Weekly Alert  |  November 23, 2022

Using YOUR Verification Code to Scam YOU

Just a few days ago we heard from a man who posted a used sofa on Facebook Marketplace Sunday morning at about 7:30 am. Within a few minutes he had received a direct message from a woman named Ling Sanders, asking “Is it still available.” The immediate reply to his post made the man suspicious but he was also curious. That curiosity helped expose how scammers use verification codes against you. Sadly, we also heard from a woman in October, telling us that her Facebook and email accounts had been hacked and she was locked out. The scammer then used her accounts to defraud others. Ultimately, the scammer’s use of her Facebook account triggered Meta to permanently shut it down. She lost all her content and was not able to restore or retrieve anything. That scammer also gained entry by tricking the woman into revealing a verification code during a bogus job interview. Let’s take a look at how these clever tricksters ran their scams….

There is no question that Facebook Marketplace is used by hundreds of millions of people around the world. It is an easy way to post and search for items for sale. This is also why it is an exceptionally attractive tool for scammers! When a man recently posted a sofa for sale on Facebook Marketplace, he immediately received a direct message asking “is it still available.” We believe that this was the FIRST red flag suggesting that the interested person was a scammer. The man responded with a yes and “Ling Sanders” asked the man to text her at (617) 706-5366. We see two more red flags in their brief text exchange…

Notice that Ling didn’t ask any questions about the sofa, ignoring the man’s question, and was quick to say she would show up later with cash. Please note that the seller posted only one photo of the sofa and said it was in “good” condition. Ling immediately pulled the “for my safety” trick, asking the man to verify that he is a “real seller.” That’s another MAJOR red flag! What safety system is this from? How is it authorized? Certainly, Facebook Marketplace doesn’t have any such system! In fact, if you search Google with the sentence “does facebook marketplace use safety codes,” you’ll see thousands of links to articles and videos about this scam! Almost immediately after hearing from Ling, the man received a code…

This code confirmed that the man was targeted by a scammer because it was a Google Voice verification code! This is NOT an identity safety code and NOT associated with Facebook, or any other service.  And it even says “Don’t share it with anyone else…” Had the man given this code to the scammer he would have been victimized in a variety of ways. According to this September, 2022 article on Aura.com titled “Is Someone Asking for Your Google Voice Code?” the scammer can:

  • Commit crimes that can be traced back to you. …
  • Scam your friends and family using your phone number. …
  • Open new accounts in your name. …
  • Take over your online accounts using verification codes. …
  • Harvest more sensitive information to steal your identity.

Other resources describing this particular scam include:

FOOTNOTE: We learned that late on Sunday night, the man received his second offer from someone using the name “Oculus Quest.” The offer was for $10 MORE THAN what the man was asking for the sofa. The person offering more included “when can I pick it up?”  Why would anyone offer more than asking and want to pick up a used sofa without seeing it or asking questions about it? This was obviously just another scam and the man blocked him!

A very different “verification code” scam targeted a woman who contacted us in October. She was victimized by this scam in 2020. She had been invited into a text-based job interview and, in the course of that interview, was tricked into revealing important verification codes for her Facebook and Gmail accounts. She believed the job interview was for a job at Comcast. It felt a bit suspicious and she asked the HR Manager, named John Ennis, to prove her interview was real. In this “text only” interview, this was his response…

Some people don’t realize that REAL companies would never interview candidates ONLY through texting! IDs like the one sent to her by “John Ennis” are easily created, stolen, or photoshopped.  Proving our point, check out this photo posted on Facebook on October 19, 2021 of an ID from someone named “Mark Brayan.” Mr. Brayan claims to be the Hiring Manager from a company called ClickWork. The photo of someone holding Mark Brayan’s ID is IDENTICAL to the photo above of someone holding John Ennis’ ID!  It is only the ID content that has been changed!

Unfortunately, the woman continued with the Comcast job interview off and on for several hours. During that time, Mr. Ennis asked her to confirm her identity by sharing codes that she received, via text and email. This, of course, was the fraud. During the course of her interview she gave up codes to her Facebook and Gmail accounts. This enabled the scammer to take control of these accounts, ultimately locking her out and using the information to perpetrate several scams, including the misuse of a credit card.

