All Financial Education

What Scammers Don’t Want You to Know

September 28, 2023

In many ways, the world’s progress has never been better. Every year we make strides in civics, technology, information, and nameless other realms. We truly have more resources at our fingertips than ever before.

Some use those resources for good. Others … not so much.

Don’t let others’ misuse affect your life. Scammers might be out to get you, but we’re out to get the scammers. Here’s how to protect yourself by catching fraudsters in the act.

Check the URL

Scammers use sophisticated techniques to trick people into going to their sites, and with the rise of AI, it likely won’t get any easier to recognize the fakes. But no scam is perfect. Some website components are harder to replicate than others — that’s what you want to investigate first.

The URL is a great place to start, particularly when you’re sent a link.

What is a URL? A URL stands for Uniform Resource Locator, which is a fancy way of saying “web address.” It’s made up of different parts that tell your computer how to get you what you need. You should know two specific URL components: the protocol, which dictates how you access the site (like “https://”), and the domain, which shows the site’s location on the internet (like “”).

Here’s how to check a URL:

Know what makes a site authentic. Just like your home has an address, a website has a domain. It’s an easy way for people to find and visit websites without remembering a bunch of numbers. Google’s, for instance, is “” No one but Google can own that domain.

A subdomain, on the other hand, is a distinct section of a website, like “” (Gmail). You can tell the site is still owned by Google because the domain, “google,” comes right before the phrase “.com.”

Scammers will use subdomains to disguise an otherwise obviously fake website. If you went to “,” for example, you’d actually be going to’s site, not Google’s.

Quick Tip: If you’re on a financial institution’s website, the domain should reflect the official website. Idaho Central’s is “,” not “,” “,” or any other iteration.

Scan the URL for misspellings or small variations. Scammers often create URLs that mimic well-known websites but with slight variations. For example, they might replace the ‘o’ with a ‘0’ or use hyphens and underscores to imitate a legitimate site. The URLs “” or “” (with a lowercase L) are both examples of imposter sites.

Look for “HTTPS.” A legitimate website should use “HTTPS” in its URL, especially when handling sensitive info like login credentials or payment details. The ‘S’ stands for secure, indicating that data exchanged between your browser and the site is encrypted. To check for HTTPS, make sure there’s a padlock icon next to the URL in the browser’s address bar.

Read: Protect Your Small Business from Scams

Don’t be fooled by urgency

In the fast-paced world of the internet, urgency is a red flag that you may be interacting with a fraud. Scammers capitalize on our instinctive reactions to urgent situations, hoping to catch us off guard and pressure us to make rash decisions.

Recognize urgency scams. These often manifest as a pressing pop-up message, email, text, or call. These messages may claim that your account has been compromised or that your computer is infected with a virus. They use phrases like “Act now!” or “Immediate attention required!” to create a sense of panic.

Remember the implications of a rushed decision. When faced with a crisis, our natural response is to act quickly to resolve the issue. But that’s exactly what phishers are hoping for. Rushed decisions can lead to serious consequences, like a virus or identity theft. Fortunately, it only takes a minute or two to confirm if the situation is a true emergency or a fake.

Stay calm and verify. To protect yourself, it’s essential to remain calm first and foremost. Instead of reacting immediately, take a step back and evaluate the situation. Ask yourself whether the message seems like it’s designed to create panic. Legitimate businesses won’t pressure you into making hasty decisions, even when a quick response is needed.

Watch for typos

Imposters make errors, too — both on accident and on purpose. By meticulously paying attention to the details, you can immediately enhance your online security.

Accidental typos

You don’t have to be a grammar nerd to spot typos. Instead, pay attention to your gut. If a site or email seems off for a reason you can’t quite name, follow that instinct. Reputable businesses work hard to maintain their brand’s personality and their content’s accuracy. Fakers don’t always hold themselves to that same standard. Check for errors in the contact information, webpage paragraphs, or even in the site’s URL itself. If you see a concerning mistake or awkward language, proceed with caution.

Purposeful typos

Scammers register domain names that are intentionally similar to legitimate websites. They often choose domain names with common typos, such as substituting a letter with a similar looking one (i.e. “” instead of “”).

They can also exploit your mistakes. If you type a URL in too quickly, for example, your finger might slip and type in “” instead of “” Imposters rely on those mistakes to lead you to decoy sites. Businesses sometimes fight against this hacking technique by purchasing not only their own domain but similar ones as well. That said, it’s best to slowly type in the URL rather than take a needless risk.

When in doubt, verify

“Trust but verify” are words to live by online. If you’re ever uncertain about information, don’t be afraid to ask a company or person to verify themselves. If they’re legitimate, they won’t be offended.

If you have any doubt about a message that appears to be from ICCU, call us during business hours at 1-800-456-5067 or visit your local branch.

How to verify a phone call

Not sure if someone is who they say they are over the phone? Hang up and call back. If the call is from a scammer or solicitor, the number probably won’t work. Politely ask the caller for their full name, organization, and a callback number. A legitimate caller should be willing to provide this information.

If the caller claims to represent a company or organization, use a trusted source to check their identity. Look up the company’s phone number on their official website or a directory service, then call them to ask for more information on the call you received.

How to verify a text message

First things first: Be cautious when you receive an unsolicited text message, regardless of the message’s content. Never click a link or send personal information without first checking the sender’s number.

If you think you’ve received a fake text, don’t reply to it. Responding can confirm to the sender that your number is active, potentially leading to more phishing attempts in the future.

Spread the word

Fraudsters thrive on uncertainty and misinformation. By telling others about the scams you see, you can prevent others from falling victim to something similar. Here’s who you should tell if you believe you’ve found a scam:

  1. Financial scams: Tell your financial institution immediately, even if you didn’t lose money. ICCU members can forward scams to or 1-800-456-5067. If you did share your personal or financial information with the fraudster, shut down your cards with a feature like CardControl, then report the incident to your local law enforcement agency.
  2. Online scams: Report online scams to the Federal Trade Commission or the Internet Crime Complaint Center (IC3), which is a partnership between the FBI and National White Collar Crime Center.
  3. Scam calls and texts: Report fake calls and messages to If you’re receiving unwanted telemarketing calls, you can register your number on the National Do Not Call Registry.
  4. Any scam: Tell your friends and family members about the scams you see. By raising their awareness, you can protect them from similar phishing attempts.

Want to learn more about how to strengthen your cybersecurity habits? Check out our Security Center or watch our latest podcast to discover more ways you can protect yourself online.