Weekly Alert  |  March 29, 2023

Using Linkedin to Target Job Seekers Recently we heard from a woman in the finance industry who is looking for a new job. We will call her Betty. Betty posted her resume on the job hunting service at Linkedin.com. A few days ago she received the following email from a woman who identified herself as Hilary Smith. Ms. Smith showed Betty that Linkedin had notified her that Betty was a matching candidate for a job posted for “Data Entry Clerk.”  The email actually included all the information that Betty had posted on Linkedin about her work history, education and qualifications!  It looked exceptionally legitimate so Betty responded….

This time, Betty’s response was followed by an email from the Hiring Manager who used the name Samantha Harrison. Here is the first email sent by Ms. Harrison to Betty. Can you spot any suspicious red flags in it? We can!

On Thu, Mar 16, 2023 at 11:24 PM Samantha Harrison <Samantha.Harrison37 @ ccloudsmail[.]com> wrote:

Hello,

My Name is Samantha Harrison I am the Hiring Manager.

Thank you for your application. I would like to inform you that now we have two shifts available Day and night. Which one would you like to Join Day or Night ?

Shifting Hours are 9 Am to 3 PM And 3 Pm to 9 PM.

Salary range $29-$37 ( will be decided after the interview ).

Thank you,

Hiring Manager.

Samantha Harrison.

===========================================================

These are the red flags we noticed in the email above…

  1. Samantha Harrison sent her email from a server at ccloudsmail[.]com.  This service, and Samantha’s actual email itself, have been flagged as untrustworthy by Scam-Detector.com!  In fact, a search for this domain “ccloudsmail.com” (using Google in Firefox to avoid visiting the site itself) shows a bunch of links that are related to job scams!

  2. Samantha Harrison doesn’t name the company she claims to represent!

  3. Samantha Harrison doesn’t provide a telephone number or any contact information besides an email address.

However, Betsy replied saying she was interested in the position for the day shift and asked if this job was remote or in-person. She got the following reply from Samantha Harrison:

We immediately noticed that the website listed in the email as IQCreditCheck[.]com actually had a link pointing to pm.checkingio[.]us. Unfortunately, Betsy replied and said that she would complete the credit check the next day but when she tried to do that, this other DOT-us website asked for her credit card information and said that there would be a $1.00 charge for the credit check. It also said that she was signing up for some type of subscription service that will continue to charge her.  She wasn’t sure what these charges were and felt uncomfortable that this was required.  So she contacted Samantha Harrison again and asked about these charges. This was Ms. Harrison’s response…  

On Sat, Mar 18, 2023 at 4:03 PM Samantha Harrison <Samantha.Harrison37 @ ccloudsmail[.]com>  wrote:

Hello,

Actually, They just take $1 and that’s Refundable. Because they need information to Verify your Details. You have to use the Link Because these 3 Bureaus Are Connected with our Company. So We can Check your Criminal History and Background Records. Please Send a Screenshot once you Done.

Thank you!

As you can guess, the poor capitalization and grammar in this email, along with the site charges and subscription made Betsy suspicious and that’s when she reached out to us.  We told her this “job” was just another scam! You might think that this is the end of her story. Unfortunately, it’s not.  We’ve learned over the years that many scammers are extremely persistant! If they feel that they were almost successful at scamming someone, then they will try over and over to target that person again.  Some people have been targeted for months by similar scams. Just two days later, Betsy received another email from a woman named Lisa Maher about a job opportunity with a company called “Encore Vet Group” that serves United States Veterans. Betsy replied and said she was interested. Lisa Maher followed with this email that seems very promising if it weren’t for one single CRITICALLY important clue.  Can you spot it?

The email from Lisa was sent from the domain encorevet[.]us. This domain was registered about 3 weeks before Betsy was contacted and this domain is hosted on a server in the Netherlands! If you do a Google search for “Encore Vet Group” you’ll find that their REAL domain is encorevet.com and it was registered in May, 2018.  Once again, Betsy was targeted by a fraud. But she didn’t realize it and continued with the digital interview process. It’s important to note that at NO TIME did she speak with someone over the phone, have a video chat or meet someone in an office.  All communication was through email and that is standard practice with these types of scams!  “Lisa Maher” sent Betsy an email asking her to take an “interview quiz” using a link to an online form with 9 questions. The test was actually hysterical! 

“For the interview process, you will be required to take a web based assessment test/interview. Your performance will help the company determine if you will be hired for this position. Meanwhile, kindly fill out the employee form https://forms.office.com/r/1ddGUjywvn

Let me know when you’re done filling the form so I can send you the page to take your test.”

Here are questions #4 – 9:

4.Which is NOT a temporary account?
Sales returns & allowances
Inventory

Rent Income

Interest Expense

Interest Income

5.Which is NOT an expense account?

Advertising

Rent Expense

Interest Expense

Accrued Expenses

Repairs Expenses

6.Which Number should come next? 144 121 100 81 64?

