I Never Thought I Could Be Scammed … Until I Was

Your Money: Fraud Watch

Cybercrooks fooled me. Here’s how not to be next

I was at my desk checking email and saw a fraud alert from PayPal. I skimmed the message below the familiar logo: “Here’s your invoice. Due on receipt. $1069.69.”

Hmm. I hovered my cursor over the sender’s address to see if it matched the display name. It appeared authentic: Service@PayPal.com. Still, I knew not to click through the email itself and instead logged directly in to my PayPal account. There it was—an invoice from a company I’d never heard of.

My heart began racing. In my adrenaline-fueled panic, I made a huge mistake. I returned to the email (which I now trusted), saw the line that said, “Don’t recognize this invoice?” and called the number for reporting fraudulent charges listed underneath.

That’s when the trap was sprung.

The man who answered my call said he’d help me after verifying my identity. Like the perfect mark, I dutifully gave him my email address, along with the code PayPal then texted to my mobile phone.

“Someone in Miami is trying to purchase an iPhone with your PayPal account,” he said. “Your financial information and credit cards have all been compromised.”

Suddenly, I realized what I’d done. I’d called the number on an unsolicited email, and the man I was talking to was a crook trying to draw more information from me.

I hung up and tried to log back in to PayPal, but the scammer had already changed my password, using the code I’d provided. Requesting another code to my phone, I was able to access my account. By then, he had sent 26 more invoices to PayPal for bogus services totaling more than $20,000.

With shaking hands, I called the customer service number on PayPal’s website. A representative promptly locked down my account, emailed password reset links, confirmed my contact information and walked me through canceling each fraudulent payment request.

Luckily, I’d acted quickly and reached a real agent on time. Had I hesitated, the scammer could have changed the mobile number on my account and locked me out while approving fake charges. I would have had to work through PayPal, my bank and credit card company to recoup money.

Aside from my rattled nerves, I was unscathed. My money hadn’t left my account, and after a brief review of the original invoice, PayPal closed the case in my favor.

Until this, I’d prided myself on being wise to phishing scams. I know to check a sender’s email address and not to click links. I delete all texts from unknown numbers and go directly to the source whenever I’m notified of problems on my accounts. But this criminal tricked me into responding by alerting me to his own fraudulent activity. Along with spoofing the sender’s domain to appear as a trusted source, this was a new level of deception.

Darius Kingsley, head of consumer banking practices at Chase Bank, says scammers even use AI (artificial intelligence) to replicate the voice of a loved one in trouble. “They can also spoof a contact’s phone number so it looks like a friend or family member is calling, making the scam believable,” he says.

McAfee’s Global Scam Message Study, released late last year, cited a huge uptick in scams. A key finding: People receive an average of nearly 12 fake messages or scams daily, via email, text or social media.

Roma Majumder, a senior vice president at McAfee, says scam artists wait for people to take security shortcuts for speed or convenience, then take advantage. Advanced technology has made it even easier for cybercriminals, she says, but companies are using that technology to try to stay ahead.

For example, Scott Knapp, director of worldwide buyer risk prevention for Amazon, says a passkey—a newer two-factor authentication method—is more secure than a password. It creates an encrypted connection between a website or app and your device using the same biometrics you’d use to unlock your device, such as a fingerprint or face ID. 

Companies work constantly to outsmart scammers. “Last year, we took down over 40,000 phishing websites and over 10,000 fraudulent phone numbers,” Knapp says. “So reporting can make a real difference.”


IF YOU’RE SCAMMED

▶︎ Immediately call and report the scam to the appropriate bank, credit card company or website. Always get the phone number from your bank card or the website, never from an email, text or search results, which can be fake.

▶︎ Contact one of the three credit bureaus—Equifax, Experian or TransUnion—to add a fraud alert and help prevent identity theft (an alert to one will alert the others).

▶︎ Update your password and verify your personal information.

PRECAUTIONS FOR ALL

▶︎ Use two-factor or multifactor authentication to log in to all accounts.
▶︎ Set up real-time notifications for any financial account activity.

Abby Alten Schwartz is a Philadelphia writer whose work has appeared in The Washington Post, The New York Times, HuffPost, Wired, Salon and elsewhere.

Have questions related to scams? Call the AARP Fraud Watch Network Helpline toll-free at 877-908-3360. For the latest fraud news and advice, go to aarp.org/fraudwatchnetwork.