Verification codes are CRITICALLY important to keeping people’s accounts safe and secure if you ever forget a password! There is a reason why the Google verification code said “Don’t share it with anyone else.”  But scammers are clever and have thought of dozens of ways to engage people in conversations in which it seems real to be sent a code you are asked to share. NEVER, EVER share a verification code with anyone over text, EVEN IF YOU KNOW THEM!  If you know them, video chat with the person to have proof you are speaking with the person you think you are speaking with. And the reason for sharing that code should be because YOU asked them to help you! Never the other way around.

Become a Netflix Video Tagger!

Have you recently come across the website TagAndChill[.]com and wondered whether it’s too good to be true? Do Netflix tagger jobs even exist? Check for the answers to all these questions and protect yourself with this FREE, all-in-one tool:

When is a Google Search NOT a Google Search?

During the last few years we’ve been targeted many times by a simple trick that many people are likely to fall prey to. You learned in today’s Top Story that scammers can trick someone into giving up access and control of their email or social media accounts. One of the many ways that a scammer can use that access to target others is by sending the victim’s family and friends a simple email like this…

(This particular email came to the victim from an unknown email address.)  It appears that the recipient is sent a link to Google showing the results of a search for his email address.  HOWEVER, when the recipient moused-over the link, it didn’t point to Google as shown.  The link pointed to a link-shortening service at Bit.ly.  As we’ve said many times, shortened links are often used by cybercriminals to hide the destination of a click. (Here is our resource explaining the risks of shortened links and how to unmask them.)  When we unshortened this short link, we learned that this supposed link to Google was set up to redirect us to Amazon’s AWS service. This service is being misused and the link is 100% malicious! DO NOT TRUST a link just because you see that it points to Amazon or Google!  And if you see a shortened link, DO NOT CLICK IT without using a service to unshorten it to verify where it will send you!

In past weeks, we’ve had the help of @WhiskeyScambaiter to expose fake online specialty liquor stores. A few days ago he sent us a link to another fake store that was a bit more challenging to uncover because it had stolen a lot of content from a legitimate liquor-selling website. However, the most important clue revealing the lie was their “about us” page! They state “Best Whiskey Online Shop is an online-only store and has been going since 2010.” But a WHOIS lookup for their domain shows that their website name was registered in May, 2022 and the person who registered the site, Pastore Junior, didn’t list a city with his address! As we say over and over… verify, verify, verify!

Amazon, AOL, Comcast and Email

Amazon will NEVER, EVER contact you through Paypal! Period! Check out this email sent from a real Paypal account, with links pointing back to a real Paypal account. It informs the recipient that she has an invoice for $400 and the charge was made through the victim’s Amazon account! The note is insane and makes no sense at all! But the scammer hopes that people are confused by the message and will call their scam phone number at which time they will truly be victimized! Step away from the ledge….

One of our readers received this in his AOL email account about a request he supposedly made to shut down his account. Yeah, right. It represents a travel experience that most people wouldn’t imagine. It begins with the fact that this “AOL email” came from a website called naytdinlevertiti[.]com and this website was registered in Morocco on the day the email was sent. The link to “cancel the termination” points to another website called holdorstoorin[.]store which was also registered in Morocco (46 days ago) and is being hosted on a server in Saint Petersburg, Russia! Given the current tension between Russia and the NATO alliance, we don’t recommend clicking that link for a visit. It’s likely going to explode in your face.

Here’s a very interesting smelly phish that came from a personal Comcast account, informing the recipient that their recent cable payment was returned. They are asked to log into their Comcast account to fix the issue. But the link to “My Account” points to a Google email account! Hmmmmmm….. We’re not feeling too good about this email but at least they say “Thanks for being a Comcast customer.”

Our readers, and we ourselves, have been targeted by many emails pretending to be about their “email account.” Many reasons for the email are cited, such as a recent request to shut down the email account. Here’s an email sent from a server in South Korea (“.kr”) claiming that the incoming mail “has been placed on pending.” However, the link for VERIFICATION points to the legitimate AmazonAWS service. It is being abused! Fortunately, VirusTotal.com shows that one security service can identify that link as malicious!

