
The most common scams you should know about

  • Writer: ESET Expert
  • Oct 15
  • 6 min read


Scams are increasingly convincing and easier to mass produce. Learn how to avoid them. With global losses surpassing $1 trillion annually, scams now rival the economies of entire countries. Nearly half the world encounters a scam every week! In the U.S., losses average $3,520 per victim—among the highest globally. Fraud affects people of all ages, spreading via email, social media, phone calls, and even QR codes on streetlamps.

Scams are everywhere—learn to spot them before you take the bait with this list of common scams.

The scam list


Phishing

Phishing scams trick individuals into downloading malware or giving away sensitive details like passwords, banking info, or other personal data. Scammers often impersonate trusted sources, creating a sense of urgency—like fake alerts about expired accounts or unpaid fees—to prompt quick action. Variations include QR-code phishing (quishing), SMS phishing (smishing), and voice phishing (vishing).


Description: Phishing email impersonating ESET.


Description: One of the top phishing variants of scam emails, as seen by ESET telemetry in H1 2023. The attached PDF impersonates an American Express notice, with a prominent "Verify Here Now" button that links to a phishing site.

Watch out for homoglyphs and typosquatting

Homoglyphs use similar-looking characters to mimic legitimate URLs or email addresses. Typosquatting involves registering domain names that closely resemble popular websites—often with minor spelling errors. These two methods are commonly used in phishing and shopping scams. For example, "℮s℮t.com" uses two "estimated" symbols—"℮," instead of the letter "e"—imitating "eset.com."

Nigerian Prince scam (419 scam)

An old, infamous type of phishing attack in which scammers promise large sums of money in return for the victim’s assistance. A swindler typically poses as a high-ranking official or prince from an exotic country, needing help to transfer a head-spinning amount of money. They ask the victim to provide personal information or to make an advance payment to facilitate the transfer.


Description: The sender of this email fraudulently claims that he is a U.S. Army sergeant deployed in Afghanistan. He requests assistance transferring 15kg (33.069 lbs.) of gold bars and $1 million cash in exchange for a reward.

Online shopping scam

Here, scammers pose as legitimate online sellers using fake websites or even deceptive ads on real retail platforms. Promising huge discounts or too-good-to-be-true deals, they trick shoppers into purchasing fake or nonexistent products. Some scams also target personal information and banking details.


Description: Cheap bags commonly available on Chinese online marketplaces presented as premium handmade products offered on sale.

Marketplace scams

These schemes often rely on advance-fee fraud, charging users up front for non-existent goods and services. Making matters worse, bots and toolkits are available on the dark web, helping scammers create fake item listings, phishing websites, fake payment gateways, and SMS notifications, translate chats with victims in real time, and more—essentially giving them the tools to scale up their scam campaigns.


Description: Interface of the Telekopye bot used to run marketplace scams—a scammer can generate phishing pages, payment gateways, and delivery notifications and send the links to victims with only a few clicks.



Investment scams

Investment scams can take many forms—venture businesses, cryptocurrencies, nonexistent financial products or properties, etc.—but the underlying characteristic is the same. Despite investment opportunities promising breathtaking returns, victims end up with empty pockets. Sometimes, they are encouraged to make financial contributions over a long period of time, resulting in even bigger losses. Investment scams are among the most widespread, misusing social media platforms, deepfakes of well-known personalities, fake reviews, and ads abusing brand logos to appear more trustworthy.


Description: Examples of cryptocurrency-themed scam websites seen in ESET phishing feeds.


Fake lottery scams

In this type of fraud, scammers pose as lottery officials, claiming you’ve won a prize. To collect it, you’re asked to pay fees, taxes, or share personal info—often leading to fraud or identity theft.


Description: A fake lottery win notification that uses the World Cup 2022 as bait. The scam requests a variety of personal identification details. In order for you to receive the “ATM card,” you are asked to contact the agent, who requests an advance fee to claim the winnings.

 

Business Email Compromise (BEC)

In this high-risk scam, attackers impersonate trusted figures—like a company’s CEO or finance manager—to trick employees into transferring money or sensitive data. They may also pose as subcontractors or partners, or inject themselves into real communication threads to appear legitimate.

With AI and deepfake technology—including audio, video, and live calls—these scams are becoming even more convincing. In one case reported by Hong Kong police, scammers used a deepfake conference call to trick an employee of an international firm into paying out $25 million.

Tech support scam

Scammers pretend to be tech support from trusted companies, claiming your device has an issue. To “help,” they request remote access—then steal data, install malware, or carry out other cyberattacks. They may also demand payment for these fake services.


Description: A fake security alert manipulating the targeted user to call fake technical support.

Delivery scams

Common during peak shopping seasons, these scams involve fake messages about package delivery issues. Victims are tricked into sharing personal information, installing malicious apps, or paying bogus fees to “resolve” the problem.


Description: Delivery scam email reported by ESET telemetry. It claims that the delivery attempt has failed and requests shipping address verification.

Romance scam

Scammers pose as potential romantic partners, building trust over time before asking for money to handle fake emergencies—like medical bills, blocked bank accounts, or threats from criminals.

With deepfake technology, these scams can become even more convincing—for example, generating a realistic video of Brad Pitt doting over your grandmother. A variation of this scam includes impersonating family members in need.


Description: Romance scams can start with a seemingly innocent "wrong number" message.

Sextortion and fake sextortion scams

Sextortion occurs when someone is tricked into sharing private images and then blackmailed with threats to release them. In fake sextortion scams, attackers claim to have such material—even when they don’t—and demand payment, often in cryptocurrency. These scams may use deepfakes or mass spam campaigns, falsely accusing victims of illegal activity or viewing inappropriate or embarrassing pornographic content, then threatening to expose them unless they pay.


Description: This sextortion email utilizes hype around Pegasus spyware.

 

Snakeoil scams

These scams offer fake or nonexistent drugs or medical devices, promising miraculous health effects. They spread through social media, malicious ads, chats, SMS, and forums—often mimicking trusted brands like Viagra or Ozempic. A popular variation involves non-invasive glucose monitors, even though this technology is still in its infancy.


Description: A fake ad for a noninvasive glucose monitoring device, despite there being no such solution on the market.

 

Legal/law enforcement scams

These scams often target victims of other scams. Cybercriminals pose as law enforcement agents or legal professionals—reaching out via malicious ads, calls, SMS, or chat messages—and offer help for a fee. They may promise to recover lost funds, provide legal advice or consultations, open new cases, or enroll victims in fake class-action lawsuits. Scammers often impersonate Europol, Interpol, or lawyers from fictitious firms to appear legitimate.


Description: Examples of fraudulent ads as listed in the Meta Ad Library. These now-inactive ads were detected by ESET engine as HTML/Nomani and are described in detail in the ESET H2 2024 Threat Report. Ironically, they target people who were previously scammed.


Description: Fraudulent EUROPOL webpage promising the recovery of money lost to scammers.

How to avoid scams

Scams come in many forms—from sloppy to surprisingly sophisticated. Tips on how to prevent all of them would require more than just a single blog, but there are some general rules to follow:

Be skeptical: Be cautious about unsolicited messages and offers. Don’t click on links or provide personal data just because the sender creates a sense of urgency. If an offer, discount, or prize seems too good to be true, it probably is.

Verify sources: Always double-check the legitimacy of messages or offers. Look closely at email addresses, URLs, domain names, and product reviews. If in doubt, contact the company directly using verified contact information.

Use strong passwords: Create strong passwords and use unique passwords for different accounts—the ESET Free Unique Password Generator can help. Avoid password fatigue with a password manager.

Enable Multi-Factor Authentication (MFA): Wherever possible, add an extra layer of security to your accounts with MFA.

Use a reliable cybersecurity solution: The right security solution can stop scams at multiple stages—by filtering spam, blocking phishing messages and websites, and securing payment processes. Protect your Android smartphone with ESET Mobile Security or protect the entire household with an all-in-one protection plan like ESET HOME Security. The ESET HOME Security Essential tier was named AV-Comparatives’ Product of the Year 2024, and our Premium and Ultimate tiers offer even more protection!

Update your software: Regularly update your operating system, browser, and security software to protect against vulnerabilities.

Educate yourself: Stay informed about common scams and how they work—knowledge is your best defense.
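
Looking closely at a domain name, as the "Verify sources" tip advises, can also be done mechanically for the homoglyph and typosquatting tricks described earlier. The Python example below is added here and is not ESET code; its look-alike table is a small constructed subset of Unicode's confusables data, and the `TRUSTED` list stands in for the domains you actually use.

```python
from __future__ import annotations
import unicodedata

TRUSTED = ["eset.com"]  # assumption: replace with the domains you rely on

# Constructed subset of look-alike characters; the full data set is
# Unicode's confusables list (UTS #39).
CONFUSABLES = {
    "\u212e": "e",  # ℮ estimated symbol, as in the article's example
    "\u0435": "e",  # Cyrillic е
    "\u0430": "a",  # Cyrillic а
    "\u043e": "o",  # Cyrillic о
    "\u0455": "s",  # Cyrillic ѕ
}


def skeleton(domain: str) -> str:
    """Lower-case, NFKC-normalize, then fold known look-alikes to ASCII."""
    text = unicodedata.normalize("NFKC", domain.strip().lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def edit_distance(a: str, b: str) -> int:
    """Edits (insert, delete, substitute, swap neighbours) turning a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(candidate: str, trusted: list[str] = TRUSTED) -> tuple[str, str | None]:
    """Return (verdict, trusted domain the candidate matches or imitates)."""
    raw = candidate.strip().lower()
    if raw in trusted:
        return "exact", raw
    folded = skeleton(raw)
    for good in trusted:
        if folded == good:  # identical once look-alikes are folded
            return "homoglyph", good
    for good in trusted:
        if edit_distance(folded, good) <= 1:  # one typo away
            return "typosquat", good
    return "unrelated", None
```

A "typosquat" verdict only means the name is one edit away from a trusted one, so very short domain names can produce false alarms.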

Scams are here to stay

The harsh truth about scams? It’s no longer a matter of “if,” but “when.” In today’s threat landscape, understanding (at least) the basics of cyber threats and how to prevent them is essential.

Better the devil you know than the one you don’t—so stay informed, stay alert, and protect your digital life with leading cybersecurity solutions.

 
 
 
