THE DAILY SCAM NEWSLETTER  |  MAY 29, 2024

Co-Founder/Content: Doug Fodeman  |  Co-Founder/Creative: David Deutsch  |  V04N16

Get Paid to Take A Survey

For more than a decade we’ve seen the same scam used over and over to trick people into giving up their credit card information to scammers, including their security code. That’s right! People are tricked into simply handing it over to cybercriminals who, no doubt, use it to make fraudulent purchases, causing your CC company to have to cancel your card. How do they do it? It’s actually easy. How many times have you seen an email inviting you to take a survey and receive a reward? We see these pour into our honeypot accounts every single week! Early in May our friend Rob said that he would be happy to step into that rabbit hole and show us his journey. This scam hasn’t changed much in 13 years! Check out what happened when Rob clicked a link to take part in “State Farm’s Marketing Survey” and earn $90 in rewards!

This scam started with an email offer. However, to be 100% clear, this email didn’t come from statefarm.com and the links didn’t point to it either!  It is 100% a fraud. Also, once clicked, these surveys always pressure the victim into completing the survey quickly. You typically learn that the rewards survey expires today and you have less than 8 minutes to complete the 6 – 10 questions and select your free gift!  In other words, hurry up and don’t think about whether or not this is a fraud!

The questions in these fake surveys don’t typically raise any red flags. From this bogus insurance marketing survey, it is not concerning to see questions like “which company do you use for your auto insurance,” “do you have their mobile app installed on your mobile phone,” or “what qualities do you value most with your auto insurance.” The survey then provides 4 to 10 choices as buttons from which to choose a response. Questions can even refer to competitor companies as if the marketing survey wants to assess how you value these other companies.  However, what you’ll notice throughout these surveys is that you’ll either see “verified” comments, at the start or as you take the survey.  These fake comments praising the rewards, show bogus names and pictures of people who supposedly completed the survey and received their gift. They may also include hearts and/or thumbs-up emojis, as if others agree with these completely fabricated comments! But don’t linger!  You only have 5 minutes and 33 seconds left to complete your survey and select your reward!  (Can you see the scam yet that’s about to hit you?)

Finally, you’ve rushed through the survey questions and completed them in time to get your reward! And then you see that your time to select and order your reward is also limited to a few minutes!  Oh no! Hurry, hurry, hurry!  All of the details provided in these rewards are meant to manipulate your decisions and your ability to evaluate whether or not this is legitimate. IT IS NOT! Rob was presented with a variety of 4 items to choose from for his reward. The Le Creuset Cast Iron set, valued at more than $560, looked like a steal!  

    Oh my gosh! Rob clicked “I’ll take it!” for the 5 piece Le Creuset Cast Iron Set. And there was only 1 set left. Look what he discovered!  Now it is a 10-piece set and there are 3 sets remaining! How awesome is that! (We’ve always considered Rob to be one of the luckiest guys on the planet because every week he gets emails telling him that he has hundreds of millions of dollars coming to him!) Please note that Rob was asked to fill out his personal information to receive his cookware set. He completely fabricated that information. (Name, Address, Email and Phone number.)

    Finally, after rushing through this State Farm (bogus) survey, Rob had his just reward! And to send him that 10-piece wonderful Le Creuset cookware set, he only had to pay $7.85 for shipping and handling. Wow! This is even less than the $9.95 that was listed on the item when he first looked at it! What a lucky guy!  Rob decided to enter bogus credit card information and click “Complete Order” just to see what would happen. His order was immediately declined! 

      In the end, Rob obviously never entered his real credit card information, nor his real personal information. Imagine what these scammers could do with those details and how much they might have charged against Rob’s account! By the way, below is the original fake email pretending to be from State Farm that landed in Rob’s inbox. Not only did it come from a bogus email address  When we investigated the link on this survey, we discovered that this email came from an unregistered domain in the name of an Algerian singer (Cheba Warda Charlomanti [.]com). The link points to a malicious domain (droubq[.]store) but you’ll be redirected to ANOTHER malicious domain at bdsrvuytrck[.]com. This domain was registered in late January of this year, in Canada. Does ANY of this sound like State Farm marketing to you?

