Tag Archives: Scams

Play Along at Home: Fake Target “Order Confirmation” Email

Here’s a picture of a fake “Order Confirmation” email I received recently. How many clues can you spot that indicate something is not quite right?

2014-12-08-spam-01

Here’s what comes up if you hover the mouse over the word “link”:

2014-12-08-spam-02

How many fraud indicators did you find?

Here are the ones I found:

  1. Very vague subject line: if this were an actual delivery confirmation, the subject line would usually refer to it in some way. It wouldn’t just say “Order Info.”
  2. The “From” information: support@yummy.cookiesmadeeasy.com is not a Target email address.
  3. The logo is wrong. No bullseye anywhere.
  4. “As Thanksgiving nears…” Thanksgiving was a couple weeks ago. Wrong holiday, dummies.
  5. The (attempted) conversational tone of the email: if you had an actual order to pick up, the email would begin with this information. Whichever holiday is approaching is absolutely irrelevant (for the store) to the fact that they’ve got merchandise they want you to pick up as soon as possible.
  6. The excruciatingly bad grammar. Go ahead, read it out loud. It’s beyond horrid.
  7. This isn’t even how in-store pickup orders work…the customer chooses which store to have their purchase shipped to, and that’s where it goes. That’s the only place it goes. You don’t just go to any random location because they don’t ship one to every single store when an order comes in.
  8. And what happens if I don’t “pick it” within four days? Again, not how online orders work.
  9. The stores aren’t called “Target.com.”
  10. When you get a real order confirmation email, the order information is almost always included in the message. You don’t have to click a link to get to it.
  11. Speaking of links: makingteamsrock.com? Not a Target website.
  12. “Always yours, Target.com.” Pretty sure they don’t refer to themselves as “Target.com.” Or use “Always yours” as a closing.
  13. Not one single item in the “privacy policy” line at the bottom is an actual link.

So, I found thirteen. Did you catch any that I didn’t?

New phishing attack poses as PayPal email…

…and it’s convincing.

I mean, I hate to sound almost impressed by some cruddy email scammer, but as far as “click here to log in and verify your account” phishing attempts go, this one is devoid of broken English, and uses information taken from a recent data breach at eBay to ratchet up the realism by using the target’s actual name. If there is a spectrum of phishing attacks that ranges from “laughable” to “frighteningly realistic,” this one falls much closer to the latter than the former.

The Consumerist blog has a full article that discusses it in greater detail. I strongly suggest you read it. In the example they use, the recipient only used that email address for eBay and PayPal, which added to the realism. It’s a good idea to have separate email addresses used only for online transactions because it helps weed out phishing (if you get a message on your OTHER account that supposedly comes from PayPal, you know it’s fake right away). However, as soon as there is a data breach, your specific-purpose email address can be targeted as well. My guess is that this guy is going to start seeing a ton of spam hitting his eBay/PayPal-only email, and he’ll have to abandon it for a new one.

At its core, this phishing attack was just another “click here to verify” attempt, but by using data from a breach, its success rate is bound to be higher than usual. It’s why you can never stop paying close attention to everything you click on.

Overpayment scams affect businesses, too

I thought I was onto some clever application of the “duck test” for the title of this post, about how “if it looks like a scam and quacks like a scam,” but I really couldn’t make it sound anything other than monstrously insane, so I dropped it and went with the title you see above.

Anyway, the old overpayment scam has been explained a thousand times here, there and everywhere. You’re selling something on Craigslist (for example), and a buyer contacts you, usually from out of state. They send their payment, but instead of $200, it’s a cashier’s check for $3,200. “Cash it and use the extra for shipping, then wire the rest back to me,” they say when you contact them.

What happens next is fairly predictable: you cash the check, send the item, wire the excess money (thousands of dollars) to someone, then find out a week later that it was a counterfeit check and that you’re on the hook for the loss caused to your financial institution.

But did you know that scammers also target businesses with the same tactic?

And if you’re a business owner, you might fall for it because what might strike you as suspicious during a private sale might seem less so in a business context. I’ve heard of several cases where retail businesses, attorneys and rental property owners have been victimized by this scam.

However, the principle applies in every context, whether in a person-to-person or a business transaction: if someone sends you a cashier’s check and tells you to cash it and wire money back to them, you’re almost always dealing with a con artist.

