TLDR
Most scam prevention advice is generic and outdated. These five steps are derived from ScamVerify™ analysis of 8 million+ threat records, including 7.7 million FTC complaints, 74,032 URLhaus malicious domains, and 60,758 ThreatFox indicators. They address the specific patterns behind America's most common scams: 935,542 debt reduction complaints, 684,045 impersonation complaints, and the 5x surge in QR code phishing. Each step targets a documented attack vector that accounts for thousands of successful scams.
Step 1: Check Phone Numbers Before Answering
Why This Works
The top seven most-complained-about area code prefixes in the FTC database are all toll-free numbers, each with 66,000+ complaints. Toll-free numbers (800, 833, 844, 855, 866, 877, 888) are the primary vehicle for organized scam rings because they are cheap to acquire in bulk and impossible to trace to a physical location.
ScamVerify data shows that the most prolific scam ring operates 132 numbers in the 844-523 prefix alone, generating 4,086 complaints. Five identified rings collectively account for over 24,000 complaints from fewer than 400 numbers.
How to Do It
- Let unknown calls go to voicemail. Legitimate callers leave messages. Robocallers rarely do.
- Check the number before calling back. Go to ScamVerify and enter the number. If it appears in the FTC or FCC complaint database, do not call back.
- Enable carrier spam filtering. AT&T ActiveArmor, Verizon Call Filter, and T-Mobile Scam Shield provide free baseline filtering that catches many known scam numbers.
- Be especially cautious of toll-free numbers. While legitimate businesses use toll-free numbers, every identified scam ring in the ScamVerify database operates on toll-free prefixes.
The Data Behind It
| Toll-Free Prefix | FTC Complaints | Known Rings |
|---|---|---|
| 800 | 100,000+ | Multiple |
| 833 | 85,000+ | 833-487, 833-588 |
| 844 | 78,000+ | 844-523 |
| 855 | 72,000+ | 855-909 |
| 866 | 80,000+ | 866-959 |
| 877 | 95,000+ | Contains #1 reported number |
| 888 | 66,000+ | Multiple |
Step 2: Forward Suspicious Emails to scan@scamverify.ai
Why This Works
AI-generated phishing now accounts for 56% of all reported attacks (SlashNext). The old advice of "look for grammar errors" is obsolete. AI writes perfect English, uses your name, references real companies, and mimics legitimate email formatting. Human detection has failed, but AI can fight AI.
The ScamVerify email analysis system checks forwarded emails against:
- 74,032 URLhaus malicious domains (every link in the email)
- 60,758 ThreatFox indicators of active threats
- 684,045 FTC impersonation complaint patterns
- AI content analysis for manipulation tactics and urgency signals
How to Do It
- When you receive a suspicious email, forward it to scan@scamverify.ai
- No app needed, no account required for basic analysis
- AI analyzes the sender, content, links, and headers
- You receive a reply with a plain-English risk assessment
This is the single lowest-friction way to verify a suspicious email. No copying text, no navigating to a website, no uploading files. Just forward and get an answer.
What It Catches
| Threat Type | How Email Analysis Detects It |
|---|---|
| Phishing links | URL check against 74K+ malicious domains |
| Sender spoofing | Header analysis reveals true origin |
| Brand impersonation | Pattern matching against known impersonation templates |
| Urgency manipulation | AI identifies pressure tactics |
| Credential harvesting | Link destination analysis |
For a step-by-step guide, see our complete email forwarding guide.
Step 3: Never Pay Upfront for Promised Services
Why This Works
The single largest FTC complaint category is debt reduction, with 935,542 complaints. These scams follow a consistent pattern: the caller promises to reduce your debt, eliminate your balance, or consolidate your loans, and then requests an upfront fee before any work begins.
Legitimate debt management organizations, accredited by the National Foundation for Credit Counseling, do not charge fees before providing services. Requesting payment before work begins is a federal red flag.
How to Do It
- Never pay upfront fees for debt reduction, credit repair, job placement, grant assistance, or prize delivery. Legitimate services charge after work is performed.
- Be skeptical of "government programs" that require a fee. Actual government programs do not require upfront payments through third parties.
- Verify any debt management company through the NFCC (nfcc.org) or your state attorney general's office before sending money.
- Never pay by gift card, wire transfer, or cryptocurrency. These are irreversible payment methods favored by scammers specifically because they cannot be recovered.
The Data Behind It
| Payment Method | Recovery Rate | Scammer Preference |
|---|---|---|
| Credit card | Moderate (chargeback possible) | Low |
| Debit card | Low (limited dispute window) | Moderate |
| Wire transfer | Near zero | High |
| Gift cards | Zero | Very high |
| Cryptocurrency | Near zero | High |
| Cash apps (Zelle, Venmo) | Near zero | Growing |
If someone insists on gift cards, wire transfer, or cryptocurrency as the payment method, it is a scam. No legitimate business or government agency uses these methods for fee collection.
