🛡️ Frequently Asked Questions
Find answers to common questions about identifying scams, protecting yourself from fraud, and staying safe online.
According to the FBI's Internet Crime Complaint Center (IC3) 2024 report, the most common online scams include phishing and spoofing (accounting for over 298,000 complaints), personal data breaches, non-payment/non-delivery fraud, extortion, and investment scams. These scams cost victims billions of dollars annually and continue to grow in sophistication.
- Phishing emails impersonate banks, government agencies, or popular services to steal credentials
- Fake e-commerce websites mimic legitimate retailers to collect payment information
- Romance scams cost victims over $1.3 billion in 2023 according to the FTC
- Investment fraud, particularly involving cryptocurrency, generated the highest dollar losses at over $4.57 billion
- Tech support scams trick victims into paying for unnecessary computer repairs
- Business Email Compromise (BEC) targets companies through compromised executive email accounts
- Government impersonation scams use fear of arrest or deportation
- Job scams promise high-paying remote work requiring upfront fees
Each scam type exploits different psychological triggers—urgency, fear, greed, or loneliness—making awareness of these tactics your strongest defense.
Identifying a scam website requires checking multiple indicators. First, examine the URL carefully: scam sites often use misspellings (amaz0n.com), extra subdomains (login.paypal.security-check.com), or uncommon TLDs (.xyz, .top, .buzz). Check the domain age using WHOIS lookup tools—most scam sites are less than 6 months old. According to research by the Anti-Phishing Working Group (APWG), the average lifespan of a phishing site is under 48 hours.
Key warning signs to look for include:
- No HTTPS padlock icon in the browser address bar
- Missing or fake contact information and no physical address
- Unrealistically low prices (often 70–90% below market value)
- Stock photos instead of original product images
- No social media presence or extremely low engagement
- Copied or generic legal pages
- Pressure tactics like countdown timers
- Payment only through wire transfers or cryptocurrency
Verify the business through the Better Business Bureau (BBB), check for reviews on Trustpilot, and search for the site name plus "scam" or "review." Use our IsItAScam analysis tool as an additional verification layer alongside your own research.
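The URL checks from this answer (lookalike spellings, a brand name buried in a subdomain, uncommon TLDs) can be automated. The following is an added example, not the IsItAScam tool's code; the two-entry brand list, the warning labels and the naive "last two labels" domain rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example: a two-entry brand list and the TLDs the text names.
BRANDS = {"amazon": "amazon.com", "paypal": "paypal.com"}
UNCOMMON_TLDS = {"xyz", "top", "buzz"}
# Digit-for-letter swaps commonly seen in lookalike spellings (0->o, 1->l, ...).
SWAPS = str.maketrans("01345", "oleas")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive 'last two labels' rule; real tooling should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def url_warnings(url):
    """Return a list of warning labels for the hostname in `url`."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ["no-hostname"]
    labels = host.split(".")
    reg = registrable_domain(host)
    name = labels[-2] if len(labels) >= 2 else labels[0]

    warnings = []
    if parts.scheme == "http":
        warnings.append("no-https")
    if labels[-1] in UNCOMMON_TLDS:
        warnings.append("uncommon-tld:" + labels[-1])
    for brand, official in BRANDS.items():
        if reg == official:
            continue  # the brand's own domain (including its subdomains)
        # Misspelling: digit swap or a single-character edit of the brand name.
        if name != brand and (name.translate(SWAPS) == brand
                              or edit_distance(name, brand) == 1):
            warnings.append("lookalike:" + brand)
        # Brand appears left of a registrable domain it does not own.
        if brand in labels[:-2]:
            warnings.append("brand-in-subdomain:" + brand)
    return warnings


if __name__ == "__main__":
    for sample in ("https://amaz0n.com/deal",
                   "https://login.paypal.security-check.com/",
                   "http://cheap-shoes.xyz",
                   "https://www.paypal.com/signin"):
        print(sample, "->", url_warnings(sample))
```

An empty list only means none of these three checks fired; domain age, reviews and the other indicators in the list above still apply.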
Phishing emails have become increasingly sophisticated, but several telltale signs remain. According to the Verizon 2024 Data Breach Investigations Report, phishing is involved in over 36% of all data breaches. Key red flags include:
- Generic greetings ("Dear Customer" or "Dear User") instead of your name
- Mismatched sender addresses that don't match the claimed organization (e.g., [email protected])
- Urgent or threatening language demanding immediate action
- Requests for sensitive information like passwords or Social Security numbers
- Suspicious links that don't match the displayed text (hover to check)
- Unexpected attachments, especially .exe, .zip, or macro-enabled Office files
- Grammar and spelling errors or unusual formatting
- Offers that seem too good to be true
Advanced phishing emails may use real company logos, formatting, and even reference recent transactions. Always verify requests independently: call the company using a number from their official website—never from the email. Enable multi-factor authentication on all accounts so even if credentials are compromised, attackers cannot gain access. Report phishing emails to [email protected] and your email provider.
No automated scam detection tool achieves 100% accuracy, and any service claiming otherwise should itself be viewed skeptically. Our tools analyze multiple data points including:
- Domain age and registration details
- SSL certificate validity and configuration
- URL pattern analysis against known scam templates
- Blacklist databases (Google Safe Browsing, PhishTank, APWG)
- Website content analysis for scam indicators
- Hosting infrastructure reputation
According to a 2024 study published in the Journal of Cybersecurity, the best automated phishing detection systems achieve 95–98% accuracy on known threat patterns, but accuracy drops to 60–85% for zero-day phishing sites. Scammers constantly evolve their techniques—creating new domains, rotating hosting providers, and using legitimate services to host malicious content.
False positives also occur: legitimate new businesses may trigger warnings due to young domain age. We recommend a layered defense approach: use our tools as one input alongside checking independent reviews, verifying contact information, testing customer service responsiveness, and trusting your instincts when something feels off. No single tool replaces critical thinking and healthy skepticism when navigating the internet.
Time is critical after discovering you've been scammed. Follow these steps immediately:
- Stop all communication with the scammer and do not send additional money, even if they promise to return your funds
- Document everything—save emails, screenshots, chat logs, transaction records, and phone numbers
- Contact your bank or credit card company immediately to dispute charges or freeze accounts; the FTC reports that victims who act within 24 hours recover funds at significantly higher rates
- File official reports with the FTC at reportfraud.ftc.gov, the FBI's IC3 at ic3.gov, and your local police department
- Change passwords immediately on all affected accounts and enable two-factor authentication
- Place fraud alerts with the three major credit bureaus (Equifax, Experian, TransUnion) if you shared your Social Security number, and consider a credit freeze
- Visit identitytheft.gov for a personalized recovery plan if identity theft is suspected
- Monitor your credit reports weekly through AnnualCreditReport.com for at least 12 months
If the scam involved cryptocurrency, also report to the platform and the Commodity Futures Trading Commission (CFTC). Remember: being scammed is not your fault—these are sophisticated criminal operations designed to exploit trust.
Gift cards have become the preferred payment method for scammers, and the FTC reports that consumers lost over $217 million to gift card scams in 2023 alone. Scammers favor gift cards because they are:
- Virtually untraceable once redeemed
- Irreversible, unlike credit card payments, which can be disputed
- Convertible to cash or cryptocurrency through secondary markets
- Anonymous—no identification required to purchase or redeem
- Instantly accessible from anywhere in the world
Common gift card scam scenarios include IRS impersonation calls demanding tax payments, tech support scams requesting payment for fake repairs, romance scammers asking for "emergency" help, fake prize notifications requiring "processing fees," and boss/CEO impersonation emails asking employees to purchase cards. The most frequently requested cards are Apple/iTunes, Google Play, Amazon, and Steam Wallet.
Remember this absolute rule: no legitimate business, government agency, utility company, or law enforcement entity will ever request payment via gift cards. If anyone asks you to buy gift cards as payment, it is 100% a scam—no exceptions. If you've already shared gift card numbers, contact the card issuer immediately as some funds may be recoverable if reported quickly.
AI-powered scams represent a rapidly growing threat in the fraud landscape. Criminals now use generative AI to create deepfake videos, clone voices with as little as 3 seconds of audio, and generate convincing phishing emails free of the grammatical errors that once served as warning signs. According to the FBI's 2024 advisory, voice cloning scams have surged over 300% since 2022, with scammers impersonating family members to request emergency money transfers.
Common AI-powered scam techniques include:
- Deepfake video used in fake celebrity endorsement scams and business meeting impersonation
- Voice cloning to impersonate relatives, executives, or authority figures
- AI-generated phishing emails personalized using data from social media profiles
- Chatbot-driven romance scams that maintain convincing conversations for weeks
To protect yourself: establish a family code word for verifying emergency calls, be skeptical of unexpected video calls requesting money, and verify any urgent financial request through a separate communication channel. Watch for subtle deepfake signs like unnatural blinking, lip-sync mismatches, or inconsistent lighting. Use reverse image search on suspicious profile photos. If an investment opportunity features a celebrity endorsement video, verify it through the celebrity's official channels. The technology is advancing rapidly—awareness and verification habits are your best defense.
A phishing kit is a pre-packaged set of tools that allows even non-technical criminals to launch sophisticated phishing attacks. These kits are sold on dark web marketplaces for as little as $50–$300, and some are available for free. According to research by Akamai Technologies, over 120,000 unique phishing kits were detected in the wild in 2024.
A typical phishing kit includes:
- Cloned versions of legitimate login pages (banks, email providers, social media)
- Backend scripts to capture and exfiltrate stolen credentials
- Hosting configuration files for quick deployment
- Evasion techniques to avoid detection by security tools
- Built-in Telegram bots that send stolen data to the attacker in real-time
Modern phishing kits incorporate adversary-in-the-middle (AiTM) proxies that can intercept multi-factor authentication tokens, making even MFA-protected accounts vulnerable. Kits are designed to be disposable—attackers deploy them, harvest credentials for 24–48 hours, then move to a new domain. This is why traditional blacklists struggle to keep up.
To protect yourself, use hardware security keys (FIDO2/WebAuthn) which are resistant to AiTM attacks, always navigate to websites directly by typing the URL rather than clicking links, and enable login notifications on all important accounts so you're alerted to unauthorized access immediately.
Before purchasing from an unfamiliar online store, use this verification checklist to protect yourself. According to the FTC, online shopping fraud was the second most reported fraud category in 2024, with losses exceeding $3.5 billion.
- Domain verification: Check the domain age using WHOIS lookup (legitimate stores are typically registered for years, not weeks), verify the URL matches the brand exactly, and look for HTTPS encryption
- Website content evaluation: Check for a complete "About Us" page with real company history, verify a physical address exists using Google Maps, test the customer service phone number and email, and read the return and refund policies—vague or missing policies are a red flag
- Reputation research: Search for reviews on Trustpilot, Sitejabber, and the BBB, look for the store on social media and check follower engagement authenticity, and search "[store name] scam" or "[store name] reviews"
- Pricing analysis: If prices are 70–90% below retail, it's likely fraudulent
- Payment options: Legitimate stores offer credit card payments with buyer protection, while scam stores often only accept wire transfers, cryptocurrency, or Zelle
Finally, use our IsItAScam tool to run an automated analysis combining all these factors into a comprehensive risk assessment.
Cryptocurrency scams caused the highest financial losses of any fraud category in 2024, with the FBI IC3 reporting over $5.6 billion in losses. The most prevalent types include:
- Pig butchering scams: Fraudsters build relationships over weeks or months before convincing victims to invest in fake crypto platforms showing fabricated returns
- Fake exchange and wallet scams: Sites mimicking legitimate platforms like Coinbase or MetaMask to steal login credentials and seed phrases
- Rug pull schemes: Developers create a new token, generate hype, then disappear with investor funds—over 117,000 scam tokens were created in 2024 alone
- Ponzi schemes: Disguised as crypto investment clubs promising guaranteed returns of 1–10% daily
- Celebrity-endorsed pump-and-dump schemes using deepfake videos
- Fake airdrops and giveaways requiring you to "send crypto to receive more"
Red flags include: guaranteed returns (no legitimate investment offers this), pressure to invest quickly, requests for your private keys or seed phrase, unregistered platforms, anonymous development teams, and unsolicited investment opportunities via social media or dating apps. Protect yourself by using only well-established exchanges, never sharing your seed phrase with anyone, and remembering that legitimate projects never ask you to send crypto first.
Adults over 60 are disproportionately targeted by scammers, with the FBI IC3 reporting over $3.4 billion in losses among seniors in 2024—a 24% increase from the previous year. The most common scams targeting elderly individuals include tech support fraud, government impersonation, romance scams, grandparent scams (callers pretending to be a grandchild in distress), and investment fraud.
Practical steps to protect elderly family members:
- Have open, non-judgmental conversations about scam tactics—shame prevents many victims from reporting
- Set up call-blocking services and register phone numbers on the National Do Not Call Registry
- Establish a family code word for verifying emergency requests
- Configure email spam filters and enable two-factor authentication on their accounts
- Install ad-blocking software to prevent malicious advertisements
- Set up account alerts for transactions over a specified amount
- Consider adding a trusted contact person to financial accounts
- Teach them to never give remote access to their computer to unsolicited callers
Encourage a "pause and verify" habit: if any call, email, or message requests money or personal information, hang up and call back using a known number. Create a list of trusted contacts they can consult before making financial decisions. Organizations like AARP's Fraud Watch Network (aarp.org/fraudwatchnetwork) offer free resources and a helpline specifically for elder fraud.
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. Unlike technical hacking, it exploits human psychology rather than software vulnerabilities. According to the Verizon 2024 Data Breach Investigations Report, 68% of breaches involved a human element, making social engineering the most effective attack vector available to criminals.
The core psychological principles exploited include:
- Authority: Impersonating police, IRS agents, or company executives to demand compliance
- Urgency: Creating artificial time pressure so victims act before thinking
- Scarcity: "Only 2 left!" or "Offer expires in 10 minutes"
- Social proof: "Thousands of people have already invested"
- Reciprocity: Offering something free before requesting sensitive information
- Fear: Threatening legal action, account suspension, or arrest
Common social engineering attacks include pretexting (creating a fabricated scenario to extract information), baiting (leaving infected USB drives in public places), tailgating (following authorized personnel into secure areas), and quid pro quo attacks (offering fake IT support in exchange for login credentials). Research by Stanford University found that 88% of data breaches are caused by employee mistakes triggered by social engineering. To defend yourself: always verify identities independently, take time before responding to urgent requests, and remember that legitimate organizations will never pressure you to act immediately.
Pig butchering (translated from the Chinese shā zhū pán) is a sophisticated long-con investment fraud where scammers build a genuine-feeling relationship with the victim over weeks or months before introducing a fake cryptocurrency investment platform. The FBI estimates this fraud caused over $3.5 billion in US losses in 2023.
How the scam unfolds:
- Initial contact: A "wrong number" text, dating app match, or social media connection from an attractive, engaging stranger
- Relationship building: Weeks of genuine-seeming conversation, building emotional trust and even affection
- Investment introduction: The scammer casually mentions their remarkable success on a specific investment platform
- Small wins: Victim is encouraged to invest small amounts; the fake platform shows impressive fabricated returns
- Escalation: Victim invests increasing sums, sometimes withdrawing savings, selling assets, or taking loans
- The "slaughter": When the victim tries to withdraw, invented taxes and fees block the withdrawal; eventually the platform disappears entirely
Warning signs: the investment platform isn't available on official app stores; there's no regulated exchange registration; you can "see" profits but cannot withdraw them; and customer service always invents new fees to block withdrawals. Many operations are run from forced-labour compounds in Southeast Asia. Report to FBI IC3 at ic3.gov immediately if you suspect this scam.
Romance scams cost victims over $700 million in 2023 according to the FBI IC3, with the median individual loss exceeding $10,000. The FTC found that people who met their scammer on social media lost more money than those who met on dating apps. Early recognition is essential — the longer the relationship continues, the harder it becomes to accept the truth.
Key warning signs:
- Lives or works abroad: Claims to be on military deployment, an offshore oil rig, or an international medical mission — anything preventing an in-person meeting
- Rapid emotional escalation: Professes deep love or strong feelings after just days or weeks of online contact
- Avoids video calls: Always has technical problems; offers photos instead or uses pre-recorded video clips
- Reverse image results: Profile photos return a different person's name in Google Reverse Image Search
- Financial requests: Eventually asks for money for an emergency, travel, medical costs, or an "investment opportunity"
- Moves to private messaging: Pushes to communicate only through WhatsApp or Telegram rather than the original platform
Protect yourself: never send money to someone you haven't met in person regardless of how well you feel you know them; video call early in any online relationship; discuss the relationship with a trusted friend; and contact the AARP Fraud Helpline (877-908-3360) if you think you may be targeted.
Job scams cost North American job seekers an estimated $2 billion annually according to the BBB 2023 Employment Scams Study, with a median individual loss of $1,995. Fraudulent job offers appear on LinkedIn, Indeed, and other legitimate platforms, making them particularly deceptive.
Major red flags:
- Unsolicited offer: You receive a job offer for a position you never applied for
- Unrealistic compensation: Pay is dramatically higher than market rate for simple tasks (data entry, product testing, app review)
- No real interview: Entire "hiring" process happens over text, WhatsApp, or Telegram — no phone or video interview
- Upfront payment required: Asked to pay for training, equipment, software, or background checks before starting
- Money handling: Job requires receiving transfers and forwarding funds — this is money mule recruitment
- Unverifiable company: Company has no LinkedIn presence, website, or address that matches official records
- Pressure to decide immediately: "We have to fill this role today" — legitimate employers give time for consideration
Verify any offer independently: look up the company on LinkedIn, call the official HR number from the company's real website (not from the offer email), and search the recruiter's name + company online. Report fake job listings to the FTC at reportfraud.ftc.gov and to the platform where you found the listing.
SIM swapping is an attack where a fraudster calls your mobile carrier, impersonates you using personal information gathered from data breaches or social media, and convinces a customer service representative to transfer your phone number to their SIM card. The FBI reported 1,611 SIM swapping complaints in 2023 causing over $48 million in losses. High-value cryptocurrency holders are disproportionately targeted.
The attack's impact:
- All SMS messages — including one-time passwords for two-factor authentication — now go to the attacker
- Immediate account takeover on banking, email, cryptocurrency exchanges, and any account using SMS-based 2FA
- Password reset emails for your other accounts go to the email account the attacker now controls
How to protect yourself:
- Set a SIM PIN: Contact your carrier and set a unique passphrase or PIN required before any account changes — do this proactively today
- Switch from SMS to app-based 2FA: Use an authenticator app (Google Authenticator, Authy) or hardware key (YubiKey) instead of SMS for all important accounts
- Minimize public phone exposure: Avoid publishing your real phone number on social media profiles
- Enable carrier-level SIM lock: T-Mobile, Verizon, and AT&T all offer "number lock" features — enable them
- Monitor for loss of signal: Sudden loss of mobile service is an early warning sign of a SIM swap in progress — contact your carrier immediately
Business Email Compromise is a sophisticated fraud targeting organizations, causing $2.9 billion in losses in 2024 according to the FBI IC3 — the second-highest fraud category by total loss. BEC attacks impersonate executives, vendors, or business partners to trick employees into authorizing fraudulent wire transfers or disclosing sensitive data.
Common BEC scenarios:
- CEO fraud: An executive "urgently" requests a wire transfer via email while supposedly in a meeting or travelling
- Vendor email compromise: An attacker intercepts a real vendor invoice and changes the bank account details before forwarding it to accounting
- Payroll diversion: Fake request to HR to change a direct deposit account before the next payroll run
- Attorney impersonation: A "legal counsel" requests a confidential wire transfer for a pending acquisition or settlement
Organizational defences:
- Implement DMARC, DKIM, and SPF email authentication to prevent domain spoofing
- Require verbal verification via a known phone number for any payment instructions received by email
- Enforce dual authorization for wire transfers above a threshold amount
- Conduct regular phishing simulation training that includes BEC scenarios
- The FBI's IC3 Recovery Asset Team (RAT) recovered $560M in BEC losses in 2024 — but only when notified within 48 hours of the transfer
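For the email authentication defence listed above, publishing SPF and DMARC records is not enough if the policy in them is permissive. This added example (not from the original page) audits the published TXT records; the `corp.example` records are constructed, the finding labels are this example's own, and DKIM is not covered because checking it requires the selector's key record.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record):
    """Flag DMARC settings that leave spoofed mail deliverable."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not-a-dmarc-record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        # p=none only monitors; receivers still deliver failing mail.
        findings.append("policy-not-enforced:p=" + (policy or "missing"))
    if tags.get("pct", "100") != "100":
        findings.append("partial-enforcement:pct=" + tags["pct"])
    if "rua" not in tags:
        findings.append("no-aggregate-reports")
    return findings


def spf_findings(record):
    """Flag an SPF record whose catch-all does not hard-fail unknown senders.

    The redirect= modifier is not followed in this example.
    """
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not-an-spf-record"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return ["no-all-mechanism"]
    first = alls[0]  # mechanisms are evaluated left to right
    qualifier = first[0] if first[0] in "+-~?" else "+"
    return {"+": ["all-senders-pass"], "?": ["neutral-all"],
            "~": ["softfail-all"], "-": []}[qualifier]


def audit(records):
    """Combine the SPF and DMARC findings for one domain."""
    return spf_findings(records["spf"]) + dmarc_findings(records["dmarc"])


# Constructed records for a hypothetical domain: weak setting, then corrected.
WEAK = {
    "spf": "v=spf1 include:_spf.corp.example ~all",
    "dmarc": "v=DMARC1; p=none",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.corp.example -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@corp.example",
}

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

These records protect only the organization's own domain from being spoofed; lookalike domains and compromised vendor mailboxes still require the verbal verification and dual authorization steps above.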
Quishing (QR code phishing) uses QR codes instead of hyperlinks to direct victims to malicious websites, bypassing email security filters that scan text-based URLs but typically cannot decode QR code image content. The FBI issued a warning about quishing in 2023 citing exponential growth. Malicious QR codes now appear in emails and physical mail, and are even placed physically over legitimate QR codes in restaurants, on parking meters, and in public spaces.
Why quishing is particularly dangerous:
- Smartphones handle QR scanning natively — users often proceed directly to the URL without scrutiny
- The small URL preview on mobile screens makes it harder to spot spoofed domains
- Email security tools typically cannot analyze image content to detect malicious URLs within QR codes
How to protect yourself:
- Preview the URL first: Your camera app shows the destination URL before you tap — always read it carefully
- Check the domain: Ensure the destination matches what the context suggests (e.g., a "parking payment" QR should go to the city's official domain)
- Inspect physical QR codes: Look for stickers placed over original codes — edges and misalignment indicate tampering
- Be suspicious of email QR codes: Banks, government agencies, and employers rarely ask you to scan a QR code to verify account information
- Never enter credentials on a page reached through an unexpected QR code
Pretexting is a social engineering technique where an attacker fabricates a convincing backstory to manipulate a target into providing information, access, or money. The Verizon 2024 DBIR identified pretexting as a primary vector in 40% of social engineering incidents. Unlike phishing (which relies on technical deception), pretexting relies entirely on a researched, believable scenario.
How scammers build pretexts:
- Open-source intelligence (OSINT): LinkedIn reveals employer, colleagues, and recent projects; social media reveals relationships and interests; public records reveal address and assets
- Data broker aggregation: Sites like Spokeo, WhitePages, and BeenVerified compile detailed profiles used to answer security questions convincingly
- Recent news: Corporate announcements, mergers, or public events provide natural conversation hooks
Common pretexts include: an IT contractor who "needs access credentials to fix an urgent server issue"; a vendor's billing department "confirming banking details"; a hospital administrator "verifying patient insurance"; and the classic grandparent scam ("Grandma, I'm in trouble and need bail money — please don't tell Mom"). Defences: always verify the identity of inbound callers independently before sharing any information; call back using numbers from official sources; and ask your organization to run pretexting simulation drills, not just email phishing simulations.
Fake charity complaints spike by 50–80% following major disasters and news events according to the FTC, as fraudsters exploit donor generosity. Verification is essential before donating, especially in response to an emotional appeal.
Charity verification steps:
- Check watchdog registries:
- Charity Navigator: charitynavigator.org
- GuideStar/Candid: candid.org
- BBB Wise Giving Alliance: give.org
- Verify legal registration: Search the IRS Tax Exempt Organization Search (apps.irs.gov/app/eos) to confirm 501(c)(3) status for US charities; provincial registries for Canadian charities
- Be suspicious of pressure tactics: Legitimate charities don't demand immediate donations over the phone or via social media DM
- Check payment methods: Legitimate charities accept credit cards and issue receipts; be wary if only wire transfers, cryptocurrency, or gift cards are accepted
- Verify the URL: Fake charities use names nearly identical to established organizations — verify the domain is the official one
- Search for complaints: Search "[charity name] scam" or "[charity name] complaint" before donating
Best practice: donate directly through the official website of a well-established organization rather than through links or phone numbers provided by solicitors.
Subscription traps (negative option billing) lure consumers with a "free trial" that automatically converts to a recurring paid subscription, with cancellation made deliberately difficult. The FTC estimates subscription billing fraud generates over $1.4 billion in annual consumer complaints, and finalized the "Click to Cancel" rule in 2024 requiring cancellation to be as easy as sign-up.
How subscription traps work:
- Subscription terms hidden in fine print, low-contrast text, or pre-ticked checkboxes
- Free "sample" shipped with a hidden membership enrollment buried in the terms
- Cancellation requires calling a phone line available only during limited hours
- Automatic re-enrollment after a supposed cancellation
- "Loyalty retention" scripts designed to make you feel guilty for cancelling
Prevention strategies:
- Use virtual card numbers for free trials — your bank may offer single-use or merchant-locked virtual cards that can't be charged after the trial
- Set calendar reminders two days before any trial period ends
- Screenshot cancellation confirmation and keep a record with the date
- Review statements monthly for unrecognized recurring charges
- Dispute immediately: Credit card issuers can issue chargebacks for unauthorized recurring billing — act within 60 days of the statement date
Speed is the most critical factor in fraud recovery. The FBI's Recovery Asset Team (RAT) recovered approximately $560 million in fraudulent transfers in 2024 — but only when notified within 48–72 hours of the transaction. Acting immediately gives law enforcement time to freeze funds before they are moved internationally.
Step-by-step reporting guide:
- Contact your bank immediately — request an emergency wire recall; for credit card fraud, initiate a chargeback; banks have dedicated fraud lines available 24/7
- File with FBI IC3 within 24 hours at ic3.gov — specifically flag as financial fraud for RAT referral if a wire transfer was involved
- File with the FTC at reportfraud.ftc.gov — feeds the Consumer Sentinel database used by 2,000+ law enforcement agencies
- File a police report with your local department — get the report number for insurance claims and bank disputes
- For cryptocurrency fraud: Report to the exchange used and file with the CFTC at cftc.gov/complaint
- For gift card scams: Call the card issuer immediately — some can freeze unredeemed balances if reported quickly
- Report phishing emails to [email protected] and your email provider
Documentation to gather before reporting: all communications (emails, texts, chat logs), transaction IDs and amounts, dates and times, phone numbers or email addresses used by the scammer, and website URLs. Even if full recovery is impossible, every report contributes to intelligence that helps law enforcement disrupt criminal networks affecting other victims.
Last Updated: March 4, 2026 | Author: Simon Desjardins-Hogue
Find answers to common questions about identifying scams, protecting yourself from fraud, and staying safe online.
According to the FBI's IC3 2024 report, the most common online scams include: phishing and spoofing (over 298,000 complaints), personal data breaches, non-payment fraud, extortion, and investment scams. These scams cost victims billions of dollars each year.
- Phishing emails: impersonate banks, government agencies, or popular services to steal credentials
- Investment scams: promise unrealistic returns on crypto, forex, or other investments
- Romance scams: build emotional relationships before asking for money
- Tech support scams: fake calls from "Microsoft" or "Apple" claiming that your computer is infected
- Online shopping scams: products that never arrive or counterfeit items
Warning signs of a fraudulent website: a URL with misspellings or unusual characters, no HTTPS, missing or fake contact details, prices too low to be true, missing return or privacy policies, and pressure to pay by wire transfer or cryptocurrency. Use tools such as WHOIS to check how long the domain has existed and VirusTotal to scan suspicious URLs.
Main warning signs in emails: a sender address that does not match the official domain, generic greetings ("Dear customer"), poor grammar, manufactured urgency or fear, requests for sensitive information, links whose URL does not match the displayed text, unexpected attachments, and offers too good to be true.
No. Scam detection tools use several methods (blacklists, AI analysis, warning signals) but can produce false positives and false negatives. New scams can bypass detection systems until they are reported. Use these tools as a first line of defense, but combine them with your own critical judgment and other verification methods.
- Contact your bank immediately to stop any transfer or cancel the transactions
- Report to the police and obtain a report number
- Report to the FBI IC3 (ic3.gov), the FTC (reportfraud.ftc.gov), or the Canadian Anti-Fraud Centre
- Change all passwords on compromised accounts
- Place a fraud alert on your credit file
- Document everything: keep screenshots, emails, and transaction logs
Gift cards are a favorite target for scammers because payments are instant, irreversible, and nearly impossible to trace. Once the codes are handed over, the funds are collected immediately, often through international networks. No legitimate organization (government, bank, tech support) ever asks for payment by gift card.
AI-powered scams use: voice cloning (recreating a loved one's voice from a few seconds of audio), video deepfakes (fake video calls), AI chatbots (automated scam conversations), and AI-generated phishing emails (personalized, error-free text). To defend yourself: agree on passwords offline with your loved ones, always verify through a second channel, and be skeptical of any urgent financial request, even from "people you know".
To verify an online store: check the domain age (scams often use recently created domains), look for reviews on third-party sites (Trustpilot, Google Reviews), verify the contact information, read the return and refund policies, use secure payment methods such as credit cards (more protection than wire transfers), and look up the SIRET or business number for Canadian/European sites.
"Pig butchering" (Sha Zhu Pan) is a scam combining romance and investment. The scammer first builds an emotional relationship (sometimes over several months), then presents an investment opportunity on a fraudulent crypto platform. The first "transactions" show fake profits to encourage larger investments. When the victim tries to withdraw funds, multiple fees appear. The scam ends when the scammer disappears with all the money.
Act quickly:
- Contact your bank immediately: some transfers can be recalled within 24 hours
- File a complaint with the FBI IC3 (ic3.gov) within 24 hours
- Report to the FTC (reportfraud.ftc.gov)
- File a report with your local police
- For crypto fraud: report to the exchange and to the CFTC (cftc.gov/complaint)
- Document everything: communications, transactions, dates, and the scammers' contact details