How law enforcement doesn’t operate: scam alert from the BBB

If you live in the United States (I can’t vouch for other countries), there are certain ways in which law enforcement is carried out, and ways in which it generally is not.

Here’s one way law enforcement doesn’t work: if there’s a warrant out for your arrest, they usually don’t call you first and tell you.

Here’s another: if you’re accused of a crime, you can’t pay a fine to avoid charges (if you can, it probably means you’re bribing someone, and they’re accepting the bribe, and you’re both in a lot of trouble, mister. Bribing the police. That’s not right!). The fines (and other consequences) generally happen after you’ve been convicted, which is supposed to occur via due process.

The Better Business Bureau is warning of an active scam that has already claimed several victims. The fraudulent phone calls use spoofed caller ID to extort “fines” from victims, by money orders and prepaid debit cards. They’ve got the full lowdown here, but the proper response is one you’ve seen before: don’t give any money or personal information (even if they have some already—victims have reported the callers having information about loans), hang up, call the real police (because others are likely getting the same calls).

The problem is that such phone calls can incite a moment of panic, and panic makes it hard to think rationally. But if you’re aware that such scams exist, you’ll be able to stop, take a breath, calm down and remember how reality works before you become a victim.

How to spot a disguised link in an email message

I’ve written quite a few posts about phishing over the last few years, and I’ve probably been guilty at times of assuming everyone knows what is meant by “mouseover,” or that everyone knows offhand how to spot a disguised link in an email message.

I made this graphic to clarify. The email example here was a run-of-the-mill “Your debit card has been deactivated, click here to verify” phishing attack (extremely easy to see through if you happen to NOT have an American Express debit card, which I don’t). Some phishing attacks aren’t as obvious, but the method to spot a disguised link (one that says “americanexpress.com” but actually leads to a look-alike website designed to harvest account numbers, passwords and other personal information) is the same:

2013-10-01-mouseover

Not every email program will have this exact same layout, but for the most part the actual link will be seen somewhere near the bottom of the page, on the left.

File Under “Things That Were Just a Matter of Time.” New scams using Affordable Care Act to harvest personal information.

Okay, so if you live in these United States, you may have heard of a controversial little thing called the Affordable Care Act.

Yeah, okay, before you head to the bottom of the page to sound off, I’ve already turned comments off for this post. I’m not here to express my opinion of the legislation, and I’m not fielding others’, either. Our opinions are irrelevant for the moment. Besides, certain post topics generate TONS of bot-generated spam comments, and I have a hunch this might be one of them (you should’ve seen how many came in when I wrote about Açaí berry scams a few years ago…it was seriously ridiculous).

Here’s all we need to know, and it’s pretty easy to agree upon: The Affordable Care Act is a Thing That Exists. (That’s only a matter of opinion if you’re into really fabric-of-universe-level philosophical discussions.)

And, as a Thing That Exists, it was only a matter of time before someone started up a scam based upon it.

Lo and behold, the FTC is reporting exactly that. Scammers are calling potential victims to “verify” information. For example, “So I see here that your routing number is __________, is that correct? Okay, good, so now we just need your account number…”

Here’s the deal with the Affordable Care Act: if you’re one of the people who is going to need to use the exchanges to obtain insurance, you’re going to be the one contacting them. According to the FTC report, “If someone who claims to be from the government calls and asks for your personal information, hang up. It’s a scam. The government and legitimate organizations you do business with already have the information they need and will not ask you for it.”

That sums it up pretty nicely, both in this specific instance and as a general rule.

2 people are not spying on you

Have you seen this (or something similar) show up on a website lately?

I said DON'T click on it!

If you use MyFitnessPal, WeightWatchers Online, YouTube, or any of about a million other sites, chances are that you have.

Here are some things about which you can rest assured:

  • It’s just a stupid banner advertisement
  • It seems to be showing up a lot more often since this whole mess with the NSA started and got everyone paranoid about their online privacy
  • Nobody is spying on you*
  • It probably leads to a website that will infect your computer with spyware, at which point someone will be spying on you
  • Even if it doesn’t, you don’t want what they’re selling
  • It tells EVERYONE they have “2 people” spying on them
  • YouTube, MyFitnessPal, WeightWatchers, etc., have no way of knowing whether anyone is spying on you or not
  • Do not click on it, whatever you do

*Actually, there might be people spying on you. I mean, I have no idea who’s reading this. Spies do exist, right? You might be involved in all kinds of international espionage, sabotage, subterfuge, the works. You might be tuning in to those weird “numbers stations” every night and actually have the key to decode them for all I know. But in that case, you’d probably say, “Two? Ha! More like two hundred!” if you saw this particular ad.

