Select Page

We would love to hear your feedback

THE DAILY SCAM NEWSLETTER  |  FEBRUARY 14, 2024

Co-Founder/Content: Doug Fodeman  |  Co-Founder/Creative: David Deutsch  |  V04N01

You Won Love and the Lottery!

Wow, have we got an amazing love story with a money twist to share with you this week! Our dear friend Rob had an amazingly positive turn of fate! We all get random emails in our inboxes, but how many of us can honestly say that a randomly received email can so dramatically and positively improve one’s life? Rob now can! It all began when our friend opened his email on January 9 to find an email from ht6@i365ms[.]com. The sender, a 35 year old Turkish woman named Anyuta or simply “Anna,” randomly found Rob’s email address and sent him a short, but invitingly sweet, email summarized by her claim that she was eager to chat with Rob. Trust us, you’ll be surprised how serendipitous this random connection will be for Rob!

Besides being passionate about history and culture, Anna likely has a strong interest in international travel because her email domain, i365ms[.]com, was registered in February 2020 using a Registrar in Singapore. The person who registered the domain name said they were from Lima, Peru. Of course our intrepid friend responded to Anna! Afterall, it’s not often that a man in his later decades of life gets such a lovely invitation to chat with an interesting and beautiful young woman like Anna! Here’s just one of the many photos Anna shared with Rob…

    Rob tells us that he and Anna chatted back and forth about 5 times over email, getting to know one another.  Oddly, Anna’s email quickly changed to “Anna <badgirl221@bddooo[.]com>” but that’s not important, is it? (Bddooo[.]com appears to be a Turkish Independent audit and consultancy service. Their ‘About US’ page says that this firm came together in 1973 and now has more than $13 Billion dollars in assets, and more than 1800 offices in 166 countries. Did we mention that their domain, bddooo[.]com was registered less than 2 months ago on December 21 by someone named “Emma Retter.” Not that it really matters, but Emma listed her address as a lovely little home in a residential neighborhood in Blissfield, Michigan. But we digress…) Their friendship grew and a bond began to form between them! This was obvious because Anna began to refer to Rob as “my dear” and end her emails with “Kisses, Anna.” Their online relationship grew so quickly that, on a whim, Anna decided to purchase a Turkish Lottery Ticket as a gift for Rob only a few days after they first met via email. You’ll never guess what happened to that lottery ticket! IT WON! That’s right. Rob won more than $440,000 from the lottery ticket that Anna bought for him! 

    Anna purchased Rob’s lottery ticket from a website called “Turkish Lottery of Fate” at turkishlotteryoffate.com.tr. It’s a fairly new and interesting website. It was just registered on December 6, 2023, about 5 weeks before the ticket was purchased. It is being hosted on a server in Southern Switzerland. The website shows 8 faces and names of recent winners. These faces and names change periodically and it is nice to see that. (On January 2 on Quora.com a man named Huw Pritchard posted a detailed description why he believes turkishlotteroffate.com.tr is a scam website, and that it is identical to another scam lottery site in Kazakhstan called astanaluck.kz.)

    After winning this awesome lottery, Rob was contacted by a personal manager from the Turkish Lottery of Fate website by the name of Kurt Kaplan (Email: assistance@turkishlotteryoffate.com.tr) Mr. Kaplan congratulated Rob and told him that his winnings were now moved to a Bank called Turkish Financial Phoenix Bank, tfpb.com.tr and using the phone number +905087744238. We also found this bank very interesting, and  suspicious too. For example, their Management Team is shown on their About page. It shows a photo of Deputy CEO named Mehmet Yilmaz. But a reverse image search of this woman’s photo tells us that her name is also Anna Svoboda, a Marketing & Communications Specialist for Unilever and employed by another bank in Ukraine. Also, the CEO of the TFPB.com.tr bank is named Ali Akgul. A reverse image search of the image shown for Mr. Akgul revealed the identical photo can be found under multiple names on more than 5 other websites in countries around the world, including Ukraine. In fact, all members of the management team at this Turkish bank can be found with different names on this Ukrainian Bank’s website

    But nevermind these oddities. Our friend Rob is a very generous man with a heart of gold! He told Anna that he wanted HER to have all of his lottery winnings!  Below is Anna’s reply on January 20th.  We can’t help but wonder if Anna’s English is, perhaps, not as good as we thought it might be.  Her responses feel like they’ve been generated by a poor translation tool from her native Turkish language. But most importantly, it’s lovely to read that Anna tells Rob how much their email interactions have helped her to “open up” and followed again by “Kisses, Anna.”  Awwww.  Unfortunately for Anna however, the lottery ticket was taken out in Rob’s name. And so Mr. Kaplan informed Rob that only he can collect the winnings! But that’s OK. Rob can certainly collect them and give them to Anna, right?

