
THE DAILY SCAM NEWSLETTER  |  MARCH 27, 2024

Co-Founder/Content: Doug Fodeman  |  Co-Founder/Creative: David Deutsch  |  V04N07

Scampourri: Romance, Job & Business Scams!

Wow! What a week last week was! We heard from several people targeted by a wide variety of scams, while at the same time completing our feature article about a very clever romance scammer who targeted two women at the same time. (We talked to both of them.) We’ve presented this potpourri of scams below as a special sauce that will certainly leave a bad taste in your mouth while you shake your head in disbelief. This recipe calls for a scoop of lover-man “Chanson Louis” of London, a half-cup of a scammer’s check as down payment for your new job, and a pinch of an invitation to become a new vendor for the Saudi Oil giant Aramco! But don’t turn your nose up yet until you taste the full recipe for disaster.

To be crystal clear, Chanson Louis is an alias used by the infamous Zimbabwe Romance Scammer whom we have written about for five years now. More than fifteen women have reported this scammer to us and we’ve linked his many aliases together based on identical names, documents and websites he has used to support his fraud. In April, 2020, we helped one of his victims trick this scammer into clicking a tracking link. Disguised as “Anthony Fausberg” this scammer revealed that he was located in South Harare, Zimbabwe, and not in Abu Dhabi, UAE as he had told his victim.

Most recently, the Zimbabwe Romance Scammer has been courting two women at the same time, one from Austria and the other from Canada. And sadly, we’re certain that this is the second time this scammer has successfully targeted the Canadian woman. The first time was just months earlier in 2023 disguised as a man named “Boyan Chumak.” Currently, the Zimbabwe Romance Scammer uses the name Chanson Louis and nickname “Dino.” To support his fraud, he has stolen and used dozens of photos and videos that have been publicly posted by an educator from Latvia named Egils Purvins. (Mr. Purvins’ Instagram account.) Here is just one photo of Mr. Purvins, used by “Chanson Louis.”

We’ve shared both victims’ stories in our feature article on our website, and included multiple voice messages left by this scammer. Chanson Louis claims to be from Australia, but living in London, England. Check out this voice message below that was left on the phone of one of the victims in February, after the victim realized that the man she was falling in love with was a fraud. This man does not have an Australian accent! Nor does he have an English accent. His accent is African. According to one person mentioned in our article, she believes it is Nigerian. Our article also provides several reasons why this man is a fraud, and why he is also the Zimbabwe Romance Scammer.

David, my partner at The Daily Scam, randomly received a wonderful email on February 14. He was invited to apply for a job as a “seller manager” for a company called PROSHOP Inc. and then offered the job! Some of the language used in this “confirmation letter” of March 6 below is hysterical! For example, read item #1 and #2 in the list below. Clearly, English is NOT the native language of the person sending this email!

What makes this scam even crazier is the fact that part of David’s new job was to edit texts and emails sent to him and to correct the English in them! Then David was asked to send them back to the scammers. It appears that this advance-check scam was also asking David to help these scammers scam other people! Here are just 2 messages from a group of five that were sent to David to edit….

David’s back and forth exchange with these scammers dragged on for more than five weeks (resulting in 52 emails from the scammers). He purposely replied with more questions and provided false information. But it was so impressive that David was actually promoted to Sales Manager! Amazing, right?!  He was then sent this awesome pay check in advance. His instructions were to deposit it, keep several hundred dollars for himself, as advance payment for his new employment, and then wire a large portion of the money to a vendor provided by PROSHOP Inc. for equipment he would need to do his company work.  Notice that the name on the check is NOT PROSHOP Inc. The business name on the check, Butters Northern Lights Land LLC, is listed on Bizapedia.com as a “Utah Foreign LLC.” The address for this business shows up as an auto repair shop, though there is a nearby construction company called “C E Butters Construction.” Does any of this make sense relative to the information given to David by the company called PROSHOP Inc? Hell, no!  Obviously, this construction company’s name is being manipulated and misused by these scammers!

Before we sign off on this fraud, we want to show you the very first email David received about this job opportunity, AND MOST IMPORTANTLY, the very last email he received last week on March 21. We think it’s hysterical!

And to complete this week’s fraudulent trifecta, check out this awesome email that our friend and professional scambaiter, Rob, received! This was truly his lucky day! The email came from a Senior Project Manager of Saudi Aramco Oil Company, inviting him to register his company as a vendor with Aramco Oil. By registering, and completing a lengthy application with personal details including banking information, Rob could then do business with this world renowned oil company. His vendor application would only require a small “mandatory registration deposit” of $25,210.00 to be sent to “Aramco’s Nominated Custodian.”  

We can already see you shaking your head in disbelief! But there is one very clever thing about this scam that is critically important to expose. The REAL Aramco oil company uses the domain aramco.com, which was registered in 1994 by Aramco Services Company! The domain used by these scammers, aramcohub[.]com, was registered November 1, 2023 through a private proxy service and appears to have been deleted now and available again for registration.

In addition to the above examples of fraud that came to our attention last week, there were other victims. For example, we heard from a man who was targeted by the “underage girl extortion” scam. This brutal fraud has targeted more than 950 men who have reported it to us. The woman this victim met was on “Seeking Arrangements” and claimed to be 19 years old in her profile. However, the man got an angry call from the girl’s father the day after meeting her online. The father said that his daughter was 17 years old and “underage.” An ensuing argument between father and daughter, he said, resulted in a car accident. The father was demanding that the man pay for the repairs and hospital bill or he would go to the police to report him as a pedophile. This scam can be brutal, and indeed, at least two men have committed suicide after being threatened.

Please remember…It is soooooooo easy to deceive others online!

Manipulating a Professional, a Facebook Hack, & a Message from FBI Director

Our readers might be surprised by the number of smart, professional, experienced people who have fallen for scams. And even when you think you are astute enough to see through fraud, you may miss it. Such was the case last week when we heard from a Financial Planner. He received one of those seemingly universal phishing emails thanking him for renewing his Norton 360 Security Protection services for $470.52. He is a smart man and not easily fooled but, in that moment, he thought it was a legitimate email and called the number in the email to tell them this charge was a mistake. Once on the phone the scammer manipulated the man to allow access into his Windows PC. Within five minutes the victim knew this was a mistake and the man he had given access to was a fraud. The victim said “we’re done! You’ve been lying to me!” That’s when the scammer said “you can pay me now or I’ll delete everything off your laptop.”  

The Financial Planner hung up and then restarted his computer. However, when he logged back in, there was no desktop, no icons…. Nothing. Just a blank screen. He shut the computer down again and called for tech support. His smart support specialist discovered that the scammers had quickly done three things to the man’s PC in the few minutes they had control of it…

  • They had somehow made ALL the icons on his desktop invisible! 
  • They had somehow manipulated Windows so that services did not fully start up
  • They had installed some type of malware/spyware onto his laptop to further monitor/access his computer once it was back online

Fortunately, the Tech Support hired by the Planner was able to address all of these things. But, in the end, the man decided to purchase a new computer and move his files over after testing them using protective software. It appears that his hacked Windows PC was ten years old!

Have you experienced Scams that come through the US mail or Fax Machines? We’re looking for some  stories about this kind of fraud to share with listeners in our Podcast series. If you have any stories to share, please contact us at fax-postal-fraud@thedailyscam.com.

Last weekend we learned that a woman’s Facebook account had been taken over by a scammer. (We don’t know any details about how this happened.) The hackers completely locked out the owner and were now using her account to perpetrate a fraud to all her friends and family while disguised as her!  Check out this screenshot one of her friends sent to us…

The person whose account was hacked has been trying for days to report it to Facebook and get her account back. However, as we have seen over and over, “Facebook Support” is an oxymoron and this woman’s efforts have been fruitless. Isn’t it time that all Facebook Users realize that you are the product and not the consumer? Your data is being marketed and sold, and your eyes are valuable to Facebook (Meta) for advertising. If you believe that Mark Zuckerberg cares about YOU and wants to help, you’re wrong. And don’t just take our word for it, check out these recent articles…

We LOVED this email that our friend Rob shared with us! It claims to come from THE REAL CHRISTOPHER A. WRAY, Director of the FBI. The amazing quality of Mr. Wray’s English says it all, as does his personal email address that you are asked to use to contact him. It sits on a server in Russia! This email is hysterical and we know you’ll enjoy it as well. However, we want to point out something important that Rob shared with us. In the last few weeks there has been a significant increase in advance-fee scammers sending their scam emails from Spike app accounts. Notice “Chat @ Spike” at the bottom of the email. In our opinion, if you see “Chat @ Spike” at the bottom of an email, LUNGE for the delete key! (And before you consider using Spike yourself, check out the poor review on PC Mag.)

Could you imagine creating a legal and verifiable ID using the service ID.me and then handing over the login information for your account to cybercriminals?!  Check out the “ask” in this bogus email from the International Monetary Fund (but using a free Gmail account)! We found 8 English errors in the email. How many can you spot?

Just last week, the New York Times published an article brilliantly exposing the Russian disinformation machine that has been used in the last year to discredit Ukraine and its President, Vladimir Zelensky. (You may need a subscription to read the full article) 

https://www.nytimes.com/2024/03/18/business/media/russia-fake-journalists.html

And from ConsumerAffairs.com, an article about your risks for being targeted by a Pig Butchering Scam:

https://www.consumeraffairs.com/news/heres-why-you-may-be-at-risk-from-a-pig-butchering-scam-032224.html

Remember to check out our monthly Podcast series posted on the SecureWon website!

Which is Real and Which is Fake? Amex…

This week one of our readers sent us a really well designed phishing fraud disguised as an American Express Card email. Instead of pointing out the fraud, we acquired a legitimate email from American Express (and modified it to protect the owner) . Can you tell which one is a phishing fraud and which one is legitimate? They are both below. We’ll reveal the truth at the very bottom of this Phish Nets column. Good luck!

Amex Email Sample 1:

We received an email from a server in Vietnam telling us that the password to our email account was going to expire in 48 hours! OH NO! We were asked to click a link to “re-confirm” our password. But the link pointed to a website on a server in Nepal!  Oh dear! Fortunately, Virustotal was well aware of this threat.

Which American Express email did you think was the fraud? Sample #1 or #2? If you selected Sample #1 as the fraud, then you are correct! The first email above did NOT come from either americanexpress.com or amex.com, both domains owned by American Express. It came from “secure[.]com.” Also, the email shows the recipient’s email address for account ownership rather than a full name and the email says “account ending in 0XXXXX.” This is wrong, of course. Finally, the link in that bogus email points to the Twitter (X) link-shortening service! When we used URLEX.org to unshorten that link, we learned you’ll be forwarded to a phishing domain that was registered one day earlier! (By contrast, email sample #2 shows that the link points to americanexpress.com and includes the name and last 5 digits of the account, albeit modified to protect the person’s identity/account info.)

State Farm in Russia and Valvoline in the USA Offer

Can you hear the commercial in your head?…. “State Farm is there….” We can! But in this case if you clicked the link in this bogus State Farm email, you would fly off to a website in Russia! State Farm Insurance Company is NOT there! And may we remind you that it is never safe to click the link at the bottom saying “click here to remove yourself from our email lists” when the email is a fraud, or suspicious! Now, Camrade, puuush deleeeete!

We’re always showing scams to our readers. And so it occurred to us that maybe it would be valuable to show our readers a REAL legitimate advertising email and show why it is legitimate! Check out this real email from Valvoline that came out just before St. Patrick’s Day in mid-March. Don’t bother reading the bold text in front of the < > symbols. The critical information is the domain at the END of the email address within the < > symbols. And thankfully, it shows as “valvoline.com.” (The word “guest” is just a subdomain, in front of and separated from the registered domain by a period, as it should be. Anyone can create one or more subdomains saying anything they like. However, the domain itself must be registered!) Also, look at the bottom link that showed up when we moused over the clickable links. Again, it shows guest.valvoline.com with valvoline.com up against the first single forward slash, as it should be! These two facts reveal this email to be legitimate. Enjoy your oil change discount!
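The two checks described above (the domain at the end of the sender address, and the hostname up against the first single forward slash of a link), applied to the Valvoline and American Express cases. This is an added example, not code from The Daily Scam; the sample headers and URLs are constructed, and only the domains are taken from the newsletter.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Sending domains the newsletter names for each brand.
BRAND_DOMAINS = {
    "American Express": {"americanexpress.com", "amex.com"},
    "Valvoline": {"valvoline.com"},
    "Aramco": {"aramco.com"},
}

def host_belongs_to(host, domains):
    """True only if host IS a brand domain or ends with '.' + brand domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def sender_host(from_header):
    """Domain at the end of the address inside < >; display name is ignored."""
    _display_name, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower()

def link_host(url):
    """Hostname sitting directly before the first single forward slash."""
    return (urlsplit(url).hostname or "").lower()

def check_email(brand, from_header, links):
    """Return a list of mismatches; an empty list means both checks passed."""
    domains = BRAND_DOMAINS[brand]
    problems = []
    host = sender_host(from_header)
    if not host_belongs_to(host, domains):
        problems.append(f"sender domain {host!r} is not a {brand} domain")
    for url in links:
        host = link_host(url)
        if not host_belongs_to(host, domains):
            problems.append(f"link host {host!r} is not a {brand} domain")
    return problems

# Constructed samples: only the domains come from the newsletter.
SAMPLES = [
    ("Valvoline", "Valvoline <offers@guest.valvoline.com>",
     ["https://guest.valvoline.com/offer?id=1"]),
    ("American Express", "American Express <notice@secure.com>",
     ["https://t.co/XXXXXXXX"]),
    ("Valvoline", "Valvoline Offers <deals@valvoline.com.mailer.example>",
     ["https://valvoline.com.mailer.example/offer"]),
    ("Aramco", "Senior Project Manager <vendors@aramcohub.com>", []),
]

if __name__ == "__main__":
    for brand, from_header, links in SAMPLES:
        print(brand, "->", check_email(brand, from_header, links) or "passes")
```

A mismatch is decisive, but a match only shows that the visible domains are right: the From line can be forged, so a passing email still deserves the other checks described in this column.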

 

Shared Docs for Your Signature

A woman at a Technology firm shared this email with us. It came from a server in Brazil last week. The email claimed to come from the “Shared-Docs Administration” (whatever that is) and included the company’s logo. Apparently, her “Hr office” had documents for her to look at. But a mouse-over showed the link did NOT point to her company’s domain! It pointed to a subdomain (linkprotect) at the domain cudasvc[.]com. Deeeeleeeeete!

I’m Christopher & PayCloud9

The Canadian woman (we called “Maggie”) who was targeted by the Zimbabwe Romance Scammer in our article cut off all contact with him about 2 weeks ago. A week later she received this text from a stranger who knew her name and phone number. Coincidence? We don’t think so! Our advice? Block him and do not respond. When we searched for exactly the phone number 614-362-1842 Google returned only 1 website that was VERY sketchy. Virustotal told us that this website listing the phone number was malicious.  BE VERY CAREFUL if you ever search for phone numbers! Cybercriminals know that lots of people do this and they have created dozens of websites listing thousands of phone numbers, along with malware on the site!

OK, to be honest, we don’t understand what the scam is in this next set of texts. But we can say that the man who shared these with us did not know the sender or what this was about. He didn’t have a PayCloud9 account and wasn’t about to click the link to find out. What do you think?  Any ideas what the fraud is here?  Maybe, just maybe, someone else was trying to open an account in the man’s name?

Until next week, surf safely!

Copyright © 2024 The Daily Scam. All rights reserved.