may lock you out, send spam, impersonate you to scam friends, or run unauthorized ads using your payment methods.
If your Facebook account has been hacked or you're locked out, go straight to facebook.com/hacked. This is Facebook’s official recovery tool. It will walk you through verifying your identity, securing your login, and restoring access.
Steps you should also take:
Immediately change your Facebook password (and any others using the same one).
Review your login activity and authorized apps.
Turn on two-factor authentication to prevent future issues.
If someone else is reporting that your account is posting spam or impersonating you, direct them to this support page to file a report on your behalf.
8. Scam Call Prevention
New iOS 18 and Android phone features offer a useful new tactic: call recording. On iPhones running iOS 18.1 or later, users can tap the waveform icon at the top left of the screen during a call to begin recording. The system announces "This call is being recorded" out loud to both parties, so the recording is disclosed whatever the local consent laws, and that announcement alone is often enough to make a scammer hang up immediately.
This feature has already proven effective in real-life tests. It's also available on:
Pixel phones, under “Call Assist” → “Call Notes”
Samsung phones (One UI 7), via an icon that looks like a cassette with the letter “T”
If you’re unsure whether a phone call is legitimate, especially if it claims to be from your bank, credit card company, or any financial institution, hang up and contact the company directly using a trusted number on their website or your bank card. Never trust an unsolicited (unexpected) call, no matter how convincing it sounds.
Conclusion: Think Before You Click
Scams today don’t look like scams. They come dressed up in polished emails, texts, and even legitimate-looking websites. They’re designed to make you act quickly, before you have time to think.
You can stay ahead by pausing, verifying, enabling strong security tools like password managers and app-based 2FA, and using new features like call recording to protect yourself on the phone. Even the pros make mistakes, which is exactly why all of us need to stay sharp.
If you found this information valuable and useful, please strongly consider upgrading to a paid subscription for $5/month. My work is possible because of your support.