      Using the ACID TOOL to Fight Fraud and Questions from Readers…

      During our 13+ years exposing online fraud we have often lambasted ICANN.org for their horrifically poor governance of Registrars (sellers of domain names) and the implementation of the Domain Name System (DNS). We think ICANN’s practices do remarkably little to protect the world from cybercriminals who abuse both DNS and Registrars in their effort to victimize the public. For the record, ICANN still does a horrible job of implementing safety rules, holding the Registrars accountable, or making it easy for the public to report abuse. However, in March of 2023 ICANN.org released a tool to help people report fraudulent domains and domain abuse. This new tool is called the “ACID Tool” or “Abuse Contact Identifier” tool. As ICANN says: “The Abuse Contact Identifier (ACID) Tool is a service offered by the Registrar Stakeholder Group to help internet users who need to report online abuse determine where to send these reports. ACID Tool provides publicly-available contact information for web hosting, email, and domain registration providers in response to domain-based lookups.” (The fact that it has taken us AN ENTIRE YEAR to learn about this tool once again says something about ICANN’s lame effort to keep the public safe from cybercriminals. By the way, did we mention that ICANN receives millions of dollars each year from cybercriminal domain purchases?)

      We tried using the ACID Tool last week after finding a nasty phishing page on the domain called linkup[.]top. (See the Phish Nets column below.) This domain has been active since December of 2022! VirusTotal shows SEVENTEEN security services that have identified this domain as malicious, phishing and/or hosting malware! And yet, it was STILL ACTIVE as of May 20, 2024! Well, we have good news and bad news about ICANN’s ACID Tool to report to our readers. The good news is that this tool quickly returned the information we needed, along with phone numbers and/or email addresses to report abuse to the services with whom this malicious domain was registered and hosted. On May 21st we reported this fraud to both the Registrar of this malicious domain (NameCheap.com) as well as the Hosting service (Amazon AWS) that hosts the phishing website. Within minutes we received automated responses from both services. The response from Amazon AWS was pretty short and simple, telling us that they would investigate our report and respond once that investigation was complete. Seven hours later, we received another email from Amazon AWS telling us that they had completed their investigation and were “mitigating the issues” but gave no details due to the privacy of website ownership. After reading this second email we re-checked the phishing page at linkup[.]top and found that it had been taken down! That was a fast turn-around! Kudos to Amazon! (However, the top page of the domain seemed like a website that was still waiting to be set up.) So what’s the bad news? The email response we received from Namecheap was filled with legal language and links telling us to make sure that we met all their guidelines for reporting online fraud or malicious intent. The email felt like it was meant to make the reporting process much more difficult! It’s been more than a week (at the time we’re drafting this story) and we’ve still not heard back from Namecheap.
For the record, Namecheap.com is one of the worst Registrars in the business! They routinely turn a blind eye as they sell hundreds of thousands of domains to cybercriminals, raking in millions of dollars of revenue each year!

      Last week we saw a Reddit post concerning a Canadian apartment/room for rent. The person posting was asking the Reddit community if they thought this Rental was a scam. (Kijiji.ca is a Canadian classifieds website.)

      We said that this post seemed a bit suspicious, or perhaps, a bit naive in the way the information is presented.  We believe the best way to determine if it is a scam or not is to ask for a video chat with the person posting it. 99% of scammers won’t do that! Also, NEVER send money in advance and don’t assume that if you are sent documents to sign that it means the rental is legitimate. Fake documents are easy to produce. It also sounds like this Rental is a sub-let. Ask who the apartment owner is and then try to verify this information and contact her/him. And NEVER send money in exchange for the key to the property! By contrast, another young man also reached out to us last week to ask our opinion about a house for rent in Washington State on Tullis Street in Olympia.  All communication with the homeowner, a Mr. Michael Scholl, was via text and email only. The landlord, Michael Scholl, used the phone number (951) 635-8317.

      The text thread above doesn’t raise any obvious alarms until more information was provided. The “renter’s agreement” that the young man received was covered in suspicious red flags or outright fraud! Check out this screenshot below of the opening few paragraphs of the 3-page Renter’s document that Mr. Michael Scholl sent the young man….

      • It includes information that is meant to paint a picture of an inexperienced, trusting and innocent new landlord. Often times, the scammer presents himself as a member of the clergy, or a very religious and faithful person. Nothing could be further from the truth!  Also, look at the all-CAPS last sentence. The English error is a “reveal” that this scammer is not likely a native English speaker.

      • The language of this agreement reveals an important part of this fraud that is always used. The landlord makes the excuse that he is out of town and cannot show the interested party the property in person. However, he’s willing to send a key if the person puts down a deposit. He claims the deposit will be returned if the person decides not to take the rental, or apply the deposit to the 1st month’s rent and security deposit.

