Select Page
Weekly Alert  |  December 27, 2023

Scammer Tricks Recently Used to Target Sellers If nothing else, we are often impressed by the cleverness of scammers. This week we have several clever tricks to show you that were used to target a 32-year old man who was selling a used car on Facebook Marketplace and Craigslist. The young man was very savvy and recognized most of the scam efforts. However, he asked us our opinion about one interested buyer that even surprised us because it turned out to be a very clever and HUGE phishing scam extending so deep that we finally gave up before hitting “bottom.” Scams targeting the man also included a bizarre email that wreaks of fraud, though we can’t exactly see why. Please buckle your seatbelt, grab your helmet and safety goggles and let’s take a ride…

Bobby (not his real name) was happy to get rid of his 2011 Toyota Corolla as it was showing lots of signs of trouble. Certainly, he thought, someone would want it who might be better skilled at fixing the growing signs of an aging car with 121,000 miles on it. He had good maintenance records, and posted them with lots of photos, on both Facebook Marketplace and Craigslist on Sunday, December 3. Bobby is not a “newbie” to online sales and knew many of the signs of fraud. He tells us that more than half of the inquiries he received about his car were scams, such as these two emails from Gmail accounts named henryatforthes and sexandthecitymusic. (Notice that the man using the email account “Henry Forthes” identifies himself as “Jimmy.” A bit odd, don’t you think?)

From: Henry Forthes <henryatforthes@gmail.com>

Date: Sun, Dec 3, 2023 at 11:17 PM

Subject: Re: Car Inquiry

To: [EMAIL REDACTED]

Thanks for getting back to me.. I’ve been working really long weeks at work. So I won’t be able to meet with you but I am OK with the price and condition as shown on the advert, I’ll go ahead and issue a check to you and when you receive the payment and it clears, I’ll make arrangements for pickup. So please kindly get back to me with the below details ASAP

Full Name:

Address:

City, State, Zip Code:

Your Cell Phone Number:

Last Asking Price:

As soon as the above information is provided, payment will be overnight to you and I’ll let you know once it’s mailed out with Tracking # sent to you. I’ll also add an additional $50 for holding it for me till the Check gets to you and please delete the posting that it has been sold.

Thanks and many Regard

Jimmy

From: Sex and the City <sexandthecitymusic@gmail.com>

Date: Mon, Dec 4, 2023 at 8:57 AM

Subject: Re: Car Inquiry

To: [EMAIL REDACTED]

Thanks for returning my husband’s message regarding your item. We are satisfied with the price & the condition listed on the CL, so kindly withdraw the advert and consider it sold. I would have come in person for it but can’t due to my tight work Schedule and we are also busy because we are in the process of moving.  My husband will proceed in issuing a Certified Cashier’s Check Or USPS Money Order to you and when received and cleared your bank, We will make arrangements for the pick up. Additional $90 will be added with the original price for reservation till the check gets to you.

 I’ll need the following information to overnight the Payment today.

Name to issue out the check to……

Mailing Address to overnight the check….

Final Asking price and the Cell # to contact you ….

Thank you in anticipation of your understanding and awaiting the information requested to overnight out through UPS and delivered to you within 48 hours.

Regards

No doubt, our readers can spot ALL the red flags screaming FRAUD in those emails!  They include…

  • Buyers say they’ll purchase the car without even seeing it! (MAJOR RED FLAG!)
  • Buyers provide excuses why they can’t see the item being sold
  • Buyers offer a check in advance, and even adding more money that the asking price! (Seriously? Who does that?!) Keep in mind that scammers can easily create fake money orders and “cashier’s checks” that will serve their advance-check scams. Typically, these checks are sent for more than the item being sold. The victim is asked to refund the difference. But the checks are often so well-crafted that it may be a week or more before it bounces!
  • The buyer wants to overnight a check through UPS. This is highly suspicious and not typically what someone does who lives in your area and is interested to buy a used item you are selling.
  • Neither of these buyers even tried to negotiate a better price for a used car. 

The next scam text to Bobby opened our eyes to a whole new type of phishing fraud with deep roots across the Internet. On Sunday night, December 3, someone sent a text to Bobby inquiring about the condition of the car and if there were any history concerning possible accidents.  This text seemed reasonable and legitimate. However, the person suggested that Bobby register his used car on a website called OnlineAutoInspection[.]com. We found a few subtle English errors on this website. But more importantly, when we entered Bobby’s vehicle VIN number (Thanks for trusting us, Bobby!) into this website, we were surprised to learn that the site claimed to have a full report on Bobby’s vehicle, available for just $27, and it included lots of information about the car!

