Funeral Notification Email Phishing Scams

There seem to be endless variations on phishing scams, but the goal is always the same: to convince victims to click on a link that takes them to a different website than they were expecting. Sometimes that website is designed to harvest personal financial information, sometimes it is set up to infect victim computers with malicious software, and sometimes it does both.

One variation is the fake funeral notification. A message with the subject line “Funeral notification” will appear to come from a funeral home, informing the recipient of the death of a friend and instructing him or her to click a link for visitation times or other information. If the link is clicked, the victim is directed to a website that attempts to install malware.

If you get such an email out of the blue, do not click any links. If you think it might be real, do a web search for the contact information of the funeral home the email appears to come from, and call them to find out if they sent the notification. Don’t call any phone numbers from the email itself.

There are other ways to spot this scam up front, though. If it does not contain the name of the deceased, and instead only refers to “your friend,” that’s a sign that it’s a generic email being sent to lots of people. Also, how would a funeral home have a list of a deceased person’s email contacts in the first place? They might publish a notification on their website, or publish viewing times in the local newspaper, but for the most part it’s up to the family and/or friends of the departed to contact individual people.

Here’s What a Debt Collection Scam Call Sounds Like

I was able to get my hands on the audio from an actual debt collection scam robocall recently, and it’s kind of interesting to listen to and pick apart.

Here is the audio, left on a friend’s mobile phone:

And here is a transcript of that voicemail:

[sharp inhalation] Yes! This is Jessica Thompson. I’m calling in reference to your federal student loan. Um, I need to discuss your repayment options with some new changes that have taken effect recently, so… [sharp inhalation] If you could please [unintelligible] just give me a call back, my number is 866-371-3232…um, I’m gonna go [ahead] and give you a reference number, if you would have this number handy when you call back, it just makes things a lot easier. Your reference number is 909902. Thank you.

A few points about this robocall:

  1. The caller never states the name of the organization calling. Is it a lender? A collection agency? The federal government? Is Jessica Thompson an independent student loan wrangler?
  2. If you search online for the phone number (in quotation marks) along with the reference number (also in quotes), you’ll find a lot of people who have received this exact same message with the exact same reference number. You’d think the reference number would be unique to each individual.
  3. It ends with a little bit of “electronic noise” (including a small beep) that wouldn’t usually occur with a live caller, which is a sign of a prerecorded robocall.
  4. Most telling of all: the person who received this has had their student loans, federal or otherwise, paid off for around 13 years now.

In any case, if you get a call like this, it’s safe to hang up or delete the voicemail. It’s nothing but a phony debt collector.

How to Identify a Debt Collection Scam

Debt can be unpleasant even if you’re making your payments in a timely manner without much trouble. It can become especially unpleasant if something interrupts your capacity to repay, because it doesn’t take long for the calls from debt collectors to start. Even if they’re courteous and helpful, being reminded that you owe money is seldom fun.

However, debt collectors are a reality, and they serve an important purpose. They are also required to play by certain rules, on both the federal and state level. Most states require a license. And there are a LOT of fraudulent debt collectors, who either use personal information gleaned from data breaches and other sources, or who simply make cold calls to random people, in hopes of frightening someone into sending a payment or two.

How can you tell the difference?

First, know what you owe. Go to three times per year and download your credit report from one of the three major bureaus (Experian, Equifax, Transunion)—they should all have the same information, so it doesn’t matter which one you choose when. Use these to check for errors, but also use them to keep abreast of your actual debts. That way, if someone calls with a claim that you owe an unpaid amount, you will know whether or not they’re telling the truth.

Fraudulent debt collectors almost always use fear to motivate victims into paying up. One way is by threatening the victim with arrest, sometimes by claiming to represent some arm of the criminal justice system. Remember that local, county or state police officers do not make phone calls on behalf of lenders seeking to recoup an unpaid loss. Nor do FBI, CIA, ATF, DEA or Homeland Security agents, or judges at any level of government. As soon as the caller claims to be one of these, or tells you that the cops are on their way to your house, hang up and move on with your life—it was a scam.