54

43

49

41

7.Which of the following word best describes “work from home”?

Offshore

Remote

Overseas

All of the above

None of the above

8.Do you like being in control , Leading others, and being the centre of attentions?

Yes

No

Maybe

YES! I like to take charge, but as long as i have some help

YES! I am a natural born leader

9.TELL US WHY YOU FEEL YOU ARE THE RIGHT PERSON (Open response)

Once again, Betsy reached out to us, and sadly, we had to tell her again that this was another fraud. But the scammers weren’t done targeting Betsy! The next day, March 22, Betsy got another job inquiry from a man named Dennis Harold (email: ncpba.dennis.h @ gmail.com). He claimed to represent a company called CAL Builder’s Inc. located on 2020 Old Dixie Hwy SE #6, Vero Beach, FL 32962. There is indeed such a company at this location. However, the problem was that Dennis Harold used a generic email address to contact Betsy rather than the domain calbuildersinc[.]com that Google says is used for this business. (NOTE: Our protective tools gave us a warning about visiting the real CAL Builder’s website when we tried, even though it appears legitimate and was registered in 2005.)

As you can imagine, Betsy is now extremely suspicious of all of these job possibilities, as she should be.  We’re certain she’ll be targeted again, and perhaps for a few more weeks, by the same group of scammers. One of the tips we gave Betsy to help her discern legitimate from scam offers is to insist on a video chat with the hiring managers at the business. We’ve never heard of a scammer willing to risk putting themselves into a video chat with a person they are targeting.  And if you do have a video chat, record it to protect yourself!

Binance, Tinder, Costco, and Walmart – Top Phishing Scams of the Week Hot phishing scams of the week: Binance, Tinder, Costco, and Walmart. Did you receive any of them?  Check it out and protect yourself with this FREE, all-in-one tool.

Warning About a Chrome Extension, New Rules from the FTC to Protect You, Bogus Call from National Grid, and Your Verizon Data May be Exposed — Scamadviser is reporting a new, dangerous Chrome Extension that pretends to be for the very popular AI service called ChatGPT. This bogus Chrome extension is actually hijacking Facebook Ad accounts and installing hidden account backdoors for the scammers.  Read more about this in our latest article: FakeGPT: New Variant of Fake-ChatGPT Chrome Extension Stealing Facebook Ad Accounts

Our Top Story in our January 4, 2023 newsletter exposed how legitimate companies can scam you through subscription offers and accompanying “dark patterns” that make it feel impossible to cancel. Thankfully, the U.S. Federal Trade Commission is finally recognizing these practices as unfair tricks against consumers! The FTC is now proposing new rules by which companies ask people to sign up for subscription services.  For example,  one proposed change would require that companies offer the same number of clicks for cancelling a subscription as was required for signing up for it! (Doug spend 90 minutes trying to cancel his Disney Plus free 1-year promotion once he learned that he would soon be charged about $18/month for it!)  This is especially important for consumers because studies show that during the pandemic consumer subscriptions skyrocketed and more of us are now paying for many more subscriptions services than ever before!

More information about the FTC proposal can be found on news services, such as NBCNews.com. However, our advice to everyone before signing up for a new subscription service is…

  • Read the fine print about the offer!
  • Set reminders for yourself in your calendar for when your subscription will run out because it may be a reduced rate or free offer that renews at a much higher rate!

Here is another valuable resource from the FTC about the Pros and Cons of free trials, auto-renewals and subscription services.

National Grid is a utility company that serves residents of Massachusetts and New York in the United States. Last week, we spoke to a woman (we’ll call her Rosa) who received a phone call from National Grid. At least that is what her caller ID showed on her cell phone when it rang. Of course, this turned out to be a lie! Rosa lives in Massachusetts. When she answered the phone she heard from a woman with a heavy accent who asked her for her name AND her National Grid account number. (She couldn’t identify the type of accent. Rosa also told us that the call sounded as though it was coming from another country very far away.) Rosa said “who are you calling?” and the woman gave Rosa’s full name! She responded with “she’s not here at the moment” and the “National Grid” woman asked if there was another number to reach her. Oddly, Rosa gave the caller her landline number and then hung up.  Almost immediately her landline started ringing and the caller ID on it again said that the call was from National Grid!  Rosa decided not to pick it up!   If you ever get a call from any utility provider and they ask YOU for your name and account number, HANG UP!  The caller should already have this information on file!

During the last ten years, the phone/Internet service provider Verizon, has suffered several data breaches resulting in stolen consumer information. On March 6, SafetyDetectives.com reported such a breach in January of data containing about 7.5 million Verizon customer records that revealed personal information such as names, contract status, router specifications, mobile device types, and more. We’ve not been able to confirm these details from other sources but if you are a Verizon customer you may want to check out their report:  https://www.safetydetectives.com/news/verizon-breach-report/

Finally, we hope this leaves a smile on your face.  Earlier in March a Reddit User posted an FBI “Final Warning” that they received. It claimed that they were going to be arrested and jailed UNLESS they paid back an alleged $1000 that was accidentally sent to them! Of course this is all a scam and the graphic came from a personal Gmail account.  Enjoy!

