Lesson 12 of 20 beginner

The Verify First Rule

Hang Up, Call Back, Confirm -- The Universal Defense Against Every Phone and Email Scam

Real-world analogy

Imagine someone knocks on your door wearing a UPS uniform and says 'I need to come inside to deliver your package.' Do you let them in just because of the uniform? Or do you check through the peephole, look for the UPS truck, and maybe call UPS to confirm? The Verify First Rule is the same idea for phone calls and emails. Just because someone says they're your bank doesn't mean they are. The uniform (caller ID, email header, professional voice) can be faked. The only thing that can't be faked is what happens when YOU call THEM back at a number you already trust.

What is it?

The Verify First Rule states: Never take action based on an incoming call, email, or text message. Always hang up and contact the person or organization directly using a phone number or website you already have and trust. It works because an attacker controls the incoming communication (spoofed caller ID, fake email, manufactured urgency), but they cannot control what happens when you hang up and call a real number yourself. This single rule, applied consistently, stops approximately 95% of all phone and email scams.

Real-world relevance

A man received a call from what appeared to be his bank. The caller knew his account number and said there was fraudulent activity. He was 'transferred' to a 'fraud investigator' who asked for his PIN and the last four digits of his SSN. He was about to give the information when he remembered: hang up and call back. He said 'I am going to call my bank directly.' The caller objected. He hung up, found the real number on the back of his credit card, called it, and learned there was no fraud, no investigation -- the entire thing was a scam. Three minutes of verification saved him from potential financial catastrophe.

Code example

THE COMPLETE VERIFY FIRST SYSTEM
================================

FOR PHONE CALLS:
1. Someone calls claiming to be your bank/company/family?
2. Say: 'Thank you. I'll call you back to verify.'
3. HANG UP (ignore protests -- you owe them nothing)
4. Find the REAL number:
   □ Back of your credit card (banks)
   □ Official website (type URL yourself)
   □ Your phone contacts (family)
   □ The reference card by your phone
5. Call the REAL number
6. Ask: 'Did your company just call me about [issue]?'
7. Act only on what the REAL representative says

FOR EMAILS:
1. Suspicious email from a company?
2. DO NOT click any links in the email
3. Open a new browser tab
4. Type the company's URL directly (or use bookmark)
5. Log in to your actual account
6. Check for alerts or issues
7. If no issue → delete the email (it was phishing)

FOR TEXT MESSAGES:
1. Text about a package/account/payment?
2. DO NOT click any links in the text
3. Go to the company's website or app directly
4. Or call their official number
5. Check if the issue is real
6. If not → delete the text (it was a scam)

THE 5-SECOND RULE:
When pressured → Pause 5 seconds → Breathe →
Ask 'Real urgency or fake?' → Then verify.

NO LEGITIMATE COMPANY WILL EVER PUNISH YOU
FOR TAKING 3 MINUTES TO VERIFY.

Line-by-line walkthrough

  1. FOR PHONE CALLS: When someone calls claiming to be from a company or family member needing action, your first response is 'Thank you, I'll call you back to verify.' Then hang up -- ignore any objections about losing your place or account locks.
  2. Find the REAL phone number from a trusted source: the back of your credit card for banks, an official website you type yourself, or your saved phone contacts for family. Never use a number provided by the caller.
  3. Call the real number and ask: 'Did your company just call me about this issue?' If yes, they'll have records. If not, you just avoided a scam. Three minutes of verification prevents thousands in losses.
  4. FOR EMAILS: Never click links in suspicious emails from companies. Open a new browser tab, type the URL directly (amazon.com, chase.com), log in to your real account, and check for alerts. If there's no issue in your real account, the email was phishing.
  5. FOR TEXTS: Same principle. Never click links in texts about packages, accounts, or payments. Go to the company's official website or app directly, or call their real number. Verify the issue through a completely separate channel.
  6. THE 5-SECOND RULE: When you feel pressure or urgency, pause for 5 seconds. Take a breath. Ask yourself: is this real urgency or manufactured urgency? That brief pause shifts your brain from emotional reaction to rational thinking.
  7. No legitimate company will ever punish you for taking 3 minutes to verify. If someone gets upset when you say you want to call back, that reaction itself is proof it's a scam. Real customer service representatives encourage verification.
  8. Create a phone reference card with real numbers and place it by your parent's phone. Bookmark important websites. Practice scenarios monthly until verification becomes automatic -- not a decision they have to make, but a habit they follow without thinking.

Spot the bug

Your father tells you about a call he received today:

'The bank called about suspicious activity on my credit card. The caller ID showed the bank's name. The woman knew my account number and the last transaction I made. She was very professional and said she was transferring me to the fraud department. The fraud investigator asked me to confirm my PIN and Social Security number to verify my identity. I gave him my PIN but then felt uncomfortable about the Social Security number. He said if I didn't provide it, my account would be frozen within the hour. I gave him the last four digits. Then he said they'd issue a new card and asked me to cut up my old one. I told him I'd think about it and hung up. Did I do the right thing?'

What red flags did your father miss, and what damage may have been done?

Hint:
Think about what information was revealed, what a real bank would and wouldn't ask for, and what the scammer can do with a PIN and partial SSN.

Answer:
Red flags missed: (1) Real banks never call unsolicited asking for PINs -- ever. (2) Knowing the account number and last transaction likely came from a data breach, not proof of legitimacy. (3) 'Transferring to fraud department' is a classic scam tactic -- it was just another scammer. (4) Threatening to 'freeze the account within the hour' is artificial urgency. (5) Asking him to cut up his card would leave him unable to find the real bank's phone number on the card back. Damage done: The scammer now has his PIN and last 4 of SSN -- combined with the account number, this may be enough to access the account or commit identity theft. Immediate steps: Call the REAL bank using the number on the card (don't cut it up!), report the compromised PIN, request a new card and PIN, set up fraud alerts, and monitor credit reports.

Explain like I'm 5

Imagine someone knocks on your door and says 'Hi, I'm the pizza delivery guy! Give me $20!' But you didn't order pizza. Would you just give them the money? No! You'd say 'Wait, let me call the pizza place and check.' And if you called the pizza place and they said 'We didn't send anyone to your house' -- you'd know the person at the door was lying. That's the Verify First Rule: when someone contacts you asking for money or information, don't just believe them. Hang up, call the real company yourself, and check if the story is true. It takes 3 minutes and saves everything.

Fun fact

Caller ID spoofing is so advanced that scammers can make any phone number appear on your screen -- even your own bank's real number, your grandchild's cell phone, or 911. In 2023, the FCC reported that spoofed robocalls accounted for over 50 billion calls in the US alone. This means the phone number you see on your screen is essentially meaningless as a trust signal. The ONLY reliable way to know who you're talking to is to hang up and call them yourself on a number you already trust.

Hands-on challenge

Create a Verify First Kit for your parent this week.

Step 1: Write out a phone reference card with real phone numbers (bank, credit card, Medicare, SSA, your number) and the reminder 'When in doubt, hang up and call back.' Place it next to their phone.

Step 2: Help them bookmark their 5 most important websites on their browser.

Step 3: Practice 3 scenarios via role-play: (a) Call pretending to be their bank asking for their PIN, (b) Show them a mock phishing email and have them go to the real website instead of clicking, (c) Call pretending to be a grandchild needing money. Did they hang up and verify each time?
