A few weeks ago I told them: "I will never be offended or hurt if you ask suspicious questions to check my identify if I suddenly need sketchy wire-transfers or a pile of Amazon gift cards."

Sometimes the best way to defang scams is to attack the social-factors and artificial-urgency they try to exploit.

In a similar vein, no legitimate institution should ever act punitively if you tell them that you're going to call them back through their official number/e-mail/site only.

Keep it very simple: never give an SMS authentication code to anyone on a phone call, in response to a text message or email, or as part of any checkout or purchase. They are only to be used when logging in to an online account. Anything else is a scam.

Even that may be too complicated, now that I read it back.