We take NOTHING for granted! Seeing that OnlineAutoInspection[.]com says they have a Trustscore of 4.8 on Trustpilot.com, we decided to visit that rating on December 6 to see why others thought so highly of this website. Instead of a 4.8 rating, we discovered that Trustpilot.com had ZERO ratings for this service! So we gave them a 1-star rating, especially after Virustotal showed us that FOUR security services have identified OnlineAutoInspection[.]com as phishing scam and malicious. On December 7 another person also added a 1-star review saying…

“This is a scam website. They email people selling cars and pretend to be buyers, they then demand that the seller buy a report from this website before they’ll see the car. After the seller buys a report, they demand that additional reports be purchased. Eventually, the “buyer” disappears.”

Additional “red flags” are easily found once you start looking. For example….

  1. The domain OnlineAutoInspection[.]com was registered at the end of October, just 5 weeks before it came to our attention.
  2. Our friends at Scamadviser give them a low trust rating for several reasons…

     https://www.scamadviser.com/check-website/onlineautoinspection.com

  1. Scamvoid confirms that this service is NOT to be trusted!

      https://www.scamvoid.net/check/onlineautoinspection.com/

You may think that’s the end of this phishing story concerning OnlineAutoInspection[.]com but, remarkably, this fraud goes MUCH, MUCH deeper!  The phone number listed on OnlineAutoInspection[.]com is 866-593-4553. When we used Google to search for that phone number we unearthed a deep collection of more than 48 related websites, and all are highly likely running the same scam! ALL of these had the same phone number listed on them. They included…

  • CanadaVINStatus[.]com
  • CarFax4Less[.]com
  • CheckAutoStatus[.]com (A spot check shows it was registered July 23, 2023 / VirusTotal identifies it as phishing!)
  • CheckMotorcycleInfo[.]com
  • CheckTitleStatus[.]com
  • CheckTitleSummary[.]com
  • DetailedServiceReport[.]com
  • DetailedTitleCheck[.]com
  • DetailedTitleHistory[.]com
  • DigitalAutoAudit[.]com
  • DigitalCarRecords[.]com
  • DigitalTitleAudit[.]com
  • DigitalTitleRecords[.]com
  • DigitalVINRecords[.]com
  • DigitalVINSummary[.]com
  • GetAutoAudit[.]com
  • GetDigitalHistory[.]com
  • GetMotorcycleSummary[.]com
  • GetServiceRecords[.]com
  • GetTitleAudit[.]com
  • GetVINData[.]com
  • ImperativeVINReports[.]com
  • LienAndLoss[.]com
  • LienAndLossChecks[.]com
  • LienAndLossVerifier[.]com
  • MotorcycleSummary[.]com
  • MotorcycleVINHistory[.]com
  • MotoVINStatus[.]com
  • NationalAutoAudit[.]com
  • NationalAutoInspection[.]com
  • NationalTitleChecks[.]com
  • NationalVehicleData[.]com
  • NationwideChecks[.]com
  • OnlineTitleRecords[.]com
  • OnlineTitleReports[.]com
  • OnlineVehicleInfo[.]com
  • OnlineVehicleSummary[.]com
  • RevealVehicleInfo[.]com
  • SearchMotoHistory[.]com
  • ServiceHistoryReport[.]com
  • TitleLienHistory[.]com
  • TitleLienVerifier[.]com
  • TrueCarFax[.]com
  • UnlockVINReport[.]com
  • VehiclesInspection[.]com
  • VehiclesResearch[.]com
  • VINReportHistory[.]com
  • VitalVINReport[.]com

…and more!

On Scampulse, we found someone had reported CheckMotorcycleInfo[.]com as a scam and detailed how they got taken for a $27 report. The person reporting this scam said “sure looks like a ‘take the money and run’ scam, or a known ‘Vehicle Info. Scam’.”

Finally, Bobby also received an email inquiry for the used car from a fellow named Otelia Inslbyaew on Craigslist, simply asking if it was still available and that he was interested. Two things made this email HIGHLY suspicious and a likely faud…..

  1. Otelia asked Bobby to email him back at a Gmail account named “Ryan Brandon 325.”
  2. There was a LOT of white space after the Gmail address. When Bobby dragged his cursor through it, he discovered a long bizarre paragraph, all in WHITE TEXT, that began with “I am a proactive young woman of 24 years old….”

    You might find it interesting to know that Bobby was able to sell his used Toyota Corolla to a used car dealer about a week later. The dealer met him in person in a publicly visible area, with video cameras nearby, and paid cash for the vehicle! Kudos to Bobby for selling his car safely and avoiding the maelstrom of scams that targeted him. In the end, he told us that about 60 – 75% of the many contacts he received expressing interest in the vehicle were likely or definitely scammers!