Some of those rules I mentioned earlier have to do with how a debt collector is allowed to address you over the phone. A legitimate debt collector is not allowed to threaten or harass you in any way, and they nor to use abusive or profane language. They’re not allowed to call before 8 in the morning or after 9 in the evening, and if you ask them not to call again, they’re required to stop. (That doesn’t mean the debt is gone, though…you’re basically saying, “I know I owe this amount, but you calling every day isn’t causing money to magically appear.”)

Any violation of these is a sign that something isn’t quite right, and of course if you know you don’t have any outstanding debts, or are aware of exactly how much you owe and to whom, it’s easy to spot the deception when someone calls out of the blue.

Choosing Answers to Online Security Questions

When you set up online access to a financial institution or credit card company, many of these providers include a step in which you pick from a list of two or three “security questions” and then type in your own answers.

It’s an extra authentication step, so that if you log in later from a different computer or location, the system can show you one or two questions as a safeguard to make sure you’re the person who is supposed to be logging in, and not someone trying to gain unauthorized access.

However, there are a few important points to be made about the way you answer these questions. First, they’re usually case-sensitive. If you type in “Sycamore Street” and then try “sycamore street” later when the question pops up, it’s going to reject your login. You have to remember exactly how you typed it the first time.

More importantly, however, is the fact that a lot of the answers to these questions may not be all that obscure due to the widespread use of social networks like Facebook. How many people have posted photos of their first car online? That’s one of the more common security questions. There are even images that look like fun, nostalgic discussion prompts, but might actually be social engineering campaigns designed to get large numbers of people to publicly reveal security question answers. Some of these ask about first cars, streets grown up on, or schools (revealing mascots, school colors, etc.).

The first thing is to avoid commenting on such items when they make the rounds on Facebook. Make sure your profile is set to that only friends can view your posts, in case you want to put up any old photos.

But also remember this: nobody says you have to answer security questions honestly.

As long as you can remember your answers, there is nothing stopping you from typing “Batmobile” for your first car, or “Electric Avenue” for the street you grew up on. You can even answer the questions as a favorite fictional character, but it might be a good idea not to pick too popular of one…if you’re a known Harry Potter fanatic, “Privet Drive” isn’t going to be very obscure if you’re answering as the title character.

Of course, you also have to remember which fictional character you’ve answered as for each website. The real point is, anything you can do to make your security question answers harder for someone else to guess (but still easy to remember yourself) can help prevent unauthorized access.

Why You Can’t Keep Funds from a Bad Check

We sometimes get questions from members who deposited a check that turned out to be fraudulent (such as a counterfeit check used in some form of overpayment scheme), or was returned for non-criminal reasons (nonsufficient funds being the most common scenario). The question is: “Why don’t I get to keep the funds?”

The short answer is: because there were no funds to begin with.

The longer answer has to do with what a check is, and what happens when one is written and deposited.

A check is essentially a symbol of money. It is not money itself—even in the old days when a cashier’s check was assumed to be “as good as cash,” a check was still a symbol.

(If you really want to get into it, money is also a symbol, of stored labor or stored value, but that’s outside the scope of today’s article.)

I’m going to oversimplify and leave out the details like electronic transfers and intermediaries, but the story is pretty much as follows. We’ll start with the standard-issue case with no problems: Person A writes a check to Person B.

At the start, Person A has money in an account at Bank A. He writes a check to Person B, who takes it to his Credit Union B.

At Credit Union B, the check is taken in, and a deposit is made to Person B’s account. However, Credit Union B does not make all of those funds immediately available from that check, because it needs to make sure the check is good first. A “hold” is placed on some or all of the funds, depending on if the check is local, non-local, the type of check, etc.

Credit Union B presents the check to Bank A, who looks at Person A’s account and says, “Yes, these funds are available.” Bank A gives the money to Credit Union B, who then makes the funds available to Person B. The money has now successfully moved from Person A to Person B.

Now let’s see what happens if a check is fraudulent.

Person A writes a check to Person B. The check appears to come from an account at Bank A, but in fact Person A has simply created a fake check on a computer. He has no account at Bank A whatsoever.

Person B presents this check at Credit Union B. The check is deposited, and the standard hold is placed on the funds. Credit Union B presents the check to Bank A, who responds, “No, this account does not exist, and we have no customer with that name.” The funds are NOT transferred from Bank A to Credit Union B, and the hold is NOT lifted from Person B’s account. The deposit is reversed. When Person B calls to ask why it’s taking so long for the check to clear, he will find out that the check he deposited turned out to be counterfeit.

