Common online scams and frauds
Note: This article is the second part of our Comprehensive Security Guide.
Here is part 1
Recognize them and know what to do if you’re targeted
Not every scam follows the same pattern, but understanding how different threats typically unfold can make them easier to spot in the moment. This article breaks down the most common scam categories consumers encounter, what they look like up close, and exactly what to do if you think you’ve been targeted, including steps most people don’t know to take.
What we cover in part two of this guide
- Bank impersonation, phishing, and text scams
- QR code scams
- Tech support scams
- IRS and tax scams
- Student loan scams
- Work-from-home scams
- Telemarketing, prize, and seasonal scams
- Small business and business email compromise scams
- What to do if you think you were targeted
- FAQs
Bank impersonation, phishing, and text scams
What these scams look like
Bank impersonation scams typically arrive as a text message or phone call warning you about suspicious activity on your account. The message is urgent by design: a large transaction you don’t recognize, a login from an unfamiliar device, an account hold that takes effect unless you act immediately. The goal is either to get you on the phone with a fake fraud specialist or to get you to click a link that captures your login credentials.
Phishing emails follow the same basic approach, dressed up to look like legitimate bank communications. The right logo, the right color scheme, a sender address that looks convincing at a glance. Smishing, which is phishing delivered by text message, has grown sharply in recent years because people tend to extend more trust to texts than emails and are less likely to slow down and scrutinize them.
The tactics used most often
- Spoofed caller ID displaying your bank’s actual phone number
- Fake fraud alert texts with links to realistic-looking login pages built to steal your credentials
- A “verification” request asking you to confirm your account number, PIN, or a one-time passcode
- Pressure to act before the “fraud window” closes
How to protect yourself
Never provide your PIN, password, or a one-time passcode to anyone who contacts you, regardless of what the caller ID shows. If a message appears to be from your bank, don’t use any link or phone number contained in that message. Call the number on the back of your card directly.
QR code scams
How QR scams work
QR codes are convenient because they remove friction. You scan, you go. That lack of friction is exactly what makes them useful to scammers. A malicious QR code is visually identical to a legitimate one and can be placed directly over real codes in restaurants, on parking meters, in package delivery notices, and on public signage. Scan it and you’re taken to a fake site designed to steal your credentials or payment information, or your device is prompted to download malware without any further action on your part.
These scams also show up in email and text, usually as a message claiming you need to scan the attached code to verify an account, claim a package, or complete a payment. The urgency is familiar. So is the outcome.
Safer habits when scanning QR codes
- Preview the URL before you do anything else. Most phones display the destination link before opening it. Take a second to confirm it matches the organization it claims to represent.
- Be skeptical of QR codes in unexpected places, particularly stickers that appear to have been placed over existing signage.
- If a QR code arrives unsolicited by text or email, don’t scan it. Go directly to the organization’s website instead.
- If scanning a QR code takes you to a login page, stop. Businesses rarely require you to log in to complete a routine action through a QR code.
P2P payment and mobile wallet scams
Common scenarios
Peer-to-peer payment apps like Zelle, Venmo, Cash App, and PayPal are built for speed and convenience, and that’s precisely what makes them attractive to scammers. The money moves fast, the transactions are considered final, and by the time most people realize something is wrong, the window to do anything about it has already closed.
The scenarios vary but tend to follow recognizable patterns. A fake buyer “accidentally” overpays for something you’re selling online and asks you to send back the difference before their payment clears. It never does. The original payment was fraudulent, and the money you sent back was very much real.
In another common version, someone posing as your bank’s fraud department instructs you to transfer funds to a “safe account” via Zelle to protect them from suspicious activity. The safe account belongs to the scammer.
Romance scams follow a slower timeline. A new online connection builds trust over days or weeks before any mention of money surfaces, and by the time a request comes through a P2P app, the relationship feels real enough that sending it doesn’t seem unreasonable.
Straightforward purchase fraud is simpler: you pay upfront for goods or services, and the seller vanishes.
Why are these scams so difficult to recover from?
Unlike a credit card transaction, P2P payments are treated as authorized transfers. Once you send money through Zelle or Cash App to someone you don’t know, recovering it is extremely difficult and often impossible. There is no chargeback process. The money moves instantly and the transaction is considered final.
Best practices
- Only use P2P apps to send money to people you know personally.
- If anyone instructs you to use a P2P app as part of resolving a fraud situation, that instruction is itself the scam.
- Never send money to “receive” a prize, job offer, or refund.
- Turn on transaction notifications so you’re aware of any account activity the moment it happens.
Tech support scams
What they look like
Tech support scams usually begin with a warning. A pop-up on your screen, an alarming audio alert, or an email claiming your computer has been infected or your accounts have been compromised. A phone number is provided for immediate help. When you call, a fake technician walks you through steps that seem to confirm the problem, then requests remote access to your device to fix it.