      Google shows that the property on 1329 Tullis St. NE, Olympia, WA is a home that is not for sale.  But more importantly, searching for this property did not turn up a single post that the property was for rent!  This rental offer is 100% fraudulent!  In addition to the points above, the rental agreement sent by Mr. Scholl contained many questions that are obvious scammer questions (especially #6 and #7), illegal, and/or inappropriate to ask a potential tenant. They included….

      1. Job history and income
      2. Picture of the occupant
      3. Are you married?
      4. How Much Do You Have At Hand Right Now If You Are Asked To Secure The Property Today?
      5. Do you agree to make a down payment before you move in?
      6. Do you agree to receive the keys and the document via FedEx shipping company?
      7. How many months’ rent can you pay upfront? Minimum (1month + SECURITY DEPOSIT), (2 months + SECURITY DEPOSIT) or (3 -6 months + SECURITY DEPOSIT) so which option do you prefer
      8. Do you work late night?

      Imagine getting an email from the Social Security Administration telling you that your Social Security number is being suspended due to criminal activity associated with it! This email includes lots of legal language about what is going to happen to you and you are asked to call the Social Security Administration. But the number provided is a scammer’s phone number: (888) 619-3616. That email dropped into the inbox of one of our readers and she reached out to us. She didn’t think it was legitimate but wanted to be sure. We pointed out that the email did not come from the legitimate SSA.gov domain and yes, it was a fraud.

      However, we also reached out to Professional Scambaiter Rob and asked him if he wanted to call the bogus number, play with the scammers, record the call and send us the recording. He did! Below is Rob’s recording from May 20 at 11:15 AM.  The scammer barely has any accent, but it is there and very subtle. Listen how this supposed federal agent tries to pressure Rob, in a calm manner, into providing information. (We’ve cut out Rob’s personal details revealed in this call) Rob tells us he has had experience with this fraud before. The scammer was going to send him to a “local law enforcement officer” who would explain that his bank account is not safe and needs to be shut down due to the fraud uncovered in his name and social security number.  Rob would be asked to transfer his money to a secure account and the “agent” would help him do that. However, Rob exposes this fraud at about 14 and a half minutes into this recording and then hangs up!  Would you have believed this fraudster?

      We have several interesting articles to refer to our readers this week. Some of them are terribly sad given the amount of money lost or the way in which the fraud was carried out. But most surprising is the article about a fraud carried out by teenagers in New York’s Central Park!

      Scammers stole more than $400,000 from a woman through an elaborate Publisher’s Clearing House sweepstakes scam:  https://ca.news.yahoo.com/scammers-stole-more-400-000-201941775.html

      Published on NYTimes.com on May 20, this ‘Russian Woman’ Loves China. Too Bad She’s a Deepfake. A.I.-manipulated videos on Chinese sites use young, supposedly Russian women to promote China-Russia ties, stoke patriotism — and make money. https://www.nytimes.com/2024/05/20/world/asia/china-russia-deepfake.html

      Have you ever been approached by a teenager asking for a donation to support their sports team or league? We have! We would never suspect these kids might be scammers. They typically are wearing the jersey, hat or full sports uniform of the team, and they typically have some type of paperwork backing up their claim to solicit for donations. That’s not what happened to some people when they were approached in New York City’s Central Park recently!  And it wasn’t just a ten-dollar donation that was made! (Lesson here: NEVER, EVER hand your phone to a stranger!)

      https://www.westsiderag.com/2024/05/22/sports-team-scammers-swindle-thousands-of-dollars-from-people-in-central-park-this-weekend-police

      Here are two more examples why “online privacy” is an oxymoron!

      https://krebsonsecurity.com/2024/05/why-your-wi-fi-router-doubles-as-an-apple-airtag/

      https://www.cnn.com/2024/05/16/tech/damaging-hacks-expose-the-weak-underbelly-of-americas-health-care-system/index.html

      Remember to check out our Podcasts!  Visit: https://www.securewon.com/resources/podcasts/

      Facebook Copyright Infringement and McAfee Fraud

      On May 21, a Reddit account holder posted the text below that he had received after putting information on his Facebook account related to a side job he was promoting. He asked the community if they thought the text was  legitimate from the Facebook Support Team. Hell no! He was told that his account had infringed on copyright rules and would therefore be deactivated. He was asked to click a link to verify his account information. NOTICE that the link looks like it points to facebook.com BUT that link contains a built-in redirect to the domain lookup[.]top! This malicious link also contains a directory name of “SupportMeta[.]com” at the end of it. When we visited this phishing page, we found a very fake login that appears to be for Meta. The link is a VERY CLEVERLY disguised fraud!  Don’t believe everything you read! Cybercriminals often create links with redirects built into them. Deception is too easy online!

