What to do (and never do) after you’ve been scammed

What’s worse than falling victim to a scam online? Being scammed again while dealing with the original crime.

There’s a booming industry of criminals who target people at their worst moments, squeezing more money or information out of them in exchange for false hope. They’ll promise to get you back into a hacked Facebook account or reclaim money you lost to some other third party. They’re often lurking in legitimate-looking search results or your social media replies.

We’ve given lots of advice about what to do to avoid being scammed, but what about right after it happens? You’re still vulnerable and in a heightened emotional state, something that online criminals often count on.

“People are especially digitally vulnerable after facing a cyberattack or when they need support after a cyberattack,” says Allie Mellen, a principal analyst at Forrester. “For those that may not be technically savvy or may not have a technically savvy family member or friend to help, an offer for tech support can be very welcome, right up until it turns out to be a fraud.”

Americans lost nearly $8.8 million to scams in 2022, according to Federal Trade Commission data. So far in 2023, online shopping scams are the most common, followed by criminals impersonating businesses, but tech support scams have cost consumers $157.8 million in the first three quarters of the year.

Here are some guidelines to get you through the rough patch without losing more money — and be better prepared for next time.

In the immediate aftermath of a scam, your priority is to prevent any additional damage. If you’ve handed over financial information or given money to a scammer, call your bank, credit card company, payment app or other financial institution. Many banks and cards will cover scams and return lost money, so ask them for a refund or to reverse the transaction.

If you’ve only given personal information, it could still be used to steal your identity. Turn on credit fraud monitoring or, if you’re able, freeze your credit.

If it’s a specific account that’s been hacked, report it to the company and — if you can — message your friends and family to let them know. Scammers who take over one account can then pose as you to get money or information from people you know.

Change the passwords on any compromised accounts, following the golden password rules: Never reuse a password, don’t pick anything obvious, and record it someplace safe such as a password manager. Next, turn on multifactor authentication for all your key accounts: financial, email, messaging and social media.

If you’re not confident in your tech skills or need help, contact a friend or family member. Don’t worry about feeling embarrassed; just pick up the phone. They may also be able to use their own social media accounts to report yours as hacked.

Try a company’s official customer support options. You’ll get help from banks and credit cards, but large tech companies with free products, such as Facebook and Google, typically don’t provide a way to speak to a person or get more than a support document or automated reply.

Look out for recovery scams

Do not rely on search engines to find help. Scammers will often buy search ads for keywords about falling for scams, getting into hacked accounts, or recovering money or cryptocurrency. Others will automatically reply to any public social media post about being scammed, offering help.

Skip them all. Especially any company you’ve never heard of or one that asks for a fee upfront. They don’t have any special back channels to tech companies or all-powerful hackers on staff to undo what’s been done, experts say. The most a service can do is walk you through securing your accounts or do some of the reporting for you.

“If it’s very high up in search, that doesn’t mean it’s real. It means they paid for it,” said Iskander Sanchez-Rola, director of privacy innovation for Norton.

Look out for long, overly specific URLs, sites that haven’t been around for very long and offers that seem too good to be true. For example, if a company is not asking for money upfront, that could mean it is in the information-gathering phase, says Sanchez-Rola. Do a search of the company’s name on Google, Reddit, Trustpilot and the Better Business Bureau, and remember that positive online reviews can be faked (look closely at the language and the dates the reviews were posted). Look out for any company asking for nontraditional payment methods such as gift cards, Venmo or PayPal, or wire transfers.

After you’ve handled all the emergency matters, report any scam or scammers to help protect other people. There’s an overwhelming number of options for where to report things, and they vary by country or state, what methods the scammers used and how much money you lost.

If a crime has taken place, you can report it to your local law enforcement first. There’s usually a non-emergency number or site, and you might be able to fill out a form.

Next, look up your state’s resources on where to report scams, starting with the attorney general’s office or the department of consumer affairs. Use keywords such as “cybercrime” or “ecrime” when searching for the best agencies, and be extra careful of sites posing as official government agencies — look for sites ending in .gov or .us. You can also report scams to private organizations that track cybercrime. Here is a list to get you started:

To spread the word less officially, start with your social networks. Make a quick post about what the scam looked like to warn your friends and relatives, especially if you think scammers collected any of their information. If you’re comfortable, you can share information more widely on public accounts and sites such as Reddit.

Finally, report any website, phone number or social media account belonging to a scammer to relevant tech companies — search engines, social media companies and cell carriers.

Scams can affect anyone, no matter your age. If you do fall for one, use it as a learning experience so it won’t happen again.

Leave a Reply

Your email address will not be published. Required fields are marked *