This Scam is Music to Our Ears! — There is a lot of research that supports the value to our brains for learning to play a musical instrument. But musical instruments, and lessons, can be terribly expensive! That’s why I was initially overjoyed when I received a random email in my inbox last week from a woman named “Katie Vaughan.” Katie was offering her late husband’s Yamaha Piano to anyone for free! All I had to do was cover the shipping cost. She asked me if I wanted it and I responded immediately, saying “YES, please!” After waiting 3 days for Katie to reply, she finally sent me details about the piano. She also said that I needed to consider this offer quickly because she was moving to France soon. (She later told me that she was about to have surgery and would be unavailable.) The piano was in storage in Little Rock, Arkansas, USA and she gave me the contact information of the shipping company that had her piano. Can you see where this is going? Well, I have my own curve ball to add to this story. I tricked Katie into clicking a tracking link, showing me exactly where in the world she was located when she offered me her free piano. Can you guess where? It wasn’t Arkansas! Join me as we make music together!
Below are screenshots of the first two emails I received from Katie. It’s important for our readers to note that Katie Vaughan sent her email from a Gmail address named davidmbaya86 AND set up that email so that my reply-to would go to a different address, kjvaughan1 @ outlook.com. This is typical scammer behavior! Katie’s second email also included 4 photos of her piano. Notice that one of these photos happened to have a red cone and picture frame in the upper left corner of the photo. This makes the photo quite unique and therefore easy to find it elsewhere on the Internet through a Google image search.
As a result of our Google image search for the photo with the red cone, I had no problem identifying this offer as a fraud. This scam has been described by multiple people across the Internet for a few years. Several people reported losing $2059 each to this scam in 2023 alone. They reported nearly the exact same story of a woman giving away her late husband’s piano for free. The only cost, they say, is for the shipping company to deliver it. And of course, any payments made to the shipping company never produce a piano, but result in a financial loss! Here are some of these descriptions I found….
- Multiple people in 2023 have posted about this scam on Scampulse.com, all orchestrated through a fake moving company called “EverBestMoving[.]info”
- October 7, 2023 post on Facebook from Jon the Piano Tuner’s Facebook page. He and a person named Terry say that they get this scam email almost once per month
- December 5, 2022 Facebook post from Mannington Music School. One on the page, search fo the word “SCAM.” The account owner says that he has received 6 – 12 of these scam emails
- November 30, 2022, this scam was reported on Scamwatcher.com and coming from a woman named Maria Mcguire. The website name of the moving company used in this scam was again EverBestMoving[.]info
- September 1, 2022 Twitter post by Father Johannes Nobel. He described this scam as an offer to his church from a woman who called herself Elizabeth Wallace.
- August 11, 2022 Facebook post from Irene Aranda, a musician. (Search for PIANO SCAM) She told the woman who was giving away the piano that she had her own piano movers who would come get the piano. That was the last time she heard from the scammer! Two other people reading her post said that they had also received this offer.
- This piano scam was also posted on the Graff-Reinett Community Newspaper website and the Knysna-Platt Herald website, both from S. Africa, in January, 2023, as well as at least 3 other S. African local newspapers.
- This scam has also been posted on the FishBowlApp.com website by a man identified as “Ben Khalid.” He claims that a friend is offering the piano for free and asks those who are interested to contact “Deborah” using her email address 9020da@naver[.]com Naver[.]com happens to be a Korean telecommunications company and search engine, offering free email as well. We think an email address for Deborah at Naver[.]com is very suspicious!
It was crystal clear to me that I was communicating with a scammer, who statistically-speaking, was likely a man pretending to be a woman. I wanted him to reveal all the details of his scam and, hopefully, show me where in the world he was located! I continued my email exchanges with “Katie” and she told me that the moving company that had her piano in storage was called Imperial Logistics Freight (imperiallogisticsfreight[.]com)
With this information, I immediately contacted the shipping company to ask about the cost to ship Katie’s piano. The shipping company quickly responded, telling me that the cost for shipping varied based on how quickly I needed the piano. I chose the cheapest and slowest delivery method, at a cost of $1,280. However, I also sent Katie an image of a $100 Apple Gift Card to thank her for her generosity! The gift card was linked to a tracking service and a redirect as well. When “Katie” clicked the gift card, I was immediately informed where in the world she was located. She was also redirected to a website called Thatsthefinger.com, demonstrating to Katie exactly what I thought of her ploy. Two unexpected things happened! First, “Katie Vaughan” clicked the link several times, twice revealing that she was located in Lagos, Nigeria!
