Recognise scam indicators
Scams rely on urgency, impersonation, and exploiting trust. The same handful of warning signs show up again and again across every channel. Watch for these red flags:
- Websites and domains. Look-alike addresses (for example, paypa1.com with a digit in place of a letter), sites that were registered very recently, free hosting, or unusual address endings such as .xyz, .top, or .click.
- Emails. A sender address that does not match the company it claims to be from, urgent language such as "act now", requests for passwords or payment, and generic greetings that never use your name.
- Social accounts. Recently created profiles, very few followers, bios copied from a real account, and direct messages that arrive with links or unsolicited "investment opportunities".
- Crypto. Guaranteed returns, pressure to send funds to a specific wallet, and "recovery services" that ask for an upfront payment to get your lost money back.
- Phone. Caller ID that can be spoofed, people impersonating a government department, and requests for remote access to your computer or payment in gift cards.
None of these on its own is proof. Two or three together is almost always a scam. When something feels off, check the entity with AVA before you engage. A thirty-second check can prevent a significant loss.
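The website and domain signs above, combined with the "two or three together" rule, can be expressed as a small checker. This is an added example, not AVA's code or scoring; the brand list, the digit-for-letter map, the 30-day threshold, and all function names are assumptions made for illustration.

```python
from datetime import date

# Assumptions for illustration: brands to protect, the endings the page names,
# a digit-for-letter map, and what counts as "registered very recently".
BRANDS = {"paypal", "amazon", "netflix"}
UNUSUAL_TLDS = {"xyz", "top", "click"}
DIGIT_SWAPS = str.maketrans("01345", "oleas")
NEW_DOMAIN_DAYS = 30


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_red_flags(domain: str, registered: date, today: date) -> list[str]:
    """Return the website warning signs that apply to one domain."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError("expected a name and an ending, e.g. example.com")
    # Simplification: treats the last label as the ending (ignores co.uk-style suffixes).
    name, tld = labels[-2], labels[-1]
    flags = []
    if name not in BRANDS:
        swapped = name.translate(DIGIT_SWAPS)
        if swapped in BRANDS or any(edit_distance(name, b) == 1 for b in BRANDS):
            flags.append("look-alike address")
    if (today - registered).days < NEW_DOMAIN_DAYS:
        flags.append("registered very recently")
    if tld in UNUSUAL_TLDS:
        flags.append("unusual address ending")
    return flags


def verdict(flags: list[str]) -> str:
    """One sign is not proof; two or more together are treated as a likely scam."""
    return "likely scam" if len(flags) >= 2 else "check further" if flags else "no domain red flags"


if __name__ == "__main__":
    # Constructed sample: the registration date is made up for the demo.
    found = domain_red_flags("paypa1.com", date(2025, 5, 25), date(2025, 6, 1))
    print(found, "->", verdict(found))
```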
Verify before you trust
Trust should be earned through verification, not assumed. Before you transact or share information:
- Check the entity. Paste the domain, URL, wallet address, or social handle into AVA for an instant risk assessment.
- Check how old the domain is. Legitimate businesses usually have domains registered for years, not days. A brand-new domain pretending to be an established company is a warning sign.
- Do not trust the padlock alone. A padlock icon in the address bar only means the connection is encrypted, not that the site is honest. Anyone can get the certificate behind it for free.
- Cross-reference. Search the name alongside words like "scam", "review", or "complaint" before engaging.
- Verify independently. Contact an organisation through its official website that you navigated to yourself, never through a link in the message you received.
Protect your digital identity
- Turn on two-factor authentication everywhere. Prefer an authenticator app over text-message codes for important accounts, and a hardware key for your highest-value accounts.
- Use a password manager. A long, unique password for every site means one breach can't unlock the rest. Bitwarden (free) and 1Password are both strong choices.
- Separate your email identities. Use different email addresses for banking, social media, and subscriptions so a leak in one place does not expose the others.
- Watch for breaches. Check Have I Been Pwned from time to time and change any exposed credentials straight away.
- Limit what you share publicly. Oversharing on social media hands attackers the answers to your security questions.
- Keep software updated. Turn on automatic updates for your operating system, browser, and apps.
Report and respond to scams
If you suspect you have been targeted, or you have already fallen for a scam, act immediately. Speed matters most in the first hours:
- Contact your bank first. Ask them to freeze the transaction or attempt a chargeback as soon as possible. The sooner you call, the better the chance of recovery.
- Change any exposed credentials. Start with your email and banking passwords, then anything that reused the same password.
- Report to the authorities. Australia: ScamWatch and ReportCyber. United States: IC3 and the FTC. United Kingdom: Action Fraud.
- Preserve the evidence. Screenshot the messages, emails, transaction records, and web addresses before they disappear.
- Warn other people. Report the scam on the platform where you found it and share it with the AVA community so others can be warned.
For organisations: enterprise security posture
Organisations operating in Australia face growing obligations under the Scams Prevention Framework Act 2025. The same habits scale up:
- Build scam prevention into your products. Banks, telcos, and digital platforms are expected to take reasonable steps to prevent scams, with significant penalties for those that do not.
- Add real-time checks. Verify entities inside your payment, onboarding, and messaging flows through the AVA API.
- Keep an audit trail. Retain a record of every check for compliance reporting. AVA provides exportable audit logs.
- Have an incident response plan. Document how you will notify people of a breach, communicate with customers, and preserve evidence.
For enterprise API integration and compliance questions, contact [email protected].
When in doubt, check
You will not catch every scam by eye, and you do not have to. The habits above make you a much harder target than the average person, and AVA is there for the moments something still feels off. Paste the link, email, wallet address, or social handle into the main check tool and see how AVA scores it. Free for the first five checks a day, no signup required. If you have already handed over details, change the affected passwords on the real site, tell your bank, and report it so others can be warned.