Scams now begin through phone calls, SMS, email, social media, search ads, matching apps, and payment apps.
The practical defense is not to memorize every suspicious phrase, but to decide in advance how to verify a request through a separate trusted route.
Recent public information from Japan’s National Police Agency, the Council of Anti-Phishing Japan, the Consumer Affairs Agency, and the Financial Services Agency points to three priorities.
- Losses from social media investment scams and fake police scams remain large.
- Compromised real accounts and domains can make phishing look more credible than a simple fake message.
- Everyday touchpoints such as public payments, telecom bills, financial services, parcel delivery, and payment apps are being used to push victims toward payment.
This article summarizes what individuals, families, site operators, and businesses should check before trusting a request.
The Core Rule
When a message or call creates urgency, do not use the link, phone number, QR code, transfer destination, or payment screen supplied in that contact.
Verify through an official app, a bookmarked official site, a number printed on a contract or card, or a public agency website.
This extra step matters because current scams combine familiar organization names, convincing screens, and pressure to act quickly.
What Current Public Warnings Show
Social media investment scams and fake police scams are high-impact risks
Provisional figures published by the NPA SOS47 project, covering the period through the end of May in Reiwa 8, show a table total of 18,067 recognized cases and 151.47 billion yen in losses.
Within that table, social media investment scams accounted for 5,099 cases and 70.04 billion yen in losses, while fake police scams accounted for 3,667 cases and 40.32 billion yen in losses.
Investment scams often build trust with claims that a well-known person recommends the scheme, that small deposits can grow, or that profits are visible inside a dedicated app.
Fake police scams use phrases such as "arrest warrant," "asset verification," or "proof of innocence" to isolate the target and remove time for consultation.
Even when the first contact is a phone call or social media message, the flow may move to private chat, video calls, bank transfers, crypto assets, precious metal purchases, or payment apps.
Phishing sent through misused ISP credentials has been reported
The Council of Anti-Phishing Japan has warned about phishing emails believed to have been sent after domestic ISP credentials or mail accounts were misused.
Examples include subjects that imitate card-use restrictions, Amazon account restrictions, and parcel delivery trouble.
A natural-looking sender or subject line is not enough to make a message safe if it moves the user toward login, payment, or personal data entry through an embedded link.
The council advises users of affected services to consider changing passwords and to access services through official apps or bookmarks rather than links inside messages.
Public-payment themes are being used to push app payments
A phishing case impersonating national pension payment requests has been reported as leading users from email to payment through the PayPay app.
Taxes, insurance premiums, utility charges, parcel delivery, and card restrictions are common themes because they create urgency and feel close to daily life.
Before opening a payment screen, verify the request with the official site, the municipality, the pension office, or the financial institution involved.
Telecom and fake-police transfer schemes need special caution
The Consumer Affairs Agency has warned about operators that impersonate major telecom companies and police officers, then demand fictitious administrative fees by claiming that an arrest warrant has been issued.
The agency describes consultations in which a call from an international number first names a major telecom company and then transfers the victim to someone impersonating police.
If a caller claims to be a telecom company or police officer, end the call and call back using an official public number.
Checks Individuals Should Decide in Advance
| Situation | Dangerous flow | What to verify |
|---|---|---|
| Email or SMS | A link asks for login, card, or personal information | Do not use the link; check through the official app or a bookmark |
| Phone call | The caller demands payment for unpaid bills, arrest warrants, account freezes, or identity checks | Hang up and call the official number from a contract or public site |
| Social media | Investment, romance, side work, or job offers move to a private chat | Verify identity, registration status, and payment recipient through another route |
| Payment app | A public payment, refund, or fee request pushes an app transfer | Confirm whether the official organization lists that payment method |
| Accounts | One reused password leads to multiple account takeovers | Stop reusing passwords, use a password manager, and enable multifactor authentication |
Pressure phrases such as "act now," "do not tell anyone," "keep the video call open," or "share your screen" should be treated as warning signs.