I didn’t expect this scammer to be from Nigeria. Moreover, I figured that since my redirect sent him on to a website showing a rather rude gesture, I figured that my cover was blown and he knew that I knew he was a scammer. But hours later I got my second email from the bogus shipping company, with detailed information about the cost for shipping the piano to me. It included an attached invoice informing me how to make payment for this delivery charge in advance. The attached invoice was a pdf file.
Did you know that a pdf file contains some interesting hidden information about its construction/creation? I peeked under the hood of this pdf file and discovered that the AUTHOR of this pdf file was named THE GREAT GATSBY! This author’s choice of name is very interesting! According to Brittanica online (scroll down to the paragraph called “Analysis”), F. Scott Fitzgerald’s storyline is “At its centre is a remarkable rags-to-riches story, of a boy from a poor farming background who has built himself up to fabulous wealth.” I think it is highly likely that the scammer who created that pdf comes from a poor farming background in Nigeria and is determined to build his wealth by scamming others! And, he seems to take some pride in comparing himself to the character in The Great Gatsby!
By the way, this “shipping company” wanted me to wire my payment to a Chase Bank account that was NOT owned by the shipping company, but owned by a woman named “Linda Rothrock” from Tampa, Florida!
It was crystal clear that sending any money to this bogus shipping company would have been a complete loss to me! It would likely have been immediately transferred somewhere else, and then Linda’s account shut down. I also know this for a fact because in December, 2023 someone posted this exact same piano shipping scam and NAMED this bogus shipping company, imperiallogisticsfreight.com. This is what was posted on the bbb.org website…
“We were sent an email from a trusted source who in turn received what we know now was a hoax offer to give away a used but good Yamaha piano. “All we had to do” was pay for the shipping. $1250 dollars for 3 week delivery. Then this week after we had paid that we received suddenly an email from the mover saying they had “found” a large some of cash hidden in the piano. To get the piano released we would have to pay another type of fee which was all nonsensical. It is what made me recognize that this was a scam all along.”
LOTS of scammers use fake shipping companies as a critical part of their scam. (Our Top Story in our December 13, 2023 newsletter was all about this fact!) It took just a few minutes to find multiple reasons why this shipping business is a fraud! Starting with the fact that this big shipping business website was registered less than 6 and ½ months ago AND their business address, listed as 8405 Stanton Road in Little Rock Arkansas, is a tiny single floor strip mall with about 4 businesses in it. NONE of them are Imperial Logistics Freight shipping company.
The imperiallogisticsfreight.com website contains LOTS of red flags such as….
- Their “About Us” webpage shows a huge container ship with a logo on its side showing that it belongs to the shipping company called Hartmann Shipping, and not to Imperial Logistics Freight!
- Their website says they have been in business for “10+ years” and yet their business domain was registered 6 ½ months earlier!
- The website was filled with English errors! (See the screenshot below for some examples.)
There was one more surprise to this scam that has left me scratching my head, wondering….. After sending “Katie” off to a rude website pointing “the finger” at him, I was certain I wouldn’t hear from these scammers again. But on Friday morning, January 19, I got a follow up email from “Christopher McAstocker” (“McAstocker” ???? Mc Ass Stocker?). He was asking when I would be sending him payment so they could deliver my piano! Thirty minutes later, I sent Chris an email, claiming that I tried to transfer the money to the Chase account in Tampa, but got an error message. I sent him a small photo of the error message. The image was also tied to another tracking link. The scammer who received this email clicked the link and showed that he was located in Chicago, Illinois. However, this is very likely not true, and it wasn’t a surprise either. Lots of scammers use VPN services (Virtual Private Networks) to log into networks all over the world in an effort to hide their exact location. What was surprising was that he clicked our tracking link at all! It told me that he was not likely the same scammer pretending to be “Katie Vaughan.” This second click indicated that this scam is likely run by a group of scammers, and some who are more sophisticated than others!
