Content Director Doug Fodeman | Creative Director David Deutsch | Issue 315


During our six-plus years in existence, cybercriminals have tried many times to shut us down or interfere with the help we bring to people all over the world. They have used Distributed Denial of Service attacks multiple times and we were back online within a day. They succeeded in hacking our website twice and we were back online within a day. They’ve used brute force login attacks hundreds of times against us and all have failed to breach our defenses. Now we believe a cybercriminal gang is trying something new. Beginning last Thursday morning, August 27, cybercriminals posted our content, or content about us, to more than a dozen malicious websites across the Internet. They all cite The Daily Scam. These sites appear to be very sketchy, and many of them are located in Italy. Here’s a screenshot of one example found on zhafaro[.]store, a domain registered in Malaysia in early July and hosted on a server in Singapore.


This came to our attention in the first place because we had a sudden burst of new subscribers sign up for this very newsletter. (About 60 in less than three days.) While we are thrilled to have so many new subscribers join us (Welcome!), we think that our website’s name and our content are being used as a lure to trick people into clicking malicious Google links to malware-laden websites. (This trick is a form of search engine poisoning.) It appears that cybercriminals are now using information about us to target the very people whom we try to help. We have confirmed malware on three of the websites we’ve found so far.

The websites with confirmed cases of malware waiting for visitors are flowerschoolthailand[.]com, basaltcomposite[.]uz and mail.zhafaro[.]store.  These are the other very recent website domains on which we have found references to us:  (“.it” = Hosted on a server in Italy) (DO NOT VISIT THESE SITES!)


We also found suspicious content about us on three Facebook accounts located in Spain, Russia and Nepal, all registered to a user called “Spamwhisperer.”

es-es.facebook[.]com/ Spamwhisperer/ posts/
ru-ru.facebook[.]com/ Spamwhisperer/ posts/
ne-np.facebook[.]com/ Spamwhisperer/ posts/


Our biggest concern is for our readers.  If you are one of the new TDS readers who signed up for this newsletter after August 26, or found us for the first time after August 26, please think about HOW you found us.  If you found us through a Google search for information about an Amazon customer support scam or love scam AND clicked a link that took you to a weird website, your device **may** have been infected with malware.  We recommend scanning your device for malware UNLESS you already have top quality anti-malware software installed.  These three credible websites have all posted their top choices for Anti-virus/Anti-malware software recently:

    CNET (July 20, 2020; for Windows users)

    TechRadar (August 19, 2020; for Windows and Mac users)

    Tom’s Guide (August 21, 2020; for Windows and Mac users)

     Both Malwarebytes and Sophos offer good free products to help you scan and protect your devices.  

Apparently, we’ve pissed off at least one cybercriminal gang around the Internet. (If we had to guess, our pick would be one of the gangs in India.) But this also confirms to us that we are successful in helping people  reduce their online risks!  So we’re going to keep doing what we do best. We will continue to educate people about online threats and call out scams and fraud when we see it.  To our readers… We’re here for you and will always be here for you!  Remember, we don’t just understand your problem, we HAVE your problem!

To the cybercriminals who have taken the time to target our readers (and us)... Thank you for confirming that our work makes it harder for you to earn a living HURTING PEOPLE!  We’ve heard the personal and heartfelt stories of hundreds of your victims.  You may think this is “just your way of making a living” but we want you to know that you are causing a tremendous amount of pain and suffering in the world. For example, you’ve stolen hundreds of dollars from single mothers who can barely make next month’s rent.  You’ve stolen thousands of dollars from elderly people who can least afford it because they have little income or other financial resources.   We CHALLENGE YOU to take a moment and imagine that this pain and suffering you are responsible for were to be inflicted on YOUR parents, YOUR sisters and brothers, or YOUR children!  Imagine that.

We aren’t going anywhere.
Doug & David

P.S. You can read about prior efforts by cybercriminals to bring us down in our article “Why it Hurts to Be Right.”


Citizens Bank, Netflix (again!), Paypal, and whatever this is!

OK, we get it.  NO ONE would ever fall for this, right?  “C1T1ZENS 0NL1NE BANK1NG”  Seriously?  And if not this, then the opening line should make you suspicious because the grammar is all wrong! ‘Nuf said.  D3L3T3!

Netflix account holders have been heavily targeted in the last few weeks. This may be the eighth or ninth phishing scam disguised as a Netflix email. Obviously, it didn’t come from Netflix. (ALWAYS look for the address that appears between these brackets <> to see the sender’s REAL email address!) This email came from workrateuk[.]com (as in Work Rate in the UK). More importantly, the link points to a website that may appear credible but is a scam site: resolve-accountproblem[.]com. This is NOT!  This domain was registered four days before this email was sent. To our newest TDS readers, the age of a domain (the name of a website) is one of the many ways to detect online fraud! Visit a WHOIS tool and enter the name of the website to see who registered it, when it was registered and where it is hosted. Our favorite tool is ( (If you choose to look up the malicious domains we write about, you’ll have to remove the brackets around the period: [.] These are placed to protect you and prevent software programs from automatically creating links to these malicious websites.)


Paypal users are amongst the most highly targeted folks across the Internet. Here’s another email informing Paypal users that their account “has been limited.”  But look where this email came from! Support @ squarelee[.]com! When we put our mouse over the link for “Paypal Login” (Without CLICKING) and look at the address that appears in the bottom of the browser window, we can see that it doesn’t point to  It points to a malicious phishing link on snip[.]ly.  (This trick is called “mousing-over” a link and is a critically important skill to master to stay safe on the Internet.  You can find information about mouse-over skills on our website: (short video)

Finally, we leave you with one last smelly phish!  But we don’t quite know what the heck this was meant to represent because we were missing the link when this was shared with us.  We’re very sorry, though, to learn that our account “will be deSactivated!” 


Capital One and CVS Pharmacy Rewards Promotions

Cybercriminals routinely use malicious emails disguised as promotions and rewards as clickbait. Here are two recent ones sent to us by our readers. The important things to notice are the oddball domain names these emails are sent from, and the links they point to. None of these domain names or links actually belongs to the company they claim to represent. In fact, the link in this first email points to a photographer’s website that was hacked and hosts a malicious redirect to another website. Visitors who land on the photography website will be immediately sent to a website named guerly[.]com. Does that sound like Capital One to you?



We’ve seen sooooo many malicious emails disguised as surveys for which participants are offered $50 that we reflexively throw up when we see these! OK, that may be an exaggeration but not by much.  Check out the domain this CVS Survey email came from…. “SpontaneousGregarious[.]com”  This oddball domain was registered in Bulgaria a year ago. The website you’re sent to has so many redirects lying in wait, that our tools couldn’t evaluate them all.  We’re certain at least one of them is malware-laden!


Clicking the CVS link will, however, send you to a PRIMARY website that will appear in your web browser, presenting a CVS customer survey. Below is a screenshot of the top page of this survey. There are so many lies and “dark patterns” on this webpage! Don’t believe them when they tell you…

   “Over $5,000,000 in Offers given out so far!”

   “Supply is extremely limited so act fast today.”

   “Limited Supply: 9 Rewards Remaining”  (This is a very manipulative dark pattern!)

   “THIS IS AN INDEPENDENT SURVEY. This website is not affiliated with…” yada, yada, yada. BS!

And certainly don’t believe the five names and quotes listed! It took us less than 5 minutes, for example, to do a reverse image search of the photo of “Donny Phillips” to discover that this photo is on dozens of websites around the world using different names. Here are just two examples. Apparently Donny is also known as “Jeane Allen” from New York and “Arthur G. Spriggs” from Las Vegas. Both Jeane and Arthur posted opinions on the website  Their “opinions” are just another example of WHY it is so hard to trust anything you read/see on the Internet that is not vetted by credible sources.



Can Two Letters Reveal Fraud? YES!

Many people are able to look at an email, community post or an SMS text and immediately spot it as fraudulent, malicious clickbait, or at least highly suspicious. We teach several ways to make these important evaluations.  One of these skills simply relies on finding, and recognizing the importance of TWO letters.  These two letters are country codes that sometimes appear in an email address or domain name.  Take a look at this recent email sent from Nancy Johnson, with subject line “Very Urgent.”  Her email address comes after her name and the domain name appears after the “@” symbol.  It shows that this email came from enjoy-crepe[.]gr.  That “.gr” is critically important.  It reveals that this email came from a server in a foreign country.  Can you guess which one?


The “.gr” indicates this email came from Greece. When you combine that with the fact that this email went to “undisclosed-recipients” and that the “reply-to” for Nancy is a different email address instead of the original email source in Greece, it all smells of fraud. And of course it is. This is just another variation of the Nigerian 419 advance fee scam.

Now that you have an idea where to look for 2-letter country codes, take a look at this recent email from Fayaz Uddin, asking if you are interested in applying for a job as a “Package Manager.”  What country do you think the email came from, and what country did this email also go to?


The email came from India (“.in” = India) and was copied to someone in Brazil (“.br” = Brazil).   By the way, a very similar email was received by the same TDS reader the next day from Anyta.  Anyta’s email was sent from a Yahoo server in France.  Many 2-letter country codes are easy to figure out, such as…

.us = United States

.uk = United Kingdom

.ru = Russia

But what about others like “.cn”, “.pw” or “.au”? is a very user friendly website that lists hundreds of 2-letter country codes alphabetically. Wikipedia also does this, and provides much more detailed information about this Internet naming system, known as the ISO 3166-1 standard from the International Organization for Standardization. (By the way: “.cn”=China, “.pw”=Palau and “.au”=Australia, not Austria!)

Learning to recognize country codes can be invaluable to rooting out fraud or suspicious content!
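The checks walked through in this section (a country code in the sender's domain, a reply-to address that differs from the sender, "undisclosed-recipients", and a copy sent to another country) can be combined into one header check. This is an added example, not part of the original newsletter; the country-code table is a small subset and every address in the sample message is constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Subset of ISO 3166-1 two-letter codes, limited to those the newsletter names.
CC_TLDS = {"gr": "Greece", "in": "India", "br": "Brazil", "ru": "Russia",
           "cn": "China", "pw": "Palau", "au": "Australia",
           "uk": "United Kingdom", "us": "United States"}

def domain_of(addr):
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def country_of(domain):
    """Country name if the domain's last label is a known country code."""
    return CC_TLDS.get(domain.rpartition(".")[2])

def triage(raw):
    """Return the warning signs found in one raw message, as strings."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    findings = []
    if country_of(from_dom):
        findings.append(f"sender domain {from_dom} carries the country code "
                        f"for {country_of(from_dom)}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from "
                        f"sender domain {from_dom}")
    if "undisclosed-recipients" in msg.get("To", "").lower():
        findings.append("sent to undisclosed-recipients")
    for _, addr in getaddresses(msg.get_all("Cc", [])):
        cc_country = country_of(domain_of(addr))
        if cc_country and cc_country != country_of(from_dom):
            findings.append(f"copied to an address under {cc_country}")
    return findings

# Constructed sample modelled on the "Very Urgent" message; addresses are made up.
SAMPLE = """\
From: "Nancy Johnson" <nancy@constructed-sender.gr>
Reply-To: nancy.j@constructed-freemail.example
To: undisclosed-recipients:;
Subject: Very Urgent

Dear friend, please reply urgently.
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

A country code tells you which national registry the domain name sits under, not necessarily where the sending server is located, so treat each finding as one signal to weigh with the others rather than as proof.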



Malicious Texts Continued!

As a result of our Top Story about Texting Mayhem posted a couple of weeks ago, many TDS readers are reporting lots of texts containing malicious links that have been sent to their smartphones.  One woman told us that she is so sick and tired of getting these!  We hear you!  On Sunday, 8/23/20 she received this from 714-642-0547: [NAME REDACTED], we came across a parcel from February pending for you. Please claim ownership and confirm for delivery here:  K9svm[.]info/ bZwzCNnmlO 

And then on Tuesday, 8/25/20 from 917-853-4679: [NAME REDACTED], we found a package from July pending for you.  Please claim ownership and schedule for delivery here: lasmc[.]info/ i4COxUbrRe

Here are two more that came from other TDS readers that point to the same malicious domain, and are very similar to those mentioned above.  The domain used in the links below was registered just a few days before the texts were received.  We all know what that means!  ALL OF THESE LINKS LEAD TO MALWARE DESIGNED TO INFECT PHONES!  (Note the 2-letter country code in the WHOIS Information for Panama: .pa)

Until next week, surf safely!



Produced by:
Deutsch Creative
Copyright © 2020 The Daily Scam, All rights reserved.