        Over a period of about a week, Rob continued to go back and forth with Mr. Kurt Kaplan, his personal lottery manager about his winnings. The $440,389.00 had now been transferred to the Turkish Financial Phoenix Bank at tfpb.com.tr.  At one point, the conversation becomes a bit confusing because Mr. Kaplan tells Rob that his lottery company is the “National Lottery of Kazakhstan” and NOT Turkey!  Mr. Kaplan wrote…

        “Hello Mr. Robert. I have just received a response from the payment department of our company. The information you provided to register as a winner and receive the winner certificate has been registered. I am sending you a financial certificate confirming your winnings. You can read this in the pdf file attached to the message. Since you are not a citizen of Kazakhstan, and our company is the National Lottery of Kazakhstan, we cannot pay your winnings outside the territory of the jurisdiction of Kazakhstan.”

        Mr. Kaplan also sent Rob an official certificate authenticating his winning lottery from the Turkish Lottery of Fate. But this pdf file also had some oddities to it, such as the fact that when we magnified it, we discovered that the bottom few lines of black text were typed OVER the signature on the document. We would have expected a signature to be written OVER the printed text, not the reverse!

        Unfortunately, on January 25, Rob learned that there was a “small hiccup” to collecting his earnings from the Turkish Lottery. Apparently, ONLY citizens of Turkey were legally able to collect lottery winnings! But thank goodness, Mr. Kurt Kaplan informed Rob of a simple solution which had been successfully used many times in the past with other non-Turkish citizens who had lottery winnings.  Mr. Kaplan wrote….

        “According to the Federal Law of Turkey No. 213-NZ dated December 10, 2019 “Currency regulation and currency control”, all currency transfers to the accounts of non-residents of Turkey must be accompanied by a transaction passport. A transaction passport is a document used for currency control. The Bank, acting as an agent of currency control, oversees the provision of services for the transfer of funds abroad.”

        All Rob needed to do was to purchase a Transaction Passport through the Turkish Financial Phoenix Bank! Thank goodness!  And the cost of issuing a transaction passport by the bank is only $2,100. Given the fact that this bank already had an account for Rob containing $440,389.00, you would think he could just tell the bank to withdraw the $2,100 from his existing account to pay for the transaction passport.  Sadly, he learned that this wasn’t possible.  In the end, he was told that he must first wire $2,100 to the bank in Turkey from a personal account in the US before they could issue the passport. Once purchased, they will then transfer his winnings to his personal bank in the United States.

        When last we checked with Rob, he hadn’t wired any personal money to the bank in Turkey.  However, he and The Daily Scam both did some more digging into this lovely story of luck and love. We discovered that other people have been talking about it online in the past few weeks.  Here are a few of those links referring to Anna as a fraudster…

        • Anna’s badgirl email address and first email sent to Rob are both listed on this Scamaware website. (Then search for “Anna” on the page) Also on this Scamaware website, someone posted this email from Anna and titled it “Lottery Ticket Surprise.”
        • A similar initial email from “Anna” was reported to Scamsurvivors.com at the end of last December, 2023. This included a different email address at bddooo.com.
        • On January 9, someone reported Anna’s email address and the same email Rob received as a scam on RomanceScam.com.

        Dodging a Bullet, Malicious Mimics and More Credibility Problems!

        Just last week we heard from a US Chemical business with an incredible story! The Safety Director at this large company explained how they barely dodged a bullet shot by fraudsters at one of their clients. The scammers pretended to be this officer of the Chemical business. They spoofed her email and reached out to a client of the business to inform them that they now had a new address to which they asked the client to send past due invoices still to be paid. What is also incredibly remarkable about this fraud, is that the scammers had acquired the real employee’s email signature and used it in their fake email to the client! They also followed up by calling the client and pretended to be Safety Director over the phone! This is a LOT of fraud, requiring a lot of knowledge about both the Chemical company AND the client company! We strongly suspect that the client company might have been hacked and scammer’s discovered the overdue invoices and information about the Chemical company.

        The scammers told the client that their past due checks needed to be sent immediately to the new address. The only reason that his fraud was exposed was because an employee of the client company reached out to the Chemical company to say they were not happy with how quickly they were being pressured to make these payments to the new address. The quick investigation that followed revealed that the new “address” to which the past due invoices were to be sent was actually a post office box in a Staples Store! Also, additional investigation into the fraudulent emails sent to the client showed subtle, but important, errors, in the name of the Safety Director who was presumed to have sent them. Police were informed and, after learning the details of this fraud, immediately dispatched an officer to the Staples Store where he was able to recover the checks mailed by the client to the PO Box. It should be obvious to everyone that the police have likely notified the Staples Store employees to closely monitor the PO Box and notify them just as soon as someone attempts to open it. We’re also sure there are security cameras at the Staples Store and we’ll let you know more if we learn anything new.