      At the other end of the clever spectrum is stupidity! Check out this very lame effort to phish your personal information. The email came from a free Gmail account and the name in front of the email (“Kasper Banele”) doesn’t match the name within the email address (“gleonalbraith”)! And NO legitimate business email sending an invoice will begin with “Hey there!” and include emojis like the heart used below. Lunge for the delete key and remember to report your smelly phish to us and Google: https://safebrowsing.google.com/safebrowsing/report_phish/

      Home Warranty

      Last weekend we heard from a woman who asked us about a home warranty letter sent to her mother. Her 85 year old mother had paid more than $250 for a home warranty renewal two days earlier. The daughter was pretty sure that the warranty was a complete fraud. Especially since her mother lived in an apartment!  She was correct! Below is a screenshot of the letter her mother received. It turns out that her mother had also received multiple phone calls about her “expired home warranty” too. We’ve seen this fraud for years and easily found more than 100 online reports against the phone number used in this fraud (888-404-4504). We also found the real name of the company behind it: 4Ever Home USA.  Making this scam more serious, the 85 year old woman had given these scammers her debit card information for a direct payment from her checking account. Two days later, her daughter was trying to cancel this payment. She called this company back at 888-404-4504 to cancel the insurance payment. The “agent” she spoke with said yes, they would cancel the payment. But to safeguard her mother’s account, they also spoke with her bank and cancelled the card. To be completely safe, they requested a new bank account number and a new debit card.  Both of these were the smart thing to do to protect against more possible fraud. 

      Take note that in the “FINAL NOTICE” letter received by her mother (Below) that there is NO company name given!  Like all previous scams of this kind, the letter simply says “Home Warranty Division.” But, not only did the letter include the full name and address of the recipient, it also includes a current or former mortgage lender used by the victim! If you check out these complaints about this company’s fraudulent practices posted online, you’ll read that many people say this company had their mortgage information and pretended to be associated with the lender. Check out….

      ….as well as many other links around the Internet. Even Main Street Bank has reported this fraud to their customers AND the US Department of Justice raised awareness about this fraud in 2022! Finally, we even reported on a prior example of this exact fraud in our newsletter from December 1, 2021 (in the “Your Money” column).  Why does this fraud still exist!  The people behind it need to be caught and shut down!

      View Completed Documents & Your Netflix Membership Expired!

      Cybercriminals often use “document signing” as a means to trick you into downloading malware onto your computer or phone. Trust us when we say this will not end well for you! Check out this bogus email that a reader shared with us on May 20th. It came from a server in Ukraine and pretended to be from Docusign. The link pointed to a very malicious website buzzing with fraud called beehiiv[.]com. (We’ve reported on this malicious busy-bee site before!) Deeeeeleeeeete!

      It is critically important to mouse-over links before you click and look in the lower left corner of your browser to see where they point to! This email pretends to be from Netflix but certainly didn’t come from netflix.com! Your Netflix membership has NOT expired!  But more importantly, when you mouse over the links in the email you’ll see that they don’t point to any named website. They point to an IP Address (95[.]158[.]247[.]46) According to IPLocation.net, this IP address is located in Russia!  YIKES!  If you ever see a link pointing to a set of numbers instead of a named website, DO NOT CLICK!  The chances are exceptionally high that the link is a fraud. Now, Comrade, delete that email! Da?

      Job Offer for You!

      We have no idea why job related scams are on the rise but they are. Here’s an example that landed via random text on my personal phone last week. Lucky for them, I had time on my hands and wanted to play for a little while. “Vicky Bell” contacted me about a job offer. Notice how she sometimes uses a ZERO 0 instead of the letter “o” in her texts, and she purposely avoids spelling WhatsApp correctly.  We think these scammers believe that doing this better protects their scams from being searched by victims.

      After saying I didn’t have a WhatsApp account (I lied), I received a text message on it from another woman who identified herself as Elina. (Holding a baby. Awwwww.) It may not be obvious in this fraud but understand that this text conversation took place on a Saturday night after 8 pm.  What LEGITIMATE human resources department for any legitimate business is going to engage in this conversation by text only and on a Saturday night?  NONE! This is 100% a scam, though Elina didn’t agree with me when I told her as much! I asked Elina after about 30 minutes of texting if she enjoyed scamming people. She told me she didn’t understand my question.

      Until next week, surf safely!

      Copyright © 2024 The Daily Scam. All rights reserved.

      Marblehead, MA 01945
