How to Stay Safe Against Scams

Website security does not exist in a vacuum. The entire scope of cybersecurity is interconnected. A compromised device can quickly lead to a website or network compromise and vice versa, so it is important that we try to keep our entire online life as secure as possible.

Educating our customers about website security includes, by extension, educating them about their personal online security. In that spirit, this article will look at something that can target anyone, anywhere in the world: a scam.

Let’s talk about different types of online scams and pinpoint a few indicators that can be used to identify when you are dealing with a scam.

Scams can take many forms and function globally, while some can be country specific. The attackers may just want the scam to run in a specific country, or to target a specific demographic, or group of people, or even a particular person.

Protect Yourself from Scams

What is a Scam?

A scam is a fraudulent business or scheme that aims to take money or other goods from an unsuspecting target.

With the world becoming more connected thanks to the Internet, scams have increased in both scope and intensity. Because of advancements in technology (including cryptocurrencies), it’s much easier to move money around, and it’s often up to you to remain cautious with people in your connected life.

First, let’s take a look at a few examples of scams.

SMS Scam

SMS Scam

This message here was easily flagged by Android as spam because it doesn’t have a specific target. It was sent to anyone/everyone on the scammer’s target list.

What if the message hadn’t been flagged? What if you knew someone named Ken and this message could have been potentially truthful so you contacted that email?

Looking around the web, we can see reports from people who received the exact same message but with different email addresses, for example far45ru@gmail.com.

Why do they want you to drop them an email?

Their objective is to get something from you. It could be money, or credit card information, or something else. If you reply, you would be pulled into a black hole with the attacker or cause your email address to be added to several other spam and scam target lists.

Now, let’s take a look at a few more country-specific examples. These scams are specific to Portugal.

SMS Scam

Translation: “We are trying to reach you. You have earned 5th place on our Worten anniversary campaign’ (02-2020). Your prize: hxxp://g4k.us/loPq”

In this case, the message supposedly comes from “Worten”. This is one of the largest home appliance store chains in Portugal, similar to Home Depot in the US. It is known by everyone in the targeted demographic, which increases the scam’s chance of success.

With the popularity of URL shorteners, the included link will look “okay” to many people. Since there’s no warning from Android, no possibility to reply, and the message looks legitimate, it’s easy to fall for this. This specific scam is psychologically clever. And since we seemingly just won a prize, most won’t dwell on the “realness” of the message. Our mind jumps to thinking about what prize it may be.

Accessing that URL, we do indeed get a page carrying the “Worten” brand:

SMS Scam

Translation: “A new year has begun! To celebrate we are offering several prizes! Congratulations! This week you are one of our 10 lucky customers who have just won one of our prizes (value ranging from €100 to €2689)”

Then, we get the list of prizes which are a store gift card for €2000, an iPhone 11 Pro, a Samsung Galaxy S10 and a €100 store gift card.

This is the first sign that something is amiss. The message we received clearly said we had won 5th prize, and now the page says we won one of these. Maybe it will ask for information to verify exactly what we got, but, still, this is quite an odd way to work.

Contradictory information is one of the common denominators of a shady situation. We should proceed with extreme caution.

We even get a few comments on the bottom from legitimate looking people and written in the correct language (I have blurred the photos because the actual people from the photos probably have nothing to do with this page).

The comments for the most part say how awesome this is, but also include a few typical negative comments to make it look more legitimate, for example:

“Initially I thought this was a scam but I already received the confirmation of the delivery details. Thanks!” – this is a funny one.
“Sadly, I only won the 100€ gift card :(. Can I try again?”
“Oops, I refreshed the page by accident and now I don’t have access, can you help?!!! :’(”

As you can see, the scammers are doing all they can to instill trust in the page. This leads us to another common denominator.

There is always something somewhere in the scam that tries to instill trust in you. A legitimate service would have no need to do this, right?

For now, let’s proceed with this process and see what’s next. Since there’s only 1 button there, that’s what we press.

SMS Scam Survey Questions

Now we need to answer three questions, and the first one is our age. Earlier the messages said we had a prize ready to be claimed, but now it’s telling us we need to answer three questions. (Remember the contradictory information denominator?) It’s definitely starting to stink, but we still want our goodies, right?

So, let’s continue.

SMS Scam Survey Question

It asks us when we last visited the store, either in a physical location or online.

This question seems fairly common, so they are probably just making a profile for us before we can collect our prize.

Let’s continue further.

SMS Scam Survey Question

Now it asks us if we have ever won anything before. Again, nothing strange and even kind of funny.

Let us carry on, and since this is the last question, we must be close to getting our prize! At long last!

Loading Scam Results Page

The website says it’s validating our answers. Strange, but okay. None of the answers seem to have needed validation.

After a short delay:

SMS Scam Customer Validation

It says it successfully validated our answers and even gave me a customer reference ID. It must be legit! Our prize is just around the corner now :).

Prize Results Page SMS Scam

Apparently, we got a Samsung Galaxy S10!!!
But wait, let’s take a step back. The message said we got 5th prize, which is a store gift card for €100 (again, the contradictory information). That’s odd, but a smartphone like this is better, so we’ll take it, right?

SMS Scam Phone Color Prize

We even get to choose the color we prefer. That’s amazing. Give me a Prism Black please!

SMS Scam loading image

It’s checking if they have it in stock. I hope so… I want it in black.

SMS Scam Approval Page

It has been approved, and it is saying it will be delivered in 5 working days!
It wants to confirm my address and just needs €2 to ship it to me with insurance.
Heck, that’s nothing to get such an expensive smartphone. I’m still on board!

Now, we get redirected to another page where it’s asking for our address.

SMS Scam Address Request

The price even dropped! Apparently, it is now just €1. Okay. Cheaper for us, right? (But yet again, contradictory information)

It now includes a free pair of Galaxy earbuds. This keeps getting better by the minute. But, now it’s telling us there’s only 2 colors available, black and white. What the heck?! Okay, we still got black, so that’s fine.

We fill in our address and all that’s needed, and we get redirected to another website.

SMS Scam checkout page

Here’s something odd. Let’s say that you messed up some element there and the payment fails, you get redirected to a different page:

SMS Scam redirect page

It’s 2 Euro again! Now, this is indeed hilarious, but since we can’t move forward anymore without actual payment, let’s do a post-mortem on what we’ve seen.

The Red Flags
We encounter 6 red flags as we are guided to click through the scam campaign:

1 – On the first step, after we click the shortened URL in the SMS, we are redirected to hxxp://claimitemswon.com/?cep=[redacted encoded string]&lptoken=[redacted string]&no=18/20/21. This domain has no relation to the domain of the brand it claims to be. A brand’s campaign with any web element would be hosted on the brand’s own domain.

2 – While going through the click processes and prize forms, it does not ask for any kind of identity verification to ensure that we are the recipient of that prize.

3 – The SMS specifically said that we won the 5th place prize, but later it stated we won 3rd place.

4 – They are asking for very little money to ship something that costs around $500 or more. When someone asks for a very small down payment to get something big for free (think of your Nigerian prince scams), it is usually a sign that something is wrong, and someone is out to get you.

5 – The page where you entered your address and phone number etc. is not SSL protected. A trustworthy brand would try to ensure your data is protected.

6 – Something that probably no one noticed is the small fine print that is present on the page. This is where the secret of the whole scam is hiding. It is on the URL hxxps://tengalxy.mixnmatchnow.com/pt/ where we are first asked for address information:

SMS Scam fine print

Translation:
All new customers participate in the prize draw for the campaign product presented. If you are the lucky recipient, you will be contacted directly by email. This special offer comes with a 4-day trial period for an associated subscription service, after which the monthly subscription fee (65 EUR) will be automatically deducted from your credit card. If, for any reason, you are not satisfied with the service, you can cancel your account within 4 days. The service will be renewed monthly until canceled. This campaign will end on December 31, 2020.

One important thing to note here, which can also be used as a scam indicator, is that European Union regulations state that you have a 14-day cooling off period on purchases made online. This means you can back out within 14 days without penalty. Here they are giving you 4 days, which is not legal.

Then on the checkout page itself we got another unrelated URL, hxxps://twindu[.]com/pt/gateway.html:

SMS Scam unrelated forwarding page

Right at the bottom, we see that this is actually a company from Cyprus. This makes absolutely no sense because we are dealing with a company from Portugal. We then have another set of fine print on the side which translates to:

Refunds for purchases or recurring charges can be requested by contacting customer support. No refunds or credits will be issued for partially used Member Registrations. You may be asked to cancel all recurring billing in accordance with Article 8 – Cancellation. MelodyWays.com reserves the right to grant, in its sole discretion, a refund or credit applicable to purchases on the Site. The decision to refund a charge does not imply an obligation to issue additional refunds in the future. If a refund is issued for any reason on MelodyWays.com, it will be credited only by the payment method used in the original transaction. MelodyWays.com will not issue cash refunds.
All new customers participate in the prize draw for the campaign product presented. If you are the lucky recipient, you will be contacted directly by email. This special offer comes with a 4-day trial period for an associated subscription service, after which the monthly subscription fee (65 EUR) will be automatically deducted from your credit card. If, for any reason, you are not satisfied with the service, you can cancel your account within 4 days. The service will be renewed monthly until canceled. This campaign will end on December 31, 2020

So, the amount we are paying is actually for a subscription service where maybe we will be entered into a prize draw to maybe receive the prize that was supposedly already ours.

What we are winning is just four days of service as a trial – right after which we will be charged 65€ / month. That doesn’t sound like a deal.

We now also have another website involved, MelodyWays.com. If we search around the web for information on this domain/service, we see that this is their tactic. They reach you saying you won something to get you enrolled/subscribed into something that you would not otherwise subscribe to.

When we input invalid payment information, we were redirected to another website. This time we were sent to hxxps://thediggishop.com/pt/gateway.html which appears to be a computer shop with no connection. This domain was possibly compromised and used as another gateway for the scam to operate without the owner’s knowledge. This is another indication of the scam’s shady operating tactics.
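
The red flags above can be checked mechanically once the redirect chain has been recorded. The following Python code is an added example, not part of the original article: it takes the defanged URLs quoted above as a constructed hop list, plus an excerpt of the translated fine print, and applies red flags 1, 5 and 6. The brand domain worten.pt, the extra shortener hosts, the function names and the two-label domain heuristic are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# g4k.us is the shortener seen in the SMS; the other two are well-known
# services added here for illustration.
SHORTENERS = {"g4k.us", "bit.ly", "tinyurl.com"}
EU_COOLING_OFF_DAYS = 14  # the cooling-off period the article cites

# Assumption: the brand's real domain. It is not quoted in the article.
BRAND_DOMAIN = "worten.pt"

# Constructed hop list, in the order the article describes the pages.
# The query-string values are placeholders for the redacted strings.
CHAIN = [
    "hxxp://g4k.us/loPq",
    "hxxp://claimitemswon.com/?cep=REDACTED&lptoken=REDACTED",
    "hxxps://tengalxy.mixnmatchnow.com/pt/",
    "hxxps://twindu[.]com/pt/gateway.html",
    "hxxps://thediggishop.com/pt/gateway.html",
]

# Excerpt of the translated fine print quoted in red flag 6.
FINE_PRINT = (
    "All new customers participate in the prize draw for the campaign "
    "product presented. This special offer comes with a 4-day trial period "
    "for an associated subscription service, after which the monthly "
    "subscription fee (65 EUR) will be automatically deducted from your "
    "credit card."
)


def refang(url):
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


def registrable_domain(url):
    """Naive 'last two labels' domain. It is correct for the hosts above;
    real tooling should use the Public Suffix List (think of .co.uk)."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def analyze_chain(brand_domain, chain):
    """Return (flag, detail) findings for a recorded redirect chain."""
    findings, seen = [], []
    for url in chain:
        dom = registrable_domain(url)
        if urlsplit(refang(url)).scheme != "https":
            findings.append(("no_tls", dom))                # red flag 5
        if dom in seen:
            continue                                        # report a domain once
        seen.append(dom)
        if dom in SHORTENERS:
            findings.append(("shortener", dom))             # destination hidden
        elif dom != brand_domain:
            findings.append(("off_brand_domain", dom))      # red flag 1
    unrelated = [d for d in seen if d != brand_domain]
    if len(unrelated) >= 3:
        findings.append(("many_unrelated_domains", ", ".join(unrelated)))
    return findings


def check_fine_print(text):
    """Flag subscription terms. The patterns match the wording of the
    translated fine print above and would need adapting for other text."""
    findings = []
    trial = re.search(r"(\d+)-day trial", text)
    fee = re.search(r"monthly subscription fee \((\d+) EUR\)", text)
    if fee:
        findings.append(("recurring_charge", fee.group(1) + " EUR/month"))
    if trial and int(trial.group(1)) < EU_COOLING_OFF_DAYS:
        findings.append(("short_cancel_window",
                         f"{trial.group(1)} days < {EU_COOLING_OFF_DAYS}"))
    if re.search(r"prize draw", text, re.IGNORECASE):
        findings.append(("prize_is_only_a_draw", "entry in a draw, not a prize"))
    return findings


if __name__ == "__main__":
    for flag, detail in analyze_chain(BRAND_DOMAIN, CHAIN) + check_fine_print(FINE_PRINT):
        print(f"{flag:24} {detail}")
```

A chain that stays on the brand’s own domain over HTTPS produces no findings, which is the behaviour a real campaign page should show.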

SMS Scam II

SMS Scam

This scam is like the previous one, but this time it says you are getting the 2nd place prize and gives you a date. Since this is an older message, the URL is no longer valid but it is possible that this was run by the exact same website/people/group.

SMS Scam Text

Here, we have another message from a different company also saying that you supposedly received a prize and should click the link provided to claim your prize.
Unfortunately, this link is also down already so we can’t explore it.

SMS Scam Text

This one is still recent, so let’s take it further.

First, we immediately get pushed into a URL that seems to just pretty much check if we are using an iPhone. Because this currently only works for iPhones, this becomes a form of targeting a specific demographic/group of people, in this case iPhone owners: hxxps://backscratchhop.com/eb9a2726fdfd91800//04c2504fb6744fd2b833ed1f3e7970a8/

From there, it sends us off to different random looking websites that show different offers like:

SMS Scam offer page

Notice how similar it is to the example above? I even had to blur the pictures here as well. But let us carry on with this clicking process to see where we land. Also, do you notice how the website is saying in red letters that we have 16 seconds to reply to the questions?

This is another commonly used denominator in scams: they need to instill a sense of rush in you so that you don’t have time to properly analyze what you are seeing or think about what you are doing, increasing the chances of success.

It has asked us 3 questions all about Google for some reason, even though we use an iPhone, and we got them all wrong on purpose and the result is quite funny.

SMS Scam results page

3/3 right and we got an iPhone 11 as a prize, so, let’s go grab it.

Next, it leads us to hxxp://app.trkings.com to win something else. This time, the questions are about Apple. Where is my iPhone?!!

SMS Scam

But, since we don’t know how many more steps this will take, let’s cut to the chase and take a look at the fine print.

Subscribe to the JuicyWin.com competition today! The competition winner is drawn weekly at midday every Friday. Answer the weekly question to be in with a chance. This service will cost £4.50 per week. Age 16+ only. To end the service, you should cancel your payment on PayPal. Questions will be sent by email to you & will need to be replied to by email correctly to be in the draw. JuicyWin.com is a brand of SB7 Mobile – 0330-134-0181.

We can already see that this is meant to enroll us in yet another recurring payment service through PayPal that will cost £4.50 per week, about $5.51 USD.

This page at least checks for the right answers, and there is only 1 question this time.

SMS Scam

Notice the part where it even says it’s a “chance” and not a certain win?

SMS Scam PayPal login

Now that we’re on the PayPal page, ready to hand them our money, we can see who we are actually sending it to. We can look up the company SB7 Mobile Ltd on Google to find more information.

We find many red flags directly on Trustpilot: https://uk.trustpilot.com/review/sb7mobile.com. People are complaining about charges for services they didn’t sign up for. Some people say they have lost hundreds of dollars to this “service”.

Pop-up Scam

Let’s now look at another campaign being operated at the same time. This one takes us to:

Pop-up Scam

(Who doesn’t want to be a millionaire today, right?)

After we spin it twice it says we have received 100 free spins. Let’s go grab them as well.

Afterwards, we are redirected to the freespinswizard website.

Pop up scam casino game

We must verify our phone number through a code that will be sent to us. Nothing is mentioned about a charge, but it’s probably safe to assume that this will either enroll us into a subscription as well, or just add our number to a list for further targeted communications.

Now, freespinswizard appears to be a legitimate online casino. I was unable to find anything that leads me to believe that it’s a fake casino, but that’s not what we’re investigating at this point anyway, so let us leave it at that.

Retrospective on the SMS Scam 2 and Pop-up Scam
Looking at all the bits and pieces found in the browser requests involved in these two campaigns, I can see they are being delivered by “National Research Rewards”. They are a service provider whose mission is to get these offers into the hands of people. If we take a look at their website, we can see how they operate pretty quickly.

pop-up scam rewards

If it’s still not clear for you, this is directly from their support page:

“How can you give away free rewards? The Silver, Gold and Platinum advertisers are willing to pay us for the new users that sign up for their product or service. The premium that they pay offsets the cost of the reward.”

Basically, advertisers pay this company for every new user they get to sign-up to the advertiser’s service and maybe after you sign-up to enough services, you may get the supposed iPhone.

We have touched on a very specific kind of scam/attack whose end goal is to have you directly pay for something as a service. There are also plenty of other scams that rely on getting direct communication to you. It’s important that we are aware of them so we can better protect our online lives.

Since I’m a bit of a privacy advocate, always remember this tip: The first step in staying secure online is to be mindful of everything you do online. Online security starts and ends with you. The user is often the most insecure link, and the easiest to target.

Now that we’re warmed up, let us talk a bit about other types of scams:

Phishing

This is the most common attack you will encounter online. You receive a message, usually in the form of an email, from someone pretending to have authority. It may be your bank or some other entity saying that there’s an issue that requires urgent action from you. You also get a URL to click that asks for confidential information. Once input, the information is stolen. We touch on Phishing scenarios quite a bit on our blog so please have a look at our phishing attack examples.

Key phishing takeaway: verify the elements you can directly see, such as the URL and the green padlock to try to understand if you are on the legitimate website and if the data being transmitted is secure.

99% of the phishing pages that you will come across can immediately be identified as phishing by looking at the URL you are visiting:

Phishing Scam URL

The Donation Scam

This is one that many of us witness quite often, but do not notice. Someone claims to be in dire need of a donation due to a life-threatening situation for themselves or a small child. It is important to note that some of these claims could be real, but there’s a large number of fake claims. The scam may attempt to contact people directly either by SMS, Facebook posts, or fundraising websites like GoFundMe.

Important to note: this scam can also take the form of catfishing, which we will touch on next.

Catfishing

A catfish scam is when someone creates a fake online profile with the intention of deceiving someone and getting something out of them (usually money). This can also have more targeted goals like getting information about a company. This scam falls right into the category of social engineering.

After the profile is created and the target(s) located, the scammer engages in communication in an attempt to pique that person’s interest. They create a virtual relationship with the target(s) and then attempt something similar to the Donation Scam, where a scenario is created and the person claims to have a sudden need for money.

Important to note: the scammer operating this can be more than one person. They can be a criminal enterprise where multiple people are involved.

Let’s go over a practical and real example:

Let’s say that the scammer is named Nicole. Nicole sets up an online profile and uploads some photos on it to be more appealing to the potential targets. This part usually works best if the pictures are of the actual scammer as it helps when it comes time for video calls etc. This gives the scam a lot more legitimacy and makes it easier to pull off.

From there, she engages with the target and they develop a form of virtual relationship. This step can take a varied amount of time, from days to weeks, or even months as she tries to ensure that the target will cooperate with her plans.

As they start to get closer, she arranges to meet with the target so that the target becomes excited. (This is a common denominator of many kinds of scams. They get you excited about something so that you stop thinking clearly. When the actual trap is laid out, you are not noticing the red flags.)

Right before that meetup is supposed to happen, she lays the trap. For example, she says she has a child who is now in the hospital with very high medical bills that she cannot pay.
Immediately, the target would offer help in any way they can, usually monetary, and this is where the scam happens, because there is no child in need of help.

This kind of scam can drag on for a long time, involve multiple money transfers, have different targets at the same time, and even involve a 3rd or 4th person who is supposedly a “relative” of the scammer to give it extra credibility.

Key catfishing takeaway: Be cautious when someone you have never actually met starts asking for money. Remember the common denominators to try to properly determine if it’s a scam or not.

Sextortion

Similar to catfishing, a very common scam on social media, particularly Facebook, is the sextortion scam.

The way it works is very simple:
You log into Facebook and find a new friend request notification. You check out their profile and are greeted with an attractive picture. If your gut tells you that this is too good to be true, you’d be correct.

Phishing Profile

The way the scam works is very simple:
Once the friend request is accepted, a line of communication is established between the victim and the scammer.
They begin exchanging illicit messages and engaging in explicit conversation, then set up an audio or video call with you or just ask for videos to be exchanged. These videos or audios end up being explicit as well.
What you don’t know is that they are recording everything that is exchanged between the two parties.

Once they have enough incriminating evidence, they threaten to tell the victim’s spouse or family about the illicit messages and demand a ransom, effectively blackmailing the victim. Some victims of this scam have reportedly been driven to suicide.

Preventing this scam is in its essence quite simple:
In addition to doing due diligence in not accepting friend requests from people you do not know, you could also just not be unfaithful to your spouse.

You may think that this looks similar to catfishing, but there is one small difference: catfishing’s objective is to get the victim to willingly give the scammer something, while sextortion has the clear objective of extorting or blackmailing the victim.

Cold Call Scam

A popular cold call scam involves someone claiming to be technical support from a computer company like Dell. They say they have received information telling them your computer is infected with a virus or hacked. They offer to remotely connect to your computer and fix the problem. Additional information about this type of scam is found on Dell’s website.

In recent years, this kind of scam has evolved from just getting access to your computer to install malware, to other kinds of objectives. They may try to steal your personal information. It could be in the form of a call from the IRS requesting your Social Security Number (they never call). It could be someone claiming that you have a refund waiting to be processed, but first they require your assistance logging into your banking website. From there, they could take control of your accounts and syphon all your funds or carry out several other kinds of actions.

Key cold call scam takeaway: If you receive a call you are not expecting, put in your due diligence to verify the legitimacy of it.

One good method for this is to reverse what companies do to verify you. Ask the caller for information about you. You can also contact that same company through an official channel to verify the legitimacy. This tactic can also be easily applied to scammy text messages.

419 or The Nigerian Prince

419 or the Nigeria scam gives the impression that you can gain a large amount of money just by providing your bank information. The scammer claims they will then deposit the money into your account or you need to deposit money into their account. In reality, the bank information is used against you or the deposits you made are kept with no reward. You can read more information about this directly from the FBI’s website.

Chain Mail

Usually harmless, this scam spreads through emails that tell people if they forward the email to all their contacts, they will get money back from someone like Mark Zuckerberg.

This email can be just to create publicity for something, but it can also have a scam within itself such as making people share some personal information or sign up to something. This kind of scam is not very common and is usually picked up by email providers’ spam filters.

Online Survey Scams

Online survey scams are survey sites that say they offer money or gift vouchers to participants. This is a type of social engineering scam that asks the victims to fill in a survey with the promise of a large sum of money or other kind of gift. But the objective of the scammer is to steal your information or to install malware on your computer.

This kind of scam usually has a few immediate tell-tale signs that make it easy to identify:
1 – They ask for money up front. This usually takes the form of you being asked for money to take part in further surveys or even receive the information about them. It can also just offer to give you money before you even do anything at all.
2 – You are offered too much money. Many survey scams will offer you over $20 or even an iPhone per survey completion. Real surveys only go as far as offering you the chance of entering into a drawing to maybe win that $20.
3 – They want to pre-qualify you with hundreds of questions. Some surveys ask you to respond to a few hundred questions before even telling you if you qualify for any sort of reward. These questions have only one intention: stealing your information. After you fill everything in, you find out that you did not qualify for any kind of reward and think that is the end of it, but all the information you entered has been stolen and will be used to attempt to steal your identity, or your data will be sold to advertising agencies.
4 – They can ask you to install some program or sign up to some service at the end. Before telling you whether you qualify for or will receive any reward, some surveys tell you that you have to install a program or subscribe to a service to qualify.

Fear Test: Blue Whale Game / Momo Challenge

By now, many people have probably heard of the blue whale game or the Momo challenge and the effects it has had around the world. This is something that can be easily classified as a scam.

The story goes that users (often young adults or children) are targeted and lured into playing a game with different challenges. They start very simple, like “watch a horror movie” or “wake up at 4:30 AM” and get progressively darker.

Ultimately, the victims are asked to commit suicide as the final challenge to win the game. It is unclear whether the “game” has resulted in anyone taking this action. Some believe it to be a hoax with an ultimate motive of stealing sensitive information from the players.

Purchase Scams

During the pandemic-induced down time of the past two years, online purchases have skyrocketed. For the secondary market and scammers, this is a perfect combination of factors to score big.

This scam can take many forms and depends on:
● the country it’s being done in
● its secondary markets
● payment technologies available to users

It can be as simple as a scammer buying something on the secondary market, and saying he’ll only pay after receiving it. It can also be a seller who says he’ll only ship after he’s been paid, but then doesn’t end up shipping anything.

These types of scams often become far more prevalent during times when certain items are in short supply. For example, when Nintendo Switches were completely unavailable to purchase in early to mid 2019, many scammers posted fake sale pages on item exchange boards and demanded that the victim pay using a method where refunds were impossible and the payment could not be linked back to them. If a seller demands that you use a payment platform that is not the norm, be wary.

Recently some governments have caught up with these kinds of scams and have been implementing more digital mechanisms like mobile applications to make the payment process easier and more digitally based. They have also been working together with post offices to allow buyers to pay after they have verified the state of the item, while in the presence of an official from the post office. This ensures safety for both the buyer and the seller.

Many of the usual common denominators here still apply. If a price seems too good to be true, it probably is. The scammer will attempt to reassure you (almost too much) that everything is fine. They will apply a sense of urgency and pressure to avoid giving you much time to think things through properly.

Fake purchases

There are variations of purchase scams, but they typically go like this: you purchase an item that you think is the real deal, but when it arrives, you find out that it’s a fake item. The degree of similarity with the real product that you intended to buy can vary. It can range from knock offs to complete rubbish. There is very little recourse for a buyer in this situation.

Fake medicine

Buying medicines online comes with a big risk of being scammed. You may buy a product but get something different, or the product may have different components than you wanted. Sometimes the medicine is a cheap placebo made with filler material like house plants or garlic. Other times, the medicine can be dangerous, cut with unknown substances and made with very little regard for consumer safety. Of course, like most scams that are related to purchases, if you buy it from an official representative or store, the risk of this happening is severely minimized.

Fake certificates and essays

We have recently talked about essay spam on our blog, but the art of buying something online that ends up being fake is so deep and vast that sometimes it deserves its own section.
Many of the shoppers of fake certificates and essays don’t really have the notion that what they are buying is fake and wouldn’t pass any kind of actual verification process, but this doesn’t stop the sellers and the buyers from going through with this.

Employment Scams

The recent rise of work-from-home situations and opportunities opens up a huge market for scammers to target. If someone is just now starting their journey into remote work, they most likely are not very experienced in the ins and outs of what to expect.

In this scam, a scammer will pretend to be from a specific company and target individuals open to employment opportunities in that sector. Here’s the example of a scammer approaching someone for a bogus job:

Employment Scam message

Nothing really stands out regarding this, except for the position of “Data Entry”. This is the sort of position that scammers lean towards. It is general enough for any potential applicant to have the skill set and could also have the possibility of being an extra job on the side.

This scam takes a page from a very old job scam about letter folding, where the scammer wants to hire you to fold letters and claims you will make loads of money from it. You just need to send them X amount of money so that they can send you the starter package.

Important to note: these scammers usually use the name of someone at the specific company they are pretending to be from. This is usually the person in charge of recruiting. They will generally attempt to make their email address look legitimate.

You may be asking yourself how you could protect yourself from this. Here are a few examples of the proper recourse to take if you are approached by someone:

Job scam message

Contact the supposed company through a different channel and confirm the supposed offer.

Unfortunately, people do fall for this because it’s a very touchy subject, and these scammers can sometimes spend an entire day “interviewing” an applicant, which is a major waste of time when someone is actively looking for employment.

Let’s break apart what happened based on the complaint below:

Job scam message

If they immediately want some information about you in order to send your home office equipment, before you have even signed anything, this is odd. The part about him being pushy is also quite odd. Remember, scammers always try to push you in some way, either by putting a time limit in place, or by trying to rush things along.

The above comment also shows how the scammers have no consideration for their victim’s personal circumstances. No one is off limits if they can help the scammer’s bottom line. In the end, the scammers may just want to harvest your information to steal your identity, or they may ask you to send them “initial expense” money that will be “reimbursed” at the end of the month.

In a scenario like this, if you did not approach the company and you were approached, reach out to the company through another channel to confirm the validity of the job offer and the employee who contacted you.

If the offer is the real deal, the company in question can only appreciate your vigilance.

You can see more information about this scam in a warning released by the FBI: FBI Warns Cyber Criminals Are Using Fake Job Listings to Target Applicants’ Personally Identifiable Information

And here you have another case posted by the Edmonton Police Service: Online Employment Scams – Frauds

Non-Online Scams?

We have touched on several types of online scams, but there are also several offline scams that can take place in your everyday life. Many people have probably seen cards like these:

Parcel scam example

It looks legitimate and is even addressed to the target by name, but there is one red flag here. The notice tells you to call a number to pay. Today, we have multiple ways of paying for things, including just going to the post office and paying in cash. Having only one option available doesn’t make much sense.

In this case, if the person called, the scammer would ask for a certain amount of money to supposedly “free” their package. Then, the victim would eventually receive an item of very small value.

Why do the scammers actually send something? This is most likely just to keep the fact that this is a scam on the “down low”. If the person received nothing, they would complain about it and even talk directly to the USPS. Since they actually received something, they are less likely to complain, even though the amount they paid the scammers greatly exceeds the value of what they received.

Once the scammers have a target that was successfully scammed, that information can be sold or shared with the “scammer network” to allow for other scams to try to target that victim.

This scam is a perfect example of what scammers can attempt through other means of communication. These methods can give scammers more “credibility” in the eyes of their targets.

Misinformation

Misinformation can be a similar situation. Whoever is spreading it does so purposefully, with the objective of creating chaos to rally people behind him and get them to give money for his cause or product, or it could be a personal vendetta with a longer game.

A common element of this kind of scam is that the information is presented as if it were true. It is usually a very controversial or even ridiculous argument. One key point that is vital for misinformation to spread successfully is having multiple people spreading it. Like the chain mail scam, this information doesn’t need to be verified. The more outrageous the argument, the greater the chances are that people will just forward it to everyone they know.

Misinformation spreading or fake news is probably the biggest scam we face today and it is probably the hardest one to spot. Even reputable news agencies can fall victim to this, unless they spend quite a bit of time vetting each piece of information that reaches them. This is time consuming and can be quite expensive, and in a time where people expect free news, this is a very tricky situation.

Let’s go over a practical example of how fake news that is seemingly inconsequential can have a large impact:

A scammer goes on social media and says that your local grocery store chain is giving a special discount of 70% off on electronics to the first 300 people who go there without a mask to celebrate the vaccines. They would even have a nice-looking banner on the post to make it look legitimate.

At first glance, this would seem perfectly reasonable. Many people wouldn’t think twice about it and would go, but this is fake. The grocery store is giving no such discount, but at this point it is already too late and there are thousands of people at its doors wanting to claim the discount. At a time when social distancing is still recommended, this is a bad scenario.

Why would the scammer do this? Well, there can be many reasons. Maybe he just wants to have his post forwarded to as many people as possible. Maybe he doesn’t believe the virus is real and wants to create a social experiment to try and prove his point. Maybe he just wants to sit in a chair outside the grocery and eat some popcorn while enjoying the chaos and anger of the shoppers when they realize the promotion was fake.

For another quick example of the power of misinformation, take Dominion voting machines during the 2020 election. There were accusations by the media that the machines were not trustworthy because they claimed the software had been developed for Venezuela’s prior president Hugo Chavez. Despite this being patently untrue, the wildfire had been set. Dominion voting systems not only lost countless contracts, but its employees faced death threats. They are now working through court suing for defamation charges. Despite the claims being specious, it did not stop the damage to Dominion’s reputation from happening.

If I said that I had secret documents that show illegalities that some company has been doing and I share that accusation across social media and it gets picked up by the news outlets, it will not matter whether I ever present the evidence. The targeted company will have had their reputation damaged, regardless of the truth of the accusation.

How to avoid getting scammed

We have touched on a broad spectrum of scams and their characteristics, but the most important take-away is how to avoid them.

Unfortunately, there is no easy answer. Scammers are constantly finding new ways to scam people, but there tend to be a few key identifiable indicators of scammer behavior.

Scammer Behaviors

They approach you. This is simply because it’s more efficient to find your targets than to let your targets find you.

They tell you to go to some link or call some number. Most scams ask you to click a link with no apparent connection to the company or call a phone number, where you are then asked for personal information or payment.

There is a time-sensitive situation. Scammers try to get your lizard brain to look past reason by creating a deadline on a subject that you would want to resolve ASAP. This can take many forms: a prize or a refund waiting to be collected, an emergency, or even a package that needs to be cleared from holding.

They have exactly what you need or better. The scammers always have exactly what you are looking for, or they have even more than that. They offer something that seems too good to be true.

They pressure you. They need to pressure you so that you don’t have time to think or notice the warning signs.

They get something from you first. A scam always ends up giving something to the scammer, be it your information, or a financial incentive. They always get something from you before you can cash in on your prize.

Their language usage is not the best. Most scams are run out of a country that is not the same as the target’s country. In most cases, the scammer’s language usage will have clear errors that a native speaker can easily identify.

Some scammers exhibit all of these indicators, some have a few. Common sense plays a big role in properly identifying what is a scam and what isn’t.

So now let’s go over a few things you can/should look for to keep you as safe as possible.

Smart Consumer Behaviors

Avoid unexpected links, especially if they arrive in an SMS or a strangely composed e-mail. On smartphones it’s harder to see the complete URL, which makes these devices particularly susceptible to scams that rely on you opening the link on mobile.

Check the URL. If you follow a suspicious link for any reason, check if the URL seems to have any relation to the company in question. Are they asking for too much information? Are you receiving conflicting information on that website? If you are, then it is a red flag.

Take a moment before going through with the action, be it sending money or filling in an online form that was sent to you.

Google it. Check if anyone else has been reporting similar issues to allow you to better assess the situation.

Don’t rely on the green SSL padlock to determine if the site is trustworthy or not. The green padlock only secures the communication. It doesn’t mean that the site is trustworthy, or that your data is secure.

Verify the information/contact directly with the company by reaching out to them through other means.
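The “Check the URL” and padlock points above can be turned into a small script. This is an added example, not part of the original article; the company domain `example-post.test` and the sample links are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def link_warnings(url, company_domain):
    """List the reasons a link does not clearly belong to company_domain."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    company_domain = company_domain.lower()

    # HTTPS (the padlock) only protects the connection; it is checked here,
    # but it never clears a link on its own.
    if parts.scheme != "https":
        warnings.append("not https")
    if not host:
        return warnings + ["no host in link"]
    # In https://brand@other.example/ the browser goes to other.example.
    if parts.username is not None:
        warnings.append("text before '@' is not the site")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass
    # Punycode or non-ASCII labels can render as lookalike letters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("host may use lookalike letters")
    # The company's name must be the END of the host, not the start of it.
    if host != company_domain and not host.endswith("." + company_domain):
        warnings.append(f"host {host!r} is not under {company_domain!r}")
    return warnings

# Constructed sample links; "example-post.test" is a made-up company domain.
SAMPLES = [
    "https://tracking.example-post.test/parcel/123",
    "https://example-post.test.parcel-fees.example/pay",
    "https://example-post.test@parcel-fees.example/pay",
    "http://198.51.100.7/pay",
]

if __name__ == "__main__":
    for link in SAMPLES:
        problems = link_warnings(link, "example-post.test")
        print(link, "->", problems or "looks related to the company")
```

An empty result only means the host name matches the company; it says nothing about whether the page is asking for too much information.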

I’ve been scammed, now what?

The first thing to do if you have been scammed is to determine what exactly the scammers have taken from you. Was it money? Was it your personal information? Was it something else?

If you provided your credit card information, cancel your cards. If you provided information like your social security number, then identity theft could be a possibility. Go to the FTC’s website on IdentityTheft. There, you can report information on the exposure you experienced, be it bank information, social security number, credit card, online login and password or even information about your children. After you contact the FTC you can also contact the Internet complaints department of the FBI.

If there is one silver bullet to keep most scams at bay, it would be to tread cautiously. Let’s imagine that your online life is a car: as long as you keep it locked and don’t drive around bad neighborhoods, your chances of getting it stolen are greatly diminished. The same applies to the web. If you keep your accounts secure and stay away from shady spaces, you are safer by a great margin.

Credits

Security Contributors:

Cesar Anjos – Author
Security Researcher

Ben Martin
Security Researcher | @_jamsec

Ashley Sand
Technical Account Manager I | @ashley_sand

Allison Bondi
Marketing Specialist

Madiha Munawar
Graphic Designer | @Maddie_318