Content Director Doug Fodeman | Creative Director David Deutsch | Issue 327


Happy Thanksgiving to our American readers!  We hope all our readers are healthy and safe in these difficult times.

In our November 11 newsletter we shared several stories from our readers who were targeted, successfully and not, by cybercriminals.  Since then a few more readers have contacted us with their stories.  Here are two more, including one that resulted in a significant financial loss.

“I just received a phone call from Connecticut. The phone number was 203-993-9301. They said they were from Amazon Prime and that my card was charged $146 dollars. I was told to press one to get a refund. I pressed 1 and I spoke with a guy. At the beginning of the conversation he asked me what my computer keyboard looked like so when the guy understood that it was a Mac computer he asked me to use the PC tablet because it would be easier.  But I got suspicious when the guy asked me to install the app Teamviewer and Zoho Assist on my tablet and to give him the ID code I received. After installing the app I understood that this was a fraud and hung up. I hope they couldn’t get into my bank account!  I immediately deleted those apps. Also, it sounded like a call center because I was able to hear many people talking in the background. They are well organized!”

[NOTE: Both Teamviewer and Zoho Assist are applications that allow a remote user to enter your computer and take control of it once you provide the passcode!  We assured the woman that the scammers had no access to her computer, or bank account, unless she had given the code.]

“I wish I had read your article sooner.  But I only found the article when I Googled the phone number 209-813-1985.  I received the exact same email you described in your October 21 newsletter, coming from Paypal, but sent from a gmail address. 

This is the email referred to from our October 21 newsletter...


I noticed the “from” email right away, but when I called the number to deny the charge, they said those emails are sent from a server that assigns random “from” email addresses.

 Stupid, I know, but I did not hang up.  They told me that $479.95 would be taken out of my bank account unless I could prove that I had not made the Bitcoin purchase.  They had me install a program called Teamviewer on my computer, and tell them the User ID and password I was assigned so they could "help" me find the proof that I had not made the Bitcoin purchase. They wanted to see my digital wallet to prove that I had made no transactions today.  In the brief period of time that my wallet was visible, they stole all of my Bitcoin and Ethereum, leaving me with about $180 in Ethereum Classic and Golem.  The amount that I lost was about $23,000.”

[Bitcoin and Ethereum are digital currencies.]

We were very sad to hear about this woman’s loss.  It was the largest dollar loss we have heard about from this kind of scam. We urge ALL readers to pay close attention to the “FROM” email address.  Even if it appears to be correct (because “FROM” addresses CAN BE spoofed) you should visit your own account directly to see if a charge appears on it as an email may describe.  Be VERY CAREFUL about Googling phone numbers because Google is “poisoned” often to show scammer numbers when searching for companies, including Amazon!  We’ve documented 164 fake Amazon phone numbers in our article  Amazon Customer Support Scams.

On the funnier side of scams, one of our readers received the email below from some anonymous stranger claiming to be a “widower and a male U.S. Marine Corps on redeployment in Asia.” The supposed serviceman said that he was looking for “a good-looking and intelligent woman.”  “If you are the one” then you were asked to fill out a form and send your photo and details!  Oh yes, we’re confident that’s what any decent serviceman would do… create a form for random ladies to send their details to a man who couldn’t even provide his fake name!

Daily Scam Home Page

Amazon, OneDrive, and Wells Fargo Bank

Speaking of scams disguised as Amazon, here is an email that came from the weird domain paudsiecenkss[.]live, not  This domain was registered just 4 days before this email was forwarded to us as fraud.  It appears to be an alert that your account has been put on hold due to suspicious activity on it.  And yet, the email doesn’t even identify you by name!  It is very clear if you mouse-over the link for “Verify account” that it doesn’t lead to Amazon! 

A big fat deeeeleeeete!


OneDrive is a file hosting service operated by Microsoft.  People store files in the cloud in secure servers that are backed up.  One might suppose that some of these files are important and private, which makes this next phish very dangerous.  The email name field says “Microsoft OneDrive” but if you look at what follows the “@” symbol you’ll see that it came from a domain located in the United Kingdom called mcgroupltd[.]co[.]uk.  And of course the link to sign your document does not point back to or

Note: It is also possible that the link in this email points to malware, rather than a phishing scam.  However, we were not able to confirm that possible threat.


Once again, Wells Fargo bank account holders are being targeted.  This email came from a Cox account, not  Any time you receive an email saying “for your security, we had to lock your account because there is a possibility that someone other than you is attempting to sign on” you should be suspicious!  A mouse-over of the link “Unlock” reveals that it points to a website at the domain tomalison[.]com.  By the way, the phone number offered at the bottom of this email is the real customer service number for Wells Fargo Bank.


Amazing Gifts for the Holidays, Insurance Savings, and Sam's Club Gift Card

As we get closer to the holidays, malicious emails disguised as holiday-related sales will only increase!  This one actually came from the Hyphen-Poopy gang!  If you look carefully at THE END of the link revealed by mousing over the email, you’ll see the two hyphenated words “raccoons-rowdy.” (We suppose raccoons could be rowdy but we think it is only more likely after they’ve been drinking at a football game against the Beavers.)


The above email leads you to believe it comes from the online retailer called Curious Finds.  But that’s not true.  As usual, the Hyphen-Poopy gang stole this content and created this malicious email that points to a crap domain called semtus[.]work.  This domain was registered the day before the email was received AND it will redirect visitors to a VERY MALICIOUS website called plazabest[.com] where malware lies in wait!