        We often talk about domains that are “malicious mimics” because they are registered with a name that appears to be very similar to a real, legitimate business or organization.  Here’s a perfect example taken from a recent email shared by one of our readers.  The email below was sent from the domain mailsync-wordpress[.]org and pretended to be from WordPress.org. The malicious mimic domain was registered just 6 days before this email was sent!  A mouse-over of the link to “Download Plugin” reveals that it points to the link-shortening service at Bit.ly.  Unshortened, we see that it redirects to another malicious mimic called ca-wordpress[.]org. This second mimic was registered less than 6 weeks earlier! Virustotal had NO PROBLEM identifying this link as a phishing scam!  It’s important to look carefully at the domain names displayed on our devices!

        We often talk about people with credibility problems! Their credibility problems always make us pause, and ultimately, decide that we don’t trust the sender. Here’s another perfect example. Last week we received this interesting pitch from Timothy, a Business Analyst with WebTech Research. He tells us that WebTech Research is an “age-old Digital Marketing Agency operating over 10 years.”  If that’s true, why is it that his domain, WebTechResearch[.]com, was registered about 15 months ago?  No thanks, we’ll pass.

        Speaking of credibility problems, last week we received an awesome email from Benjamin Franklin. Mr. Franklin put us in touch with Ronald the Rhino. (Who must be channeling a children’s book?) Ronald Rhino happened to be the CEO of UPS! Apparently, Mr. Rhino had a $3.5 Million dollar certified check waiting for us to pick up. The check was sent by President Biden! People, this couldn’t be any more hysterical!

        Tricks Used by Scammers…

        Many businesses, non-profits, schools and others use antispam servers to try to limit the number of fraudulent emails that drop into people’s inboxes. And scammers use all kinds of tricks to get around their watchful eyes.  Here are a few of those tricks that were used in recent phishing emails. Take a close look at the phone numbers entered into these bogus GeekSquad emails that came from free Gmail accounts.  Scammers substituted letters for numbers, added an invisible white-on-white number (0) and used ridiculous spacing patterns so antispam servers couldn’t read these phone numbers and check them against known scam phone numbers. Of course the very fact that they use these tricks means that these emails are a complete fraud!

        We find it particularly hysterical and heinous at the same time when scammers tell you that their scams are to be trusted!  Check out this crazy phishing scam that targeted us, saying that it was “sent from a trusted source.” When we clicked any of the 14 links in this smelly phish, we were greeted by a fake Webmail login page on a server in Argentina and showing our email address. So we modified our email address that was embedded in the links to something that makes more sense…. I-am-a-scammer@FRAUD-HERE.com!

        Don’t be fooled to login just because you see your real email address already populating a login field that appears legitimate. Do your due diligence and look at the website you’ve landed on or the link BEFORE you click!

        Finally, proper English grammar, punctuation and capitalization matter! Check out this email that legitimately came from scammers who were misusing Paypal services. It contains several suspicious red flags due to poor English! Oh, and the phone provided is not any number associated with Paypal. Deeeeeleeeeete!

        Remember to report your smelly phish!

        https://safebrowsing.google.com/safebrowsing/report_phish/

        Peacock Subscription Services & Facebook Marketplace

        Oh my gosh! Cybercriminals must either love or hate Peacock TV streaming services! We’re just not sure which it is. Our readers have reported dozens of these malicious clickbait disguised as Peacock TV. First of all, Peacock would NEVER offer a year’s worth of streaming for $2! This first email came from a server in France and the link certainly doesn’t point to peacocktv.com! The second example below has links that, once again, point to the very misused services at GoogleApis.com. Lunge for the delete key!

        Speaking of misusing GoogleApis services, check out this email a reader shared with us that pretended to be from Facebook Marketplace.  It didn’t, of course. Technically this is a nasty phishing scam meant to capture your Facebook login and password but the webpage used to create that fake login rests with GoogleApis.com! Fortunately, VirusTotal shows many security services are well aware of this fraud.

        Dangerous QR Codes, Shared and Attached Files

        Periodically we have reported the risks associated with QR codes created by cybercriminals. Below is another example. A reader from an accounting firm sent this to us, recognizing the risk it contained. The subject line, thankfully, made it easy to spot. “Salary Elecontrinic Statement.” The attached pdf file contains a single line of text and a QR code to scan.  Noooooooooo! Step away from this ledge!

        This next email claims to be from a Microsoft account, saying that an Excel file has been shared with you. But mousing over the link shows a strange domain name called onelink[.]me. This is a completely different company and has nothing to do with Microsoft! Like so many legitimate companies, Onelink is being misused by cybercriminals and VirusTotal clearly shows the threat!

        Another one of our readers received this email with an attached pdf file, asking that he review and sign this document. But the pdf file contained a link pointing to X’s (Twitter) link-shortening service called t.co.  When we unshortened that link, we were not surprised to see that that 4 security services had found it to be malicious. You know what to do!

        Until next week, surf safely!

        Copyright © 2024 The Daily Scam. All rights reserved.
        You are receiving this email because you have subscribed to thedailyscam.com

        Marblehead, MA 01945

        Contact Webmaster