      Suspicious Crypto Websites and Scam Fighter of the Year Awards! Have you seen these 4 suspicious crypto websites recently? Be careful! Check out and protect yourself with this 100% FREE, all-in-one tool

      It’s time again for the Scam Fighter of the Year Awards! The awards are organized annually by the Global Anti-Scam Alliance (GASA) together with ScamAdviser to bring more attention to the importance of fighting online fraud worldwide. Last year, a substantial 25.5% of world citizens lost money to scams or identity theft, culminating in financial losses estimated at $1.026 trillion.

      The Awards are organized to bring recognition to exceptional individuals, organizations and tools dedicated to turning the tide on scams. Previous winners include Peter Depuydt (Ex-EUROPOL), Donna Gregory (Ex-FBI) and Ayleen Charlotte (Romance Scam Speaker) among other notable scam fighters.

      You are invited to nominate your picks in the following categories:

      Best Scam Fighting Individual

      Best Scam Fighting Organization

      Best Scam Fighting Tool

      Puppy-Selling Scammers and Some Browser Protection! — Welcome to all our new subscribers who either read the WGBH article about Doug or heard his radio interview on GBH Boston radio recently and signed up! We’re happy to have you on our team and we encourage you to report any scams that turn up on your doorstep so that we can share them with our readers. Everyone benefits by learning about these scams. Last week, we heard from a woman who had just been victimized by a dog-selling scam website.  She said Unfortunately I think I have been victim of a scam. I found what seemed like a legitimate dog breeder in North Carolina. They built a contract, covering the shipping cost too, and I paid them $600. Now I am getting an email saying the dog cannot be delivered without a special Electronic Thermal Crate and I would need to pay an $850 “refundable” fee. When I try calling them the number continuously rings and no one answers. I haven’t paid this other fee as they asked for me to pay with Visa Gift Cards, which was weird to me. The website I bought this dog from was: https://marryjohndachshund.com/available-puppies/   The second website asking for me to pay for the crate is: https://airflightvets.com/

      Unfortunately, we had to tell the woman that the website MarryJohnDachshund[.]com selling dogs was a scammer’s website! We’ve reported on this type of scam before and our article about this scam lists more than 65 similar scam websites! However, we also wanted to show you that Guardio.io provides device apps and browser extensions that can offer some protection against fraud. Notice in the screenshot above that the Guardio browser extension we checked out told us that this doggy-selling website was newly created!  Newly registered website domains are a MAJOR red flag! However, what really shocked us was when we decided to select a reasonably unique sentence from that scam site MarryJohnDachshund[.]com and asked Google to search for that exact phrase! Google returned links to 6 more puppy-selling scam websites! This result, and the long list of scam sites noted above in our Top Story, should make it clear to our readers that ONLINE FRAUD IS RAMPANT! 

      Speaking of online fraud, here are a few more tips based on two recent, lovely emails. Check out this important business proposal from Mr. Philip Roger that we received. It is CLASSIC for 419 Scammers to send you an email from one address but ask you to contact them at a different address. And by the way, before you think that “Chemist.com” gives Mr. Roger any credibility, think again!  Chemist.com is another free email domain offered through Mail.com. Scammers LOVE using the free email domains offered by this service, such as accountant.com or usa.com. Check out their full list at: https://www.mail.com/mail/domains/

      This next scam was recently shared with us by a TDS reader and contains LOTS of warning signs of fraud. We thought it would be fun to point them out….

      1. Country code: UK – This email was sent to an American citizen from a server in the UK
      2. Fear the White Space! Most of the white empty space in this email was clickable!  Real legitimate emails don’t typically do this!
      3. Though sent to a US Citizen, the date in the email used the European standard of posting the day / month / year, instead of month / day / year, as it typical in the US.
      4. Lack of Personal Details: The recipient isn’t identified, other than “User#3564”
      5. The links for Payout Verification point to GoogleApis services. But these services cannot be trusted!  Fortunately, Virustotal.com was able to find two security services who identified the link as a phishing scam!

      If you use DropBox, you may want to protect your privacy better now that Dropbox has partnered with OpenAI:

      https://www.cnbc.com/2023/12/13/how-to-stop-dropbox-from-sharing-your-personal-files-with-openai.html

      Finally, below are links to several articles that our readers may find of interest…

      If your business, organization or school is interested in a training workshop titled “Find the Fraud” with Doug Fodeman, please contact me at doug@thedailyscam.com to inquire!

      Spearphishing Example, Bank of America, and Paypal Last week, one of our new subscribers told us about a spearphishing story that targeted his employer, resulting in him becoming a victim of fraud! He said…

      “I work at a small independent grocery store. This past Friday, December 15, my boss received an email from a scammer asking him to change the routing and account number for direct deposit of my account. He forwarded it to the HR person who works remotely. I also received a text from the Paychex company saying that they changed the direct deposit. I didn’t look at it because I thought it was a scam or mistake. This past Tuesday (one of my days off) December 19 the funds usually show up in my account, but they didn’t. I received a call from my boss/owner asking me to call my credit union and check to see if my accounts have been compromised. I called and the customer service representative said all looks good, it’s probably an isolated incident. 

