Select Page
Weekly Alert  |  November 17, 2021

Something really BIG happened last week to Doug at The Daily Scam! He received an email notification from someone named “Jarret K” at EducationandLearningConference[.]com about a “prestigious educational conference in the US in early 2022.” Doug has been shortlisted for an award to “honor all leaders and offer them a platform to share their achievements and journey with the world.” THIS IS SO EXCITING!

There were, however, a few minor things that troubled him about Jarret’s email and below you can see Doug’s reply.  Here are five concerns…

  1. The domain educationandlearningconference[.]com was registered anonymously on August 3, about 3 months before this email was sent. This felt a bit odd considering that this is supposed to be an annual conference rather than A “FIRST TIME” conference. (Afterall, Jarret says “we will be organizing the next edition…” not the “first edition.”)

     

  2. There is a redirect element hidden on Jarret’s website that sends visitors to another domain called education2conf[.]com. (This domain was also registered anonymously in mid-July.)

     

  3. Google’s search engine knows NOTHING at all about the website educationandlearningconference[.]com and no other website is referring to it or has information about it.  (On the other hand, Google does find information about an “Education 2.0 Conference” which uses the domain education2conf[.]com.)

     

  4. Scamadviser.com gives educationandlearningconference[.]com a VERY low trust score!
  5. Oddly, a search for the physical address in Jarret’s email also shows NO SUCH organization.  However, we do see that this address at Suite 104 has been occupied by a business called MedCognition for the last 5 years and has an A+ rating on the BBB.org web site. By contrast, “Education and Learning Conference” cannot be found on BBB.org or LinkedIn.com.  The domain Education2Conf.com CAN be found on LinkedIn but they never describe themselves as EducationandLearningConference[.]com and they show a different physical address located in Leeds, Alabama.

But these anomalies don’t really matter, do they? Doug is SUPER-excited and looking forward to hearing from Jarret soon!  Unfortunately, as of November 16, Jarret hasn’t replied.  We wonder why? Could this be a Vanity Scam? We’ll never know until we hear back from Jarret. If you would like to see some examples of Vanity Scams and learn why they are called “vanity” scams, visit our article called Recognizing Vanity Scams.

With the holidays just around the corner, we know that scammers will be targeting consumers heavily this season. This is especially true considering that COVID continues to drive a lot of shopping online.  Check out these holiday shopping safety tips at Scamadviser.com to lower your risk for being targeted! And speaking of safety tips, we often urge our readers to talk to their elderly family members to educate them about online and phone fraud, or to check that they aren’t being taken advantage of by fraudsters.  But how about your children? Check out these tips on Scamadviser.com to help keep your children safe as well!

Also, we want our readers to be aware of the “reshipping” scams that have victimized many looking for new jobs during the last 6 months. Indeed.com posted a good article in October that details what these scam jobs look like, and might look like as we approach the holiday season.  Check out “Everything You Need to Know About Holiday Reshipping Scams.”

Amazon and Your Password Will Expire in 12 HoursThe FROM address in this email begins with an email belonging to Amazon.com. BUT that address is written into the text field!  The REAL sender of this email comes after this text and is seen in blue enclosed by brackets <>. It shows that this email came from the domain agentofficemail[.]com instead of Amazon! A search for this domain in Google shows that it has been used for phishing scams for a few years now, including a post on Reddit.com from 5 months ago. VirusTotal.com tells us that many security services are well aware of this threat.  (See the screenshot below) Now you are too!

Doug and David at TheDailyScam.com are really enjoying the continued phishing attacks against us that began 2 weeks ago.  They warm our hearts and fill us with joy as we approach the Thanksgiving holiday! We are truly grateful. (We’re not kidding!) Check out this one that was sent to us from a server in South Africa while we also share a bit of country code tradition with you…

Did you know that there is an “International Standardization Organization” that was founded in 1947, but had its roots in the 1920s? (According to Wikipedia.) The “ISO” was responsible for assigning 2-letter country codes in 1974, which then began to be used in many domain names in 1985. Though there are a few exceptions, ISO tried to honor each country, when possible, by using 2 letters taken from the name of the country in a language spoken in that country.  Hence, the 2-letter country code for South Africa is “.za” which represents the Dutch language for “Zuid-Afrikaanse” = South Africa!  Other examples include “.es” for España = Spain and “.de” for Deutschland = Germany. (Learn more about the ISO 2-letter country code system on Wikipedia.)