Beware the Meta Business Support Scam! Is Your Business Safe? — “Your page will be deleted soon…” Did you receive this message from Meta? Don’t click! Check out on this scam and protect yourself with this 100% FREE, all-in-one tool
Share Your Scam Story & Empower Others, and Rob Records a Scammer! — ScamAdviser, in collaboration with The Daily Scam, is excited to announce a groundbreaking initiative: a platform for individuals who have encountered scams to share their experiences through 2-minute video testimonials. These aren’t just stories – they’re powerful lessons that can educate, alert, and empower others to recognize and steer clear of similar scams. Your voice matters, and your insights are invaluable in creating a safer digital world for everyone. Be among the first to share your story on ScamAdviser’s new platform. Your experience with scams, though challenging, has the potential to help countless others. If you are ready to make a difference click here to record or upload your scam testimonial. We thank you for taking this important step! And speaking of telling your story, watch this interview between Doug, from The Daily Scam, and an NECN Reporter about a variety of scams, especially romance scams. (The interview posted on January 19 as a part of Matt Fortin’s NECN article when a victim of a romance scam shared her story with Matt.)
Last week, we pointed out a scammer’s trick to get your attention by sending you a malicious email that looks like it comes from YOU! That happened TWICE last week to our friend, Rob! He received 2 similar phishing emails, (the latest one is below) that appeared to come from himself. In typical Rob fashion, he immediately picked up the phone, turned on his recording software, and called the scammers after he got this second scam….errrr, we mean notification from Paypal Customer Support. He wanted to tell them he had not authorized any cryptocurrency purchase!
Below is Rob’s 6 ½ minute phone call with the Paypal scammer. You can clearly hear that the man he is talking with has a deep Indian accent AND that there is a lot of chatter in the background indicating that this man is in a cybercriminal call center! (Lots of the background chatter sounds like it could possibly be Hindi, the primary language of India, but we’re not certain of this. Can any reader confirm this and let us know?) Most importantly, the scammer tries to get Rob to visit a VERY dangerous website at RKHelp[.]live. This website contains software that will allow the scammer to take control of Rob’s computer. NEVER ALLOW THIS! (See screenshot below showing the top page of this dangerous website and what VirusTotal informed us about this website.) Once Rob informs the scammer that his security software is blocking their tool, the scammer hangs up!
Paypal call with Rob-bitcoin scam
Last week we mentioned that two women, Ann Segers and Jessica, were trying to contact Doug and David at The Daily Scam repeatedly through suspicious emails. Ann Segers is particularly persistent! Since last week, Ann has sent us at least another 6 emails, from at least 2 different “crap” email addresses! We’re both flattered that she’s so interested to get our attention. We’re happy to keep opening them, triggering a tracking link she includes, so that she continues to waste her time to send us more emails.
If you haven’t already seen it, please check out Doug’s January Podcast on SecureWon.com about the Threats Attached to Some Emails and the Risks They Can Cause. Our very special guest is Dolly Ryan, Director of Education, with SecureWon. Dolly and Doug have an interesting connection going back many years. Late one Friday, Dolly arrived like the cavalry to help Doug recover from a serious computer network hack that had attacked his school. The attack likely began with a malicious email to a teacher.
Did you know that hackers can steal data “cookies” stored in your web browser that contain password information? Check out this recent article on Malwarebytes.com about this threat:
Facebook and CVS Phishing Threats, and Your Amazon Prime Account! — In our November 29, 2023 newsletter, we warned readers about a phishing threat spreading rapidly across Facebook that takes the form of a friend’s post, containing a link, and saying something like “I can’t believe he is gone.” This threat is called the “Look who died” scam and is still spreading! Below is another recent example of it, saying “I can’t believe you’re gone…” This scam is detailed on the website MyAntiSpyware.com. Clicking that malicious link gives cybercriminals access to your Facebook account! They can do LOTS of bad things to try to make money, while pretending to be you and targeting your friends and family!
