THE DAILY SCAM NEWSLETTER  |  FEBRUARY 28, 2024

Co-Founder/Content: Doug Fodeman  |  Co-Founder/Creative: David Deutsch  |  V04N03

God Grant Me The Wisdom to Know If This is a Scam

Our friend Rob receives and responds to scam emails every single day. On February 19, he randomly received an email from Susan I. Beers telling him that his “funds have been approved” and to contact her to arrange a  wire transfer. Of course her email came from a domain that was registered just six days earlier and called GlobalInsights[.]online. However, what was surprising came in Mrs. Beers’ second email. She sent Rob a link to a website that offers grants to businesses and individuals, called sbagrantus[.]com. When we investigated this site, which encourages people to apply for loan-free grants, we opened another deep rabbit hole into Scamland! It revealed many scammy, or highly suspicious websites offering grants for individuals and businesses. But what, exactly, is the scam associated with these sites? Help us figure it out as we reveal why we believe these sites are a fraud, including the use of stolen images!

Mrs. Susan Beers’ email, infomaz @ globalinsightsjobs[.]online, was highly suspicious because the domain was less than a week old. In her email she told Rob that she would “deduct all transfer charges and taxes from the principal amount” that was being granted to him. This was very inviting! All he needed to do to start his application for a grant was to provide the following in his email reply:

  1. his current address.
  2. his phone number.
  3. his bank account details.
  4. A copy of his identification card.

After Rob responded with fake information, Susan Beers replied again, using a completely different email address (as is customary for scammers.) She said she had “Good News!!!” (Her second email came from susan.beers@aol.com). She told Rob that she had confirmed that he was “one of the lucky few that are entitled to the grant” and added “please complete the form below to receive your grant.” The link to the application form was: sbagrantus[.]com/form/  This website claims to be the “U.S. Small Business Administration” website and uses a stolen logo from the real US Government Small Business Administration website found at SBA.gov! Also, further exposing this fraudulent website is the fact that sbagrantus[.]com was registered in the European Union just days earlier (on February 18) and is hosted on a server in Saarland, Germany!

After completing the application form using fake information, Rob was told to contact a “Dr Kingsley at drkingsleyobiora@gmail.com for further instructions.” It was crystal clear that this “Small Business Administration” website was a fraud. But what, exactly, was the fraud? Susan Beers told Rob that he wouldn’t have to pay any fees to receive his grant. Were they just using this site to collect LOTS of personal details? The application form collected full name, address, phone number, email, and social security number, including front/back images of your social security card! And that wasn’t all. They also asked for date of birth, location of birth, mother’s maiden name, driver’s license number and expiration date and even your bank account and routing numbers! (Presumably so they can wire you your funds.) These personal details are extremely dangerous to hand over to criminals and can be used in many types of fraud!

We wondered if there were other bogus websites like sbagrantus[.]com? We searched for some of the exact sentences that appeared in this bogus website. We also noticed testimonials that appeared at the bottom of sbagrantus[.]com and we conducted reverse image searches using some of the photos found in these testimonials as well, and searched for some of the odd statements made in these testimonials. Again, we were shocked by what we discovered!

    For example, when we conducted a reverse image search using the photo of “Cynthia R. Conrad” in the screenshot above from sbagrantus[.]com, we discovered that this exact photo appeared on a website called GrantifyFundings[.]com. However, this woman’s name was listed as Alice T. Merlin, a “Medical Assistant.” Also, in the above screenshot from sbagrantus[.]com you can see both Michael M. Gonzalez and Michelle J. Robbins. Both exact photos were also found on GrantifyFundings[.]com but using different names. In fact, the reverse image search turned up a total of 5 highly suspicious or completely fraudulent websites, all offering Grants to individuals and businesses. Check out the two screenshots below!

    These bogus testimonials are not the only obvious fraud we were able to spot on these websites. For example, GrantifyFundings[.]com displays about a dozen photos showing lucky grant recipients celebrating their grants, often holding huge oversize checks in their hands. But these are all lies! We discovered that these are stolen and photoshopped images. We were able to trace several of these photos back to their original sources. Check out the manipulated photos below. The first photo shows 8 women celebrating their grant from GrantifyFundings[.]com, including a woman crouched lower left with extended arms. This photo (and many others) was stolen from a non-profit called ImpactAustin.org, where the original photo of these 8 women can be seen. The second example below shows a group called Partnerships for Children receiving a check for $94,000. That photo is also found on ImpactAustin.org and was manipulated and placed on GrantifyFundings[.]com!

        And, as a final example of their fraud, GrantifyFundings[.]com has a video on their website showing a success story narrated by grant recipient Thad Oviatt, CEO of Parkent Cycling. Thad talks about receiving a business grant in this video.  BUT Thad actually received a grant from the real funding site at Grantify.io and NOT from Grantifyfundings[.]com.  The original video of Thad, without the inserted logo for GrantifyFundings[.]com, can be found here on YouTube.com!  Our friends at Scamadviser.com give GrantifyFundings[.]com a low rank of 27 out of 100, marking it as “Risky, Dubious, Perilous.”  By contrast, Grantify.io is a legitimate service and has a high trust rating from Scamadviser.  It was registered in London in August, 2020.

        As we continued to dig deeper, searching for more websites connected to this type of fraud, we had no problem turning up more and more suspicious or absolutely fraudulent websites! For example, the “About Us” page of GrantifyFundings[.]com is IDENTICAL to the “About Us” page at GrantifyFinancial[.]com. They both use the same exact logo and the websites are essentially IDENTICAL! GrantifyFinancial[.]com was registered on November 10, 2023! Additional fraudulent/suspicious websites concerning grant money that turned up in our search included:

        • udpgrantsupport[.]com
        • brightusgp[.]com
        • wcbrelief[.]com
        • undpgovfunding[.]com
        • undgosupports[.]com
        • usaprogram[.]com

        In all, we turned up thirteen websites that we believe are completely fraudulent or highly suspicious. And ALL of them claim to offer government grants to individuals and businesses. So what do you think? Are these advance fee scams?  We think not! The reason is because few of these sites were found to have complaints leveled against them for stolen money. We think they are designed to steal personal information! Think about it… If you provided a lot of personal information to apply for a grant and were then told you were not selected, you would likely just let it go. You would never realize that the information you just provided to criminals is now going to be used against you! 

        IMPORTANT FOOTNOTE: ALL official websites associated with the U.S. Government have a domain that ends with .gov (e.g., sba.gov). So, if a site claims to be a US Government website, it better use the global top-level domain DOT-gov!

        Hacking Your Home Router, Failed Package Deliveries & More!

        Last week, on NextDoor.com, a woman named Lisa reported a nasty scam in which cybercriminals pretended to be the Internet service provider Xfinity (Comcast). Here’s what Lisa described: “I received a scam call from 740-251-4575. Caller said they were from Xfinity and there was a problem downloading Xfinity’s latest security update. [for her router] The issue was my router. If we didn’t resolve it, I could possibly lose my internet connection. He wanted to troubleshoot my router. Very polite, not aggressive, heavy accent. He knew my name, email address, phone number. I refused stating I couldn’t verify who he was, and I would call Xfinity directly, and hung up. I spoke with Xfinity this morning, and it was not them. Xfinity stated they will NEVER call you unless you have arranged for them to call, which is what I assumed.” We ask ALL our readers to spread the word about this scam!

        If you read last week’s newsletter, you’ll recall the scam in which cybercriminals were using hacked social media accounts to spread the lie that “Simon Cowell” has died. This was a trick to get people to give account access to the hackers. The post included a link that looked like it pointed to the shortcut for YouTube, but we couldn’t verify the link. Check out this recent article from an outstanding company called the Media Trust. Apparently, there is a piece of malware known as Ghostcat that can redirect video links. Hmmmmmm…. We can’t help but wonder if that Ghostcat ruse was used in the YouTube link about Simon Cowell.

        For most of the latter half of 2023, we saw how scammers used fake texts to try to trick people into clicking malicious links disguised as problems associated with a package delivery. Those texts have essentially disappeared but the email versions have not!  Check out this screenshot taken from one user’s inbox over a few days….

        Scammers often use “redirects” to send people to malicious websites without them realizing what is about to happen. The most common way they do this is by using link-shortening services, such as one below in the fake Endurance insurance email of our “Your Money” column. Other times they simply create a redirect using software on a website. When you go to visit the website, the site itself will send you on to another website. However, a third way to redirect you to a malicious website is to hide the redirect within a link itself. You look at the start of the link and think you are headed off to one website, but buried in the link is another website that you are really going to! Check out this malicious email sent to a business recently. A mouse-over of the link shows that you’ll be sent to a website called spently[.]com. But buried in that link is another “https” followed by a VERY MALICIOUS website called r20.rs6[.]net!  If you see a second “http” or “https” buried inside of a link, it means it is a redirect to the website that follows it! Sometimes this is OK but often it is not! (For example, a redirect to amazon.com within a link for amazon.com is OK.)
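The third kind of redirect described above, a second "http" or "https" buried inside a link, can be checked mechanically before anyone clicks. The Python below is an added example, not part of the original newsletter; the function names and the `.example` links are constructed for illustration, and the same-site test is a plain host comparison (an assumption, since no public-suffix list is used).

```python
import re
from urllib.parse import urlsplit, unquote

# Start of an absolute http(s) URL anywhere inside a string.
_URL_IN_TEXT = re.compile(r"https?://[^\s\"'<>&]+", re.IGNORECASE)


def _host(url):
    """Lower-cased hostname of url, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def _related(a, b):
    """Rough same-site test (assumption: no public-suffix list available)."""
    a = a[4:] if a.startswith("www.") else a
    b = b[4:] if b.startswith("www.") else b
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def hidden_destinations(link, max_rounds=3):
    """Return (visible_host, [other hosts buried in the link])."""
    try:
        parts = urlsplit(link)
    except ValueError:
        return "", []
    visible = (parts.hostname or "").lower()
    # Only look past the visible host: path, query string and fragment.
    tail = " ".join((parts.path, parts.query, parts.fragment))
    found = []
    for _ in range(max_rounds + 1):
        for match in _URL_IN_TEXT.findall(tail):
            host = _host(match)
            if host and not _related(host, visible) and host not in found:
                found.append(host)
        decoded = unquote(tail)  # peel one layer of %-encoding per round
        if decoded == tail:
            break
        tail = decoded
    return visible, found


# Constructed sample links (reserved .example names, not taken from the email).
SAMPLES = [
    "https://outer.example/click?u=https%3A%2F%2Finner.example%2Flogin&id=7",
    "https://outer.example/t/https%253A%252F%252Finner.example%252Fpay",
    "https://www.shop.example/r?next=https://shop.example/cart",
]

if __name__ == "__main__":
    for s in SAMPLES:
        visible, hidden = hidden_destinations(s)
        print(visible, "->", hidden or "no foreign destination")
```

The first two samples hide the second address behind one and two layers of percent-encoding, which is why a mouse-over alone can miss it; the third is the harmless case of a site redirecting to itself.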

        We recently helped confirm for a woman that the man she met on Hinge was a low-life romance scammer and NOT the man he claimed to be. One of the ways we did this was to point out a bizarre discrepancy in a document that he sent her. The scammer claimed to be a man named Louis Chanson, from Australia, and working overseas in Malaysia. As proof to support his story, “Louis” sent the woman a jpg photo of his Malaysian Visa. But we were able to peek under the hood of this photo and show the woman that the document was created more than a month after the Visa was issued! EXPLAIN THAT ONE, LOUIS!

        We OFTEN describe scammers as low-life, subhuman, disgusting creatures who couldn’t give a damn about other people! They couldn’t care any less about the pain and suffering they cause people in order to make money. Check out these two recent articles that support our point. The first is about a Vermont hospital that suffered a ransomware attack, and that attack put innocent people’s lives at risk!  The second article is about scammers who specifically targeted people who had just lost a family member and were in the middle of funeral arrangements when targeted…

           https://www.nytimes.com/2024/02/18/us/cyberattack-vermont-hospital-guilty.html

           https://www.newsweek.com/facebook-funeral-livestream-scam-money-1872483

        We often warn readers about how easy it is for cybercriminals and legitimate businesses to acquire LOTS of personal information about you. That information is bought and sold, used to target you with advertising, promotions and yes….malicious threats! (Read our newsletter article from January 31: Your Personal Information Online Puts You at Risk!) We mention this again because just recently the Federal Trade Commission fined the antivirus company Avast because they used their AV protection software to gather personal details about consumers’ browsing activity and sold it without getting permission or informing people! Shame on them! Check out…

        https://www.darkreading.com/cyber-risk/ftc-orders-avast-to-pay-16-5m-for-selling-consumer-browsing-data

        Here’s an article we never would have thought possible… Would you believe that Mexican cartels are involved in Timeshare scams?  Read…

        https://www.yahoo.com/news/addiction-thousands-americans-fall-prey-110449963.html

        And remember to check out the first two episodes of Doug’s Podcast series with SecureWon!

        https://www.securewon.com/resources/podcasts/

        Real Businesses DO NOT Speak Like This…

        Thank goodness most cybercriminals are not native English speakers!  If they were, it would likely be harder to detect various forms of online fraud. Take this lovely phishing email sent by “Lauren Moore” but using a free Gmail address called “nRodriquezBarnacle4odhi.”  It begins very informally as you might expect any business email to begin…. “Hey there” (said dripping with sarcasm!) Try reading the paragraph that follows and then plant palm to forehead!

        Here’s another scam email that drops a fake phone number into the body of the email. Like so many phishing scams these days, it was also sent from a free Gmail account and not a business! And what legitimate business would ever spell “bill” as “bil Real ling” ????  Lunge for the delete key!  And remember to report your smelly phish!  https://safebrowsing.google.com/safebrowsing/report_phish/

        Sirius XM Subscription Expired, Discount Insurance and What’s This?

        One of our readers sent us this “automatically” generated message pretending to be from Sirius XM radio. But it really came from a server in Mexico! Like so much other malicious clickbait, the link in this email points to the misused services at GoogleApis! Will Google Apis ever be trusted again? We think not! Delete!

        Cybercriminals often disguise clickbait as discounted insurance offers of varying kinds. This one pretends to be from Endurance Insurance, but came from another free Gmail account! Links point to a link-shortening service that Google knows nothing about at ahf[.]pw.  The “pw” indicates that this service is either registered to or hosted on the Island of Palau. In any case, you’ll be redirected to a malicious website.

        Deeeeeleeeeete!

        One of our readers just sent us this lovely “myster box” that came via an email from Montenegro, in southern Europe, bordering Serbia. The sender is from New Zealand so it is a total mystery why he should get this mystery box! Did we say it is malicious? Pick a key!

        QR Code Tricks and Signature Requested

        Last week we wrote about clever scammer tricks to get you to install malware, including the increasing use of QR codes. Well, a business that is heavily targeted by cybercriminals showed us this clever trick but with another additional trick. The email showed a completely fabricated email thread between the “HR” department and the victim being targeted by this threat.  The person told us that their business doesn’t have an email account called “hr.”  This same trick was also used to target another business in New Jersey because the lazy scammers didn’t change all of the text in the email! They left text identifying at least one other business (and possibly another one as well.)  The QR code pointed to a website that was registered on the day this email threat was sent!

        Scammers frequently target people and businesses with emails claiming to require a signature on official documents. But the links in these bogus emails are always dangerous!  Check out this “Settlement Agreement” sent to a CPA firm. The attached document was a DOT-htm file, meaning that it contained instructions to take over the recipient’s browser.  It was designed to send the victim’s browser to a very malicious website called xellicho[.]shop! This website was registered on the day this email was sent! 

        Here is another example of a malicious email that claimed to come from a docusign service and asked the recipient to sign the documents. A Signature is required! But the QR code in the attached pdf file points to a VERY MALICIOUS website called strivedepot[.]com! Step away from the ledge!

        Until next week, surf safely!

        Copyright © 2024 The Daily Scam. All rights reserved.