Step 4: Verify Websites Before Entering Information
Why This Works
URLhaus tracks 74,032 malicious domains, and 81% use .com extensions. The most trusted domain extension is also the most abused. Scam websites are cheap to create (a domain costs a few dollars, hosting costs a few dollars, and professional templates are free), and they can be online for weeks before being taken down.
QR code phishing surged 5x in 2025, adding a new pathway to malicious websites. Scanning a QR code on a parking meter, restaurant table, or in an email can lead directly to a credential harvesting site.
How to Do It
- Check URLs before entering any information. Use the ScamVerify website checker to verify domains against the URLhaus database.
- Scan QR codes before visiting the destination. Use the ScamVerify QR scanner to decode and check QR code URLs.
- Type URLs manually instead of clicking links in emails, texts, or QR codes. Go directly to the company's website by typing the address in your browser.
- Check domain age using a WHOIS lookup. Legitimate businesses have domains registered for years. Scam sites are typically days or weeks old.
The Data Behind It
| TLD | Malicious Domains | Percentage |
|---|---|---|
| .com | 59,876 | 81.0% |
| .top | 2,814 | 3.8% |
| .xyz | 1,628 | 2.2% |
| .net | 1,405 | 1.9% |
| All others | 8,309 | 11.1% |
For more on website verification, see our website safety guide.
Step 5: Report Everything
Why This Works
Every scam report filed with the FTC, FCC, or other agencies feeds the threat databases that detection tools rely on. ScamVerify's 7.7 million FTC complaint records exist because millions of Americans took the time to report. Each report strengthens the ability to identify scam numbers, track ring patterns, and warn future targets.
The FTC estimates that only 5-10% of scam contacts are reported. The other 90-95% represent intelligence that never enters the system. Unreported scams continue to operate undetected.
How to Do It
- Report scam calls to the FTC at reportfraud.ftc.gov. Include the phone number, what was said, and any caller ID information.
- Report scam texts by forwarding them to 7726 (SPAM). Your carrier will investigate.
- Report phishing emails by forwarding to phishing@irs.gov (IRS impersonation), the impersonated company, and the FTC.
- Report scam websites to the FTC and to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish.
- Report on ScamVerify. Submit community reports on phone numbers and URLs to help other users.
The Reporting Impact
| What You Report | Who Benefits |
|---|---|
| Phone number | Every future person who checks that number |
| Scam text forwarded to 7726 | Your carrier's spam filtering for all customers |
| Phishing email | Email providers, law enforcement, threat databases |
| Malicious website | Browser safety filters, URLhaus, Google Safe Browsing |
| FTC complaint | 7.7M+ record database used by enforcement and detection tools |
Reporting takes 2-5 minutes. The impact lasts as long as the database exists.
Putting It All Together
These five steps form a practical, data-backed defense system:
| Step | Threat Addressed | Time Required |
|---|---|---|
| Check numbers | 935K+ debt reduction robocalls, scam rings | 10 seconds per number |
| Forward emails | 56% AI-generated phishing | 5 seconds per email |
| Never pay upfront | 935K debt reduction, all fee-based scams | Zero (just refuse) |
| Verify websites | 74K malicious domains, QR phishing | 15 seconds per URL |
| Report everything | Future victims who check the same number/URL | 2-5 minutes per report |
None of these steps require technical expertise, paid software, or significant time investment. They are habits, and habits become automatic with practice.
If you have already been scammed, see our complete post-scam recovery guide for step-by-step damage mitigation.
Check this number now
Enter any U.S. phone number to check it against 8 million+ federal complaints and real-time carrier data.
FAQ
Which step is the most important?
Step 1 (check phone numbers before answering) prevents the most common initial contact. If you never engage with the scam call, the rest of the attack sequence cannot proceed. However, the steps work best as a system. Scammers use multiple channels (phone, email, text, QR, websites), so protection on one channel without the others leaves gaps.
Do these steps work against AI-powered scams?
Yes. AI makes scam content more convincing (better grammar, personalization, deepfake voices), but it does not change the underlying mechanics. AI-generated phishing emails still contain links to malicious domains tracked in URLhaus. AI voice clones still call from phone numbers that accumulate FTC complaints. AI-written scam texts still link to credential harvesting sites. The detection layer (ScamVerify, URLhaus, FTC databases) works against the infrastructure, not the content.
I already have caller ID and spam filtering. Do I still need these steps?
Carrier spam filtering is one layer of defense, not a complete solution. It catches some scam calls, but sophisticated operations using new numbers, rotating VoIP infrastructure, and targeted (non-bulk) calls bypass carrier filters. Steps 2 through 5 cover channels and scenarios that caller ID and spam filtering do not address.
How do I teach these steps to elderly family members?
Focus on Step 1 first: let unknown calls go to voicemail. This single behavior change eliminates exposure to most phone scams. Then bookmark ScamVerify on their phone for easy number checking. For email, show them how to forward to scan@scamverify.ai. Make the steps as simple as possible and practice them together. See our elder protection guide for detailed strategies.
