Tag Archives: Scams

Watch out for fake utility workers

It seems like as good a time as any to once again remind everyone to beware of burglars posing as utility company workers.

The usual setup starts with a knock on the door. The person standing on your doorstep claims to work for the electric or gas company, telephone company, or some other utility. They tell you they are in your neighborhood working on some or other problem, or performing routine maintenance, and ask to be shown to your circuit breaker (or whatever piece of hardware makes sense). Often they’ll even look like a real utility company employee, with a clipboard, nametag and possibly even a uniform.

While you’re showing them to the circuit breaker-or-whatever, an accomplice you didn’t see slips into your house looking for valuables or money.

It doesn’t really matter which type of company they claim to represent, the important thing to remember is that if a utility provider is going to need access to the inside of your house (which they almost never will), they will contact you ahead of time. They will not show up unannounced.

If someone is at your door and you were not contacted in advance, ask to see a badge or official identification, which they should gladly provide. Then politely ask them to wait while you close your door, lock it, lock any other doors, and call the utility company to ask if they’ve sent people to your house. Whatever you do, don’t let them in or call them out on being a crook. This type of scam differs from most in that it involves actual, physical proximity to the perpetrators, which can put you in danger of bodily harm.

Utility worker scams often target senior citizens, so make sure your friends, family and neighbors are aware of this type of crime, what to watch for and how to respond.

Beware of unsolicited offers

The phone rings. A caller identifies himself as representing a well-known and trusted local business. He’s calling to offer you a discount on their services.

“Hey, great, I need those services anyway,” you think, and agree to the offer and arrange for the work to take place.

And another scam is set in motion.

It’s been happening here in Northwest Indiana. A heating/cooling contractor from Illinois (with an F rating at the Better Business Bureau, maybe not-quite-incidentally) has  apparently been calling homeowners and claiming to be a well-known local business (with an A+ rating, also maybe not-quite-incidentally), with an offer for discounted duct cleaning. Workers show up, perform a shoddy duct-cleaning, then ask for more than the agreed-upon price.

So my fraud prevention tip today is this: be wary of unsolicited offers from local businesses. If you get a call, make sure to double-check with the actual business before you agree to anything. Use an official, published number from the real company’s website or trusted online source (or the phone book, if you didn’t just carry it directly from your front porch to the recycling bin) instead of the number that shows up on caller ID or the number given by the caller. If there’s a discrepancy, it could be a different (and unscrupulous) business posing as the real one.

Play Along at Home: Fake Target ‘Order Confirmation” Email

Here’s a picture of a fake “Order Confirmation” email I received recently. How many clues can you spot that indicate something is not quite right?


Here’s what comes up if you hover the mouse over the word “link”:


How many fraud indicators did you find?

Here are the ones I found:

  1. Very vague subject line: if this were an actual delivery confirmation, the subject line would usually refer to it in some way. It wouldn’t just say “Order Info.”
  2. The “From” information: support@yummy.cookiesmadeeasy.com is not a Target email address.
  3. The logo is wrong. No bullseye anywhere.
  4. “As Thanksgiving nears…” Thanksgiving was a couple weeks ago. Wrong holiday, dummies.
  5. The (attempted) conversational tone of the email: if you had an actual order to pick up, the email would begin with this information. Whichever holiday is approaching is absolutely irrelevant (for the store) to the fact that they’ve got merchandise they want you to pick up as soon as possible.
  6. The excruciatingly bad grammar. Go ahead, read it out loud. It’s beyond horrid.
  7. This isn’t even how in-store pickup orders work…the customer chooses which store to have their purchase shipped to, and that’s where it goes. That’s the only place it goes. You don’t just go to any random location because they don’t ship one to every single store when an order comes in.
  8. And what happens if I don’t “pick it” within four days? Again, not how online orders work.
  9. The stores aren’t called “Target.com.”
  10. When you get a real order confirmation email, the order information is almost always included in the message. You don’t have to click a link to get to it.
  11. Speaking of links: makingteamsrock.com? Not a Target website.
  12. “Always yours, Target.com.” Pretty sure they don’t refer to themselves as “Target.com.” Or use “Always yours” as a closing.
  13. Not one single item in the “privacy policy” line at the bottom is an actual link.

So, I found thirteen. Did you catch any that I didn’t?

New phishing attack poses as PayPal email…

…and it’s convincing.

I mean, I hate to sound almost impressed by some cruddy email scammer, but as far as “click here to log in and verify your account” phishing attempts go, this one is devoid of broken English, and uses information taken from a recent data breach at eBay to ratchet up the realism by using the target’s actual name. If there is a spectrum of phishing attacks that ranges from “laughable” to “frighteningly realistic,” this one falls much closer to the latter than the former.

The Consumerist blog has a full article that discusses it in greater detail. I strongly suggest you read it. In the example they use, the recipient only used that email address for eBay and PayPal, which added to the realism. It’s a good idea to have separate email addresses used only for online transactions because it helps weed out phishing (if you get a message on your OTHER account that supposedly comes from PayPal, you know it’s fake right away). However, as soon as there is a data breach, your specific-purpose email address can be targeted as well. My guess is that this guy is going to start seeing a ton of spam hitting his eBay/PayPal-only email, and he’ll have to abandon it for a new one.

At its core, this phishing attack was just another “click here to verify” attempt, but by using data from a breach, its success rate is bound to be higher than usual. It’s why you can never stop paying close attention to everything you click on.

Overpayment scams affect businesses, too

I thought I was onto some clever application of the “duck test” for the title of this post, about how “if it looks like a scam and quacks like a scam,” but I really couldn’t make it sound anything other than monstrously insane, so I dropped it and went with the title you see above.