Of course, what this all means for our email below is that the password is not going to expire in 12 hours, but we sure love this scammer’s enthusiasm!!

Fall Scams Not to Fall ForDeciduous trees and other plants drop their leaves every Fall and people get to enjoy the amazing color changes as these plants stop making food through photosynthesis. As these plants stop producing their photosynthetic pigments, they begin to decay but these pigments decay at different rates.  We see these changes as color changes in the leaves, until finally, the leaves have died (shades of brown) and fall to the ground. (The science of the annual “Fall” is truly fascinating! You can learn more about the role played by chlorophylls, carotenoids, and anthocyanins in aging leaves in this article at the College of Environmental Science and Forestry or this article from AmericanForests.org.)

However, as predictable as are the falling leaves of deciduous trees, we also see these malicious clickbait emails fall into our inboxes at this time of year. They are disguised as legitimate businesses but didn’t come from those businesses!  Check out these two examples. Both came from the infamous Hyphen-Poopy Cybercriminal Gang! (Look for the 2 random hyphenated words found in the clickable link.) Though Leaf Filter Gutter Protection is a legitimate set of products, this first email came from a crap domain registered in Iceland in January, 2021.  The links point to this crap domain as well. (Note: The Hyphen-Poopy gang LOVES to purchase their malicious domains in Iceland from a Registrar called Name Cheap. Name Cheap does a VERY POOR job of safeguarding the misuse of the domains they sell, in our opinion!)

This second example has links that point to a domain that was registered in Bavaria, Germany just three days before this land mine dropped into our inbox.  It’s easy to spot the hyphen-poopy tell-tale sign at the end of the link when we mouse-over it, BUT DO NOT CLICK IT!  All of these links lead to a malware infection! So the next time you see a “great deal” for Fall products, think twice before clicking!  Do your due diligence and look carefully at the source of the email and where the links will send you!

One Man’s Job Hunting Nightmare – Last week we were contacted by a Reader who lives in South Africa about a possible job scam. To protect his identity we’ll call him Jim.  Jim is eagerly looking for a new job and is especially interested in jobs in the UK. He tells us that he would prefer to accept a job in the UK and move there than stay in South Africa. The problem, however, is that because Jim has posted his resume on many different online job-search services, he has been flooded by scams disguised as real jobs!

For example, Jim received an email invitation to apply for a job with Virgin Cruises, based in West Sussex, UK. He replied enthusiastically, sent his resume, and filled out their brief job application form.  This original email to Jim contains two MAJOR RED FLAGS that scream out “FRAUD!”  Can you spot them?

    Did you spot the fraudulent tell-tale signs? Hold on, we have more…. After Jim responded to the email above,  he received the email below from Gunn Portford, who claimed to work for the Virgin Cruises Human Resources Department. Now how many “red flags” can you spot in this email that should make everyone suspicious? (Our answers are below.)

      So how many red flags did you count in those two emails? We see 3 SERIOUS red flags that scream out “fraud!”  We also see a common “poker tell” in the second email that we often find in scams perpetrated by fraudsters from a variety of African countries, like Nigeria. The most obvious red flag is the many grammatical, punctuation and awkward English errors found throughout these emails, especially Mr. Portford’s response. These errors made Jim highly suspicious that this was not a real job offer! The second and third red flags are ABSOLUTE PROOF that these emails are fraudulent. A Google search for Virgin Cruises will show you that the parent company, Virgin Voyages, uses the domain virginvoyages.com. Neither of these emails came from virginvoyages.com. The first came from a generic Gmail address with the name field “VirginVoyagesCruises” while the second email came from the domain “workmail[.]com.” We’ve documented many job scams, including many in the last two years that use emails sent from workmail[.]com.  You can see them in our article You’re Hired! (Job Scams).

