THE DAILY SCAM NEWSLETTER  |  JUNE 26, 2024

Co-Founder/Content: Doug Fodeman  |  Co-Founder/Creative: David Deutsch  |  V04N20

Victim Loses $3450 to BOA Text Scam

If we sampled all of our readers to ask if they have ever received a text that appears to come from their Bank, Credit Card Service, or a financial service like Venmo, Zelle or Paypal, we’re pretty certain more than half of you would say yes. Cybercriminals send out these bogus texts by the hundreds of thousands. Eventually, one will hit someone who has such an account, at just the right moment, and she/he will respond. That’s what happened to a woman on May 17 as she was preparing to get on the road for a trip to New York. And yet, her $3,450 loss could have been completely avoided if she recognized one simple, but very important fact, about the big businesses that send texts. This woman was victimized in less than 40 minutes.

To protect her identity, we’ll call her Zoe. (Zoe is 68 years old.) On Friday morning, May 17 she and her partner were getting ready to drive a few hours to New York. They were eager to get on the road early to beat the weekend traffic and so when she received the text you see below at about 7:38 am, she was in a rush and did not think critically about what she was looking at.  The text has a MAJOR red flag that screams of fraud!  Can you spot it?

We’re sure you noticed the subtle English errors in the text, right? For example, there were multiple capitalization errors. However, the critical red flag in the text that targeted Zoe is that it did not come from a Short Code. “Short codes” are 5-6 digit codes used by large established businesses to send SMS messages. (Explanation on Wikipedia / US Short Code Directory) Zoe’s text came from the unknown phone number 805-710-9518. Big businesses, like Bank of America ALWAYS and ONLY send texts using the Short code system. A search for the Bank of America short codes in Google will show you that they have registered and own a variety of them for different purposes. The Short Code system costs money and requires a business to jump through hoops to register and own these codes. Cybercriminals don’t use short codes. They use either email addresses, or random phone numbers, like 805-710-9518. But Zoe didn’t notice that in the moment.  She replied “No”  which triggered a response to speak to a representative.  After replying “1” Zoe got a phone call from the 805 phone number.

It’s important for readers to understand that Zoe was accustomed to Bank of America Alerts.  She told us that she had Alerts turned on for her account and, in fact, had received some alerts from Bank of America in November, 2022 that were legitimate concerns about the misuse of her debit card. The fraud alert on her BOA account will also let her know, for example, when a large transaction occurs on her account. She now found herself speaking to a woman who, she said, had a bit of a Southern accent and identified herself as Ashley, a Bank of America Representative. (Zoe now realizes that it would have been safer if she had called the help phone number on the back of her Bank of America card instead of trusting the number in the text.)

Ashley asked Zoe if she recognized a large payment of $1,700 to someone named David Bland. Of course, she didn’t and said so. Keep in mind that Zoe was in a rush. She needed to be on the road in an hour, and so her mind wasn’t focused as much on the potential fraud as it was on getting packed and ready to head out. Also, she had experience with BOA helping her avoid a fraudulent transaction back in 2022 so she wasn’t overly concerned now. This is exactly the type of circumstance that cybercriminals hope for! Ashley told Zoe that her account had two fraudulent transactions against it. One was a Zelle transfer and the other was to her debit card, each for about $1700. Under the guise of helping Zoe, Ashley asked her to share her iPhone screen. (This is possible through Facetime.)  Zoe remembers briefly seeing Ashley’s face. She said that Ashley was a Black woman, not young nor old. Zoe is not sure what happened over the next few minutes, or how it happened. But she does remember getting a notice on her phone saying “Welcome to Zelle” followed by an alert for a money transfer from Zelle. The Zelle alert was legitimate because it came from a short code used by Zelle.  Unfortunately, Zoe was not able to describe any details about how this transfer happened, or what Ashley said or did to talk her into making this payment. But, using Zelle through her Bank of America account, Zoe saw that she had made a payment to someone named “JOE TRIGUERO” for $3,450.82. (There is a lot of missing information as to how this happened. Unfortunately, Zoe was not able to recall any of it.)

    From everything we understand about iPhones, we don’t think it is possible to give control of an iphone to someone else remotely. So we have to assume that Ashley somehow talked Zoe into making this transfer of money as part of a “test.” Zoe only remembers that this was necessary, according to Ashley, in her effort to investigate the two other fraudulent transactions. Zoe does remember that Ashley told her that both of the fraudulent transactions originated from Hempstead, Florida. This is likely just part of the fake story that Ashley used to manipulate Zoe.  When all was said and done, Ashley told Zoe that she would be sending her a new debit card and would change the routing number of her account. Zoe now realizes that it is not possible to change her routing number and that Ashley meant to say she was going to change her account number!  That was also another red flag that Zoe missed. As odd as it all seemed, Zoe truly felt like this woman was helping her address the two fraudulent charges to her account.

    On Monday, May 20, after returning from New York, Zoe called Bank of America just to follow up with the Support call with Ashley from Friday. That’s when she was shocked to learn that there was no record whatsoever of any BOA support call and that $3,450.82 had been moved via Zelle payment out of her account. Zoe says she was “beyond upset.” And exacerbating her feelings was the fact that the real Bank of America was only able to give her back $200 for her fraud claim after spending a few days to investigate it. We asked Zoe if she had thought to contact Zelle Customer Support to report this fraud and, hopefully, regain some of her loss.  She hadn’t!  We encouraged her to do so. 

    Zoe also reported this fraud to her local town police station. However, the local police told her they get 3 – 4 of these types of fraud reports every day and can’t do anything about them. For Zoe, that was “salt on an already open wound” making her feel even worse. We feel it is terribly irresponsible of Bank of America, and all banks everywhere, not to teach their customers to trust ONLY texts that come from their shortcodes, or emails that come from their bank domains! In fact, when you open a bank account, they should provide the short codes and domains that are used by the bank to communicate with their customers! This type of education is critically important and would have a significant impact to help reduce this type of fraud. If only….

    FOOTNOTE: After closing the fraud case, Bank of America told Zoe they would send her information to help her avoid fraud in the future. They sent her 3 emails and all three emails had no content at all!  I looked at one of these emails on Zoe’s phone and the email was completely empty. Too bad they don’t send emails prophylactically explaining to their customers how to determine when a text or email from them is legitimate vs a fraud!

    Scam Victim Compensation, Scammer and Scambaiter Tricks, and More!

    We were recently surprised by something that happened in a scam that we never expected to see as a result of a fraud case. One of our longtime readers recently decided to play with scammers. (See the Phish Nets column below.) He received an email from “Bank of Holland” of Holland, New York and recognized that it was a fraud because it came from a free Gmail account, not the bank’s real domain. This gentleman is in his 70’s and decided to play a beautiful serenade with the scammer, who identified himself as Mr. Richard W. Smith. Over the course of a week full of many email exchanges, Mr. Smith was trying to help our friend get $50 million dollars in compensation from the “Bank for Africa Plc” that was supposedly due to him because he was a “scam victim.” (Oh, the irony!) This money was to be transferred to the Bank of Holland, in Holland, New York from the African Bank. Our friend strung this absurd scam on for days, racking up about 70 emails until finally the scammer told him how he had to pay the cost to transfer the funds from Africa. (See below.) That’s when we were totally surprised by the direction this fraud went!

    Below are the options given to the gentleman to pay for the transfer of his $50 million dollars. Mr. Smith said “The courier delivery companies listed below do not operate on cash upon delivery (COD). Below are the delivery charges that you required for the shipment of your ATM card to you……” (Our new scambaiter had offered to pay cash upon delivery of these funds.)

    DHL: Mailing $130.00 and Insurance $170.00, TOTAL $300.00 USD
    Delivery duration ………………….Two (2)working days delivery

    UPS: Mailing $100.00 and Insurance $150.00, TOTAL $250.00 USD
    Delivery duration………………. (3) working days delivery

    FEDEX: Mailing $110.00 and Insurance $100.00, TOTAL $210.00 USD
    Delivery duration …………………Four (4) to Seven (7) working days delivery

    EXPRESS COURIER SERVICE: Mailing $100.00 and Insurance $50.00, TOTAL $150.00 USD
    Delivery duration …………………..Four (6) to (one week)delivery

    This scammer then told the gentleman that after picking his method of delivery, he should send his payment to a woman named in the email. The scammer actually gave our scambaiter a woman’s name and full address in Hempstead, New York!  We’ve NEVER heard of a scammer doing this! They typically want the money wired to an untraceable, unrecoverable account. The gentleman kept playing with the scammer, such as telling him that he sent the payment to the Bank of Holland instead of to the woman. This delayed matters, frustrated Mr. Richard Smith, and dragged this effort on for a week! But this also gave the gentleman time to do the right thing and contact the Police Department in Hempstead, New York. He wanted to explain all the details of this scam and let them know that there is likely someone at this address who is involved in collecting money from scams.  And what was the police response, you wonder? He only got an answering machine, when he called the non-emergency number! There was never any reply to his call so he also emailed the police with details about the scam and the address where the payment was supposed to be directed in Hempstead, NY. Many days later, he is still waiting for a response from the police!  The gentleman left us with this last comment… “One thing I can say, the scammers are better at responding to my emails than any customer service I have ever chatted or emailed with.  So far, there have been 70 communiqués with them in the last week.” 

    We want to raise awareness of a trick used by many scammers when they send out emails to potential victims. This trick is obvious, once you know what to look for.  Check out this email below from Mr. Margret sent to one of our readers on June 13 with the subject line “I NEED YOUR URGENT RESPONSE.” All the text in this email appears in grey and underneath two small dashes. This means that all of this text was dropped into the “signature” field of the email account! That makes it so much easier, and takes less time for the scammer to create hundreds of these scam messages to send out!  If you only see grey text, under a double-dash, lunge for the delete key because that is NOT normal behavior of someone you can trust!

    We would like to congratulate our friend, and professional scambaiter, Rob! He has hit a milestone by getting scammers to click his tracking links over 5000 times (5017 to be exact). He began this effort sometime last September, 2023, less than 10 months ago! By clicking his tracking links, the scammers revealed their exact locations in the world. Can you guess which country accounted for nearly 88% of all 5017 clicks? (We’ll give you a moment to think about it.) Coming in at second through fifth place, scammers were located in… United States (3.0%; but most likely many of these scammers used VPN services to appear as if they were in the US), Ghana (2.3%), Netherlands (2.1%), and the UK (1.1%). And the winner? 4,402 clicks came from Nigeria! (FYI, the number of clicks does not indicate the number of individual scammers. Some scammers clicked Rob’s tracking links as many as 5 – 7 times!) We’d rather not publish how Rob accomplished his magic out of concern that some of these scammers may read this! We want Rob to continue to have fun, waste their time, and reveal where in the world these low-life, nasty people are really located! Coincidentally, the very real FBI Director, Christopher Wray, visited the President of Nigeria June 14 – 16 to discuss better ways that our countries can work together to fight fraud! It’s about time!

    On June 16 we heard from an angry gentleman about an online service called PDFGuru[.]com. The gentleman needed to produce a pdf file from another type of file on a Windows computer, which led him to PDFGuru. It appeared to him that he would have to pay 99 cents for his pdf conversion, and he was willing to do that. However, upon paying for his converted document he discovered that he was auto-enrolled in the monthly subscription service for this pdf service! Though he didn’t recall the exact monthly rate, it was much higher than 99 cents per month. Also, he didn’t ask to subscribe! Making him angrier was the fact that he couldn’t find anywhere on the site how to cancel his new subscription. (He is a Physician and a smart man. But this trick is called a “dark pattern” and purposely done to make it hard for people to unsubscribe. Here is a good article on Vox.com about dark patterns.) The now angry man called PDFGuru and complained to them over the phone. Fortunately, they cancelled his subscription, and sent him an email to confirm the cancellation. A quick search for reviews of PDFGuru[.]com shows a lot of pissed-off consumers with the same complaints!  One person just posted this not long ago on SlashDot.org, where PDFGuru has a 1-star rating by 17 reviewers. He said…

    Bunch of thieves… nothing clear about their charges… bunch of liars… they claim a good service… reality is way far from that… they suck people’s money and that’s their goal… when I tried to download the merged PDF file, it failed maybe 10 times before succeeding finally… what a scammy website!

    We found similar complaints on SiteJabber.com, as well as a 1-star rating. But oddly, TrustPilot.com has more than 4500 reviews that give PDFGuru an average 4-star rating out of 5! That’s practically glowing!  And yet, on June 15, someone posted this on SiteJabber…. “The system hides the fact that the 99cent one time option is actually a sign up for a subscription. $50 a month. It is extremely difficult to cancel. You must email a request. The system worked fine but it cost me $51 to convert one document. They denied a refund. FYI there is most likely a better service that has more integrity.”  The PDFGuru practices sure sound scammy to us! Caveat emptor.

    Another one of our readers sent us a screenshot of this message that’s been circulating on Facebook. He wanted to know what we thought of it. We’ve heard about the “don’t say yes” to a stranger’s phone call many times and for years. And yet, we’ve never heard of any fraud associated with it. There is actually a lot of doubt that this is truly a scam. Wikipedia does a decent job of documenting this history and why it is not likely a scam. Check out:

       https://en.wikipedia.org/wiki/Can_you_hear_me%3F_(alleged_telephone_scam)

    Below is a very long email sent to us by a reader. It is HYSTERICAL!  If you want a good laugh, please read it! The subject line is “YOU WILL BE ARRESTED AND JAILED IF YOU FAIL TO READ THE EMAIL AND COMPLY” and was supposedly sent by the FBI. Also funny is the fact that this fraud was sent from a server in Japan!

    This is a terribly sad outcome from a pig butchering scam that targeted a father.  He committed suicide after losing his life savings to the scammers….

        https://www.aol.com/news/killed-scam-father-took-life-160016296.html

    Remember to check out our podcast series on the SecureWon website:

        https://www.securewon.com/resources/podcasts/

    Several Important Phishing Scams, but first “S” as in Sam

    We have several important phishing scams to share with readers this week, but first….  Last week we presented a phishing scam disguised as a Paypal charge sent by fraudsters to one of our longtime readers. However, we forgot to say that this longtime reader actually called the 818 phone number in the phishing scam! He told us that he had a lot of fun wasting about an hour of the scammer’s time!  It was all part of his effort to “get this fake charge removed from his credit card.” Of course, there was no such charge on the man’s credit card and he knew that. However, this new scambaiter told us how the scammer kept trying to manipulate him into installing software on his computer that would allow these criminals to take control of his computer! The scammer told the man to “type s, as in Sam” to get to the scammer’s website where he would be asked to download and set up the software to take control. The scammer was spelling the website name.  On purpose, our friend played dumb and kept typing sasinsam! But, gee, that didn’t work and it kept frustrating the scammer. Oh come on, man! Our friend was just an old man typing exactly what you told him to type. But the man did this over and over until finally, out of frustration, the scammer hung up on him!  Kudos to our new scambaiter!

    ID.me is a federally certified online service that verifies your identity before logging you into a website. The US Social Security Administration is switching over to using this service and anyone with a social security account will have to set up an account with ID.me. That increase in use likely explains this first phishing fraud that a reader sent to us last week! The name in the text field is “ID.me Notifications” but if you look carefully at the email address in the < > brackets, you’ll see that this phish came from a server in India! Deeeeleeeeete!

    Speaking of India, cybercriminal gangs there are responsible for a great deal of fraud targeting Americans, Canadians, Brits, New Zealanders and Australians.  We believe we have a tiny bit of proof of such fraud. Check out this phishing email that came from a free Gmail account to one of our readers in New Zealand. (This type of fraud is exceptionally common and seen by tens of thousands of people around the world!) The email pretended to be from PayPal and contained an attached PDF. When we peeked “under the hood” of that PDF file, we could see that the author of that file was a name common to India, Tousif Mondal.  We have a message for Tousif… How would you feel if it was your mother, or your grandparents who were victimized by a scam? Imagine that! Now look around the room at the lower-than-dirt people you work with because that’s what you and they are doing…. Targeting people like your mother and grandparents and stealing their money. And the harm YOU all are causing cuts far deeper than just stealing money! You are deeply damaging their lives! Go get a different job, Tousif Mondal!

    Here’s a phishing email about a supposed package from UPS that is “suspended” (from the ceiling??) In order to get your suspended package, you are asked to click a link to the link-shortening service at TinyURL.com.  But that’s not how the real UPS service operates! (Of course we unshortened that link using Urlex.org and discovered that you’ll be forwarded to a phishing website.) And this fraud came from a long gibberish domain name ending in DOT-us. LUNGE for the delete key!

    Report your smelly phish to us and Google!

    https://safebrowsing.google.com/safebrowsing/report_phish/

    Natural Relief for Your Pet and Work From Home Jobs

    A very active cybercriminal gang floods our inboxes with malicious clickbait disguised as many things. To make things easier for themselves, they often repeat the use of various tricks, over and over. Case in point, this bogus email pretending to offer 3 free bottles of CBD pain-relieving medicine designed for your pet! This clickbait came from the inappropriately named domain “fuchstanley[.]com” which was registered by a fictitious name last year and is now hosted on a server in Sofia, Bulgaria! This criminal gang is making great use of link-shortening services to hide the final destination of your click. (Just like the last phishing email above.)  They love to misuse Bit.ly, for example. (See the screenshot below.) Did you know that in a shortened link, NOTHING matters from the # symbol and what follows it? We unshortened their Bit.ly link (3WJek3P) and discovered that you’ll be redirected to a malicious domain called studzral[.]com. Just like fuchstanley, this domain was registered with a fictitious name to an address that doesn’t exist in Illinois! (8434 Smith Street, no city named in Illinois) It is remarkably easy for cybercriminals to lie to Registrars when they purchase domain names for their malicious clickbait. Registrars don’t check and most of them act like they don’t care about public safety, especially Namecheap!

      One of our readers reached out to us last week after finding 3 very sketchy emails in her inbox on June 18 about “work from home” job openings. CLEARLY they were designed and sent by the same sender, though each email was associated with a different domain. (Domains: jobyricon[.]com, appfestive[.]com, and amikar[.]com) We know they are related based on the email design or the design of the link in the email. Did we mention that this woman was NOT looking for a new job?

      Though none of the tools we typically use to uncover online threats could find any risk in these 3 websites, we’re confident that these sites are related to some type of fraud or risk.  For example, a visit to the top of each website subdomain “go.DOMAIN-NAME.com” shows an identical web page that invites you to upload your resume and then says “3,269,187 real job openings today.” And yet, all 3 domains were registered at different times in 2020 and 2021. All of this **STRONGLY** suggests to us that these job announcements are a scam or fraud in some way.  We hope you agree! FYI, Job scams have been heavily targeting Americans during the last few months.

      Non-Disclosure Agreement

      Tricking YOU into clicking a file that can take control over your web browser is a common practice of cybercriminals. Those attached file types are typically html, htm, shtml, or js (javascript) documents. NEVER click these documents!  Below is another recent example sent to an Accountant from an unexpected, unrecognized email address at smartocto[.]com. Though this domain was registered waaaaay back in 2014, it is hosted on a server in Ireland, making it suspicious from the Accountant’s perspective.

      TD Bank, Job Scams including a Conversation with Alice

      On June 18, a Reddit member named Witty-Car-3269 posted a text screenshot that appeared to represent his bank, TD Bank. He asked the community if the link in the text seemed to be legitimate. It wasn’t! Two pieces of evidence revealing this fraud are…

      1. The domain in the clickable link is “restoreusagetd[.]com”. A WHOIS tool shows that this domain was registered just hours before the text was received! That is NEVER safe!
      2. The text came from an unrecognized phone number. IF this were a real text from a bank or credit card as it implies (TD Bank), then it would have come from a registered short code (5 or 6-digit number).
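
The two checks above can be applied mechanically to any incoming text. The following is an added example, not part of the original newsletter: it flags a sender that is not a 5 or 6-digit short code and a link domain registered shortly before the message arrived, and it drops the `#` fragment from links as noted earlier. The sender number, message body, timestamps and 72-hour threshold are constructed assumptions, and WHOIS creation dates are passed in rather than looked up.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse, urldefrag

# Assumption for this example: a link domain younger than this is flagged.
NEW_DOMAIN_HOURS = 72

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def is_short_code(sender: str) -> bool:
    """True if the sender is a 5- or 6-digit SMS short code."""
    return re.fullmatch(r"\d{5,6}", sender.strip()) is not None


def refang(text: str) -> str:
    """Undo the [.] defanging used when suspicious domains are written down."""
    return text.replace("[.]", ".")


def link_hosts(body: str) -> list[str]:
    """Return the lower-cased hostname of every http(s) link in the message."""
    hosts = []
    for raw in URL_RE.findall(refang(body)):
        # Anything from '#' onward is a fragment and is never sent to the server.
        url, _fragment = urldefrag(raw.rstrip(".,)!?"))
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def triage_sms(sender, body, received, whois_created):
    """Return a list of red flags; an empty list means none of these checks fired.

    whois_created maps hostname -> registration datetime (caller-supplied).
    """
    findings = []
    if not is_short_code(sender):
        findings.append("sender-not-short-code")
    for host in link_hosts(body):
        created = whois_created.get(host)
        if created is None:
            findings.append(f"no-registration-date:{host}")
            continue
        age_hours = (received - created).total_seconds() / 3600
        if age_hours < NEW_DOMAIN_HOURS:
            findings.append(f"new-domain:{host}:{age_hours:.0f}h")
    return findings


# Constructed sample modelled on the TD Bank text described above.
SAMPLE_SENDER = "+1 555-010-0199"  # constructed long number, not a short code
SAMPLE_BODY = ("TD Bank Alert: unusual activity on your account. "
               "Restore access: https://restoreusagetd[.]com/login#ref=8841")
SAMPLE_RECEIVED = datetime(2024, 6, 18, 15, 0, tzinfo=timezone.utc)
# Constructed registration time: "just hours before the text was received".
SAMPLE_WHOIS = {"restoreusagetd.com": datetime(2024, 6, 18, 9, 0, tzinfo=timezone.utc)}

if __name__ == "__main__":
    for flag in triage_sms(SAMPLE_SENDER, SAMPLE_BODY, SAMPLE_RECEIVED, SAMPLE_WHOIS):
        print(flag)
```

An empty result only means these two checks did not fire; it does not prove a message is genuine.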

      As we stated earlier, job scams have been significantly on the rise these last few months.  Here are a few more examples that targeted people via a randomly received text…..

      Finally, I received one of these random texts from “Alice” about a job with a company called BBSI. I engaged Alice in a short conversation but then called her out as a scammer. She denied being a scammer. (What a surprise!) I asked her to prove it to me by sending me an email from the business domain she claimed to represent, bbsi.com. But she couldn’t do that!  It proved my point, and ended our conversation!

      Until next week, surf safely!

      Copyright © 2024 The Daily Scam. All rights reserved.