Last week, a woman using the community website NextDoor.com, posted a very unusual phishing threat that is new to us! She warned people in her neighborhood that Indian scammers were posing as employees from CVS Pharmacy and retail store to ask for very personal information from them! CVS is an American retail corporation with stores across the US. However, if scammers pretend to be CVS, we would guess they pick other pharmacies in other countries and possibly run the same scam.
Your Amazon Prime membership is renewing but “we’ve noticed that there’s no payment method associated with your account!” OH NO! But this rotten phish didn’t come from Amazon and the links point to a script in a Google account that is intended to collect your credit card details! Always look closely at the FROM address of an email and mouse-over the links to look at where the link will send you before you click it! Now delete!
Remember to report your smelly phish!
Fake Emails from Streaming Services! — In the last few weeks, we’ve seen a significant increase in malicious clickbait disguised as offers to, or issues with streaming services like Netflix, Paramount and Hulu. Check out these recent additions. Both offer a yearly subscription for just $2! That’s an insane discount and would NEVER happen in real life! Remember… If it seems too good to be true, it is! The first malicious clickbait is an email pretending to be from Hulu but was sent from a server in the UK to an American citizen. The second email below is nearly identical, demonstrating that it was likely crafted by the same low-life criminals who sent the Hulu email. It pretends to be from the streaming service Paramount. Both emails say that you’ve been randomly selected and the links in both are 100% malicious!
Lots of Malicious Tricks to Show You! —This week we have several very malicious tricks to show you, starting with a trick that cybercriminals sometimes use to “encode” a link to make it harder for someone to identify a hidden redirect within that link. If you ever mouse over a link and see lots of percent symbols “%” it means that you are looking at a format called “URL encoding.” (If you are a tech nerd like Doug, you might enjoy reading about URL Encoding format at W3Schools.com.) In URL encoding, for example, the single forward slash is replaced by %2f. There is a tool we use to decode URL coded links to make them easier to read. It is URLDecoder.org. This particular email pretends to be from the US Post Office but came from a server in Argentina, as indicated by the 2-letter country code “.ar” at the end of the FROM address. The embedded link to see why your the post office can’t deliver your package points to the website called embluemail[.]com BUT CONTAINS A HIDDEN REDIRECT pointing to a malicious server in Australia called path2lifecare[.]com[.]au. (“.au” = Australia, not Austria). This link also contains a tracking code so these scammers will know things like who clicked, when, how often and your general location! LUNGE for the delete key!
Speaking of redirects, here’s another email that contains a hidden redirect in the link that is easy to spot. The email claims to be a notification that your Office 365 Mail account is about to expire. But the email didn’t come from Microsoft, maker of Office 365, and the link doesn’t point there either! The link points to a subdomain of app[.]link BUT buried in that link you’ll see https, followed by some url encoded information (%3A%2F%2F). Look what follows it! You’ll be diverted and sent to a website in Argentina called olifant[.]com[.]ar! (“ar” = 2-letter country code for Argentina!) You know what to do!
Finally this week, we wanted to remind our readers that cybercriminals often create popups or webpages that are intended to scare you into making a very bad decision! Check out this recent screen from Rob saying “Your devices are infected with viruses” that resulted when he purposely clicked a malicious link just to investigate it. (He does this in a protected “sandbox.”) The initial email pointed him to a site called enzymathere[.]com, which was registered in Canada in December, 2022. But, buried in that link was a redirect that sent him to another website called inactivtent[.]world. It was this second website that was registered less than a week earlier and gave him this scary web page telling him that 28 security threats were detected on his computer….
We’ve checked twice and VirusTotal.com still doesn’t find inactivtent[.]world threatening. Oh well, no one is perfect!
Until next week, surf safely!
Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
have subscribed to it via Scamadviser.com or thedailyscam.com
Keurenplein 41, UNIT A6311 | 1069CD Amsterdam, The Netherlands