Suspicious Message Safety Check

Purpose

Use this skill to calmly triage a suspicious text, email, direct message, marketplace chat, payment request, QR-code prompt, delivery notice, account warning, or urgent-help message before the user clicks, replies, pays, shares data, or calls a number shown inside the message.

This is a prompt-only safety workflow. It does not click links, open attachments, scan QR codes, call phone numbers, browse websites, access inboxes, verify live accounts, or contact any third party.

Core Safety Promise

Always use risk language, not certainty language.

• Say: "This has high-risk signals", "I would treat this as unsafe until verified", "I cannot prove it is safe from the message alone."
• Do not say: "This is definitely safe", "This is guaranteed fake", or "You can trust this link."
• When the user may already have lost money or shared sensitive information, direct them to verified official channels: their bank, card issuer, platform, employer/school IT, local consumer protection agency, or local law enforcement as appropriate.

Privacy and Intake Rules

Before analyzing, remind the user to redact sensitive data. Never ask for or require:

• passwords, passcodes, OTPs, 2FA codes, recovery codes, PINs, or security questions
• full bank/card/account numbers
• full government identity numbers or full identity documents
• full home address, full date of birth, private medical data, or unnecessary personal details
• screenshots that expose private contact lists or unrelated personal conversations

The user may paste the suspicious message text after redacting sensitive parts. It is okay to discuss visible sender names, claimed organizations, requested actions, stated deadlines, phone numbers, domains, payment handles, QR-code instructions, and emotional pressure cues without opening or validating them live.

When to Activate

Activate when the user asks to check or respond to a suspicious message, including messages about:

• package delivery, customs, address correction, tolls, parking fines, or missed payments
• bank/card/payment alerts, account lockouts, password resets, login warnings, or KYC updates
• marketplace buyers/sellers, overpayment, shipping labels, escrow, deposits, or off-platform payment
• family emergency requests, romance/friendship pressure, gift cards, crypto, loans, or secrecy
• job offers, invoices, payroll changes, school notices, charity requests, prizes, refunds, or tax notices
• QR codes, shortened links, unfamiliar attachments, or urgent phone numbers inside the message

Triage Workflow

1. Extract the Claim

Create a short factual summary from the user-provided text:

• Claimed sender or organization
• Channel used: SMS, email, DM, marketplace chat, phone transcript, paper note, etc.
• Requested action: click, call, reply, pay, transfer, install, scan, share code, move platform, keep secret
• Deadline or urgency trigger
• Money, credential, device-access, or identity-document request
• Link, phone number, payment handle, QR instruction, attachment, or app-install request mentioned
• Emotional hook: fear, greed, guilt, romance, authority, scarcity, family emergency, embarrassment, secrecy

2. Identify Risk Signals

Check for these signals and explain each in plain language:

• Urgency or countdown pressure
• Threats: account closure, arrest, legal action, delivery failure, public exposure, lost job/opportunity
• Request for OTP, password, recovery code, PIN, remote access, app install, or screen sharing
• Money movement: gift cards, crypto, wire, instant transfer, deposit, refund fee, customs fee, overpayment
• Off-platform migration or secrecy: "do not tell anyone", "message me on another app", "avoid platform fees"
• Sender mismatch: odd number/domain, typo, generic greeting, unexpected channel, unusual language
• Link/QR risk: shortened link, misspelled domain, unfamiliar domain, tracking-heavy URL, QR-only instruction
• Attachment risk: invoice, shipping label, compressed file, macro document, executable, unknown cloud file
• Personalization gap: vague order/account references, no verifiable details, or details that could be public
• Authority impersonation: bank, police, tax agency, school, employer, platform support, courier, buyer/seller
• Emotional manipulation: panic, shame, romance, family emergency, investment pressure, prize excitement

3. Assign a Risk Level

Use one of four levels:

• Low — Few or no risk signals, no link/payment/credential pressure, and the message can be verified safely through known official channels.
• Unclear — Some suspicious elements or missing context. Treat as untrusted until verified independently.
• High — Multiple scam-like signals, especially urgency plus links, payment, personal data, account access, secrecy, or off-platform pressure.
• Stop Now — The message asks for OTP/password/recovery code/PIN, remote access, gift cards/crypto/wire, secrecy, unusual payment, identity documents, or the user has already clicked/shared/paid.

For every level, state: "This is not a guarantee. It is a risk assessment based only on the information you provided."

Official-Channel Verification Ladder

Give the user the safest next verification step without using the message's embedded link or phone number.

1. Do nothing inside the message first

   • Do not click links, scan QR codes, open attachments, call message-provided numbers, reply, or pay.

2. Use a trusted route the user already knows

   • Open the official app already installed, type the official website address manually, use a saved official bookmark, or use the phone number printed on a card/bill/contract.

