THE DAILY SCAM NEWSLETTER — JULY 7, 2021
Content Director Doug Fodeman | Creative Director David Deutsch | Issue 359


THE WEEK IN REVIEW

Criminals take advantage of the way in which the human brain is wired.  Here’s a simple example that explains what we mean.  “Eevn togh tehse ltetres aer jmubeld, msot popel can udnersnatd tehm.” Laura Moss, on Treehugger.com, wrote an interesting article explaining the phenomenon of how our brains can read jumbled letters. Experienced readers easily skim over text as they take in information rather than see every single letter. Criminals take full advantage of that fact and hope that victims won’t notice very subtle differences in domain names and/or email addresses. Take a look at this recent scam email received by our friend and scam-baiter, Rob:


 

The scammer who sent this email to Rob was masquerading as the Chief Executive Officer of the fourth largest bank in Austria, called Bawag P.S.K. The scammer placed a REAL bank email address into the NAME field, hoping that a victim does not notice that the actual address, located in the address field, is a Gmail address that uses the exact same name, “Anas Abuzaakouk,” in front of the “@” symbol.  As a kind of “sleight of hand,” this scammer then used a different REPLY-TO address to point to the following domain: bawwagpsk[.]com.  Did you notice the extra letter?  (While the legitimate bank domain, bawagpsk.com, was registered in Austria in 2005, the look-alike domain -- bawwagpsk[.]com -- was registered in Iceland in July, 2020. This year-old domain suggests this scammer has successfully used this trick for about a year now!)
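The three header tricks described above can be checked automatically. The following Python sketch is an added example, not part of the original newsletter; the sample message and every name, address and domain in it are constructed placeholders, and the list of trusted domains is an assumption the reader supplies.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every name, address and domain below is an invented placeholder.
SAMPLE = '''\
From: "Jane Doe <jane.doe@alpenbank.example>" <jane.doe@gmail.com>
Reply-To: jane.doe@alpennbank.example
To: reader@example.org
Subject: Confidential proposal

Please reply at your earliest convenience.
'''

ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_headers(raw, trusted_domains):
    """Return a list of findings for one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []
    shown = ADDR_IN_NAME.search(name)      # an address typed into the NAME field
    if shown and shown.group(1).lower() != from_dom:
        findings.append("display-name-address-mismatch")
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-differs")
    for dom in sorted({from_dom, reply_dom} - {""}):
        for good in trusted_domains:
            if 0 < edit_distance(dom, good) <= 2:   # close to, but not, a trusted domain
                findings.append(f"lookalike:{dom}~{good}")
    return findings

print(check_headers(SAMPLE, ["alpenbank.example"]))
```

A message whose NAME field holds no address, with no REPLY-TO header and a sender on the trusted domain itself, produces an empty list.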

One of our readers received a voice message from “Steven with the Student Services Department.” He was calling about the woman’s “outstanding federal student loans.”  According to Steven, the woman is “eligible for Federal Student Loan Forgiveness” and was asked to call him back immediately! The only problem is that the woman he called has never had a student loan! Steven said it was “imperative that I speak with you” and asked her to call him back at 1-800-249-7097.  



 

We feel pretty confident that Steven’s call is either a very sleazy marketing ploy at best, or a scam at worst, because of the many complaints about this call that we found online.  For example, lots of people on 800Notes.com and Reddit.com have complained about getting this call from 800-249-7097 and the majority of them say they’ve never had a student loan!  Many of the people reporting were also seniors! On June 7, an elderly man named Mike posted a VERY interesting response to this call on 800Notes.com. He said “I once asked one of these callers if he believes in God. He said yes. I told him if you do and what do you think God is going to say when you leave this earth and he finds out you’ve been trying to cheat/steal money from old people, people that couldn’t afford to lose any money etc. He said sir… You’ll never understand my situation. I live where this is the only type of work I can get to feed my family. It made me think and I’ve never been close to being in a desperate situation but somehow I don’t think I would choose that path. But you never know. In any case it was an interesting conversation”  Doug at TDS once had a similar conversation with a scammer in India. This scam is also posted on Robokiller.com, along with an explanation of how it operates to target younger adults who actually do have student loans.

NOTE: There has been an explosion of fake shipping companies that use Americans as mules to move merchandise purchased with stolen credit cards.  So many that we have consolidated their names and links to detailed information about them onto one page on our website.  Visit: https://www.thedailyscam.com/package-shipping-scams/

Daily Scam Home Page

 

PHISH NETS
Amazon, Netflix and Norton LifeLock

Phishermen are heavily targeting Amazon account holders again!  Below are two recent email examples sent to us by different TDS readers. But you’ll see that they share something unusual in common!  The first email came from a website masquerading as Amazon.com.  The domain is actually user8761amazon[.]com and it informed the recipient “We Hold your Account because the payment information did not match.”  (English is clearly not the native language of the real sender!)  The domain used to send this phish was registered just hours earlier!  The email contained an attached pdf file with a link pointing to a website called cmail20[.]com.  Does ANY of this sound like Amazon.com to you?

Deeeeleeeeete!







A second TDS reader sent us another email claiming to represent “Amazon Services,” but coming from the domain jatidiribagus[.]com. It also contained a pdf file with a link that did NOT point to Amazon.com!  REAL company alerts will NOT send attached pdf files containing warnings and links to log into your account.  In fact, this scam pdf file contained a sentence that Amazon and other companies WILL NEVER, EVER SAY!  See the screenshot below.





“Your Netflix Account is on Hold” says this email that came from an account at xbox.com!  Like so many phishing emails, this email has capitalization and punctuation errors.  The link points to Twitter’s link-shortening service.  We found out that you will be redirected from Twitter to a domain called dyndns[.]info, which has been used for phishing scams for several years.

Deeeleeeete!





Norton’s LifeLock software is increasingly being used as a social engineering trick to manipulate consumers into calling a scammer’s phone number or to click malicious links to malware.  This email from a Gmail account called “bdepartmentt2” is the former, and recipients are urged to call the scammers at 803-670-9146.  You can see the alphabetized recipient names at the top.  This email targeted those whose email names begin with “dfm.”




 

YOUR MONEY
Nike Customer Service Evaluation Assignment

In this week’s Your Money column we wish to bring attention to a different type of scam than we usually post here.  David at TDS received an email inviting him to become a “secret shopper” for Nike.  Of course, the email didn’t come from Nike and he knew it was a scam…. So he accepted the position as a “Customer Service Evaluator!”  His supervisor’s name is “Bill Woods” and uses the bogus Gmail address surveyreport352@gmail.com, and the phone number 424-260-5347.  Below are images of an envelope mailed to David, along with the contents.  It contained the first (and only) assignment from Bill Woods, along with a check for $2,450.52. The check was completely fraudulent!  You’ll see that David was asked to deposit the check, then visit any store where he could buy $2000 worth of  Nike gift cards.  David was instructed to scratch the cards to reveal the valuable numbers and send photos of them to the scammers, errrr…… Mr. Woods. 
 


 

Notice that the check, which looks like it came from a Credit Union in Florida called VyStar, says it was issued by “Moneygram Payment Systems, Inc.” of Minneapolis, MN.  According to the VyStar website, they only have branches in Florida.  A bit odd for the Moneygram company of Minneapolis to use a Florida bank, don’t you think?




Also, the envelope that David received with this check and “assignment” had a return label from PacificLight Inc. on 160 Holloway Ave., San Francisco, CA 94112.  According to Google, there is no company named PacificLight Inc. ANYWHERE in San Francisco and NO KNOWN business at 160 Holloway Ave. in San Francisco. We’re not surprised!

While there may indeed be real jobs for “secret shoppers” or “mystery shoppers,” we have only seen them used as another variation of the advance-check scam.  You can read more about these bogus jobs in our article titled Secret Shopper Scams.


 


 
 

TOP STORY
Unlocking the Door to an Apartment Rental Scam

On June 29 we heard from a gentleman who had been looking for a new apartment to rent for his family in the Denver area. He found the listing below on Craigslist, saying that “This Apartment is fantastically located on a quiet street.” The listed apartment included only 2 photos. The text description included the sentence “Please call David to schedule a tour.” The man was very interested and reached out to David through the Craigslist reply button!


 

Instead of someone named David, the man received a reply from a “Calvin Bradley” who identified himself as a “Property Manager.” Mr. Bradley sent the man ten additional photos, along with more information, including a questionnaire for the man to fill out.





 

The man noticed that Mr. Bradley’s email address was Calvin.Bradley@cityresortrental.com. That’s when he realized this was likely a scam and contacted us. It took us very little time to confirm his suspicions. Follow along with us as we walk through this scam and we’ll show you how to reveal the truth behind it all...

We’re always curious to explore the domain names used by businesses, such as “CityResortRental.com” used by Mr. Bradley. A simple WHOIS lookup for this domain informed us that it was registered anonymously in Iceland almost exactly a year ago through a service called NameCheap.com. (It’s important to note that this legitimate service has been used A LOT by criminals in the last year! We think their standards to verify information or remove fraudulent domains must be pretty poor!) Iceland? Anonymously? Our “spidey senses” started to tingle! We conducted a search for the domain “cityresortrental.com” using Google (through Firefox) and found NO SUCH WEBSITE. However, what Google returned were lots of links about Apartment Rental scams, including a link to one of our own articles at The Daily Scam! Someone also mentioned on Scampulse.com that this rental company was a scam. Apparently, the person posting the apartment asks for deposits up front (via money transfer) before anyone is allowed to see an apartment.  We also saw references to scams connected to a company similarly called CityResortRentalS.com.




We visited the ScamAdviser.com AI tool to check on the domain CityResortRental.com and were surprised to learn that any visit to CityResortRental.com would forward you to CityResortRentals.com!  And ScamAdviser also told us that these sites were not very trustworthy!



We had confirmed the man’s suspicions!  If you, your friends or family members are ever looking to rent an apartment, don’t let ANYONE pressure you into thinking that you have to send a deposit up front BEFORE seeing the place!  And, as always…. VERIFY, VERIFY, VERIFY!  Once we knew this was a scam, we returned to the Craigslist listing and copied some unique text from the paragraph.  When we dropped it into Google, we discovered that this text was stolen almost word-for-word from a house that is “off the market” (Not for sale or rent) but still listed on Trulia’s website at 1161 Gaylord Street. And at the bottom of the paragraph on the Trulia website is the sentence “Please call David to schedule a tour.”




 

For Your Safety
Norton LifeLock Renewal Notice

This next email was sent to us by a TDS reader. It is disguised as an offer about “Norton 360 Antivirus Protection” and contains many telltale signs to suggest it is malicious clickbait, including spelling Norton with a Zero after the “N.” Also, the links in this clickbait point to a malicious website called deptrater[.]net, which was registered in late December, 2020 and is hosted on a server in Spain. Sound like Norton.com to you? Yeah, we didn’t think so either.

Delete.




Textplosion
Indy Surveys, Popeye's Famous Chicken Sandwich and Donation by Powerball Winner

The variety of text scams last week was impressive, to say the least! Let’s start with a survey sent to a TDS reader on June 28 from “Alexis from Indy Surveys” (using 561-944-5562) and asking for voters’ opinions. The voter was asked to visit a link to a webpage at study-group[.]org.  But a WHOIS lookup tells us that this erudite group domain was registered that same day (and in Canada)!

THAT IS NEVER A GOOD SIGN!





Wow, what’s better than getting a text telling us that “The famous Chicken Sandwich is back.”  Yep.  If we want to “try it for free” all we have to do is click the link to visit “getpopeyees[.]com!” Looks like one too many “e” for our stomachs though. That and the fact that this Popeyees domain was registered in Iceland just two days before we got this lovely offer!




 

Finally, one of our TDS readers sent us this amazing text she received just a few days ago from 804-217-1056.  Wow!  How lucky is she?!  To receive her $50K donation, all she has to do is send a text to Brad Harrison at 804-265-1374! Perhaps we should all bombard Brad with a text telling him we were offered that $50K!



Until next week, surf safely!


Produced by:
Deutsch Creative
 
Copyright © 2021 The Daily Scam, All rights reserved.

