When a Chatbot Asks for This, It's Already the Scam
A chat window feels different from a form. It talks back. It says "please" and "thanks for your patience," it apologizes for the wait, it remembers your name two lines later. That friendliness is doing a job, and the job is to lower your guard.
So here is the one rule that does most of the work, the rule you can lean on when you can't tell a real chat from a fake one:
A legitimate company will never ask for your most sensitive information through a chat: your Social Security number, your full card number, your account password. The moment a chat asks for any of those, you have already found the scam. You don't have to spot the fake logo or the misspelled web address. The request itself is the tell.
That matters more than it used to. Americans reported losing $12.5 billion to fraud in 2024, a 25 percent jump in a single year, according to the Federal Trade Commission. And the chat-shaped corner of that world is growing because most people don't see it coming. In one Security.org study, 58 percent of adults said they had no idea a chatbot could be turned against them.
The short list: what you never type into a chat
Real companies build chatbots that already know who you are once you've logged in. They don't need you to recite the secret stuff back to them. If a chat pushes for any of the following, close the window:
- Your Social Security number
- A full credit or debit card number
- Bank account or routing numbers
- Account passwords or login codes
- Your driver's license or passport number
- Medical or insurance details
You would never read your Social Security number aloud to check on a package. The same logic holds in a chat box. No real delivery company, bank, or store needs it to help you.
How the trap actually gets set
Scam chats rarely start in the chat. They start with a message that hands you a reason to click, and the chat waits on the other side of the link looking official.
Two real cases show the pattern.
A delivery scam built around DHL reached people by email first. The note claimed a package was stuck and a small shipping fee would release it. Click the link, and you landed in a chat that looked the part: a security checkbox, a photo of a damaged box, fields asking for your card to cover the fee. The chat was convincing; the details around it gave it away. The sender's "from" line was blank, and the web address read dhiparcel.com instead of DHL's real site. Security researchers at Trustwave documented the whole flow.
A Facebook version leaned on fear instead of a fee. The email warned that your page had broken the rules and would be deleted in 48 hours unless you appealed. The appeal link opened a support chat inside Messenger that asked, plainly, for your username and password. The giveaways were all there for anyone who slowed down: the sending address wasn't Meta's, the support page wasn't official, and the page running the "support" had no posts and no followers.
Both scams share the same skeleton. A message you didn't expect. A clock ticking. A link that takes you somewhere you didn't choose to go. The brand name on top is borrowed; right now the brand scammers borrow most often is Microsoft, which alone accounts for more than a third of brand-impersonation phishing, per Check Point Research. Apple, Google, and Amazon are never far behind. The logo means nothing. The behavior means everything.
Three checks before you trust any chat
Three habits beat this, and none of them require anything technical.
- Get there yourself. Don't reach a company's chat by clicking a link in an email or text. Open a new tab, type the company's address, and find the chat from their real site. A genuine package problem will still be there when you arrive on your own.
- Read the address, not the name. The display name is easy to fake; the actual sending address and the web address are harder. If a "Walmart" email comes from a domain that isn't Walmart's, or the link points somewhere odd, that's your answer.
- Refuse the rush. Real companies do not delete your account in 48 hours or demand a fee in the next ten minutes. Urgency is a pressure tactic, and pressure is the scammer's favorite tool. When a message hurries you, slow down on purpose.
If something still feels off, search the company's name along with the offer or warning you received. A real promotion shows up on the company's own site. A scam shows up in other people's complaints, or nowhere at all.
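The second check, "read the address, not the name," is also one a mail filter or help desk can run automatically. The Python sketch below is an added example, not part of the original guide; the brand-to-domain table and the three sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the domains each brand really uses. Illustrative entries only.
BRAND_DOMAINS = {"dhl": {"dhl.com"}, "walmart": {"walmart.com"}}

def _belongs(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_message(raw):
    """List the ways a message fails the 'address, not the name' check."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    # Text parts only, taken as-is (no transfer-encoding decoding).
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    claimed = f"{display} {msg.get('Subject', '')} {body}".lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if not re.search(rf"\b{brand}\b", claimed):
            continue  # the message does not use this brand's name
        if not addr:
            findings.append(f"{brand}: From line has no address")
        elif not _belongs(sender_domain, domains):
            findings.append(f"{brand}: sent from {sender_domain}")
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            host = urlparse(url).hostname
            if not _belongs(host, domains):
                findings.append(f"{brand}: link goes to {host}")
    return findings

# Constructed samples modelled on the cases described in the article.
BLANK_FROM = ("From: \nSubject: Your DHL parcel is on hold\n\n"
              "Pay the shipping fee here: https://dhiparcel.com/chat\n")
NAME_ONLY = ('From: "Walmart Rewards" <offers@mailer.example>\n'
             "Subject: Claim your gift card\n\nReply to this message to claim.\n")
MATCHING = ("From: DHL <noreply@dhl.com>\nSubject: DHL tracking update\n\n"
            "Track it at https://www.dhl.com/track\n")

if __name__ == "__main__":
    for name, raw in [("blank", BLANK_FROM), ("name", NAME_ONLY), ("ok", MATCHING)]:
        print(name, check_message(raw))
```

An empty result means only that nothing mismatched; it does not prove who sent the message, so the other two checks still apply.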
Share less, even when the chat is real
Most chatbots are legitimate, and most days they're as safe as any app you use. Fake chats are only half the risk. The other half is how much you volunteer to real ones, because anything stored in a chat can be exposed later if that company is breached. In 2024 alone, the personal data of roughly 1.7 billion people turned up in breaches, by the HIPAA Journal's count.
The fix is a quiet habit called data minimization: give only what's asked, and not a word more. If the chat needs a ZIP code, it doesn't need your street address. If it asks for the last four digits of your card, it doesn't need all sixteen. Answer the question in front of you and stop there.
Your home assistant is a chatbot too
The same conversational technology lives in Amazon's Alexa, Google's Home, and Apple's Siri, and roughly 120 million Americans already talk to one. A voice assistant has something a website chat doesn't: an always-on microphone and, often, a line into your accounts and even your locks. It also skips the password screens that slow a scammer down, which is why researchers have shown these devices can be pushed around in ways that sound like science fiction but aren't. The FTC took it seriously enough that in 2023 Amazon agreed to pay $25 million to settle claims it held onto children's Alexa recordings.
A few minutes in the settings closes most of the gap:
- Turn off voice purchasing, or require a spoken PIN before any purchase goes through. This alone stops the most common "oops" charges.
- Mute the microphone when you're not using the device. The button is right there for a reason.
- Delete saved recordings and tell the device to stop keeping them, under "Alexa Privacy" on Amazon or "Activity Controls" on Google.
- Keep the device updated and put it on a Wi-Fi network with a strong password and modern encryption.
- Only connect apps you trust. Every extra connection is one more door.
If you're dating online, assume bots are in the room
Romance scams are the cruelest version of this, because the "person" is patient and the goal is your money. Reported losses run over a billion dollars a year, and a growing share of them now begin on social media before moving to a private chat, the FTC reports. AI writing tools let one scammer run many fake profiles at once and keep every conversation flowing.
The tells are consistent:
- Photos that look too polished, and a profile with almost no real detail
- A quick push to leave the app for text or another chat
- Refusing every video or phone call
- Affection that arrives far too fast
- And eventually, always, a reason they need money
If you can, drop one of their photos into Google Images to see whether the face shows up on a dozen other profiles. And keep the money rule absolute: someone you've never met in person never needs your cash.
The whole guide in one line
You can forget the rest and keep this: a real company will never ask for your sensitive information in a chat, so the moment one does, you're done. Get to chats on your own instead of through links, refuse to be rushed, and share the least the conversation will accept. The friendly voice on the other end is sometimes a helpful tool and sometimes a trap, and you don't have to tell them apart. You only have to know what you'll never hand over.