Spear Phishing a Business Office, Microsoft Outlook, PayPal and More! We routinely hear from a school’s CFO that the employees in their business office are frequently targeted by spear-phishers. These scammers pretend to be school employees and always request a change to their banking information for auto-deposits.  This school has literally received more than thirty of these bogus requests in the last year! In every case, the email FROM address appears to be legitimate but the “Reply-to” address is always a scammer’s email at Gmail or somewhere else.  One of these last bogus emails even included a photo of the real employee that was taken from the school’s website!

One of our readers sent us this phishing scam disguised as an email from her Microsoft Outlook company account. But the email actually came from a hacked email account for a Virginia Periodontist! No email service will ever ask you a question like this did! Stay with your current password?  Seriously?!

We continue to receive LOTS of bogus emails from our readers that have attached pdf files and claim to be about payments charged to their credit cards for purchases they never made.  Each pdf file, of course, contains a scammer’s phone number that you can call to “cancel” the fake payment! Check out this bogus notification for an iPhone purchase and look at the American Express account number listed!  Not the least bit legitimate!

Here’s another one of these bogus emails that actually came from PayPal. But that doesn’t mean it’s real!  Look at what the criminals wrote in the notes field of this “canceled request!” (“canceled” is spelled in the customary British spelling, not American spelling!)

Casino Promotion, Credit Card Debt and CryptoCurrency Wallet Upgrade Readers have recently shared some very interesting scams with us related to money! Let’s start with this wonderful promotion that seems to be from a gambling platform called Raging Bull Casino. The recipient was offered a $3500 promotion and link to gambling tips handed down “through the ages, through generations of kings and queens.” But this clickbait didn’t come from Raging Bull Casino! The link to “verify here” pointed to the link-shortening service at Bit.ly.  When we unshorted that link, we learned that you’ll be sent to a website called austribed[.]us[.]com.  It was registered last December through Namecheap. Lunge for the delete key!

Speaking of shortened links, check out this wonderfully helpful (said dripping with sarcasm) email asking you if you are tired of credit card debt. It came from a University account in Egypt! The shortened link in this clickbait uses another service that is called rb[.]gy.  This shortened link will redirect you across the world to a website hosted in Russia.  Need we say more? You know what to do!

And finally, we have a very interesting scam message sent to us by another reader. It claims to be from the Cryptocurrency Wallet service known as “Meta Mask.” However, the reader told us that the real domain for this service is myracingaccount.com and this notice did not come from there!  The fraudsters are trying to trick folks into clicking this upgrade for the wallet software, and this is likely going to install malware onto your device!

You’ve Reached Your Storage Limit and Many Hand Grenades! —This email almost fooled the reader who sent it to us! He said that he knew his iCloud storage was nearly full and so he was a bit interested to see this iCloud storage offer. However, the subject line looked really sketchy and the link used in this email CLEARLY didn’t point to either icloud.com or apple.com!  Notice, in small fine print at the top, that these scammers were hoping to collect your credit card details!  Check out the link! We know what a Narwhal is but what is a luxury narwhal? Now delete.

The safety officer at a chemical company often sends us her malicious clickbait. Lately, she tells us her inbox has been exploding in them! Here are a collection of just 3 of these VERY DANGEROUS emails she’s received in two days. Each contained an “htm” or “html” attached file designed to take control of the woman’s browser and send it to a malware trap!  

Coincidentally, another one of our readers sent us this email with a similar attached threat.  As we’ve said before, an htm or html attachment is their weapon of choice for attacking a computer! 

Amazon Account Suspended, CVS Store Credit and Wipe Out Wrinkles! — Lions and tigers and bears, oh my! Readers sent us lots of malicious texts in the last couple of weeks! Check out this wonderful notice pretending to be about your Amazon account. The scammers don’t make any effort to hide the fact that their link points to a website in the UK called “bravethinking” and NOT amazon.com!  The Bravethinking website has been hacked and we’ve informed the owner.

Isn’t it lovely to know that you are a “treasured customer at CVS!”  At least that’s what this bogus text wants you to think!  The link in this fake “rewards” text actually points to a malicious website in India!  Can you spot the “.in” country code in that link? Don’t believe scam emails like this! Just delete them…

Hmmmm….we’re not sure whether to be offended that someone is telling us we need to wipe out wrinkles to look younger, or the fact that this is just another malicious clickbait with a link pointing to another website in India again! Either way, delete, delete, delete!

Until next week, surf safely!

Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
have subscribed to it via Scamadviser.com or thedailyscam.com

Keurenplein 41, UNIT A6311  |  1069CD Amsterdam, The Netherlands

Contact Webmaster