Anyway, the old repayment scam has been explained a thousand times here, there and everywhere. You’re selling something on Craigslist (for example), and a buyer contacts you, usually from out of state. They send their payment, but instead of $200, it’s a cashier’s check for $3,200. “Cash it and use the extra for shipping, then wire the rest back to me,” they say when you contact them.

What happens next is fairly predictable: you cash the check, send the item, wire the excess money (thousands of dollars) to someone, then find out a week later that it was a counterfeit check and that you’re on the hook for the loss caused to your financial institution.

But did you know that scammers also target businesses with the same tactic?

And if you’re a business owner, you might fall for it because what might strike you as suspicious during a private sale might seem less so in a business context. I’ve heard of several cases where retail businesses, attorneys and rental property owners have been victimized by this scam.

However, the principle applies in every context, whether in a person-to-person or a business transaction: if someone sends you a cashier’s check and tells you to cash it and wire money back to them, you’re almost always dealing with a con artist.

How law enforcement doesn’t operate: scam alert from the BBB

If you live in the United States (I can’t vouch for other countries), there are certain ways in which law enforcement is carried out, and ways in which it generally is not.

Here’s one way law enforcement doesn’t work: if there’s a warrant out for your arrest, they usually don’t call you first and tell you.

Here’s another: if you’re accused of a crime, you can’t pay a fine to avoid charges (if you can, it probably means you’re bribing someone, and they’re accepting the bribe, and you’re both in a lot of trouble, mister. Bribing the police. That’s not right!). The fines (and other consequences) generally happen after you’ve been convicted, which is supposed to occur via due process.

The Better Business Bureau is warning of an active scam that has already claimed several victims. The fraudulent phone calls use spoofed caller ID to extort “fines” from victims, by money orders and prepaid debit cards. They’ve got the full lowdown here, but the proper response is one you’ve seen before: don’t give any money or personal information (even if they have some already—victims have reported the callers having information about loans), hang up, call the real police (because others are likely getting the same calls).

The problem is that such phone calls can incite a moment of panic, and panic makes it hard to think rationally. But if you’re aware that such scams exist, you’ll be able to stop, take a breath, calm down and remember how reality works before you become a victim.

How to spot a disguised link in an email message

I’ve written quite a few posts about phishing over the last few years, and I’ve probably been guilty at times of assuming everyone knows what is meant by “mouseover,” or that everyone knows offhand how to spot a disguised link in an email message.

I made this graphic to clarify. The email example here was a run-of-the mill “Your debit card has been deactivated, click here to verify” phishing attack (extremely easy to see through if you happen to NOT have an American Express debit card, which I don’t). Some phishing attacks aren’t as obvious, but the method to spot a disguised link (one that says “americanexpress.com” but actually leads to a look-alike website designed to harvest account numbers, passwords and other personal information) is the same:


Not every email program will have this exact same layout, but for the most part the actual link will be seen somewhere near the bottom of the page, on the left.

File Under “Things That Were Just a Matter of Time.” New scams using Affordable Care Act to harvest personal information.

Okay, so if you live in these United States, you may have heard of a controversial little thing called the Affordable Care Act.

Yeah, okay, before you head to the bottom of the page to sound off, I’ve already turned comments off for this post. I’m not here to express my opinion of the legislation, and I’m not fielding others’, either. Our opinions are irrelevant for the moment. Besides, certain post topics generate TONS of bot-generated spam comments, and I have a hunch this might be one of them (you should’ve seen how many came in when I wrote about Açaí berry scams a few years ago…it was seriously ridiculous).

Here’s all we need to know, and it’s pretty easy to agree upon: The Affordable Care Act is a Thing That Exists. (That’s only a matter of opinion if you’re into really fabric-of-universe-level philosophical discussions.)

And, as a Thing That Exists, it was only a matter of time before someone started up a scam based upon it.

Lo and behold, the FTC is reporting exactly that. Scammers are calling potential victims to “verify” information. For example, “So I see here that your routing number is __________, is that correct? Okay, good, so now we just need your account number…”

Here’s the deal with the Affordable Care Act: if you’re one of the people who is going to need to use the exchanges to obtain insurance, you’re going to be the one contacting them. According to the FTC report, “If someone who claims to be from the government calls and asks for your personal information, hang up. It’s a scam. The government and legitimate organizations you do business with already have the information they need and will not ask you for it.”

That sums it up pretty nicely, both in this specific instance and as a general rule.

2 people are not spying on you

Have you seen this (or something similar) show up on a website lately?

I said DON'T click on it!

If you use MyFitnessPal, WeightWatchers Online, YouTube, or any of about a million other sites, chances are that you have.

Here are some things about which you can rest assured:

  • It’s just a stupid banner advertisement
  • It seems to be showing up a lot more often since this whole mess with the NSA started and got everyone paranoid about their online privacy
  • Nobody is spying on you*
  • It probably leads to a website that will infect your computer with spyware, at which point someone will be spying on you
  • Even if it doesn’t, you don’t want what they’re selling
  • It tells EVERYONE they have “2 people” spying on them
  • YouTube, MyFitnessPal, WeightWatchers, etc., have no way of knowing whether anyone is spying on you or not
  • Do not click on it, whatever you do

*Actually, there might be people spying on you. I mean, I have no idea who’s reading this. Spies do exist, right? You might be involved in all kinds of international espionage, sabotage, subterfuge, the works. You might be tuning in to those weird “numbers stations” every night and actually have the key to decode them for all I know. But in that case, you’d probably say, “Two? Ha! More like two hundred!” if you saw this particular ad.