Content Director Doug Fodeman | Creative Director David Deutsch | Issue 335


Today, we celebrate the transition of power in the United States from one President to another at the stroke of noon. But it was only two weeks ago that our nation’s Capital came under siege by an organized group of domestic terrorists carrying weapons and symbols of hate. After listening to a now-disgraced President who told them to march to the capital and essentially take it by force, this crowd of insurrectionists violently stormed our central houses of government.  History will not look kindly on soon-to-be former President Trump, the only President impeached twice in the history of the United States. 

A few of our readers may dislike our characterization of these events and President Trump. We may not all agree on our perspectives about this man or the damaging impact he has had on our Democracy. But, it is CRITICALLY important that we all understand that we are being besieged by misinformation/disinformation campaigns to impact our impressions, especially via social media platforms.  AI (artificial intelligence) software is so sophisticated today that it makes it extremely difficult to tell the truth from fiction, especially if we --the American public-- assume that everything we see online is fact.  Here are just two examples of what we mean, along with links to credible sources that reveal the misinformation…

  1. Parkland shooting survivor Emma Gonzalez appears to rip apart the Constitution while protesting against the 2nd Amendment (the right to keep and bear arms) --FALSE: Emma Gonzalez ripped up a bulls-eye target in protest but someone manipulated that video by replacing it with the Constitution and released that modified video on social media to make it look like she is disrespecting our Constitution.

  2. Nancy Pelosi has appeared drunk in multiple videos posted on social media. --FALSE: These videos have all been manipulated, slowed down with augmented sound, to produce slurred words.

Misinformation campaigns work both ways.  Sometimes they have been used to claim that REAL events are fake. For example, there are now people stating that President Trump did not really acknowledge Joe Biden’s victory in the recent election.  Some people on social media are saying the video was manipulated by AI.  But the evidence doesn’t support that claim.  Read this article published on the very credible site Reuters (1/11/21) stating that President Trump's speech is NOT fake.  Other recent manipulation of election-related news is described in this article titled QAnon Posts Evade Facebook Ban Before Inauguration Day (, 1/13/21)

“Misinformation” is designed to confuse or mislead the viewer.  “Disinformation” is intended to cause harm for nefarious reasons, like defrauding an election or political party.  Remember, a Russian disinformation campaign in 2016 was used as a weapon against the United States to produce mistrust and discord between liberals and conservatives in our country. Scampaigns using misinformation and disinformation cause real harm! They can falsely change our thinking, and even our decision-making, about events in our lives, like an election.  This can’t be overstated.  The consequences for believing fake information can be life changing for an individual, community or a country. And adding insult to injury is the fact that a massive study conducted by MIT Scientists in 2018 discovered that fake news spreads MUCH faster than truth on Twitter. (The Atlantic Magazine published a great article about this study.)  That’s why we believe it is critically important for our readers to raise their awareness on this topic.  Don’t take for granted that what you see on social media is real UNLESS you fact-check it with credible sources. Especially if it is politically or emotionally charged!  These and other events have motivated this week’s Top Story… Is it REAL or is it FAKE?

Here’s a playful way in which YOU can check your skills at fact-checking content that has gone viral on social media. Below are links to two short videos that were released on YouTube and other social media.  One of them REALLY happened and the other is 100% completely fabricated.  Can you tell which is which? SUGGESTION: try Googling the exact name of each video as a starting place and look carefully through the results returned by Google. (We’ll give you the answer next week!)

As a final example of completely fabricated content that appears to be real, you might also enjoy this brief Christmas holiday message released by the Queen of England, a tradition she has kept for more than 50 years. Enjoy!

In the Fall of 2020 we published an article titled “Facebook Phonies” in which we outed a group of fake Facebook accounts.  We continue to see fake social media accounts, including phonies on LinkedIn as well.  One of the bogus Linkedin accounts came to our attention when we received an invitation to connect with a gentleman named “Nicholas Sams” who has experience with “Military.”  Nicholas has ZERO followers, and ZERO information posted about him.

This is clearly a fake account.

NOTE: Be sure to read our last column “For Your Safety!” We’ve posted recent tricks by scammers to engineer your behavior to pick up a phone and call them directly!  Speaking of calls, enjoy these two funny voice messages sent to us be TDS readers.  Apparently, they are both about to be arrested UNLESS they call 469-454-0751 and/or 918-420-3269. Plenty of people talking about the first scam phone number on and the second is posted already on


Listen to the Issue Arrest Warrant Scam

Listen to the You Might Get Arrested Scam


Daily Scam Home Page



“Your account has been suspended” says an email that SEEMS to come from service @  However, that email address is entered into the NAME field.  The real source of this email is a numerical domain that appears after the @ symbol between the <> brackets.  The domain is 43656232[.]com. Of course, the email asks you to click a link to log into your Paypal account to fix the issue.  However, a mouse-over of the button shows that it points to!  People don’t realize that LinkedIn links can be used to forward you somewhere else on the Internet and this link does exactly that!  Not only does it lead to a phishing site, but that site is also hosting malware! Ouch!


