Training quiz
Spot the Scam
Ten realistic messages — some are scams, some are perfectly normal. Decide for each one, and learn the tells as you go. Nothing you answer is stored or sent anywhere.
You receive this text message:
Scam. The CRA never sends refund links by text — refunds happen automatically or through your CRA My Account. The shortened link hides the real destination, and the 24-hour deadline is manufactured urgency.
You receive this text message:
Scam. The tiny "fee" exists to capture your card details, not to collect $1.02. The domain isn't canadapost-postescanada.ca — extra words like "-delivery.info" are a classic lookalike pattern.
You just tried to sign in to your bank, and this text arrives:
Legitimate. You triggered it yourself by signing in, it contains no link, asks for nothing, and even warns you not to share it. The rule: codes you REQUEST are normal; anyone who CALLS or texts asking you to read a code back is a scammer.
You receive this message on WhatsApp from an unknown number:
Scam. The "family member with a new number" opener is a mass-sent script — the affection and urgency are designed to short-circuit your judgment. Always verify by calling the old number or asking something only your real family member would know.
You receive this email:
Scam. You never placed the order — the fake charge exists to make you call. The phone line is the trap: a "refund agent" will walk you into installing remote-access software or reading out codes. Real concerns? Check your orders by going to the site directly.
Mid-month, like every month, this email arrives:
Legitimate pattern. It matches your normal billing cycle, names no scary consequence, and doesn't push a payment link — it tells you to sign in to your own account. Even so, the safe habit applies: type the utility's address yourself rather than clicking.
You receive this email at work:
Scam. The real domain is microsoft.com — "microsoft-security.support" is a lookalike that merely CONTAINS the brand name. Suspension threats with a countdown are pressure tactics; real security alerts let you go check your account yourself.
You receive this text from a number you don't know:
Scam. No legitimate employer hires by cold text, and "which resume, for what job?" has no answer. The too-good pay and zero requirements are the lure; replying YES marks your number as live and leads to "training fees" or money-mule tasks.
You receive this email that looks internal:
Scam. No real IT team asks you to "validate your password" through an emailed link — that's the definition of credential phishing. The external lookalike domain and the same-day deactivation deadline complete the pattern. Report it to IT through a channel you already know.
You sold a chair on Marketplace for $40. The buyer says "sent!", and a minute later this email arrives:
Legitimate pattern — you were EXPECTING this exact transfer, for this exact amount, right after the buyer said they sent it. The safe habit: instead of clicking the email, open your banking app and confirm the deposit there. If it's real, it's in the app. (With auto-deposit enabled, the money arrives with no action needed at all.)
Your result
Scam-spotter! You read messages the way a security analyst does — checking who's asking, what they want, and how hard they're pushing. Keep trusting that process.
Sharp eyes. You catch most tricks — the ones that slip through tend to be the calm, patient ones. When in doubt, verify through a channel you already trust.
Getting there. You spot the obvious pressure tactics; the lookalike domains and "helpful" phone numbers are what to practice. The guides below make those second nature.
Scammers would love you — for now. The good news: the patterns repeat, and twenty minutes with the guides below genuinely changes the odds.