This Trick Can Net a Scammer Thousands of $! — In today’s digital age of finances, we imagine that most people choose to receive paychecks by direct deposit into their bank accounts, if possible. Direct deposit removes the hassle of driving to a bank or ATM to deposit the check and then waiting several days for the deposit to be confirmed. And if a paycheck is mailed via the old-fashioned postal service, the delay can be even longer. Direct deposit is fast and convenient for employees and, seemingly, without risks. But if scammers are clever and skilled enough, as they were in late April to target one organization’s business office, they just might pull off a scam that can net them thousands of dollars with ease!
The scam is brilliantly simple in concept. Cybercriminals use a company or organization’s website to find the names and email addresses of a few employees, and most importantly, the name and email for the Controller working in the Business Office. That’s what happened in late April to an organization, and they shared this information with us. Apparently, the organization’s Controller received three emails from employees over a period of several days, informing the Controller that they wished to update their banking information before their next payroll deposit. The timing of this was also well executed because it is reasonable to expect a paycheck at the end of a month. Here are two of those emails…
One email supposedly came from a woman named Sheila, while another came from someone whose name begins with “Sh.” (We were asked not to reveal the full first name.) Both emails appeared to be sent from the legitimate email addresses used by these people in this organization. Both emails addressed the Controller by her first name, which is reasonable since the organization had fewer than a hundred employees. So what’s going on here? Did the email accounts of all of the employees sending this request get hacked and misused? Last week we reported on an identical email and said that the owner’s account was likely hacked. This was based on the fact that we ONLY received a screenshot of the bogus email, followed by an interview with the real email account owner. But it turns out that we were wrong! This time around, the Director of Finance contacted us and gave us the opportunity to look at the original email in the Controller’s inbox. All of these emails were SPOOFED!
Email spoofing is a technique used to manipulate an email to make it look like it comes from a trusted source, such as an employee within your organization, when in fact, the email comes from a cybercriminal! Most email programs have some built-in protection to detect spoofing and then move spoofed emails to a Spam or Trash folder, or simply delete them, with varying degrees of success. The Controller of the organization, who was targeted, found these emails in both Trash and Spam folders and wondered why they had landed there. It was the Director of Finance who recognized them as fraud and contacted us. The only way to truly reveal this trick is to look at the raw source of the email, including its headers. (In Gmail, open an email and then click the 3-Dots button known as “More” and select “Show Original.”) Take a look at what we found when we looked at the source for 2 of these 3 spoofed emails…
Sheila’s email actually came from an entirely different email account having nothing to do with the organization. It came from “lexi” at the domain woodsnapa[.]com. (According to the Better Business Bureau, WoodsNapa[.]com is associated with a Napa Auto Parts business, but there is no longer a functioning website there and the domain is “parked,” i.e., no longer in use.) Equally important is the “Reply-To” header! Look at the hidden email address that follows Sheila’s name in the source. A reply to Sheila does not go back to her organization’s email. Instead it goes to someone identified as “Rita Weeese 231” at Gmail! This is classic email spoofing!
Now check out the behind-the-scenes coding of the other person’s email (from “Sh”). Rather than coming from the actual organization’s domain, it came from someone identified as “richard” at monotaur[.]com. It is also a parked domain that is no longer in use and without a website. Once again, the employee’s “Reply-To” address was changed and hidden. A reply to this email would be sent to a Gmail account called “na3889315.”
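As an added example (not code from the original article), the checks described above can be run against the text that “Show Original” displays. The message, names and domains below are constructed placeholders, and `spoof_indicators` is a hypothetical helper.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample in the shape described above; every name and domain is a placeholder.
RAW = """\
Return-Path: <mailer@parked-domain.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=parked-domain.example; dmarc=fail header.from=org.example
From: Sheila Example <sheila@org.example>
Reply-To: Sheila Example <payroll.update231@freemail.example>
To: controller@org.example
Subject: Direct deposit update

Hi, I would like to update my banking information before the next payroll.
"""

def domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw, org_domain):
    """List reasons a message that claims to be from org_domain looks spoofed."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain(msg["From"])
    if from_dom != org_domain:
        return findings  # not claiming to be internal; out of scope here
    # The visible From is internal, but the envelope sender is somewhere else.
    rp_dom = domain(msg["Return-Path"])
    if rp_dom and rp_dom != org_domain:
        findings.append(f"envelope sender domain {rp_dom} != From domain {from_dom}")
    # Replies would leave the organization even though From looks internal.
    reply_dom = domain(msg["Reply-To"])
    if reply_dom and reply_dom != org_domain:
        findings.append(f"Reply-To diverts answers to {reply_dom}")
    # Only trust an Authentication-Results header added by your own mail server.
    auth = (msg["Authentication-Results"] or "").lower()
    if "dmarc=fail" in auth:
        findings.append("DMARC failed for the From domain")
    return findings

if __name__ == "__main__":
    for finding in spoof_indicators(RAW, "org.example"):
        print("SUSPICIOUS:", finding)
```

Any one of the three findings is enough reason to confirm a banking-change request in person before acting on it.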
Though all of these spoofed emails landed in the trash or spam folder, they still carry risk for any organization or business that isn’t smart enough to recognize WHY they are there! Fortunately for this organization, the Director of Finance was savvy enough to see through the fraud. Also, they have a policy that requires each employee to have a conversation with the business office and sign a form (in person) to request banking changes FOR EXACTLY THESE KINDS OF REASONS!
How would your business, school or organization fare under these circumstances? We suggest you send a link to this article to the staff in your Business Office or Director of Finance. If they don’t have policies or special training in place to combat tricks like spoofing, then they are at serious risk for diverting money from their employees to cybercriminals!
According to a 2015 article written by Investigative Journalist Michael Krebs, during a 14-month period, businesses around the world lost about 1.2 BILLION dollars through email spoofing, including the use of look-alike domains! To read more about email spoofing and how to better protect yourself, check out this article at CyberNews.com.
You’re Going to Want to Read This – Trend Micro has recently published an interesting article on ScamAdviser that reviews the top 10 ongoing online scams.
Job and 419 Scams Are Still Going Strong – Remarkably, last week appeared to be quieter than prior weeks and months when it came to scams. For example, we saw fewer phishing scams, and fewer threats overall were reported to us by our readers. Whatever the reason, we celebrate it! However, stay vigilant because we’re still seeing malicious emails disguised as many things including paid surveys, best bagels and wild seafood, bug zappers and online dating. And let’s not forget the many scam emails and texts inviting people to apply for a job or engage in a financial partnership. Take this email from Attorney “John Philip Esq” using the very-thoughtful email address “ContactMyOffice81” at Gmail.com.
Though Mr. Philip’s email is lame and an obvious fraud, this next email from “Annapoorna” may seem more legitimate, but it is not! One of our honeypot accounts received FOUR of these invitations that were nearly identical but coming from different email addresses and inviting us to send our resume to 4 different email addresses! Last week the Federal Trade Commission published an article about bogus jobs and business opportunities. Check out their consumer alert called Scammers Advertise Jobs and Business Opportunities.
AT&T Account Suspended and Nevada State Bank – Phishing was much quieter last week! This provides an opportunity for us to point out that there are many ways to phish potential victims. Though we primarily focus on email phishing attacks because they are so ubiquitous, there is also a form of phishing that is actually in-person and quite shocking when you consider how in-your-face it can be! It is a type of skimming scam that is well illustrated in this 4 minute YouTube video from The Real Hustle. In their example, they show how a waitress can pull it off without patrons realizing they’ve been victimized. Skimming has even been set up by scammers at ATM machines and at gas stations.
Another form of phishing that we sometimes share with readers concerns phishing phone calls. Listen to this phone message received on May 6 by one of our readers who shared it with us. The man said that the phone number caller ID showed up as “XXXXXXXX X, IL. 217 311 4392.” It definitely isn’t from AT&T, though it claims to be!
Finally, we have a small-time phish demonstrating that no consumers, no matter how large or small their bank, are safe from these threats! This email phish pretended to be from Nevada State Bank, primarily serving consumers in the state of Nevada. Their real domain is nsbank.com. This email came through Coxmail and the “Log in” link points to the link-shortening service at TinyURL. A big, fat deeeeleeeeete!
By the way, a consumer who uses People’s Bank sent us this legitimate screenshot she saw when visiting her bank. Kudos to People’s Bank for raising awareness amongst its members! We wish that all banks did something like this to keep their members on high alert!
Unique Gifts for Graduation and Sam’s Club Offer – In so many ways, scammers are predictable! They routinely target potential victims based on the seasons, holidays and events that typically roll through our calendars. Check out this example from the infamous Hyphen-Poopy gang using the subject line “Gift ideas for Graduation.” It is 100% malicious clickbait! The email came from, and has links pointing to the 2-day-old domain called anothingor[.]cam. The two hyphenated words in the link are cherubim-retrains. (Say that 3 times fast!) You want gift ideas for graduation? Don’t get them here! The Hyphen-Poopy gang stole the image used in this click bait from the real service called PersonalizationMall.com.
One of our longtime readers sent us this malicious clickbait disguised as a survey offer from Sam’s Club! Malicious clickbait like this is a favorite staple of the cybercriminal world. We can only imagine that it is because people click on this junk. This email was sent from a bizarrely named email account at Gmail and the links point to a likely hacked trading-club service called swingtraderonline[.]com that was registered about 2 years ago. This is NOT samsclub.com!
Government Grant Opportunity – This next scam is an important reminder that cybercriminals are STILL targeting United States citizens by posing as our federal government and offering one-time grants as a result of the financial impact of the COVID pandemic. That ship has sailed, friends! This email came from a website in INDIA called xcellfitness[.]co[.]in, and not from any DOT-gov domain for the US Government! It is another type of phishing scam meant to collect your personal information! Fortunately, several online security services are already well aware of the abusive link in the email.
Publisher’s Clearinghouse Winner! – Think what you may about the legitimacy of the real Publisher’s Clearing House Sweepstakes. However, this text, sent to us last week by one of our readers, did NOT come from the real PCH! The number used to send this malarkey was 502-418-2895. We think this number was likely spoofed because an online search for it shows the personal phone for a 26-year-old from Kentucky. The screenshot did not include the link to visit but we’re certain it is a scam!
Until next week, surf safely!
Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved.