Short, concrete guidance on the scams, phishing tactics, and small-business risks people run into most often. Each topic takes a minute or two to read, includes what to watch for and what to do, and is built to forward to the person who needs it.
Reviewed by TractionGRC Inc., a Washington State IT consulting and ISMS company · Last reviewed April 2026
Guidance here is general and US-focused. Verify specific reporting steps with your IT team or local authorities in your region.
Start here
Skim a topic to quickly recognize common red flags and scam patterns.
Open the checklist and action steps. Each topic lists the concrete moves to make in the first 15 minutes.
Send it to a parent, a teammate, or your board. Whoever will benefit most.
Need a starting point?
Start with phishing, passwords, and MFA.
Start with phone scams, gift card scams, and tech support scams.
Start with BEC, wire verification, and employee offboarding.
Featured topics
These are some of the most useful topics to review first if you are building awareness for yourself, your family, or your team.
If an email feels urgent or asks for sensitive information, pause. Hover over links, do not click. Check the sender carefully.
Long beats complex. Use a password manager and stop reusing passwords across sites.
Someone calls claiming your grandchild is in jail or in an accident and needs money urgently. It is almost always a scam.
No real business, government agency, or family member will ever ask you to pay them with gift cards. Not the IRS, not Apple, not your grandson.
Browse by audience
Choose an audience, then narrow further by topic category below. General topics are shown for every audience.
If an email feels urgent or asks for sensitive information, pause. Hover over links, do not click. Check the sender carefully.
Acting fast in the first 15 minutes makes a big difference. Do not panic, but do not wait either.
Fake delivery notices, bank alerts, and toll-road bills sent by text. This is one of the fastest-growing scam channels right now.
Long beats complex. Use a password manager and stop reusing passwords across sites.
Multi-factor authentication is one of the most effective ways to protect an account. Here is why.
Attackers send a real password reset code to your phone, then ask you to read it back. Never share recovery codes.
Most scams use the same emotional triggers: urgency, fear, and the promise of easy money. Learn the patterns.
Take calm, ordered steps. Start with email, because it is the master key to everything else.
Someone calls claiming your grandchild is in jail or in an accident and needs money urgently. It is almost always a scam.
US government agencies do not call to demand payment or threaten arrest. Ever. If someone says they are from the IRS on the phone, it is a scam.
A pop-up appears saying your computer is infected and to call a number. Microsoft and Apple do not do this.
Someone you have never met in person asks for money. Even if you have talked for months, it is almost always a scam.
No real business, government agency, or family member will ever ask you to pay them with gift cards. Not the IRS, not Apple, not your grandson.
Coffee shop WiFi is not as dangerous as it used to be, but it is still smart to take a few precautions.
Attackers impersonate executives or vendors to redirect payments. It is a common and costly scam targeting SMBs.
Ransomware encrypts your files and demands payment. Backups are your best defense, and often your only real exit.
An email arrives 'from' a real vendor with new bank details for the same invoice you are expecting. The new account belongs to an attacker.
Forgotten access is one of the biggest SMB risks. Have a checklist and run it the same day.
Nonprofit board rosters are public. Attackers know who you are, where you work, and that you can authorize payments. Plan accordingly.
A 5-minute phone call to verify a wire request is the cheapest insurance you can buy. One missed call has cost organizations millions.
These resources are part of our broader cyber safety work. Free, shareable, and aimed at the people outside well-resourced IT teams: nonprofits, small businesses, families, schools, and the general public.
Learn moreWhen your organization is ready to move beyond awareness and put a real compliance program in place, ISO 27001, SOC 2, CMMC 2.0, a supplier assurance response, or something else, TractionGRC is what comes next.