Daily Scam Home Page


BEWARE of Stimulus Check Scams and Oddball Top Level Domains!

Who is Terri Jackson and why is he/she sending me a notification that my stimulus check for $6,345 is ready and waiting for me?  The domain jacksonterri[.]com was newly registered last October and someone has reported this site as a scam on

Most importantly, a mouse-over of the link “Review Now” shows that it points to a HIGHLY MALICIOUS domain called aiftrckr[.]com.  We’ve reported several times about malware lying in wait at this domain!  Delete and wait for your stimulus check to be announced on a US Government website (“.gov”)

Every internet user has experienced domains that end in “.org” or “.com.” These are called global Top Level Domains (gTLDs)  The internet began with only 6 gTLDs and now has more than 1500.  Most of these are obscure and used primarily by cybercriminals, such as “.cam” and “.work.”  (A glance at “.cam” may lead some to assume this is “.com”)  Here’s a simple example.  One of our honeypot accounts received an email to remodel your bath & shower with a “$500 off” offer.  But the email came from the oddball domain bhswr[.]work  --the gTLD is “.work.”  A WHOIS lookup of this domain shows that it was registered in India on the very same day that this email was sent!  Longtime TDS readers know that this is a VERY bad sign meaning malicious intentions.

Here’s another example.  This time from an email claiming to represent supplemental medicare coverage, which means it is clearly targeting Americans.  “Affordable Medicare Supplement Coverage Starts Here.”  But the email was sent from the crap domain “medcre[.]cam” and links point back to that domain.  That domain was also registered in India just hours before the email was sent and is being hosted on a server in the city of Kharkiv, Ukraine.


Did you see who is behind both of these malicious clickbait? If you look carefully at the links in those emails, you’ll see two hyphenated random words.  Both of these malicious clickbait are the work of the notorious Hyphen-Poopy gang.  We believe these cybercriminals are located in India.  The Hyphen-Poopy gang is an archnemesis responsible for targeting millions of Americans with malicious tricks for their financial gain.  STAY VIGILANT! Notice the gTLDs that appear at the end of a domain name. Look to see if oddly hyphenated words appear anywhere in a link.  Trust your gut!  If something seems “off,” do not click the link!  Send it to us to check out!  In the meantime, check out the misspelling of the word “citizens'' in this email sent from another “.cam” called citzns[.]cam. Like the others above, it was registered in India on the day the email was sent.

Need we say more?


As we stated in our opening remarks, it is becoming increasingly hard to tell the truth from fiction online.  Cybercriminals and bad actors with an agenda are using very sophisticated tools and clever techniques to fool unsuspecting netizens the world over.  Here’s are 3 simple examples. 

  1. IntelliShop is a real service that uses the domain and has been around for at least 21 years.  In Internet years, that’s ancient! But almost exactly a year ago, scammers created a look-alike domain, usa-intelli-shop[.]com, that tricked people into believing they were dealing with the legitimate company.

  1. Our honeypot email accounts get lots of Nigerian 419 scams every week and TDS readers send us more.  They are so common that we don’t often spend much time on them UNLESS we see something clever or unique.  Such was the case of an email sent directly to Doug at The Daily Scam!  It was as if the scammer was begging for attention!  Check out this email from “Richard Ball” informing Doug that he is set to inherit millions of dollars (British pounds).  The email came from a server in Brazil on January 15, BUT a reply to this message will automatically be sent to a domain called MillstreamFinancial[.]com. THIS got our attention! (Notice the FROM address ends with the 2-letter country code “.br”)

Who is Millstream Financial Services and the Advisor named Richard Ball?  Apparently, Mr. Ball is a real financial advisor of a real business in Beckenham, England, according to the Financial Conduct Authority, along with other credible websites that verified this business. This financial service has used the domain, which was initially registered and hosted in England in March, 2010.  (However, as of January 16, 2021 there is no website available at  A Google search shows yet a third website about this business and it is on a subdomain found on All of the contact information found on this “member site” matches the information listed with the Financial Conduct Authority.  Are we to believe that Mr. Ball is also using MillstreamFinancial[.]com now?  