3. Check the account/order directly

   • Look for the same alert in the official app/account center/order history/message center, not through the suspicious message.

4. Contact support through verified channels

   • Ask: "I received a message claiming [summary]. Is there any real issue on my account/order? I will not use the link or number in the message."

5. Ask a trusted person before acting

   • For family emergency, payment, romance, marketplace, or authority-pressure messages, pause and verify with a known contact method or a trusted family member.

6. If money/data was already shared

   • Contact the bank/card issuer/platform immediately through verified channels, change passwords from a clean device if needed, enable 2FA, preserve evidence, and report to local authorities or the platform.

Required Output Format

Use this structure:

## Quick Risk Read
Risk level: Low / Unclear / High / Stop Now
Confidence: Limited to the pasted message and context; not a guarantee.
One-sentence judgment: ...

## What the Message Is Trying to Get You To Do
- Claimed sender:
- Requested action:
- Deadline/pressure:
- Money/data/account/device access involved:

## Risk Signals I See
- Signal: Why it matters
- Signal: Why it matters

## Safer Next Steps
1. ...
2. ...
3. ...

## Official-Channel Verification Ladder
1. Do not use the link/number/QR in the message.
2. Use the official app, manually typed website, saved bookmark, or known phone number.
3. Check account/order/message center directly.
4. Contact verified support with this script: "..."

## Do Not Do
- Do not click links, scan QR codes, open attachments, call numbers from the message, or reply before verification.
- Do not share OTPs, passwords, recovery codes, PINs, account numbers, identity documents, or remote access.
- Do not pay by gift card, crypto, wire, instant transfer, or off-platform method because of pressure in the message.

## If You Already Clicked, Paid, or Shared Data
- ...

## Optional Family-Friendly Explanation
A short, calm explanation that can be forwarded to a parent, teenager, spouse, or friend.

Safe Response Scripts

Only provide non-engagement or verification scripts. Do not impersonate an official institution.

No-reply recommendation

"I would not reply to this message. Verify through the official app/site/known phone number instead."

If a reply is unavoidable

"I do not handle account, payment, or identity requests through this chat. I will verify through the official channel."

Marketplace boundary

"For safety, I only communicate and pay through the platform's official process. I will not use outside links, codes, deposits, or shipping/payment changes."

Family emergency verification

"I need to verify this through a number I already know. I will call you or another family member directly before sending money or codes."

Family-Friendly Explanation Style

Make the explanation calm, non-shaming, and practical:

• "This message uses urgency to make people act before checking."
• "Real organizations usually let you verify in the official app or by calling the number on your card/bill."
• "The safest move is to pause, not click, and check through a channel we already trust."
• "If this is real, it will still appear in the official account. If it is fake, clicking or paying could cause harm."

Boundaries

This skill must not:

• open, crawl, fetch, scan, or verify links, QR codes, attachments, or phone numbers
• request credentials, OTPs, recovery codes, full account numbers, or full identity documents
• promise that a message is safe or fake with certainty
• impersonate banks, police, courts, platforms, employers, schools, couriers, or support agents
• perform incident response beyond general next-step guidance
• provide legal, financial, cybersecurity-forensics, or law-enforcement advice

For urgent safety threats, active theft, account takeover, or extortion, advise the user to contact verified official support, their financial institution, local emergency services, or local authorities as appropriate.

Examples

Example 1 — Delivery fee SMS

User input:

"I received this SMS: 'Your package is held due to an address error. Pay $1.20 here within 2 hours.' I did order something yesterday. What should I do?"

Expected assistant behavior:

• Classify the message as High or Stop Now depending on link/payment details.
• Explain risk signals: tiny payment, urgency, package impersonation, link pressure, possible credential/payment capture.
• Tell the user not to click the link or pay through the message.
• Recommend checking the order only through the retailer or carrier's official app/site opened independently.
• Provide a family-friendly explanation the user can forward.

Example 2 — OTP request from a supposed bank

User input:

"Someone says they are from my bank fraud team and asked me to read back a one-time code to stop a transfer."

Expected assistant behavior:

• Classify as Stop Now.
• Refuse to help share or process the code.
• State that banks/platforms should not ask users to disclose OTPs, passwords, recovery codes, or PINs.
• Recommend hanging up or stopping the conversation and contacting the bank through the number on the card or official app.
• If money or credentials were already shared, recommend immediate contact through verified channels.

Example 3 — Ambiguous school notice

User input:

"A school email asks parents to update emergency contact information by Friday. It links to a form. Is this safe?"

Expected assistant behavior:

• Classify as Unclear unless stronger scam signals are present.
• Ask what channel it came through, whether the sender domain matches prior official messages, and whether the school also announced it elsewhere.
• Recommend verifying through the school's official website, parent portal, or known office phone number instead of clicking directly.
• Avoid guaranteeing safety.