How to spot an investment scam

Wisebread is a pretty great website. They post tons of articles on saving money, being frugal, finding deals, getting more out of life for less cash, and occasionally, scams.

They ran a good one not too long ago: 5 Sure-Fire Signs of an Investment Scam. It’s a topic I haven’t explored too deeply yet, and it’s one I’d like to write more about. For the time being, go read their article and learn from it.

Now think about some iffy investment “opportunities” you’ve heard of. How many of Wisebread’s signs did they fall under?

My favorite investment scam is the Iraqi Dinar scam that’s been running riot for several years (and I mean “favorite” in the most sarcastic way possible, by the way). For the most part, these schemes hit all five points.

Absolute promises that the currency will revaluate? Check. “Opportunity” for beyond-massive profit, yet being offered to everyone in the universe equally? Got it. Affinity groups? Yes, you hear about this stuff in social circles. Business practices? Well, selling a supposed investment without an actual license to do so by calling it a “collector’s item?” How sketchy do they have to be? And look at the comments on any article exposing this scam for what it is: hundreds of people insisting that the author (even when said author is an expert writing for a credible source) is the biggest idiot that ever lived in the history of ever. Some of those may be victims clinging to hope, but a lot of them are people running Iraqi Dinar scams attempting to discredit any suggestion that what they’re doing is tantamount to fraud.

Don’t try to get something for nothing

Sometimes you walk a fine line when you’re writing about how-to-not-get-swindled. On one hand, a victim is a victim, and it’s not nice to place blame on them. On the other, there are scams that prey upon some all-too-human tendencies (which we all have within us, make no mistake about it) to be a little avaricious.

When it comes to this category of scams, here’s the rule: don’t try to get something for nothing.

Think about all the fake iPad scams you’ve heard about. A guy approaches you at a gas station and offers to sell you a brand new iPad for a super-low price. You find out later that the box contains a mirror or some other non-iPad object.

It’s no fun to get conned, but ask yourself: is there anything about a guy selling iPads at a gas station that doesn’t scream “This is not legit!” when you really think about it? Apple doesn’t sell its products from cars at filling stations. This is either a scam or an attempt to unload stolen goods. You’re almost better off with the mirror.

What about the Pigeon Drop scheme? Forget the whole “Let’s have this person hold your good-faith money while we do this-or-that to divvy up this satchel of cash we found” angle…how many movies do you have to watch to know that “satchel full of money” equals “drug dealers/hit men/bank heists/things you don’t want to get within ten miles of”? Honest people who find big stashes of currency contact law enforcement, because there’s no way that cash is not evidence of some major crime. It couldn’t be more obvious if it was in a big white sack with a huge dollar sign printed on it.

The rule applies to all manner of scams and rip-offs. $437 sounds a bit steep for an hour of work, doesn’t it? Then don’t fall for the secret shopper scams. Brand-name prescription drugs for a tenth of the cost? Sounds too good to be true! That’s because it is.

We’re all looking out for ourselves on some level. If I see a ten-dollar bill bouncing merrily down the sidewalk on a windy day, I’ll pick it up. But I’ll also check around me to make sure nobody was chasing it, or standing there with that distraught look that can only mean one thing: their tenner just blew away. (For the record: this never happens to me…I’m much more likely to be the one with the distraught face.)

However, moving forward, remember this: if someone approaches you offering something for nothing (or next to it), take warning. You’re either about to be scammed or become an accomplice.

Lottery scam originates from 876 area code (Jamaica)

It’s an old scam with a slight twist: lottery scammers based in Jamaica are using threats of physical violence to get victims to wire money.

Usually if you ignore a scam, that’s the end of it. Apparently this group takes it really personally, though; if a potential victim refuses to bite, they make threats. At that point, I suppose the whole “you won the lottery” angle is abandoned and it just becomes pure extortion.

Sometimes I make really general statements, and I’m going to do it again here: unless you personally know someone who lives in Jamaica or own/work for a company that does business in the country, don’t even answer phone calls from the 876 area code. There are exactly zero good reasons you should be getting out-of-the-blue phone calls from random people in Jamaica. The St. Louis BBB has some additional information about this scam.