There are many things about this next email that make no sense at all, which is why we don’t recommend clicking the links for a “free quote” on insurance savings!  This email was received by an American citizen in the U.S.  So why would a quote for U.S. auto insurance come from a computer-related email address in the United Kingdom? (See “.uk” in the FROM address.)  Also, the field to enter your “Zip Code” is not a data field but part of the link that will send you to an oddly named domain called peerandagegroups[.]com.  When we used a screenshot machine to visit this site there was barely any content or links on the site other than a small paragraph that begins with “you’ve found peerandagegroups[.]com dedicated to finding the best money-saving offers on the Web and delivering them directly to you, the Consumer.”  Though we liked the picture of the seashore on the site, we wouldn’t trust this site for a nanosecond! 



What would a week be without a $100 gift card email that leads to a malware infection?  Here’s the latest one that appears to come from Sam’s Club but came from a domain called gourmetcaterers[.]com.  Look at the crazy subject line! The links in this email point to the link-shortening service at  We discovered that the shortened link used in this email will also redirect visitors to a VERY MALICIOUS website called daddygangz[.]com where malware awaits!

Daily Scam Home Page


A Peak into Apartment/House Rental Scams

During the year, an increasing number of TDS readers have been reporting house and apartment rental scams to us.  Most of these, but by no means all of them, have been appearing on Craigslist, such as the scam below.  Here is a snapshot into what one of these scams looks like and the tell-tale signs to watch for.  Please consider sharing this email with friends and family who may be in the market to rent a new home or apartment.

In May, 2020 we heard from a very savvy gentleman looking to rent a home with his fiance. He describes his suspicions well...  “Thank you, for all of this documentation on the evolution of these scams. My fiance and I are looking for a place, and I'm grateful for my skepticism, as well as your website. I spoke with the "owner" for a little, but after the initial email, I was immediately suspicious. $645? Even in Penn Hills, that's cheap. Oh, and by the way, it includes everything. "Owner" is actually in Nevada right now, on a contract, or something. I saw all of the red flags, but the nail in the coffin was the "questionnaire" that another user submitted, with a Craigslist ad that couldn't be viewed. This was actually what drew the line for me in my skepticism, since in the top right corner, it asks for the passport ID. Personally, I was more concerned with the fact that someone who I'd never spoken to outside of text on a screen, was about to have every bit of personal information about me, just enough to use my identity if they wanted to, and I would've just handed them that information.”

Here are several MAJOR red flags which concerned this gentleman and that we often see associated with these types of scams:

  • Many of these rental properties are priced below the common asking price for the area or type of rental

  • Communication with the owner is ONLY via text and certainly NEVER via video chat or in person!

  • In all cases, the owner is away and cannot show you the inside of the property.  You are told to drive by to view the outside.  But if you agree to send a deposit, the owner will mail you a key to get into it. (Deposits are requested via untraceable and irrevocable money transfer services.)

  • If an application is sent to you, you are likely to find oddities including questions that are inappropriate to ask, unrelated, or just plain weird. (See the application below that was sent to this gentleman and containing many red flags.)  A question often asked by scammers concerns how many months in advance you are willing to pay rent.  Many times, people are told that the more money they pay in advance, the lower monthly rent they will be charged.  This premise is, of course, ridiculous and completely unrealistic!

  • Fake house rentals in particular are usually real houses that are “for sale” by a realtor or the legitimate owner.  And so scammers will often make some reference to the fact that they’ve changed their mind about selling the house and will remove the “for sale” sign once they have a new tenant.

  • Fake house/apartment rentals often include EVERYTHING, including utilities, to make it as attractive an offer as possible for a potential victim.

Here is an initial exchange of emails between the scammer and our gentleman. How many red flags can you count? (We spot 7 red flags without even opening the application!)

Check out the questionnaire that was sent to the man.  It contains many more red flags, including questions that are completely irrelevant. (We love the scammer’s nice touch of including the American flag as both an icon and background in this application.  It’s as if the scammer is trying too hard to say this is a real American rental, which it isn’t.)

As he said, the potential victim became very suspicious by both the circumstances (unable to see the inside of the house without paying a deposit for the key to be sent) and the questionnaire.  He decided to search for this property on realtor’s websites and had no problem finding the house for sale and a legitimate realtor responsible for the property. (By the way, if you look at the photo of this home on Craigslist --left image, you’ll see that it doesn’t have a “carport” and there is NO WAY that this home is “wheelchair accessible!”

Daily Scam Home Page


Any Chance You Recognize This Person?

This email is classic clickbait!  It came to a TDS reader from a name she recognized but not the correct email address.  “Howard” asked if there is any chance she recognized the person in this pic.  But instead of including the photo, a sketchy link was provided.  Odds are REALLY HIGH that malware sits at the other end of that link!


Textplosion: Free iPad! And more….

Doug at TDS received a text to say that he was being given a free iPad.  Oh joy. Not.  The domain used in the link was registered just hours earlier on the same day the text was sent. Bah, humbug!

A friend of ours received this random text from a Yahoo account she didn’t recognize.  NEVER REPLY to spam texts like this!  It only encourages the sender.

Oh yes, this is how we expect to be informed about real job opportunities (said tongue-in-cheek)...

Until next week, surf safely!

Forward to Friends

About Us
Contact Support
Manage Subscription


Produced by:
Deutsch Creative
Copyright © 2020 The Daily Scam, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list

Email Marketing Powered by Mailchimp