And here’s the real kicker: if Person B took out funds equal to the amount of the check, either because he already had enough money at Credit Union B to cover the amount, or because he bullied a teller into lifting that hold prematurely (it used to happen quite often!), that cash is now lost. If he simply held onto it, no harm done: he can re-deposit the money. If he wired it back to Person A, or spent it himself, it’s gone. If his account has been drawn negative, he now owes money to Credit Union B, because he essentially withdrew funds that did not exist. He doesn’t get to keep it because it was never his to begin with—money cannot be created out of nothing.

From Credit Union B’s perspective, Person B came in with a check that turned out to be fraudulent. Bank A will never cover that check, because all Bank A did was exist for Person A to create a fake check for. Credit Union will not cover it, because from their perspective, here is what it saw: Person B presented a check that turned out to be fake.

Credit Union B did not see Person A make that fake check, or give it to Person B. Person B might have made that fake check himself, or even fabricated Person A from whole cloth. If Credit Union B gave Person B money for a fake check and then said “oh, just keep it,” nothing would stop Person B or anyone else from simply making fake checks, cashing them, then claiming to be a fraud victim and keeping the money.

Check holds absolutely exist to protect the financial institution that places them, sure. But they also absolutely exist to protect consumers from taking out nonexistent money, and ending up on the hook for thousands of dollars.

Avoiding Pet Adoption Scams

Emotions can be manipulated, and every scammer knows it.

Usually, they go for fear. Sometimes, they try greed. But pet adoption scams target a different set of feelings: love for animals, sympathy, and the instinct to want to take care of something.

These scams tend to follow the same pattern: put a listing on the internet for a puppy that needs a home, convince everyone who answers the listing to wire money (repeatedly if they can), disappear.

(For whatever reason, these scams usually involve puppies.)

The short version of avoiding these scams is this: only adopt locally. If you can’t see the animal in person, and meet its current caretaker in person, don’t do it.

Getting into the details a bit more, these fraudulent ads will usually be posted on classifieds websites or social networks. Sometimes they entice victims with a too-good-to-be-true price (a couple hundred dollars for a purebred), or after a few emails, tell the victim they need only pay for the dog to be transported on an airplane.

In any case, payment will be requested either by wire (Western Union) or by prepaid gift card, where the victim purchases the card and then relays the numbers to the scammer.

In some cases, it ends there. In others, the scammer will create new complications that need to be paid for in advance; the puppy needs shots before traveling, they need to purchase an expensive crate, there is a third-party courier involved, etc. They’ll say anything to get the victim to continue sending money until the point when the scammer disappears entirely.

Not all online pet adoption listings are fraudulent, but stick to local listings only, or contact a local organization that helps find homes for pets. Any stranger asking you to wire money or purchase prepaid gift cards is trying to take your money. There are plenty of people looking for pets everywhere—there is no reason a dog would need to be flown thousands of miles to find a home.

Remember: The IRS doesn’t threaten you with arrest over the phone

As April 15th nears, fraudulent IRS robocalls are bound to proliferate. Many of people get a tax refund around this time of year, and the scammers want a chunk of that money for themselves before it gets used for something else.

Consider this your yearly reminder: if someone claiming to represent the IRS calls you, informs you that you owe unpaid taxes, and then threatens you with arrest if you don’t pay up, that’s a scam.

Every single time.

Just hang up the phone.

Every single time.

The IRS doesn’t call people on the telephone as a first point of contact—if someone does contact you by phone, it’s regarding an issue you are already aware of and are in the process of resolving.

They also don’t keep the police waiting on the other line, ready to storm your house as soon as they get the word that you didn’t pay.

They also also don’t accept payment by wire transfer, prepaid gift card, iTunes card, or over the phone with a debit or credit card.

(They’re really not even all that big on throwing people in jail, other than for crimes related to tax evasion. If you owe money, they want the money.Putting people in jail would be counterproductive.)

Don’t let anybody trick you into a fear response over the phone.