Once they have that access, the options available to them are considerable. They can install malware, pull saved passwords, access financial accounts, or lock your device entirely and demand payment to restore it.
Some tech support scams skip the fake warning altogether. A cold call arrives claiming to be from Microsoft, Apple, or your internet provider, with news of a problem you had no idea existed.
How to respond
Close the pop-up without calling the number. If it won’t close, force-quit your browser or restart your computer, which resolves most fake warning overlays immediately. Never grant remote access to your device to someone who contacted you unsolicited. If you have genuine concerns about your device’s security, reach out to your device manufacturer or a trusted local technician directly.
IRS and tax scams
How these work
IRS impersonation scams peak during tax season but run year-round. The scammer claims you owe back taxes and will face arrest, deportation, or license suspension unless you pay immediately, typically by wire transfer, gift card, or cryptocurrency. They may spoof an IRS phone number to make the call appear official and sometimes follow up with fake emails or letters designed to look like government correspondence.
A related scam involves tax refund fraud. Someone files a fraudulent return using your Social Security number before you do and collects your refund. You find out only when your legitimate return gets rejected as a duplicate.
What to know
The IRS initiates contact by mail, not by phone, text, or email. It will never demand immediate payment by gift card, wire transfer, or cryptocurrency, and it will never threaten arrest over unpaid taxes on a first contact. If you receive a call claiming to be from the IRS and you’re uncertain whether you have an outstanding liability, hang up and call the IRS directly.
To protect yourself against refund fraud, consider filing early each year and setting up an IRS Identity Protection PIN on your account. A credit freeze at all three bureaus adds another layer of protection worth considering.
Student loan scams
Common forms
Student loan scams tend to be most active during periods of policy change around forgiveness or repayment programs, when borrowers are already anxious and actively looking for information. That anxiety is the opening scammers look for.
The most common version involves companies charging upfront fees to help you apply for forgiveness or income-driven repayment programs that are entirely free to access through the Department of Education directly. Others go further, asking for your FSA ID, which is the login credential for your federal student aid account, effectively handing over control of your loan account to a stranger. Fake forgiveness programs that promise immediate cancellation in exchange for a fee round out the category.
What to know
Legitimate student loan help is free. Federal repayment and forgiveness programs are managed through studentaid.gov and your loan servicer, and there is no reason to pay a third party to access them. Never share your FSA ID with anyone under any circumstances. If someone contacts you unsolicited about your student loans, treat it with skepticism regardless of how official or urgent they sound.
Work-from-home scams
Common forms
Work-from-home scams promise easy money for simple tasks: product reviews, data entry, reshipping packages, mystery shopping. Some go further, posing as legitimate companies hiring remote workers and requesting personal information, including your Social Security number and bank account details, as part of a fake onboarding process.
The reshipping variant deserves specific attention. You’re hired to receive packages at your home and forward them to another address. What you’re actually doing is handling stolen goods, and depending on how it plays out, you may face legal liability for your involvement.
Warning signs specific to this category
- The job requires you to pay for a starter kit, certification, or training materials before you’ve earned anything.
- The pay is dramatically higher than market rate for the work being described.
- You’re asked for bank account information before doing any actual work, usually framed as setting up direct deposit.
- The company has no verifiable web presence, reviews, or contact information beyond the initial recruiting message.
- The hiring manager communicates exclusively through messaging apps rather than a company email address.
Telemarketing, prize, and seasonal scams
Telemarketing and prize scams
Unsolicited calls offering free vacations, extended warranties, or exclusive investment opportunities are rarely what they claim to be. Prize scams follow a familiar pattern: you’ve “won” something, but collecting it requires paying taxes, fees, or shipping costs upfront. The prize never arrives and the fees are gone.
Holiday and seasonal scams
Scam volume rises predictably around the holidays, tax season, and major news events. During the holiday season, the most common forms include fake online storefronts selling heavily discounted goods that never ship, charity solicitation fraud, and fraudulent shipping notification texts designed to steal credentials. After major disasters or crises, fake charity scams tend to appear almost immediately, targeting people who want to help.
Simple rules for both
You cannot win a contest you didn’t enter. Legitimate prizes never require payment to collect. If a charity contacts you unsolicited, look them up on Charity Navigator or GuideStar before giving anything, and donate directly through their official website rather than through a link or phone number the caller provides.
Small business and business email compromise scams
What these scams look like
Business Email Compromise, commonly called BEC, is among the costliest forms of fraud targeting organizations of any size. In a typical attack, a scammer hacks into or spoofs a business email account, often an executive’s, and uses it to request a wire transfer, change vendor payment instructions, or redirect payroll deposits. The request looks like it originated from inside the company. The urgency feels completely legitimate.