Though MillstreamFinancial[.]com seems like a very logical domain owned by Mr. Ball, and it was where our email Reply is to be sent, Google doesn’t have any listing for this website.  In addition, a WHOIS lookup for this domain shows that it was registered anonymously in Canada on August 11, 2020. Remember, this is in contrast to the 2010 domain,, which was registered AND hosted in the United Kingdom, and verified by multiple sources.  It should now be obvious to all that MillstreamFinancial[.]com is a fraudulent domain, registered by a Nigerian 419er running a typical “advance fee” scam.  We’ll keep you informed how this plays out because we’ve replied to “Mr. Ball” saying that we’re very happy he found that we are related to a “long lost relative” who left millions of dollars without an heir!


  1. Our final example concerns your health and medicine.  If you Google “Zantac cancer claims” you’ll find thousands of websites (many from personal injury lawyers) providing information about lawsuits being brought against the manufacturer Sanofi because many now believe that the primary ingredient in Zantac causes cancer.  This has led to many class-action lawsuits against Sanofi for, what was, a very popular antacid drug.  One of our honeypot email accounts received this solicitation to possibly join a lawsuit and receive compensation if we believed that we (or a loved one) developed cancer AND used Zantac regularly.  The email name is titled ZantacLawsuit Compensation and remarkably, the domain name is not visible in the email address, which is rare. This is the first clue that suggested this may not be what it appears to be.


Though the address in Mt. Kisco, NY, listed at the bottom of the email, is for an email marketing service at this address, we became even MORE doubtful about this email when we discovered that the links in the email pointed to an IP Address, rather than a domain name. An IP Address is a set of numbers used to identify every device connected to the Internet, including its location. To help us humans navigate the Internet more easily, IP Addresses are almost always mapped to a name because names are easier to remember than a seemingly random set of numbers.  So WHY did the links in this email show only an IP Address?  We used a tool called to inform us where in the world this IP Address 51[.]68[.]143[.]24 was located. The answer was Warsaw, Poland! We also found this IP blacklisted by the security service McAfee AND that a redirect at the end of this link sends visitors to another odd website named plutofresh[.]com.

It is clear to us that this invitation to join a lawsuit is completely fake, and nothing more than malicious clickbait. In case all of this talk casting doubt on what is believable online is giving you heartburn, please don’t take Zantac to quell that acid overflow.  Go take a walk in the woods, or along a lake, river or ocean.  You’ll be glad you did.



Daily Scam Home Page



That's Not Mine!

This week’s posts in “For Your Safety” represent a very clever form of behavioral engineering.  Imagine getting a bill or notification of a charge on your credit card for something you KNOW you didn’t purchase! But wait, there’s still time to stop the charge by calling and either cancelling the order or informing them that you didn’t make the purchase!  In order to remove the charge, they’ll need you to provide your credit card information, of course…

This first email, sent to us by a TDS reader, was missing information about the sender.  But a CAREFUL review of the email shows that “Norton LifeLock” misspelled the former name of their own company, Symantec!  No matter, “Thank you for choosing NAV Life-Lock Business Premium” for $399.  But there’s still 24 hours to cancel by calling the scammer’s phone number: 302-425-9815!

Another TDS reader received the email below, for Microsoft Office Renewal at a cost of nearly $400, and actually called the phone number listed, 888-808-5851.  He told us that the man with whom he spoke “was smooth and offered a refund” but needed the soon-to-be-victim’s bank account information!  The scammer also manipulated the man into allowing him remote access into the man’s computer ---which is VERY DANGEROUS!  Fortunately, the man quickly became suspicious, hung up, quit the remote access and ran anti-spyware/anti-malware software. 

He dodged a bullet, but just barely!


Daily Scam Home Page



You Appear in this Video and Your Package is Stopped

There is a Facebook scam that has been circulating in various forms via posts and Instant Messenger for years.  A friend’s account gets hacked and the hacker sends a malicious link connected to an image that says something like “I think you appear in this video.”  This just happened to a friend of Doug’s.  Shortly after, the friend posted a message confirming that his account had been hacked and he didn’t send the message that went out on Facebook Instant Messenger.  The link either leads to a malware infection or a phishing site that will capture login credentials and personal information, including targeting the next group of Facebook friends.

This next email informed us that a package being sent to us was “stopped at our post.”  The email came from a server in Belgium.  We don’t tend to get any packages from Europe. Once again, security services had no problem spotting the malware at the other end of that link, or the fact that we would also have been forwarded to a real and legitimate service called



Until next week, surf safely!

Forward to Friends

About Us
Contact Support
Manage Subscription


Produced by:
Deutsch Creative
Copyright © 2021 The Daily Scam, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list

Email Marketing Powered by Mailchimp