Fraudulent Calls that Don’t Make Sense

I am going to present a few fraudulent phone call scenarios that exist in the real world and that claim numerous victims, and you see if you can determine what the scammers are doing that actually doesn’t make sense if you stop and think about it:

  1. A caller claims to be a Social Security Administration representative calls and warns you that your benefits are about to be suspended because of some problem or other. The caller ID shows the correct SSA customer service line. She needs you to verify your Social Security number in order to fix the issue.
  2. A caller claims to represent a credit card company. He says that your card has been deactivated due to suspicious activity. In order to get your card working again, he needs the card number, expiration date, and three-digit code from the back of the card.
  3. A caller claims to be a Medicare representative and informs you that your benefits are going to be suspended because of an issue. Before he can fix the problem, he needs you to verify your Medicare ID number.

Did you catch it?

In every case, the caller is asking for a piece of information that the claimed agency or company would already have…because they created that piece of information in the first place.

  • The Social Security Administration has your Social Security number. They’re the ones who assigned it to you.
  • Your credit card company assigned your card number and other details to you. They already know it.
  • Medicare already knows your ID number because they gave you that number. If there’s a problem with your account, it’s one piece of information they don’t need.

(You could also make the more general observation that these all involve a stranger attempting to alarm you and then asking for personal information, but these specific questions should really tip you off that the caller is not who he or she claims to be.)

Blood and Cocaine Discovered in Your Rental Car (in Texas)?

There are endless variations on the “scare someone over the phone so they give up personal information” scam motif, and most of them are pretty familiar at this point, but every now and then a new angle emerges. This is one.

The scam involves someone posing as a law enforcement agent (usually FBI), calling to inform the victim that they rented a car in Texas, and that the car was found with blood and cocaine inside. The victim is then pressed to give details such as his or her Social Security number, financial account numbers, and so on.

There appears to be another version in which the caller claims to be a Social Security Administration representative, and in addition to the car filled with evidence, they have also found an offshore account in the victim’s name holding a large amount of cash, and that his or her Social Security benefits are going to be suspended. The caller then proceeds to attempt to wheedle the same personal information from the victim.

Regardless of who the caller claims to be, these features appear to be repeated in every case:

  • The car was allegedly rented in Texas
  • Police found blood and cocaine in it
  • We need your Social Security number

These are the details currently used in the scam, but don’t be fooled if they eventually change Texas to Florida or cocaine to heroin (I have a feeling the “blood” part is going to stay…”you’re a murder suspect” is almost guaranteed to get a strong emotional reaction).

Remember these points:

  • If a stranger is trying to make you afraid, then asking for money or personal information to make the fear go away, something isn’t right.
  • The Social Security Administration already has your number. They’re the ones who gave it to you in the first place. Law enforcement agencies easy access to it, too.
  • If the FBI really finds blood and cocaine in a car associated with you, they’re probably not going to call you on the telephone.
  • While the SSA does make phone calls, it’s not generally the first point of contact, and it’s almost always going to be regarding an issue already known to the person receiving the call.
  • This scam hinges on fears about identity theft—most people’s first reaction is “I didn’t rent a car in Texas!” and then make the connection to identity theft themselves. Recognize the tactic for what it is.

Money-Flipping Scams

The “money-flipping scam” started appearing on Instagram and Facebook, among other places, a couple years ago, but given most social networks’ track record when it comes to deleting fraudulent accounts, I’m sure it is still around.

It works like this: someone will claim to have access to a “flaw” in some monetary transferring system, usually Western Union or one of the prepaid debit card providers. All they need is for you to give them $100, wait few minutes, then they will send you back $1,000 (sometimes $300, but usually they go for the larger amount in the pitch).

That’s the whole thing. And you can guess what actually happens: you wire money away (or load up a prepaid card and reveal the digits to the scammer), then you don’t get anything back, ever.

There are a few things to know. First, there is no “flaw” in any of these systems that allows someone to just create money out of nothing. More than any other error, these payment systems are designed specifically to not allow that. Even money that’s been turned into ones and zeroes in a computer has to come from somewhere, and their entire business depends on outgo not suddenly being ten times the input.

Second, if there was a way to make this happen, you would be attempting to commit a crime by exploiting it. There is a persistent myth that any error by a financial provider (like the old “large deposit went into the wrong account” tale) entitles you to keep the money, and it simply is not true. Even if you did find yourself in some magical realm where a software bug allowed this scheme to work, you’d better be able to pay back that $900 when the error was discovered. They’ve probably got Loss-Prevention Wizards working for them over there.