Smaller businesses are targeted just as frequently as large ones, and usually with less protection in place. A bookkeeper who receives what appears to be a message from the owner requesting an urgent wire transfer may have no clear protocol for verifying it, especially if the owner seems to be unavailable.
Why they work
BEC scams succeed because they exploit trust in established relationships and institutional authority. When the CEO is asking for something, questioning it feels uncomfortable. The request is framed as urgent and confidential, which discourages the person receiving it from looping in colleagues who might otherwise catch the problem.
Basic protections
- Require verbal confirmation for any wire transfer or change to payment instructions, regardless of how legitimate the email appears.
- Train anyone who handles payments to treat urgency and requests for secrecy as warning signs, not reasons to move faster.
- Use multi-factor authentication on all business email accounts.
- If you receive a request to change vendor payment details, call the vendor at a number you already have on file, not one provided in the email.
What to do if you think you were targeted
If you clicked, responded, or shared information
Act quickly, but don’t panic. The steps you take in the first few hours matter most.
- Change your passwords immediately, starting with your email account, then financial accounts, then anywhere else you use the same password.
- Enable multi-factor authentication on any account that supports it.
- Contact your bank directly using the number on the back of your card to alert them and review recent activity.
- Place a fraud alert with the three major credit bureaus: Equifax, Experian, and TransUnion. A fraud alert is free and requires creditors to verify your identity before opening any new accounts in your name.
If you sent money
Your recovery options depend largely on how the payment was made.
- Bank wire transfer: Contact your bank immediately. If the wire hasn’t settled yet, there may be a narrow window to recall it.
- P2P payment (Zelle, Venmo, Cash App): Contact the app’s support team and report the transaction as fraud. Recovery is often not possible, but reporting creates a record that may matter later.
- Gift cards: Call the card issuer immediately and report the fraud. Keep both the card and the receipt. Recovery is rare but occasionally possible if the balance hasn’t been drained yet.
- Cryptocurrency: Recovery is extremely unlikely. Report to the FTC and to your state attorney general.
- Credit card: You have chargeback rights. Dispute the charge with your card issuer immediately.
If your credentials or device were compromised
- If you handed over login credentials, change them immediately and look for any changes made to your account, including forwarding rules, linked accounts, and recovery email or phone numbers.
- If you allowed remote access to your device, treat it as compromised. Run a full malware scan, and if you’re not confident it’s clean, take it to a trusted technician.
- If your Social Security number was exposed, consider placing a credit freeze at all three bureaus. A credit freeze is stronger than a fraud alert and prevents new accounts from being opened in your name entirely.
One sign of compromise most people miss
After a phishing attack, go into your email account’s rules and filters before you do anything else. Scammers who gain access to an email account will often set up automatic forwarding to quietly receive copies of your incoming messages, or create inbox rules that delete security alerts from your bank or email provider so you never see warnings about suspicious logins. It’s a way of maintaining access while staying invisible. Look for any rules you didn’t create and remove them immediately.
AI-powered scams and the road ahead
Why AI changes the picture
For years, the most reliable way to spot a scam was to look for the seams: clumsy grammar, awkward phrasing, a robotic voice on the other end of the line, an email that didn’t quite sound like a real person wrote it. Generative AI has erased most of those tells. The same tools that draft polished emails and clone voices in seconds are now available to anyone, and scammers were among the earliest adopters.
The result isn’t a brand-new category of fraud so much as a sharpening of every scam already described in this guide. Phishing emails now read flawlessly. Fake fraud specialists sound calm and competent. Impersonation is more convincing, more personalized, and produced at a scale that wasn’t possible just a few years ago. The underlying playbook hasn’t changed. The polish has.
What these scams look like
The most striking development is voice cloning. With only a few seconds of audio, often pulled from social media, a voicemail greeting, or a brief phone call, a scammer can generate a convincing replica of someone’s voice. The classic version is a distressing call that appears to come from a family member: a grandchild claiming to be in jail, a child stranded after an accident, a relative in some sudden emergency that requires money right now. The voice sounds right, the panic feels real, and the request for an immediate wire transfer or gift card payment follows the familiar pattern of urgency.
AI is also being used to generate realistic video and images. Deepfake videos of public figures, executives, or even people you know are now used to lend credibility to investment pitches, romance scams, and business email compromise schemes. A scammer running a fake investment platform might produce a video of a well-known financial personality endorsing it. A BEC (Business Email Compromise) attack might escalate from a spoofed email to a video call featuring a synthetic version of an executive.
Chatbots have made romance and investment scams more efficient as well. Where a scammer once had to manage each conversation by hand, AI now sustains dozens of relationships at once, responding naturally and around the clock, building the kind of trust that eventually leads to a request for money.
