Fraud & Identity Theft
How scams work, how to spot them faster, and what to do if someone gets through.
The Big Idea
Most fraud is not sophisticated in the movie sense. It's pressure, urgency, impersonation, and a bet that you'll respond before you stop to think. The good news is that a lot of it is preventable once you know the patterns.
Why It Matters
This matters because even a "small" scam can burn hours, wreck your sense of safety, and take months to unwind. And when the loss is large, it can upend a family fast. A little skepticism up front is much cheaper than recovery on the back end.
The Breakdown
Common Scams and How to Recognize Them
Scams evolve constantly, but most fall into familiar patterns. Knowing the patterns helps you spot scams regardless of the specific story:
- Phishing (email/text/phone): Scammers impersonate legitimate organizations (banks, IRS, Amazon, employer) to steal login credentials or personal information. Red flags: urgent threats ("account will be closed"), requests to verify personal information, suspicious links, generic greetings ("Dear Customer"), spelling errors. Legitimate organizations won't ask for passwords or sensitive info via email/text. When in doubt, contact the organization directly through official channels, not through the message you received.
- Impersonation scams: Scammers pretend to be someone you trust: grandchild in jail needing bail money, friend stranded abroad, utility company threatening to shut off service, Social Security Administration claiming your number was suspended. Red flags: urgent requests for money, pressure to act immediately, requests for unusual payment methods (gift cards, wire transfers, cryptocurrency). Verify by contacting the person or organization directly through known numbers, not the contact info provided by the caller.
- Romance scams: Scammers create fake online dating profiles, build emotional relationships over weeks or months, then invent emergencies requiring money (medical bills, plane tickets to visit, business problems). Victims lose an average of $10,000+. Red flags: relationship moves quickly, person can't video chat or meet in person (always has excuses), profession requires overseas travel (military, oil rig, doctor), requests for money or gift cards. Never send money to someone you haven't met in person, no matter how compelling their story.
- Investment and cryptocurrency scams: Promises of guaranteed high returns with little or no risk. Ponzi schemes, pump-and-dump schemes, fake cryptocurrency exchanges, romance scams that pivot to investment "opportunities." Red flags: guaranteed returns (legitimate investments carry risk), pressure to buy immediately, unsolicited investment advice, complex strategies you don't understand, requests to send crypto to wallets you don't control. If it sounds too good to be true, it's a scam. Legitimate wealth building is slow and boring.
- Employment and business opportunity scams: Fake job offers requiring upfront fees for training or equipment. Pyramid schemes disguised as "multi-level marketing." Work-from-home scams (envelope stuffing, reshipping scams). Red flags: employer asks you to pay for anything upfront, job promises unrealistic pay for little work, vague job descriptions, requirement to recruit others. Legitimate employers don't ask you to pay to work for them.
- Wire fraud and real estate scams: Scammers hack email accounts of real estate agents, title companies, or attorneys and send fake wire instructions to home buyers. Victims wire closing funds to scammers and lose the money permanently. Red flags: last-minute changes to wire instructions, slight variations in email addresses, requests to wire to unusual accounts, pressure to wire immediately. Verify wire instructions by phone using a known number, not by replying to the email. Never wire money based solely on email instructions.
Protecting Yourself: Security Best Practices
Prevention is infinitely easier than recovery. Adopt these practices:
- Freeze your credit: A credit freeze prevents new creditors from accessing your credit report, making it nearly impossible for identity thieves to open new accounts in your name. It is free to place and remove at all three bureaus (Experian, Equifax, TransUnion). Keep accounts frozen by default; temporarily lift only when applying for legitimate credit. Children can also have their credit frozen (child identity theft is common because parents don't monitor a child's credit). This is the single most effective protection against financial identity theft.
- Use strong, unique passwords: Don't reuse passwords across sites. Use a password manager (1Password, Bitwarden, Dashlane) to generate and store complex passwords. Enable two-factor authentication (2FA) everywhere, especially on email, financial accounts, and password managers. Use an authenticator app (Google Authenticator, Authy) rather than SMS 2FA, because SMS codes can be intercepted through a SIM swap.
- Monitor your accounts: Check bank and credit card statements weekly for unauthorized charges. Set up account alerts for transactions over a certain amount, new payees, or balance changes. Review your credit reports annually at AnnualCreditReport.com (free weekly reports through 2025). Consider credit monitoring services if you've been breached, but know they're reactive, not preventive.
- Secure your devices: Keep software updated (enable automatic updates). Use antivirus software on Windows (Windows Defender is fine; free options like Malwarebytes for supplemental scans). Be cautious with public Wi-Fi—use a VPN or avoid sensitive transactions. Don't click links or download attachments from unknown senders. Verify sender email addresses carefully—scammers use slight misspellings.
- Protect your mail and documents: Use a locked mailbox or PO Box. Shred documents with personal information before discarding (credit card offers, bank statements, medical records). Don't carry your Social Security card in your wallet. Keep important documents (birth certificates, passports, wills) in a fireproof safe or safe deposit box.
- Be skeptical: Develop a healthy skepticism toward unsolicited contact. The IRS doesn't call demanding immediate payment. Tech companies don't call about computer viruses. Your bank won't email asking for your password. When in doubt, hang up and call the organization directly using a known number. Trust but verify.
- Have a data breach response plan: If you're notified of a data breach: Change passwords immediately on the affected account and any other accounts using the same password. Enable 2FA if not already on. Freeze your credit if not already frozen. Monitor accounts closely for unauthorized activity. Consider credit monitoring for a year. File your taxes early (prevents tax refund fraud). Most breaches result in no direct financial loss if you respond promptly, but vigilance is required.
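An added example (not part of the original guide): the "slight variations in email addresses" red flag from the wire-fraud item and the "slight misspellings" warning under device security, written as a check that compares a sender's domain with the domains you already deal with. The domains, the `KNOWN_DOMAINS` list and the look-alike character table are constructed for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allow-list (assumption): domains you already do business with.
KNOWN_DOMAINS = {"firsttitle.example", "mybank.example"}

# Constructed table of digit-for-letter swaps seen in misspelled addresses.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From: header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def skeleton(domain):
    """Collapse look-alike spellings so 'rnybank' and 'mybank' compare equal.

    NFKC folds compatibility forms such as full-width letters; it does not
    map Cyrillic or Greek homoglyphs, which need a fuller confusables table.
    """
    folded = unicodedata.normalize("NFKC", domain).translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header, known=KNOWN_DOMAINS, max_edits=2):
    """Return ('known' | 'lookalike' | 'unknown', matched known domain or None)."""
    dom = sender_domain(from_header)
    if dom in known:
        return ("known", dom)
    for good in sorted(known):
        if skeleton(dom) == skeleton(good) or edit_distance(dom, good) <= max_edits:
            return ("lookalike", good)
    return ("unknown", None)
```

A "lookalike" result is a prompt to verify by phone using a known number, not proof of fraud; a two-edit threshold will also flag some legitimate domains with similar names.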
If You Become a Victim: Recovery Steps
If you fall victim to fraud or identity theft, act quickly:
- Immediate financial fraud: If you sent money to a scammer: Contact your bank or wire transfer service immediately—some transfers can be reversed if caught quickly. File a police report (needed for insurance and recovery efforts). Report to the FTC at ReportFraud.ftc.gov. If you gave credit card info, contact your card issuer to dispute charges and get a new card. Monitor accounts obsessively for follow-up fraud.
- Identity theft: If your identity is stolen: Place fraud alerts or credit freezes with all three bureaus immediately (freezes are stronger). File an identity theft report with the FTC at IdentityTheft.gov (creates a recovery plan and official report). File a police report. Contact affected creditors to dispute fraudulent accounts. Change passwords on all accounts. Review credit reports and dispute fraudulent accounts. Continue monitoring for years—identity theft often involves multiple attempts over time. Keep detailed records of all communications and steps taken.
- Account takeover: If someone gains access to your accounts: Change passwords immediately on the affected account and any others using the same password. Enable 2FA if not already on. Contact the company/financial institution to report unauthorized access. Dispute any unauthorized transactions. Check for changes to account settings (email address, phone number, security questions) and revert them. Review account activity for the past 90 days. Consider placing a fraud alert or credit freeze if financial accounts were involved.
- Tax identity theft: If someone files a tax return using your SSN: File your legitimate return as soon as possible (the IRS rejects duplicate SSNs, so first filed wins). Complete IRS Form 14039 (Identity Theft Affidavit). Contact the IRS Identity Protection Specialized Unit. Request an Identity Protection PIN (IP PIN) for future filings. File a police report. Monitor your credit and accounts closely. Tax identity theft often indicates broader identity theft—be extra vigilant.
- Medical identity theft: If someone uses your identity for medical services: Review your medical records and Explanation of Benefits (EOB) statements from your health insurer for services you didn't receive. Contact your healthcare providers to correct records. Notify your health insurer's fraud department. File a police report. Contact the three credit bureaus to place fraud alerts or freezes. Request copies of your medical records and review for errors. Medical identity theft can be particularly damaging because incorrect information in your medical records can affect your healthcare.
- Emotional recovery: Beyond the financial and logistical steps, acknowledge the emotional impact. Many fraud victims feel shame, embarrassment, anger, and violation. These feelings are normal. Talk to trusted friends or family—keeping it secret amplifies shame. Consider speaking with a therapist if you're struggling. Remember: scammers are professionals. Being victimized doesn't mean you're stupid or careless—it means you encountered a skilled predator. Focus on what you can control: taking recovery steps, learning from the experience, and helping others avoid the same trap.
Quick Reference
- Credit Freeze: A security measure that prevents new creditors from accessing your credit report, making it nearly impossible for identity thieves to open new accounts in your name. Free to place and remove at all three bureaus. Most effective protection against financial identity theft. Keep frozen by default; temporarily lift only when applying for legitimate credit.
- Fraud Alert: A notice on your credit report warning creditors to take extra steps to verify your identity before opening accounts. Lasts one year (can be renewed). Weaker than a credit freeze but doesn't restrict access to your credit report. Free to place. Good temporary measure if you suspect identity theft but don't want the full restriction of a freeze.
- Phishing: Fraudulent attempts to obtain sensitive information by posing as a trustworthy entity via email, text, or phone. Often includes urgent threats, suspicious links, or requests for passwords. Legitimate organizations won't ask for sensitive info via email. When in doubt, contact the organization directly through known channels, not through the message received.
- Identity Theft: The fraudulent acquisition and use of someone's personal information, typically for financial gain. Types include financial (opening accounts, credit cards), tax (filing fraudulent returns), medical (using your identity for healthcare), and criminal (giving your identity when arrested). Recovery requires placing credit freezes, filing reports with FTC and police, disputing fraudulent accounts, and years of monitoring.
- Two-Factor Authentication (2FA): A security method requiring two forms of verification to access accounts: something you know (password) and something you have (phone for text/app code, security key). Dramatically reduces account takeover risk. Enable on all financial accounts, email, and password managers. Use authenticator apps (Google Authenticator, Authy) rather than SMS when possible, because SMS codes can be intercepted through a SIM swap.
- Password Manager: Software that generates, stores, and autofills complex, unique passwords for all your accounts. Essential because: (1) you can't remember unique, complex passwords for dozens of accounts, (2) reusing passwords means one breach compromises all accounts, (3) password managers generate truly random passwords resistant to cracking. Examples: 1Password, Bitwarden, Dashlane. Master password must be strong and memorable—this is the one password you need to remember.