This is presented for entertainment purposes only.
* Nothing in this post should be construed as legal advice. *
Review this scenario with your older, technophobic and more trusting relatives, co-workers and friends. Discuss with them how to protect themselves from criminals online.
Setting the Scene
I recently had a client describe getting several product and service subscription renewal notices via email. These were for products that they didn’t use, and I suspect they may have wondered if someone had used their credit card to subscribe to these services.
NOTE: If you are worried about someone else using your credit cards I was taught that you ALWAYS contact your bank or credit card’s fraud protection service via the phone number on the back of the actual credit card, or from the phone number found on one of your bank statements. Definitely do not call a phone number received in a sketchy email.
In this case my client received numerous emails claiming that several different legit-sounding tech subscriptions were being renewed. All of the emails arrived on the same day, which created a sense of urgency.
The messages also said that the $$$ charges would become irreversible in 24 hours, again adding to a sense of urgency.
Each email gave a different phone number to call to cancel the renewal. Seemingly an easy and trusted way to fix the problem, right? Each email uses its own phone number, and there are no unknown hyperlinks to click on – what could go wrong?
What’s Going On Here
The basic idea is to scare you into thinking that you have been subscribed to what sounds like a legit product. You know you didn’t subscribe to that product, and even if you did use that product, the price will seem way too high.
It’s supposed to trigger your “protect my wallet” instinct – without activating your internal “this is bogus” alarm.
They masquerade as popular and/or respected services to make you think they are legit and instinctively gain your trust. Some of my client’s emails pretended to be from a popular Internet Security software and others pretended to be from a popular big-box store tech service department.
What about the different phone numbers in the emails? They use temporary phone numbers that are forwarded to other numbers and are difficult to trace later, similar to burner phones.
Don’t Do This
During the process of “cancelling” the bogus subscription the con-artist may tell you that you have malware on your computer. They will explain that this malware subscribed you to their service and it will subscribe you to other services as well.
See how they innocently tie this to the other emails you received, each from seemingly different subscription services? They are making the whole scam seem more plausible by doing this.
Then they ask to remote into your computer to remove the malware. They may even offer it as a discounted billable service. Don’t get out your credit card and don’t let them remote into your computer.
They may also ask to help you fill out their online refund form, again by remoting into your computer. DON’T LET THEM.
If they get a remote session with your computer, they will install malware, remote access, logging and monitoring software.
You’ve Opened the Vault
After they fake the subscription cancellation, if they have access to your computer, they instruct you to log into your bank account to verify that your cancellation refund has been received.
If you do this they can immediately view and access your bank account. They can quickly assess your financial liquidity to see how big of a payoff they can try for. Now they will fake an accidental incorrect 10x or 100x refund in your favor. This is explained as having put in too many zeros or missing the “.” separating the dollars and cents in the number that you and they put in the refund form.
So instead of refunding you $305.03, they look like they have accidentally refunded you $3,050.30, or even $30,503.00. If they are logged into your computer they can make the web page on the screen look like your bank has actually received the incorrect 10x or 100x refund $$$ (done by injecting HTML and CSS into the web page).
NOTE: Even if you don’t log into your bank, if you let them remote into your computer you can bet that they now have malware on your PC waiting to capture your online banking and shopping usernames and passwords.
It’s Not Just One Bad Actor
There is a team of hackers working behind the scenes to do this sort of scam. It’s not just one person in their mother’s basement. Those days are long gone.
Organized crime recruits individuals to run tech support scam teams. I suspect that once they’ve written the scripts, and rehearsed the plays, they can move their really talented hackers to a new team to mentor and help them get started.
The person you talk with on the phone is the social engineering con-artist. Their job is to keep you busy, giving the others the time they need, making you feel at ease and getting as much trust and information out of you as possible.
Speaking of acting
While sounding distraught and frightened about losing their job due to the refund “error”, they now work to convince you to send back the difference between the accidental overpaid refund amount and the correct refund amount.
In this scenario that would have our client send back either $2,745.27 or $30,197.97. Again, they took a look at your bank account while online with you, and they will have assessed if you look like a target for the higher number or not.
Yup, hundreds of people each year will “return” thousands of dollars to someone that they just met on the phone, from a phone number they called out of an unsolicited email message.
The criminal organization that runs these fake call centers often has its scam scripts very well written and performed by its best con-artists, and many vulnerable people fall for it hook, line and sinker.
How to spot a fake
An easy “tell” is to check the “from address” of the email. It will rarely be from the service it claims to be from. Many times they don’t go to the effort of faking the sender’s email address, even though it isn’t very hard to do so.
If you are uncertain, ask a trusted online expert to review the email for you, contact your state’s consumer protection department, or get in touch with your attorney and have them look at it for you.
In this case “InternetSecuri[email protected]” was clearly a bogus email address.
Additionally, you can copy and paste the contents of the email into a Google search. You can see if others have reported the same email message as a scam online. This works surprisingly well as a way to identify many scam email messages.
Get less junk email
To reduce the number of these incoming spam/scam emails you can set up “filters” in your email program to auto-delete messages containing common scam phrases. Be careful, though, not to use phrases that you might also see in legit email.
Setting up a filter may look something like: Send all email with the words “Hello User, Member”, or the words “will be reflected within next 24 to 48 hrs” immediately to my deleted folder.
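The two checks described above (the “from address” not matching the brand the email claims to be from, and the known scam phrases such as “Hello User, Member” and the 24-hour deadline) can be combined into a small triage script. The following is an added example written for this post, not a filter from the original article or from any email program: it parses a raw email, scores it on those tells plus the “call this number to cancel” pattern, and shows why the phrase list must stay specific so that a genuine renewal receipt is not swept up. The brand-to-domain mapping, the phone-number pattern and both sample messages are constructed for illustration.

```python
"""Toy scam-email triage filter (added example, not the post's own code).

Scores a raw RFC 822 message for the tells the post describes:
  1. the From: domain is not one the named brand actually sends from,
  2. a known scam phrase appears,
  3. a phone number is offered as the way to "cancel".
The brand/domain table and sample messages are constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Phrases taken from the post's filter suggestion, kept deliberately specific:
# a word like "renewal" on its own would also match legitimate receipts.
SCAM_PHRASES = [
    "hello user, member",
    "will be reflected within next 24 to 48 hrs",
    "irreversible in 24 hours",
]

# Hypothetical mapping of an impersonated brand (spaces removed, lower case)
# to the domains that brand really sends mail from.
BRAND_DOMAINS = {
    "internetsecurity": {"internetsecurity.example"},
    "bigboxtech": {"bigboxtech.example"},
}

# Loose North-American style phone number, e.g. (555) 010-2468 or 555-010-2468.
PHONE_RE = re.compile(r"\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}")


def body_text(msg):
    """Return the first text/plain body of a parsed message as a str."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                return part.get_payload(decode=True).decode(errors="replace")
        return ""
    return msg.get_payload(decode=True).decode(errors="replace")


def triage(raw_message):
    """Return (score, reasons) for a raw message; one point per tell found."""
    msg = message_from_string(raw_message)
    reasons = []
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    squashed = text.replace(" ", "")  # so "Internet Security" matches the key

    # Tell 1: brand named in the mail, but sent from an unrelated domain.
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    for brand, real_domains in BRAND_DOMAINS.items():
        if brand in squashed and from_domain not in real_domains:
            reasons.append(f"claims to be {brand} but sent from {from_domain!r}")

    # Tell 2: the scam phrasing itself.
    for phrase in SCAM_PHRASES:
        if phrase in text:
            reasons.append(f"scam phrase: {phrase!r}")

    # Tell 3: a phone number offered as the way to cancel the "renewal".
    if "cancel" in text and PHONE_RE.search(text):
        reasons.append("cancel-by-phone instruction")

    return len(reasons), reasons


def should_quarantine(raw_message, threshold=2):
    """Auto-delete/quarantine decision: two or more tells is enough."""
    score, _ = triage(raw_message)
    return score >= threshold


# Constructed sample: the kind of renewal notice the post describes.
SCAM_SAMPLE = """\
From: Internet Security Billing <billing@mail-notice.example>
To: you@home.example
Subject: Your Internet Security renewal has been processed

Hello User, Member
Your subscription has been renewed for $305.03. The charge will be
irreversible in 24 hours. To cancel, call (555) 010-2468 now.
"""

# Constructed sample: a genuine receipt from the brand's real domain,
# which mentions the brand and a renewal but trips none of the tells.
LEGIT_SAMPLE = """\
From: Internet Security <renewals@internetsecurity.example>
To: you@home.example
Subject: Your Internet Security renewal receipt

Hi Pat,
Thanks for renewing. Manage your subscription any time from your account
page on our website.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        score, reasons = triage(sample)
        print(f"{label}: score={score} quarantine={should_quarantine(sample)}")
        for r in reasons:
            print("   -", r)
```

Run as-is, the scam sample scores 4 (brand/domain mismatch, two scam phrases, and the cancel-by-phone instruction) and the legitimate receipt scores 0. The quarantine threshold of two tells is the practical version of the post's warning: a single phrase match is not reliable enough on its own to auto-delete mail, but a phrase match together with a mismatched sender domain is.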
Payback can be educational and entertaining
If you want to learn more about this sort of scam, and be entertained at the same time, check out this YouTube channel to watch a white-hat hacker turn the tables on the scammer.