Malicious Gmail Gibberish!

One of our longtime readers routinely sends us content that targets him, and he gets targeted A LOT! Lately, we couldn’t help but notice a similar pattern to the variety of landmines placed into his inbox. We’ve seen this pattern before and wanted to add it to your toolbox to assess malicious content before you even open it! Each of these threats came from a free Gmail account that was set up using a completely nonsensical gibberish stream of characters. And so, dear readers, should you ever see such nonsense, we STRONGLY advise you to lunge for the delete key! Let’s start with a “Fantastic Prize” from Ace Hardware. Notice the crazy gibberish name of the Gmail account. The links point to a nasty website called pemsv30[.]net. A search for information about this odd website turns up Spanish that translates to “Ministry of Environment and Sustainable Development.”

Deeeleeeete!

“Black Friday” is just a couple of days away and the online deals and steals have been pouring in! We hope you’ve been careful about what you click and believe! Here’s another gibberish Gmail email congratulating our Reader for being a “lucky winner of this month.” He’s invited to take advantage of this Black Friday special! The link points to another malicious website called ddlnk[.]net. And, in case that didn’t entice him to click, the scammers sent him ANOTHER malicious gibberish Gmail email (say that 3 times fast) telling him he was the Sunday winner! Links also pointed to the same malicious website ddlnk[.]net. We can’t imagine why this man is so heavily targeted but, thankfully, he’s pretty savvy at recognizing online threats!

Don’t Believe Everything You Read

Our longtime readers may remember that a very upsetting scam that has targeted victims for years is a form of extortion. The scammer tries to trick the recipient into believing that malware hidden on his computer has recorded the victim engaging in self-sexual stimulation while viewing porn sites. A bitcoin payment from the victim is required or the extortionist threatens to publish the captured video to friends, family and work colleagues. There is NEVER any photo or video proof offered showing that the scammer actually has what he claims to have captured! Sometimes, the scammer reveals to the victim a personal password belonging to the victim, as if that is proof enough that there really was malware recording things on his personal computer. But passwords are stolen across the Internet and sold on the dark web ALL THE TIME! A stolen password doesn’t reveal anything! Here is the latest version of this scam, sent to a Newsletter reader who shared it with us…

Speaking of confidential information not to be revealed, one of our honey-pot email accounts received this short but clear email from Joy Sade Emerald with the subject line “TREAT AS CONFIDENTIAL.” We couldn’t help but notice that it was sent to “undisclosed-recipients!”

Side Hustle, Earn $700 a Week, and Random Donation

This week’s malicious texts all have us scratching our collective heads wondering who on earth would actually fall for this malarkey! But sadly, some people do and others are desperate for money. Let’s begin with this “side hustle” sent to one of our readers. “Earn Up to 1500!” A link was provided and the recipient was asked to “tap to load preview.” DANGER, WILL ROBINSON, DANGER! We immediately recognized that link as a very malicious threat we’ve seen before!

DO NOT CLICK!

Next came this bogus text sent to 17 people about making money simply by displaying advertising on their “Vehicle Bike and Trucks.” Hmmmmmm…. Ads on your bicycle? Why not go “all out” and offer money for ads to be displayed on your baby carriages, scooters and unicycles! That shortened link will redirect visitors to a webpage on the free service called Wixsite: anhchuai04[.]wixsite[.]com / drpepper. You’ll find a form on this webpage where applicants are asked to enter their name, address, email, phone, bank, age, sex, marital status, and the make, model and year of their vehicle just to get started. However, the scam page says you’ll only be paid $500/week instead of the $700 promised in the text! What? Where’s my additional $200? Forget it! Delete!

You know the expression, “good things come to those who wait?” We don’t believe it. Imagine getting this text in your inbox from Mrs. Mavis Wanczyk. She has randomly chosen YOU to receive $100,000 because she’s such a generous person. How sweet! And now, together, we all say “deeeeeeleeeeete!”

Until next week, surf safely!

Copyright © 2022 The Daily Scam and Scamadviser. All rights reserved.