      The “Poker Tell” can be seen in the second fraudulent email. Mr. Portford’s closing response includes “Remain Blessed.”  Many African scammers use opening or closing remarks like this to help convince the potential victim that they are a religious person, and by association, a good person.  But Jim wasn’t buying it!  He replied to Mr. Portford and said “May I request confirmation/verification that this job offer is indeed real and not a scam?” Read Mr. Portford’s response to Jim. (See screenshot below.) We think his response is hysterical AND supports the scam accusation!

        Jim has told us that he has received LOTS of scam or suspicious emails like this. As you can imagine, he finds it frustrating trying to wade through this sea of crap to look for legitimate emails.  Our readers may wonder what exactly is the scam here?  We’re certain that there are two potential losses from these scams.  Jim was sent a link to a legitimate “UK Visas & Immigration Form (VAF2)” found on a UK Government website.  He was told to fill it out and send all of the information to the scammers.  Doing this will expose Jim to Identity Theft and other targeted fraud because of the very personal details required by this form.  Included in the requested information is birth date, birth location, nationality and passport details such as his passport number.  It also asks for any UK issued “Biometric Residence Permit Number,” details about phone, email, physical address AS WELL AS details about his Mother, Father, Spouse, children and employment. In the wrong hands, all of this information can be used for nefarious purposes.

        Most importantly, this is an “advance check” scam.  Victims will be sent a well-crafted, fake check to deposit. The amount will include their first week’s salary, along with additional funds to pay for services and/or materials required by the bogus company.  Recipients will be asked to wire their REAL money to the scammers shortly after depositing the check. Of course, the money they send is irretrievable and they won’t discover that the check bounces until days later, and they are hit with an additional fee from their bank to add insult to injury. Real companies will never hire you only through some text communication, and then send you a check for hundreds or thousands of dollars, along with your first week’s salary in advance.

        ACTION NEEDED!!! – Twice in the last week our honeypot email accounts have received two nearly identical bogus emails informing us that our “unsubscribe request is PENDING.”  Here’s one that claims to represent a fictional “Global Unsubscribe System” that simply doesn’t exist. Were we to click any link to “confirm” our wishes, our email would be sent to 24 email accounts all over the world, including 5 on Russian servers, 2 in Czech and 1 in Belarus. (Yandex[.]com is a Russian search engine and web portal that also offers free email services.) LUNGE for the delete key!

        Your Offer of 2.5K Will Expire Today –This text was recently reported to us as unsolicited, arriving on the recipient’s phone about 20 minutes after midnite. The link in it points to a website in Honduras (“.hn”) called msg[.]hn.  However, we discovered that visitors will be immediately redirected to a very questionable website called HolidayWallet[.]co. This domain was anonymously registered recently on September 17, 2021. Visitors to HolidayWallet[.]co are told that they can use this site to apply for loans. The top web page asked us to input our phone number, the loan amount, and the last 4 digits of our Social Security number. WE DO NOT RECOMMEND THIS SITE!  Despite their assurances that they care about your safety and data security, everything about this request feels like a scam! It feels this way because of the age of their domain, the random text received from 415-831-7119 which can’t be Google-traced to any business, the Disclaimer shown at the bottom of their website, and the fact that “AdPath LLC” (mentioned as the source of the text) is an “inactive business” since 2017 with a delinquent tax bill, according to the Wyoming State Business Center where AdPath LLC was last registered. BLOCK THIS NUMBER!

        Until next week, surf safely!

        Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
        have subscribed to it via Scamadviser.com or thedailyscam.com

        Keurenplein 41, UNIT A6311  |  1069CD Amsterdam, The Netherlands

        Contact Webmaster