       

      When I did check the information on the Paychex website I noticed the account and routing numbers were for a Green dot account located in Pasadena, California. I wish my boss had asked me directly instead of having HR change my direct deposit. I have the routing and account information for the phony account, but my boss didn’t want to pursue any further details. I did get the funds deposited into the correct account which I’ve had for over 15 years. What strikes me about this is the scammer got past 3 people, my boss, HR, and myself!”

       

      We informed the man that this type of fraud is, sadly, very common and almost always targets company owners and their HR or accounting departments.  However, this fraud is easily avoidable!  The solution to prevent these scams is stupidly simple!  Every business and their accounting staff should have a WRITTEN policy in which an employee MUST submit a signed form (preferably in person) before changing/modifying direct deposit accounts. The form must be requested by phone or via a legitimate email on file with the office.  And, If not delivered in person, then the employee should be required to call and confirm the written submission and, in that call, provide verifiable detailed information that is easy to confirm e.g. Social Security number, or provide the name of the direct supervisor, etc.  But most importantly, “disinhibited forms of communication” i.e. texts and emails, are NOT acceptable ways to request a change of banking information in today’s day and age.

      Check out this smelly phish pretending to be an email from Bank of America. It came from a hacked Cox.net account and tells the recipient that his account was suspended. Oh, dear! The login link points to the link-shortening service at Bit.ly.  We know, you’re shocked.  Check out where the victim will be redirected to if he were to click that link!  “Bank0fAmerica”  Can you say “Bank Zero America?”

      Deeeeeleeeeeete!

      This next type of phish has been overflowing the email inboxes of most of us! You are being charged nearly $500 for Norton Internet Security.  Hold on, you didn’t order this? But look closely! Does this social engineering trick include your name? No. Address? No. Payment details like credit card number? No.  So WHY do so many people still pick up the phone and call these bastards, often resulting in financial and emotional harm?  Read the paragraph at the bottom of this email and you’ll have a good idea how manipulative this can be!

      Christmas and New Year’s Malicious Clickbait! In the days leading up to Christmas, our readers reported a significant increase in malicious clickbait disguised as Christmas and end-of-year deals and steals.  Below are just 3 examples, along with WHY these are malicious clickbait scams and not legitimate.  Let’s start with this “QuickCharge” stocking stuffer device that is a real thing. HOWEVER, this email came from a business in the Netherlands (“.nl”) that offers banking services, not electronic gadgets!  The links in the email point to a legitimate, though often misused marketing service, called Sendgrid.net.  Fortunately, VirusTotal can see through the fraud in the link!

        Need a toasty heater to warm your heart and home, while lowering energy bills? Well, DO NOT click the link in this email to get it! This email came from ConsumerLoanSurvey[.]com and this domain was registered just last August and is hosted on a server in Germany. The links in this clickbait oddly point to autowings[.]net but you’ll be redirected to Google!  That usually means you’ve been hit with malware and it is time to kick you to the curb. This content isn’t toasty warm, it’s burning hot!

        Delete!

        Here are two more similar examples. Both came from the same email server in India. (Notice the email address ends with “.in”)  Links in both of them also pointed to the same website in India, but different from the site that sent this clickbait. LUNGE for the delete key, then grab some holiday cheer and celebrate that you dodged another bullet!

        We Couldn’t Process Your Payment — Our friend and scambaiter, Rob, received this gnarly email claiming that the accounting service Quickbooks couldn’t process his payment. But this email obviously came from ArsiMexico[.]com and the links pointed to a legitimate advertizing website called BlueKai[.]com.  HOWEVER, buried on BlueKai[.]com is malware that will hit you and then you’ll be REDIRECTED to a month-old site called MerchantsServicesCenter[.]com.  Six security services listed on Virustotal show this website as malicious!

        Deeeeeeleeeeeeete!

        Are You Free Tomorrow? — Readers may be disinclined to agree with us but we feel very certain that these randomly received texts from unfamiliar numbers are far worse than a text sent to the wrong person.  They are the start of a pig butchering scam that we’ve reported on many times in the last few months. This one was sent to one of our relatives from 409-354-3733. For those who are not familiar with the term, pig butchering scams are described here on Wikipedia. Most often, they begin with a simply “accidental text” that turns into a friendship with a scammer who typically grooms a victim for weeks or months, building trust to finally convince the victim to make a digital investment.  And you can guess how well that investment pays off. ‘Nuf said!

        Until next week, surf safely!

        Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
        have subscribed to it via Scamadviser.com or thedailyscam.com

        Keurenplein 41, UNIT A6311  |  1069CD Amsterdam, The Netherlands

        Contact Webmaster