The tactics used most often
- Cloned voices of family members in fabricated emergencies, requesting immediate payment
- Flawless phishing emails and texts with none of the grammatical errors that used to signal a scam
- Deepfake videos or images are used to endorse fake investments or impersonate executives and acquaintances
- AI chatbots running romance and investment scams at scale, maintaining convincing conversations over long periods
- Highly personalized messages that reference real details about you, scraped and assembled automatically from public sources
How to protect yourself
The core defenses haven’t changed, but a few deserve renewed emphasis in this environment.
Treat any urgent request for money as suspect, no matter how familiar the voice or face. If you receive a distressing call from someone claiming to be a relative, hang up and call that person back directly on the number you already have for them. A cloned voice cannot answer a phone you dialed yourself.
Consider agreeing on a family code word with close relatives, a simple phrase that a real family member would know and an impersonator wouldn’t. It’s a low-tech defense that holds up well against high-tech impersonation.
Be skeptical of endorsements and opportunities you encounter through video or audio, particularly anything involving investments. Seeing a familiar face or hearing a familiar voice is no longer proof that a message is genuine. Verify through official channels before acting.
Slow down. Nearly every AI-enhanced scam still relies on the same thing its low-tech predecessors did: pressure to act before you’ve had time to think. The technology has gotten better at creating that pressure, which makes the decision to pause and verify more valuable than ever, not less.
How Alpine Bank communicates with customers
A reminder: Alpine Bank will never contact you to ask for your PIN, online banking password, or one-time passcode. We will never ask you to transfer money to a new account to protect it from fraud. We will never demand immediate action over the phone without giving you the ability to verify who you’re talking to.
If something feels off about a message or call claiming to be from us, trust that instinct. Hang up or don’t respond, and call us directly using the number on the back of your card or at alpinebank.com. We would always rather take a call from you than learn you were defrauded by someone pretending to be us.
FAQs
Q: What do bank impersonation, phishing, and text scams look like?
A: They arrive as urgent texts, calls, or emails about suspicious activity, such as an unrecognized transaction, an unfamiliar login, or an account hold, designed to get you on the phone with a fake fraud specialist or to click a link that steals your credentials. Smishing (phishing by text) has grown because people trust texts more and scrutinize them less. Never give your PIN, password, or one-time passcode to anyone who contacts you, and call the number on the back of your card rather than any link or number in the message.
Q: How do QR code scams work, and how do I scan safely?
A: Malicious QR codes look identical to real ones and can be placed over legitimate codes on signage, menus, or parking meters, sending you to a fake site or triggering a malware download. Preview the URL before opening it, be wary of codes in unexpected places or arriving unsolicited by text or email, and stop if a code takes you to a login page.
Q: Why are P2P payment scams (Zelle, Venmo, Cash App) so hard to recover from?
A: These payments are treated as authorized transfers, so there’s no chargeback process. The money moves instantly and is considered final. Only send money to people you know personally, never send money to “receive” a prize or refund, and remember that anyone telling you to use a P2P app to resolve a fraud situation is themselves the scam.
Q: How do tech support, IRS, student loan, and work-from-home scams operate?
A: Tech support scams use fake warnings or cold calls to win remote access to your device, which you should never grant to someone who contacted you. IRS scams threaten arrest unless you pay by gift card, wire, or crypto, but the IRS initiates contact by mail and never demands immediate payment that way. Student loan scams charge upfront fees or ask for your FSA ID for help that’s free through studentaid.gov. Work-from-home scams ask for payment, bank details, or your SSN before any real work, with red flags like starter-kit fees, above-market pay, and recruiters who only use messaging apps.
Q: How can I avoid prize, telemarketing, and seasonal/charity scams?
A: You can’t win a contest you didn’t enter, and legitimate prizes never require upfront payment. Scam volume rises around holidays, tax season, and disasters. If a charity contacts you unsolicited, verify it on Charity Navigator or GuideStar and donate through its official website, not a link or number the caller provides.
Q: What is Business Email Compromise (BEC), and how do I protect my business?
A: A scammer hacks or spoofs a company email, often an executive’s, to request urgent wire transfers, vendor payment changes, or payroll redirects, exploiting trust and pressure to discourage double-checking. Require verbal confirmation for any transfer or payment-detail change, train staff to treat urgency and secrecy as warning signs, use multi-factor authentication, and call vendors at a number already on file.
Q: What should I do if I think I was targeted, and what’s the sign most people miss?
A: Act quickly: change passwords (starting with email), enable multi-factor authentication, call your bank using the number on your card, and place a free fraud alert with Equifax, Experian, and TransUnion. Recovery depends on payment method, with wires and credit cards offering the best options, while P2P, gift cards, and crypto are hard or impossible to reverse. The overlooked step: after a phishing attack, check your email for forwarding rules or filters a scammer may have set up to silently copy your mail or delete bank security alerts.


