Weekly Alert  |  December 14, 2022

Interested in Global Entry Program? Don’t Do This!

On Sunday, December 4, we were contacted by a woman who had just signed up for the Global Entry program online, or so she thought. For those not familiar with it, Global Entry is a program run by the United States Government through the U.S. Customs and Border Protection (CBP) service. It allows expedited clearance for pre-approved travelers upon returning to the United States. Anyone traveling internationally can appreciate any effort to make it easier to get through Customs. Unfortunately, the woman made a serious mistake. She began her effort by using Google to search for the Global Entry program website. The top link returned to her was an Ad and not the official US Government Global Entry website! The consequences of that choice may have been bad. Here’s her story…

The woman in this story prefers to remain anonymous. We’ll call her Angela. On the afternoon of December 3, Angela sat down to begin a Google search for the Global Entry program. The top link returned to her was a Google Ad for a website called ttp.globaltraveler.us.com. (If Google Ads are returned in your search, they appear at the top of the list of returns and begin with 2 bold letters: Ad.) Angela visited the GlobalTraveler.us.com website, thinking it was the official site, and started an application. She told us that during the process she saw several grammatical errors that made her feel odd about the quality of this service. Nonetheless, she completed the application, providing very personal and detailed information, including her passport, driver’s license, birthday, home address and phone number. She paid the $260 fee using her American Express credit card. It’s important for readers to know that the OFFICIAL U.S. Government Global Entry website resides with the Department of Homeland Security (DHS) website: https://ttp.dhs.gov/ This official site charges $100 for the Global Entry application. (“ttp” stands for “Trusted Traveler Program.” It is CRITICALLY important to notice that this fully qualified domain ENDS with DOT-gov just before the first single forward slash.)
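For readers who want to automate the "ends with DOT-gov before the first single slash" check, here is an added example (not part of the original newsletter). The function names and the sample addresses marked "constructed" are assumptions made for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL_HOST = "ttp.dhs.gov"  # official Trusted Traveler Program host named in the article


def host_of(url: str) -> str:
    """Return the lowercase host: the part between '//' and the first single '/'."""
    if "://" not in url:
        url = "https://" + url  # address typed or copied without a scheme
    host = urlsplit(url).hostname or ""  # .hostname drops any 'user@' prefix and ':port'
    return host.rstrip(".").lower()


def classify(url: str) -> str:
    """Classify an address by where its host really ends."""
    host = host_of(url)
    if host == OFFICIAL_HOST:
        return "official"
    if host.endswith(".gov"):
        return "other .gov site"
    return "not a government site"


SAMPLES = [
    "https://ttp.dhs.gov/",                    # from the article
    "ttp.globaltraveler.us.com",               # from the article
    "globalentryapplication.immi-gov.com",     # from the article
    "https://ttp.dhs.gov.example.com/apply",   # constructed: .gov is not at the end of the host
    "https://ttp.dhs.gov@example.com/",        # constructed: text before '@' is not the host
    "https://example.com/ttp.dhs.gov/",        # constructed: .gov appears after the first slash
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):22} {url}")
```
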

A couple of hours later, Angela was contacted by the fraud department of American Express. They had flagged a suspicious purchase made against her credit card from Argentina and wanted to know if this was a legitimate and known purchase. Angela said that she had not made any purchases in Argentina. She also thought this attempted fraud was a strange coincidence occurring just hours after using her American Express card on globaltraveler.us.com to apply for the Global Entry program. Their business address was listed in Florida. But she became more suspicious during the next few hours and contacted us the next day for our opinion of the website globaltraveler.us.com.

While we did some research about this website, we advised Angela to try calling the phone number offered on their site for support. She told us that she called multiple times on Sunday, December 4 and again on Monday, December 5, after 9:00 am EST. No one answered any of her calls on Sunday (not surprising). However, on the 3rd call on Monday morning, she heard a recorded message in Portuguese and hung up. It startled her, in part, because she expected English and because Portuguese is spoken in Brazil, also located in South America, like Argentina. From our research, globaltraveler.us.com does not appear to be a fraudulent website. For example, they very clearly state in multiple locations that they are not affiliated with the US Government Customs and Border Team or their Trusted Traveler programs. They state that they are a “B2B” fast track travel service, assisting employers to register employees.

However, our search turned up information that made us suspicious and confused about this service and other similar services as well. We recommended to Angela that she immediately protect herself against identity theft and use Norton Lifelock or a comparable service, to help her do that quickly.  Also, during our investigation we found another HIGHLY SUSPICIOUS website offering the same services to help people apply to the Global Entry program. Here is a review of what we found that gave us doubts…

1. The domain globaltraveler.us.com is a new website, registered anonymously just 3 months ago on September 8, 2022 with very little information provided. It is our experience that newly registered websites can be very suspicious.

2. Websites often contain “meta” tags holding information meant for search engines to use for search results. Looking under the hood of globaltraveler.us.com, we found a meta tag identifying another website called globalentryapplication.immi-gov.com. The domain “immi-gov.com” was originally registered anonymously through a proxy service on November 12, 2020 and is currently not in service.

3. We wondered if the exact information found on globaltraveler.us.com could be found on any other websites. At the bottom of their web pages is the text “EIN 87-2743516 as a located at 7087 Grand National Drive Ste 104 – Orlando, Fl.” An EIN is a US Federal Employer Identification Number. We used Google to search for that EXACT statement and discovered that it was also found on another website called ttp-fasttrack.com. (Notice the grammatical error in the search sentence we copied.) It turns out that both of these websites are owned by the same company. Ttp-fasttrack.com was registered anonymously through a proxy service on November 1, 2021. We wondered why a business would create multiple versions of itself, as if competing with itself on the Internet.

4. In consideration of what we were seeing, we decided to select reasonably unique sentences from globaltraveler.us.com and search for those EXACT sentences on the Internet with Google.  When we searched for “We offer a B2B solution allowing your employees to access our exclusive Global Entry for Business service” Google provided only one link to a website called globalentry.services. This domain was registered anonymously on December 7, 2021 and appears to have a website that is nearly identical to globaltraveler.us.com.

We have found exact sentences, word for word, from globaltraveler.us.com on several other websites. Some are related to the Global Entry program, others are related to the TSA PreCheck program and a few are even found on websites claiming to manufacture and sell Viagra. These facts did not make us feel confident about these services, in general. Were they all created and owned by the same people? Was content from one of these sites stolen and used on the other sites? Though we cannot be certain of the relationships between all of these sites, these facts did not give us confidence to share exceptionally personal and private information required for the Global Entry program with them. That’s why we advised Angela to take immediate steps to protect her identity.

Finally, we wondered how easy or hard it might be to actually find a TRULY SUSPICIOUS website offering  visitors Global Entry application services.  On December 4, we opened Google again and searched for the words global entry application.  The top advertisement was for a website called globaltraveler-apply.com.  A WHOIS lookup of this domain told us that it was registered anonymously through a proxy service just 5 days earlier on November 29.  The website is similar to the others mentioned above.  There are also very obvious grammatical errors on this site such as “Our forms has no time constraint.”  In our experience, these details are red flags and highly suspicious. Oddly, there were other design features of this site that were similar to some of the other sites mentioned.

The Internet landscape appears to be littered with lots of services offering to help applicants with Global Entry and TSA PreCheck applications. However, many range from suspicious to odd in a variety of ways. For example, on the Better Business Bureau website is a business called I.B.I./ International Bureau of Investigation. Their domain is globalentry.us.com. This business claims to offer the types of services we described above, and also charges a $260 fee. The BBB gives them a C+ rating but 16 reviewers give them a 1-star rating out of 5. Most importantly, the BBB.org website recommends, as do we, that travelers should ONLY use the United States Government website to apply for these trusted traveler programs!

If you believe that you have been a victim of identity theft, we recommend doing the following:

1. Visit the non-profit Identity Theft Resource Center. For example, they have an article on how best to respond if your Passport information is stolen.
2. Many State governments have website resources about how to respond to Identity Theft. E.g. Massachusetts Government website.
3. Consider using a paid service such as Norton Lifelock.
4. Notify ALL of your financial institutions (banks, credit card companies, stock/mutual fund companies, etc.) that your personal details have been stolen and you are concerned that someone might use them in fraudulent transfers. Ask your financial institution what advice they have for you to better protect your accounts.
5. Contact both the US Passport service and your Department of Motor Vehicles to notify them as well. They’ll likely suggest that a new license/passport be issued for you.

FOOTNOTE: We’ve begun to use new research tools for our work to investigate websites. These tools were provided by a service called WHOISXMLAPI. This service is outstanding and has enabled us to do very complex searches of website domain names with ease, and pull in lots of information all at once. We highly recommend them if you are investigating online fraud! WHOISXMLAPI helped us conduct our research for the above article and we’re grateful for their assistance.


The Fraud Department IS THE FRAUD!

Our friend Rob received a phone call from someone who identified himself as working for Amazon. This was, of course, a lie. The man claimed that a charge for more than $1700 was made to Rob’s Amazon account for a computer purchase, but Amazon suspected that it was likely fraudulent. The caller asked Rob what bank he used with his Amazon account because it appeared that the charge had gone through. He said “Bank of America.” The fake “Amazon representative” then told Rob that he would notify Bank of America about the fraud and have them call him directly. The sound file below is most of the conversation Rob had with a woman scammer who pretended to be with the Fraud Department for Bank of America. Listen to the VERY inappropriate questions that she asks Rob about how much money he has in his accounts! If she were with the real BOA, she would know that! (We’ve cut out Rob’s responses to very personal details like social security number, phone number and birth date, even though Rob didn’t use his real information! He’s too smart for that! We’ve also removed the long wait times, especially when Rob was on hold.)

This scam can seem so real because the scammer tries to convince Rob that she and her team have actually identified fraud against his account and are working to correct it! All the while, THEY are the FRAUDSTERS! Listen how the woman claims that they are filing a lawsuit against someone on behalf of Rob and that Rob is NOT ALLOWED to talk to anyone about any of this during the days ahead because it is an active lawsuit. This is meant to prevent a victim from telling friends or relatives what happened because the friends/relatives might help the victim understand that he/she is being defrauded by this phone call! The scammer also tries to convince Rob “with evidence” that it was likely someone in his own Bank of America branch who illegally began a transfer of $35,000 out of his bank account that morning! This is another excuse by the scammer to keep Rob from actually contacting his local, trusted Bank branch! (The call was dropped after about 12 minutes.)

In true “you can’t believe everything you read online” fashion, a man posted the Facebook Ad you see below to Reddit and asked people if they thought that this INCREDIBLY cheap price for cookware was a scam. We said hell yes! Apparently, the man was conned out of $65 buying the $3 cook sets plus “shipping costs.” We want our readers to notice the website domain that appears at the bottom of the advertisement: MBHOGL[.]info.

This is 100% a scammer’s website. Here are two reasons why:

1. The domain MBHOGL[.]info was registered just 29 days before we found it, according to a WHOIS lookup. And yet, there are references on that website about blog posts going back to 2016! (Also, the domain was registered in Iceland using Namecheap, which is a FAVORITE registrar of scammers!)

2. All the content on this site was stolen from another blogger’s website called “CrazyWithTwins.”

These two facts are a pretty low bar to show fraud. It’s a shame that Facebook can’t do a better job to keep these bogus Ads off their platform. We’re certain that the $3 price on the sign was photoshopped and changed from a higher price.

Many times we say “details matter” when trying to identify fraud or suspicious content. Here are two recent examples of what we mean. In this first example, we ask readers to look VERY carefully at the domain that Mr. Stuart Chatfield’s email came FROM when compared to the email address that any reply will be sent to!

We hope you noticed that the difference was the letter “s” in the name charles. There is a real financial service in the UK that has the website charles-stanley.co.uk. However, the fraudster who sent this email SPOOFED that domain and your reply will automatically be sent to the scammer’s domain at charle-stanley[.]co[.]uk, which was registered in March of this year. Details matter!

Our second example is similar. We received an email at The Daily Scam from “Hamza Omar” and noticed that his urgent request to hear from us would have gone to a different email account than the email he sent us! This is typical scammer behavior!
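The From versus Reply-To comparison in both examples can be done by a script. This is an added example, not part of the original newsletter: the mailbox names, the example.com addresses and the function names are constructed for illustration, and only the two charles-stanley domains come from the text above.

```python
from email import message_from_string
from email.utils import parseaddr


def address(header_value) -> str:
    """Bare lowercase address from a From or Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_reply_to(raw_headers: str) -> tuple:
    """Return (verdict, from_address, reply_address) for one message's headers."""
    msg = message_from_string(raw_headers.replace("[.]", "."))  # undo defanging
    frm, reply = address(msg["From"]), address(msg["Reply-To"])
    if not reply or reply == frm:
        return ("ok", frm, reply)
    from_dom, reply_dom = frm.rpartition("@")[2], reply.rpartition("@")[2]
    if from_dom != reply_dom and edit_distance(from_dom, reply_dom) <= 2:
        return ("lookalike", frm, reply)  # e.g. one letter dropped from a real name
    return ("mismatch", frm, reply)       # replies go to some other mailbox


# Constructed headers; the Reply-To domain is kept defanged as in the article.
CHATFIELD = (
    "From: Stuart Chatfield <stuart.chatfield@charles-stanley.co.uk>\n"
    "Reply-To: stuart.chatfield@charle-stanley[.]co[.]uk\n"
    "Subject: constructed sample\n\n"
)
HAMZA = (
    "From: Hamza Omar <hamza.omar@example.com>\n"
    "Reply-To: h.omar.office@example.com\n"
    "Subject: constructed sample\n\n"
)

if __name__ == "__main__":
    for raw in (CHATFIELD, HAMZA):
        print(check_reply_to(raw))
```
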

Netflix, AT&T, and PayPal Account Holders

Though this email claims to have come from the Netflix Support Team, the domain at the end clearly shows this is a lie! The email says your payment was declined and asks you to click a link that misuses an email service called sendibt3[.]com. The misused service will be sending you to a suspended account called shaheendesigner[.]com. It was first registered in Pakistan in 2019.

That sounds like Netflix, right?

The simplest explanation for phishing is that it is a scammer’s attempt to trick you into handing over your personal login information, such as this trick to give up your AT&T account information! It was not sent by the “AT&T Service” or “AT&T Team” as the email says. As is often the case, the bogus link in this email will send you to a fake login set up on the free web service at Square site. We reported this fraud to Square site and, fortunately, they took it down pretty quickly.

PayPal account holders are HEAVILY targeted by phishermen! Here are two recent examples. The first is an email telling you that “you access are being restricted.” Nice English! The email came from a crap top level domain called DOT-top and the link points to another DOT-top. We hope YOU stay on TOP of this crap and hit delete!

The second smelly PayPal phish came from a bogus personal Gmail account. The fraudsters are trying to trick you into calling them at 888-827-7293. The email says that there was a $709 order placed on your account by Speedway Armory LLC. Bogus PayPal phish pretending to be charges from “Speedway Armory LLC” have been discussed in this PayPal forum since 2020!

Just delete.

Netflix Gift Card

A standard tool in the scammer’s toolbox is the bogus email offering cash, prizes or products in exchange for your time to fill out a survey. We believe that upwards of 99% of these offers are scams! Take this CVS “special offer.” (CVS is a pharmacy and general merchandise seller.) It came from trendytrainer[.]com and has links pointing to the bogus website PatternLikeAnnaUnasserted[.]com! This crazy domain was registered in early June, 2022 and is hosted on a server in Punjab, India! (Remember how details matter? Notice the copyright date in the bottom of the email is 2020! These scammers are just reusing an old scam design and forgot to update the “copyright” information.)

This Kohl’s survey actually came from an email account at the University of Basrah in Iraq! Trust us, you will NOT receive a FREE Le Creuset pot but you WILL have a surprise visit to malware on a server in Russia! The link in this email points to a domain that ends with “wtf.” Most Americans know that WTF means “What the…” That’s what we said when we learned that visitors will be redirected from a server in France to a malicious server in Russia.

Deeeeeleeeete!

American Express Malware, Attached Audio File and More…

Not all emails that appear to be phishing attempts are for phishing. Check out this email pretending to be from the American Express credit card company. The email was sent from a hacked email account at Kean University in New Jersey to “undisclosed-recipients.” The link to update your account points to a VERY malicious server, StrongPointInvestments[.]com, that hosts malware.

Deeeeleeeete!

We frequently tell readers that certain types of attachments are very dangerous to open. The most common ones are files that end with DOT-htm, DOT-html, and DOT-php. These files can contain instructions to control your web browser and tell it, for example, to visit a website and download malware that will cause you significant harm! Here are 2 more recent examples of tricks that were sent to the Safety Officer of a large chemical company in the U.S. The first email claimed to have an attached audio file but the file icon SHOWS it is a DOT-htm file if you look closely! The same is true of the second email which came from a server in Germany. Details matter!
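A mail filter can make the same "look closely at the file type" check on every attachment. This is an added example, not part of the original newsletter: the sample message, its file names and the function names are constructed for illustration, and the extension list is the one given in the paragraph above.

```python
import os
from email.message import EmailMessage

BROWSER_EXTS = {".htm", ".html", ".php"}  # the attachment types the article warns about


def risky_attachments(msg: EmailMessage) -> list:
    """Return (filename, reason) for each attachment whose real extension is a web page."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().rstrip(".")
        stem, ext = os.path.splitext(name.lower())  # only the LAST extension counts
        if ext not in BROWSER_EXTS:
            continue
        declared = part.get_content_maintype()       # what the sender claims it is
        double_ext = os.path.splitext(stem)[1] != ""  # e.g. "message.wav.htm"
        if double_ext or declared in ("audio", "image", "video"):
            reason = "web page disguised as another file type"
        else:
            reason = "web page attachment"
        findings.append((name, reason))
    return findings


def build_sample() -> EmailMessage:
    """Constructed message: a fake 'audio' file, a plain HTML file and a harmless PDF."""
    msg = EmailMessage()
    msg["Subject"] = "New voice message (constructed sample)"
    msg.set_content("You have a new voicemail. Open the attachment to listen.")
    page = "<html><body>constructed placeholder</body></html>"
    msg.add_attachment(page.encode(), maintype="audio", subtype="wav",
                       filename="Voicemail_0412.wav.htm")
    msg.add_attachment(page, subtype="html", filename="Invoice.HTML")
    msg.add_attachment(b"%PDF-constructed", maintype="application", subtype="pdf",
                       filename="Schedule.pdf")
    return msg


if __name__ == "__main__":
    for name, reason in risky_attachments(build_sample()):
        print(f"{name}: {reason}")
```
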

Navy Federal Credit Union, Claim Your Prize and Much More!

Soooooo many bogus texts reported to us and so little space! Here are our recent favorites, all fraudulent and/or malicious. Note the bogus text from the United States Postal Service that we linked to malware! Enjoy!

Until next week, surf safely!

Copyright © 2022 The Daily Scam and Scamadviser. All rights reserved.

Keurenplein 41, UNIT A6311  |  1069CD Amsterdam, The Netherlands