Content Director Doug Fodeman | Creative Director David Deutsch | Issue 357


Sometimes it is the smallest, simplest of emails that can trick people into engaging with scammers.  Responding to one not only confirms that your email address is valid but also shows that you can be pulled into a conversation.  Here is a recent small example of the type of manipulation we’re referring to.  The email simply says “hello there” and came from someone identified as “Kelly bailey.”  However, notice that it was sent to “undisclosed-recipients.”

Once you engage with these criminals, some can be truly relentless. On July 29, 2020 we played with a Nigerian 419 scammer who pretended to be a woman diagnosed with lung cancer going by the name of “Dorathy Benson.” 

After a half dozen exchanges of emails we called her out on her scam.  What did she do? She doubled down with deepest sincerity that this was real and she intended to give us millions of dollars.  Every few months she would contact our fake email persona, an elderly woman we named “Sally.”  Again, on June 19, we heard from “Dorathy,” nearly a year after our initial contact!


If nothing else, we have to admire how tenacious these criminals are! Never reply to these kinds of emails unless you truly want to play this game for a long time.  If you don’t recognize the sender of an email, just delete it. Don’t respond.  HOWEVER, if you want to play with them, create a fake account and ONLY use that fake account.  And then share your stories with us!

Cybercriminals will often use a malicious domain multiple times, for multiple types of scams, until it gets shut down.  Here is an example that also includes a “Poker tell.”  This “tell” clearly reveals the email as a fraud.  The email claims to be a Customer Survey for UPS.  We immediately recognized the domain used to send this fraud, “hollywoodactorsguide[.]com,” as a domain we saw in malicious clickbait a week earlier.  However, the Poker tell lies in the fact that the survey questions in this email all pointed to the exact same link.  It didn’t matter if we clicked yes or no, home or work.  They all used one link which, we’re certain, leads to malware.  Why on earth would a UPS survey send you to a website called hollywoodactorsguide[.]com?
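The “Poker tell” described above can be checked mechanically: collect every link in the email body and see whether different answers share one destination, and whether that destination sits under the brand's own domain. This is an added example, not code from The Daily Scam; the sample email body and `link-host.example` are constructed, and treating `ups.com` as the expected domain for a UPS survey is an assumption.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def survey_red_flags(html_body, expected_domain):
    """Return red flags for an email claiming to come from expected_domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    by_target = defaultdict(set)
    for text, href in parser.links:
        by_target[href].add(text.lower())
    flags = []
    for href, labels in by_target.items():
        host = (urlsplit(href).hostname or "").lower()
        # The "tell": a real survey needs a distinct link per answer.
        if len(labels) > 1:
            flags.append(f"{len(labels)} different answers share one link: {sorted(labels)}")
        # The link should live on the claimed brand's domain or a subdomain.
        if host != expected_domain and not host.endswith("." + expected_domain):
            flags.append(f"link host {host!r} is not under {expected_domain!r}")
    return flags

# Constructed sample body; link-host.example stands in for the sender's domain.
SAMPLE = """<p>UPS Customer Survey</p>
<p>Was your package on time? <a href="http://link-host.example/c/1">Yes</a>
<a href="http://link-host.example/c/1">No</a></p>
<p>Delivered to: <a href="http://link-host.example/c/1">Home</a>
<a href="http://link-host.example/c/1">Work</a></p>"""

if __name__ == "__main__":
    print("\n".join(survey_red_flags(SAMPLE, "ups.com")))
```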




Very few phish were reported in last week’s sea of scams, thankfully! One of our longtime readers sent us a phish disguised as an email from PayPal but the graphics and text coding were so messed up that it isn’t even worth showing! We can’t imagine anyone clicking on that junk.

However, this email telling you that your new “Apple Iphone 12 Pro - 10 items” was shipped, at a cost of $799.99, might get your attention. Especially since it says your new phone was shipped to someone in Wellington, Florida and not you! Of course none of this is true. Look carefully at the FROM email address called “Billing-Department.” You’ll see that this came from another generic Gmail address called “bairstowdecker8475.”

Recipients are asked to call 800-522-9218 in order to be victimized by these cybercriminals!  Delete instead!



Fake Bank Check, Home Warranty Coverage

It may surprise some readers to learn that Nigerian 419ers have created lots of fake banking websites to support their scam stories.  We’ve written about a few of them in our article called Fake Online Banks. Our Scam-baiting friend, Rob, has received a grant from the “European Commission” for 850,000 Euros and this money is sitting in another fake bank!  (Thankfully, this fake bank has already been taken down.)  However, we want readers to notice that the email came from a generic Gmail address called “ecc.pymt” AND Rob was asked to contact “Dr. Bobak Fazeli” of the First Capital Investment Bank Limited, but through another generic Gmail address!  These Gmail addresses should make it clear to anyone that this is 100% fraud!  A real bank employee would use an address using a real bank’s domain!  And not a fake domain, but a real bank that can be verified online as legitimate!


Here is the photo of the check which the scammers sent to Rob.  It was part of their effort to “legitimize” this scam and convince Rob that the money is real.  He ONLY needs to pay a few fees through untraceable wire transfers before he collects his grant money.  Yeah, right.


TDS Readers may remember that a malicious website being used to target people with malware is called “jhonwicks[.]com.” The cybercriminals sending this clickbait point their malicious links to a link which then redirects visitors back to jhonwicks[.]com.  We’ve continued to receive several of these malicious clickbait in our honeypot accounts.  Here’s one pretending to be from a service called “American Home Warranty” coverage. 





A Father's Day Gift Quiz

Happy POST-Father’s Day to all the Dads out there!  This special day was celebrated in the United States, the UK and 89 other countries  on the third Sunday in June.  However, Father’s Day is celebrated in more than 150 countries around the world on various dates, according to this Wikipedia article.  We noticed an interesting uptick in malicious clickbait emails of a certain type in the two weeks before Father’s Day. These were emails that stereotypically might appeal to the “do it yourselfer.” The person who likes to tinker and use tools. While we know several women who are extremely skilled with hand tools and like to build, we think that the “do it yourself” builder is a stereotype for Dads.  Scammers are very nuanced and so have created clickbait pretending to be these kinds of gifts for Dads.  

Therefore, in honor of Father’s Day and malicious clickbait, we’ve created a quiz for all our readers to test their skills.  Below you’ll find screenshots of two recent emails meant for the “do it yourselfer.” In the bottom left corner of each email you can also see the link to which you would have been sent if you clicked the email. Your job is to look at each of these emails carefully and create a list of “red flags” -- warning signs that something about each email is suspicious.  How many red flags can you list?  We encourage our readers to use the online tools we routinely employ to help us evaluate and assess malicious intent.  Here are a few of them. HOWEVER, NO TOOL IS PERFECT!  Sometimes the reports from online site scanners will say a site is safe or legitimate, and it is not! Also, simple common sense can go a looooong way to see through online fraud and deceit:

WHOIS to help determine website ownership and registration information to check for website trustworthiness
Zulu URL Risk Analyzer to analyze possible threats waiting on a website
Sucuri Sitecheck scanner

Good luck!

  1. The World’s Best Measuring Tape:

  2. 12,000 Shed Plans!  Build Your Own Shed.


HOW MANY RED FLAGS DID YOU SPOT?  Here is our assessment…

1. The World’s Best Measuring Tape:

a) This malicious clickbait was created by the infamous Hyphen-Poopy gang who we think is located in India.  In the link found in this email you’ll see the two hyphenated words “exalted-environs.”

b) This email came from, and has links pointing to, a very oddball website named “krig24-01[.]shop.”  A WHOIS tool will tell you that this domain was registered on the very same day that this email was sent. (see screenshot below)  This is a SURE SIGN of malicious intent!

c) The WHOIS tools also told us that this “shop” domain was registered anonymously in Iceland and is hosted on a server in Amsterdam.  Yes, these facts make this shopping website very suspicious!


d) Finally, informed us that the web page at krig24-01[.]shop was an empty page AND that it was blacklisted by the security service McAfee! 

e)  Sucuri also showed us that visitors will be forwarded to a very real website where you can buy tools such as this tape measure.  This behavior is HIGHLY suspicious and often means that the oddball website will hit you with malware and then forward you to a legitimate website so you aren’t suspicious that you just got targeted.


2. 12,000 Shed Plans!  Build Your Own Shed.

a) Once again, the domain name used to send this clickbait AND found in the clickable links, is extremely odd.  It is called catermic[.]digital. A WHOIS lookup tells us that it was registered anonymously in India on March 12.  These facts are HIGHLY suspicious!

b) You’ll also notice a physical address listed at the bottom of this email for those who may want to “unsubscribe” without clicking a link. (NEVER click UNSUBSCRIBE in suspicious emails!)  A search for this address in Google tells us that it leads to a Registering Agent called Harvard Business Services, Inc.  This business has NOTHING to do with email subscriptions or marketing for businesses.




c) Just like the first email, also showed us that visitors will be forwarded to another real website where you can find plans for sheds.  Again, this behavior is HIGHLY suspicious and often means that the oddball website will hit you with malware before forwarding you to a legitimate website.


d) Finally, the Zulu URL Risk Analyzer was able to identify the links in this email as having a 90% chance of being malicious.  We’ll add the additional 10% and call it 100% certainty!



For Your Safety
Your Facebook Account Has Been Locked!

When one of our TDS readers first sent this email to us, we thought it was just another phishing scam.  After all, the trick is to hand over your login credentials for Facebook through an email that came from a Microsoft email account called “facebookservice.”  However, we were wrong!  This clickbait was meant to infect your computer with malware!  OUCH!  Step away from the ledge….

Until next week, surf Safely!



Produced by:
Deutsch Creative
Copyright © 2021 The Daily Scam, All rights reserved.