Even when the explanation sounds plausible, the pressure to prevent verification is itself a risk signal.
Rules for Families and Teams
Scam prevention fails when it depends only on one person’s attention.
Families and teams should decide simple operating rules before a crisis.
- Do not decide alone on money, identity checks, account recovery, police, taxes, or investment requests.
- If a caller or chat contact pressures you, end the contact without debating.
- Set a family verification phrase or an internal approval flow.
- Require a second person to confirm bank transfers, crypto purchases, gift card purchases, and payment app transfers.
- Save screenshots, phone numbers, dates, payment destinations, and account names when suspicious contact occurs.
Younger people are also targeted through investment, matching apps, side jobs, recruitment posts, and social media ads.
Standard verification routines are more reliable than confidence in personal digital literacy.
What Businesses and Site Operators Should Check
Businesses need to make it easy for customers to distinguish official contact from impersonation when a company name or domain is abused.
The NPA recommends that organizations consider sender authentication technologies such as SPF, DKIM, and DMARC as part of phishing countermeasures.
DMARC is important because it lets senders specify how receiving systems should treat mail that fails authentication.
- Limit official sending domains and publish them clearly for customers.
- Configure SPF, DKIM, and DMARC, then review DMARC reports regularly.
- Avoid shortened URLs and unnatural external domains in login or payment guidance.
- Prepare notice templates, support workflows, and FAQ pages for phishing incidents.
- Review ads, affiliates, and partner campaigns so urgency-based copy does not resemble a scam.
- State clearly that support staff will not ask for passwords, one-time codes, or full card numbers.
Even if the company itself has not been breached, leaked credentials, look-alike domains, ad placements, and social media accounts can be abused.
A clear official verification route is a trust and security control.
If You Already Entered Information or Sent Money
Action after the fact can still reduce additional harm.
- Contact the card issuer, bank, or payment service and request suspension or investigation.
- Change reused passwords from a separate device and enable multifactor authentication.
- Review login history and recovery contact details for email, social media, ecommerce, and financial accounts.
- Contact the appropriate consultation channel, such as police consultation number #9110, Consumer Hotline 188, the FSA, or the Securities and Exchange Surveillance Commission.
- Report suspicious messages or sites to organizations such as the Council of Anti-Phishing Japan.
Delaying because of embarrassment can let the damage spread to accounts, workplaces, and family members.
The sooner the issue is reported, the more options remain.
FAQ
What if the message might really be from a company or public office?
Do not use the link or phone number inside the message.
Check through an official app, bookmarked official site, contract document, or public agency website.
Is a URL safe if it looks similar to the real one?
No.
Look-alike domains, subdomains, misleading characters, and ad-driven fake sites can all look plausible.
When should I stop an investment or side-job conversation?
Stop if you cannot verify registration, if profit is guaranteed, if the conversation moves to an external chat, if borrowing or payment is rushed, or if a fee is required before withdrawal.
What should businesses publish for customers?
Publish official domains, official apps, payment methods, information that support will never ask for, and emergency contact routes.
Also prepare sender authentication and an incident notice process.
Summary
Scam prevention is not about memorizing suspicious wording.
It is about verifying through a separate route, refusing rushed payment or credential requests, and setting consultation rules before pressure begins.
Individuals should use official routes, and businesses should make those routes clear.
Together, those habits improve resilience against phishing, social media investment scams, fake police scams, and fictitious billing.
References
- NPA SOS47: Recognized and cleared special fraud cases through the end of May in Reiwa 8
- NPA SOS47: Distinctive fake police scam methods
- NPA: Phishing countermeasures
- Council of Anti-Phishing Japan: Phishing emails sent through misused domestic ISP credentials
- Council of Anti-Phishing Japan: Phishing impersonating national pension payment requests
- Consumer Affairs Agency: Warning about telecom and police impersonation
- Financial Services Agency: Names of unregistered financial instruments business operators

