How Well Does Your Country Fight Scams? — Readers of this newsletter live all around the world. Your experiences with online fraud and threats are very similar. However, we suspect that the choices and tools available to fight back against these threats vary by country. We would love your input on this subject to share in an upcoming newsletter. Please tell us your experiences with how your country is fighting scams.

Last Friday was “Black Friday.” In the U.S. it is the traditional start of the Christmas season for retailers and is typically marked by lots of special deals and discounts. As expected, cybercriminals also sent their malicious clickbait disguised as a “Black Friday” deal last Thursday evening. Look at this email made to look like another “exclusive offer” for taking a survey, this time from T-Mobile. Except it wasn’t from T-Mobile, though you see T — M o b i l e written in the text area of the email address. But within the brackets <> and after the @ symbol you can clearly see that this email came from a server in Germany (“.de” = Deutschland = Germany). This clickbait also employs a common trick to urge readers to click quickly without thinking by stating at the bottom that there are only 9 rewards remaining. Better hurry and click so you can get hit with malware before anyone else!

Another trick often used by cybercriminals to engineer YOUR clicking behavior is to send fake news that is SHOCKING! Such as this email informing readers “BREAKING: Sad News for Prince William.” Recipients are told it is “unbelievable.” Citizens of the UK will especially be susceptible to this clickbait!  It is important to look carefully at both the sender’s domain and the domain name found in the link of the email.  Unless you see a KNOWN and CREDIBLE news source, do not click without first using a WHOIS tool to check on the domains associated with the email.  Look below at what we discovered by using our favorite WHOIS tool! The link points to a website that was registered about 2 months earlier in India by a registrant called “Diet Vita Health.”  How credible does this news source sound now? Yeah, that’s what we thought.

All Staff/Student Email Accounts Have Been Updated and Norton LifeLock – Last week we saw a very unusual phishing attack. A teacher from a school in Massachusetts received an email from another teacher at a school in Connecticut informing him that “all staff/student email addresses will be transitioned” from Outlook to Gmail. Email recipients were asked to click a link to a Google form to submit their updated information “or You can’t send Mail.” Or you can’t send mail? Now THAT is a major red flag! Check out the questions asked in the Google form below! Please notice that the form contains German words, further confirming this rotten phish! BOTTOM LINE: Never enter your password into a Google form! It is, after all, a collection basket of information for the people who control the form!

Trust us, your Norton LifeLock subscription didn’t just renew for about $250 because this smelly phish came from a server in the Czech Republic! (Notice the 2-letter country code “.cz” at the end of the address!) Another way to see through this fraud is to consider that any LEGITIMATE email confirmation of a $250 purchase WILL LIKELY CONTAIN your full name, address, credit card name and last few digits of the account. Do you see any of those things? This email only contains the user’s email name, which is found in front of the “@” symbol. Deeeleeete!

Your Home Warranty Has Expired – This scam is unusual because it came through “snail mail,” otherwise known as the U.S. Postal Service. In late September, a homeowner received this “TIME SENSITIVE” notice from “HHS Service Activation, Home Warranty Division.” The homeowner tells us that he has never heard of this service and doesn’t use “SOUTH COASTAL BANK,” the lender listed on this notice. He also looked up “HHS Service Activation” online and found only one reference to this “company” on the Bizapedia website. He couldn’t even find this company listed on the Better Business Bureau website. The homeowner DID see a red flag on Bizapedia, which showed that this company was registered by an agency in Delaware and NOT by anyone from the company itself.

Additionally, if you look at this letter, by our count it contains at least 8 phrases meant to GRAB YOUR ATTENTION and raise your level of anxiety that this is something you should be responding to.  Phrases like “time sensitive,” “immediate response requested,” and “extremely urgent” are part of this manipulative language.  The homeowner tossed the letter into recycling but it wasn’t the last time he heard from them…

About six weeks later, the same homeowner received a large heavy-weight card in the mail from the same service to inform him that his “property’s home warranty… may have already expired.” “Without a home warranty in place, you are at risk of being financially liable for any and all repairs.” Like the previous letter, this card notice prominently featured “SOUTH COASTAL BANK” but used a different phone number than what appeared in the first letter.

This time the homeowner conducted two additional searches in Google.  The first was for “South Coastal Bank” which turns out to be a real bank located in Rockland, Massachusetts. However, the toll-free phone number was not associated with this bank.  In fact, a Google search for the phone number, 888-307-2037, turned up multiple links to home warranty scams and spam, including these links:

https://scammer.info/t/home-warranty-division-scam-888-307-2037/82609
(This link includes a letter similar to the first letter above BUT with a different name in the upper left corner, as well as a different bank.)

https://www.reportedcalls.com/8883072037

Finally, we also found the Main Street Bank posting information about Home Warranty Scam letters that we believe apply to these mailed notices.  CommunityBankNet has also posted a similar fraudulent letter for their members.

Best Ways to Identify Smelly Phish! –

Last week we motored through a sea of smelly phish. They used lots of tricks to lure victims into revealing their login credentials to banks, credit card services and retail accounts such as Amazon.  We thought it was time to review the most important ways to identify these rotting carcasses. Before we do that, let’s start with this LEGITIMATE email sent from the real Chase Bank, a service commonly targeted by cybercriminals. 

There are 5 surefire observations to make that will confirm an email you receive is legitimate.

1. First, look for the <> symbols in the FROM address. The business domain name is found between these brackets (NOT in front of them) but after the “@” symbol. A correct domain will be separated by a period from a “global top level domain” such as “com.” Make sure this domain matches the service it claims to represent. For example, chase.com is legitimate but both chase.login-alert.com and chasebankus.com are not!

2. Do you see an account name and number that match you? Look especially for your full name and the correct last 4 digits of your account. Don’t accept your name along with “last digits ending with xxx4.” Millions of people must have an account ending with a 4!

3. Most importantly, does the link you are most expected to click point to the correct domain for your service? Mouse-over the link, but do NOT click it yet. Look in the lower left corner of your window to see where the link points. Locate the first single forward slash as you read left to right. What is the full domain name that immediately precedes this single forward slash? In our sample, it is chase.com.

4. Does the email make sense to you? If it is UNEXPECTED then proceed with caution by checking out the embedded links and the FROM address.

5. Finally, you’ll never find errors in company emails such as errors in grammar, punctuation, or capitalization! You won’t find awkward English sentences as if the sender doesn’t speak English well.

By contrast, can you spot the six English errors we found in this smelly carp that was sent from the free email service at mail.com? And it is easy to spot that the green link points to a shortened link through a service called Hootsuite (ht.ly). When we used Urlex.org to unshorten that link, we found that visitors will be redirected to a phishing page at ChaseIconDebitCard-com[.]preview-domain[.]com! Preview-domain[.]com was registered in Cyprus in November 2019 and is still being used for malicious purposes.

Check out this very sophisticated phishing scam example from “Apple.” The sender’s REAL email address is a bizarre name from Venmo.com! There are NO English errors and the email appears to include a legitimate link for apple.com. But does it really? When we moused-over the link we discovered that it appears to point to a website called disq[.]us. Further investigation into the link, however, reveals a redirect built into it that will send people to a malicious domain at bom[.]to!

Our final examples pretend to be emails representing Amazon. But instead of posting content in the body of the email to trick recipients into clicking, BOTH emails contain an invoice or receipt as attached PDF files! The REAL AMAZON business doesn’t do this! The first email came from an Amazon wannabe-domain called goyangamazon[.]com while the second phish came from a Gmail account!

The next time you receive an email asking you to click through to a service that requires your login credentials, stop! Then proceed by going through your checklist of steps. And if you are still not sure, we invite you to forward that email to us to help assess it. Remember, we’ve always got your back!
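Checks 1 and 3 from the checklist above can be automated when triaging reported mail. The Python sketch below is an added example, not code from The Daily Scam: the function names are hypothetical, and the sample sender addresses and URL paths are constructed (only the domains come from this newsletter).

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Shortener named in the newsletter; extend this set for your own mail flow.
SHORTENERS = {"ht.ly"}

def refang(text):
    """Turn a defanged indicator such as example[.]com back into example.com."""
    return text.replace("[.]", ".")

def sender_domain(from_header):
    """Check 1: the domain after '@' inside the <> brackets, ignoring the display name."""
    _display, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def link_host(url):
    """Check 3: the host that precedes the first single forward slash."""
    return (urlsplit(refang(url)).hostname or "").lower()

def belongs_to(host, brand_domain):
    """True only for the brand domain itself or a subdomain of it."""
    host = refang(host).lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)

def assess(from_header, url, brand_domain):
    """Return a list of red flags for one message; empty means both checks passed."""
    flags = []
    sender = sender_domain(from_header)
    if not belongs_to(sender, brand_domain):
        flags.append(f"sender domain {sender!r} is not {brand_domain}")
    host = link_host(url)
    if host in SHORTENERS:
        flags.append(f"link uses shortener {host!r}; destination is hidden")
    elif not belongs_to(host, brand_domain):
        flags.append(f"link host {host!r} is not {brand_domain}")
    return flags

# Constructed samples (sender names and paths are made up; domains are the page's).
LEGIT = ("Chase <no-reply@alerts.chase.com>", "https://www.chase.com/login")
PHISH = ("Chase Bank <service@mail.com>", "https://ht[.]ly/abc123")

if __name__ == "__main__":
    for name, (frm, url) in {"legit": LEGIT, "phish": PHISH}.items():
        print(name, assess(frm, url, "chase.com") or "no red flags")
```

The suffix test in `belongs_to` is what separates a real subdomain such as www.chase.com from look-alikes like chase.login-alert.com, where the brand name appears only to the left of someone else's domain.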

Your Mailbox is Full and We Are Unable to Deliver Your UPS Package – Oh no! Our inbox is so full that we won’t be able to receive any more email! Well, except for this email telling us we can’t receive any more email. Should we be worried that this notice came from a server in Slovakia? Or that it points to a web server spelled “wwebserveerr[.]repl[.]co” located in Columbia? Or the fact that the copyright for this informative email is more than 18,000 years into the future? Naaaaawwwww…. We’re ready to click and update!

Like clockwork each week, we are informed that UPS is unable to deliver our packages. Boo hoo! We want to reschedule that delivery but we can’t get past the fact that online security services keep telling us the link is malicious and DOESN’T POINT TO ups.com.

If You Are An Adult… – This text came via WhatsApp from an international number starting with +62. That’s the calling code for Indonesia! We applied the “smell test.” Anytime someone from Indonesia asks us if we are an adult and want to earn $2000 per day, we lunge for the delete key! The bad smell from this text is overwhelming.

Until next week, surf safely!

Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved.