Tips on Identifying Phishing Attacks, and Other Scams (Including List of My Scam Reports)

in #scams, 3 years ago (edited)

stylized comic image of a phishing attack

Updated 5/13/22.

I've been enduring phishing campaigns for years now on the phone ☏ and in emails📥. But, since the pandemic, they've gotten worse. I've gotten pretty good at sussing them out 🔍, though, thanks to a lifetime of experiences, IT knowledge 🖥, being scammed (LOL), using analysis and critical thinking, and a few other tools 🧰 in my brain 🧠.

Phishers are "fishing" 🎣 for different things, but it boils down to getting confidential information 🛈 that they can then use to defraud you, rob you, access your accounts, drain your bank account, ruin your reputation, blackmail you, extort you, and/or steal your identity. They may do this by tricking you into voluntarily giving them information via phone, email, mail, or linking you to a duplicate of a famous company's website. They may even use trojan-ware to get information from you. They may offer you a job, fame, big returns on investments 🤑, government-funded benefits, love 💑, or other rewards, or they may threaten you with legal action, a "standing warrant," or freezing your assets, while posing as employees of the IRS, the FBI, the police 👮 and other official agencies. They might lure you into giving them access to your computer on the grounds that they know it's been hacked or damaged and they can fix it. There are so many possible scenarios that, really, there's not much they won't try as long as it triggers your emotions so that you don't think carefully! Love, hope, and fear are all great at lowering your defenses!

The Scam

I was contacted a couple of days ago by a valid LinkedIn account, Richard Galli, with a job offer. It seemed suspicious, especially because:

  • the person is a high-ranking employee of an educational services center;
  • the company is located in Quebec, Canada;
  • my high-school French has pretty much completely disappeared from my head;
  • grammatical, punctuation, and spelling errors;
  • the person provided no info about what kind of job they thought I was a match for;
  • the person was vague when responding to questions;
  • he asked for my resume, which was obviously available from my LinkedIn profile;
  • he wanted it to be sent to a generic Gmail account instead of to:
    • a business email account from the company the person works for, or
    • to someone else on LinkedIn; and
  • he said the person was the hiring manager, but only gave a Gmail address with no name.

I played along and eventually got enough evidence to suggest that the person's LinkedIn account had almost certainly been hacked, and quite possibly the Gmail address I was communicating with was, too, at which point I contacted Mr. Galli's office and got him on the phone. He confirmed that he hadn't been communicating with me and, sadly, hadn't offered me a job. I suggested that he change his password. He did that before sending warning messages to everyone who'd been contacted through the LinkedIn messaging service not to give out their info because he'd been hacked.

This was a better-than-average phishing scam, but it still had plenty of red flags 🚩. It's harder to know if someone is trying to scam you if they reach out to you from an established account that they've hacked. I'm really eager to get back to work, but I'm deluged by so many kinds of phishing scams every week that I have become very cautious. You should be careful, too! I just released my video breaking down what caused me to be suspicious of the above phishing attack on my YouTube channel (https://www.youtube.com/c/GlennMcGrewII), and I've already uploaded several other debunk videos. Scroll to the bottom for the list of articles and videos I've done relating to this topic.

By necessity, I have not revealed everything that tipped me off that this is a scam. I don't want to give the criminals too much info to perfect their craft. ;) Also, this article doesn't specifically address phone scams.

Search Engines

BTW, if you're going to research a possible scam, I sadly cannot recommend DuckDuckGo due to the inadequacies of their search engine for such a task. Due to absolutely no data privacy in China and Russia (vastly outstripping the surveillance by 5 eyes, 9 eyes and 14 eyes nations), I cannot recommend Yandex, Baidu, Sogou, Shenma or any other engines located in those countries, or other countries where the law gives the government unfettered access to all data on servers in their country and on servers controlled by companies based in their countries.

If you don't mind the aforementioned 14 countries spying on your searches, try Google, Bing, Yahoo!, Ask or any other major US or European engine. If, however, you prefer privacy over all else, Privacy Savvy has a list of 12 choices. You might also want to consider Lifewire's list of top search engines, which includes a description, and pros and cons.

Report an Internet Crime

If you think you're the victim of Internet crime, you can report it via the website you were bilked on, or go to the FBI's Internet Crime Complaint Center to report it. On IC3, it doesn't matter if you lost your money, property or personal info, or just need to report what appears to be a criminal enterprise online.

Tip

Never click on a link in an email unless you absolutely KNOW who sent it and that it's safe. It's better to go to the website directly. Keep in mind people you know can be hacked and then emails with bad links and/or malware can be sent out.

🚩🎣Phishing Indicators🎣🚩

Some of these are not 100% certain to be scams but, if you notice multiple indicators, you should be very careful. If you get more than a few of these things checked off, you should be extra careful. This list is not exhaustive. If you have noticed things you think should be added to the list, please add a comment.

  1. Email-Specific

    1. You don't know the sender and did not solicit anything from the sender or company. This is probably one of the biggest 🚩red flags🚩. This is also one of the top indicators of unethical sales/marketing.
    2. The name of the sender doesn't match the email address (very common!). I often get phishing emails for insurance, shopper rewards, window replacements, lawn care, and many others, from a completely unrelated email address. Some of these are phishing and others are spam sales attempts from unscrupulous marketers. Mark 'em as phishing just to be safe and, if they're unscrupulous, that's all they deserve!
    3. The subject of the email is not relevant to you. You might notice this from the topic, or by reading the message, but you're left wondering "Why'd they write to me?".
    4. Telling you that you did something (e.g. applied for a job, submitted a proposal) that you haven't done. If they then tell you to do it (not again, just do it), that's an even bigger 🚩red flag🚩.
    5. Not specifying the website or person they got your resume from or specifying one you don't use.
    6. Offering millions of dollars, and then asking you to pay for some fees.
    7. Emails do not list the company name, address, contact info (e.g. phone number, website), etc.
    8. Didn't sign off on the letter (i.e. no "Sincerely, John Doe").
    9. Used different names in different areas (e.g. John Doe for the email address, Jane Dean for the introduction, and Jox Dork for the sign-off).
    10. The sender's email address is not an address from the company they claim to represent.
    11. You are supposed to write to a different email address than the one you got the message from.
    12. They send you a document or other file that you didn't solicit. This could be part of the trick, but it could also contain malware. PDFs, MS (and other company) office files, pictures, executables/apps/programs, and other files can all be used to give you malware. It could even appear to be a legitimate program when you use it, but is actually trojan-ware that downloads malware from their secret C&C (command & control) servers.
    13. Topics that don't match the content.
    14. Topics that are currently trending, especially where a reader might feel a great deal of pressure or interest (e.g. legal action against you; the pandemic; government/retirement benefits; job offers; love; sex), especially when coming from an unsolicited source.
    15. Links that take you to a similarly-spelled company name (e.g. Kolls instead of Kohl's), or that sound like variations on familiar brands (Bass Pro News instead of Bass Pro), or that just appear to otherwise be an official site (e.g. https://www.embassy-wakanda.com).
    16. Name-dropping very famous people to show authority or connection. For example, an email saying that you're getting a settlement because the Secretary-General of the UN and the president of the World Bank decided it should happen. This is highly unlikely, if not impossible, and certainly isn't going to be communicated through email.
    17. Not answering your questions, or answering them only vaguely or briefly, even after you have given them what they asked for.
    18. Offering a job opportunity which you are not qualified for.
    19. Getting a password reset email from a company you've never used.
    20. Information about the contact person and/or company is minimal and/or unclear.
    21. The job involves processing mail and/or packages, including opening, inspecting, photographing, repackaging, and resending it to another "client". It's probably just being sent from one victim to the next.
    22. IT-knowledgeable people can look up things like the IP addresses in the email header, run DNS searches, reverse-lookup email addresses and phone numbers, and reverse-image-search the images sent in emails and on the website.

A typical Nigerian money-scam email
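
Several of the email-specific indicators above (a sender name that doesn't match the address, an address that isn't from the company being claimed, and a reply address different from the sending one) can be checked mechanically from the message headers. The following Python is an added example, not part of the original article; the brand list, the free-webmail list and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list: brand as it appears in display names -> its real mail domain.
KNOWN_BRANDS = {"kohl's": "kohls.com", "stripe": "stripe.com", "walgreens": "walgreens.com"}
# Hypothetical list of generic (non-business) mail providers.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""

def same_org(domain, expected):
    """True if domain is the expected domain or one of its subdomains."""
    return domain == expected or domain.endswith("." + expected)

def header_indicators(raw_message):
    """Return the red flags found in the From and Reply-To headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(addr)
    found = []
    # Sender name claims a known company, but the address is from somewhere else.
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in name.lower() and not same_org(sender_domain, real_domain):
            found.append(f"display name claims '{brand}' but address is @{sender_domain}")
    # Replies are steered to a different address than the one that wrote to you.
    if reply_to and domain_of(reply_to) != sender_domain:
        found.append(f"Reply-To goes to @{domain_of(reply_to)}, not @{sender_domain}")
    # A generic webmail account is used for what claims to be business contact.
    if FREE_MAIL & {sender_domain, domain_of(reply_to)}:
        found.append("free webmail address used for business contact")
    return found

# Constructed sample message (not a real email).
SAMPLE = """\
From: "Kohl's Rewards" <promo@deals-mailer.example>
Reply-To: hiring.manager@gmail.com
To: reader@example.org
Subject: Your reward is waiting

Claim now.
"""

if __name__ == "__main__":
    for flag in header_indicators(SAMPLE):
        print("RED FLAG:", flag)
```

As the list says, one flag alone proves nothing; a legitimate newsletter sent through a mailing service will trip the first check, so treat the output as a count of things to look into.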

  1. Money & Confidential Info

    1. Asking you to provide your credit union/bank account details, including things that aren't required for a direct deposit: basically, anything other than your financial institution, branch location, routing number, the name on the account, and the account number.
    2. Asking you to add a gift/credit/debit card of some kind to their order, especially if it's to be sent to a 3rd party. This mostly applies when you've accepted an order, or someone wants to buy what you're auctioning off, but a request for payment via gift cards of ANY kind is a bad sign.
    3. They want payment in cryptocurrency, which is virtually untraceable and unrecoverable once completed.
    4. Requiring an up-front fee for hiring, training, etc. Most job websites do not allow jobs that require this to be posted.
    5. Soliciting money or offering you larger-than-normal remuneration, especially for part-time work.
    6. Expecting you to pay for expenses related to your job, and then they'll reimburse you.
    7. They offer you a high-ranking position, such as "advisory board member," but you have to invest money and don't necessarily have any qualifications for such a position. This could either be a scam or unethical business development.
  2. Procedures

    1. Requests confidential information at an inappropriate stage.
    2. Skips steps in the process you're involved in, such as jumping from "Please apply" to "You're hired!" without the normal intervening steps. Skipping steps you'd normally expect to experience is highly irregular for most situations.
    3. Requests confidential information to prove your identity, but doesn't send you to an official website to read information and disclaimers, give consent, and indicate comprehension, especially if they want to run a background check.
    4. Offers to help you "expedite" (as in "bypass") legal procedures with an extra, often substantial, payment. This is called bribery, or they could be forging documents.
  3. Web Presence

    1. The website doesn't use HTTPS, which the Electronic Frontier Foundation offers help with for free. Using only HTTP leaves your connection very vulnerable to data collection and even hijacking.
    2. They want you to leave the official website (LinkedIn, eBay, Facebook, etc.) where your contact was initiated, and they give you an unknown phone number and/or a generic (non-business) email address (often Gmail). This means that any protection offered by the venue will be limited or non-existent if you follow the scammer's instructions.
    3. You arrive at a website that LOOKS like it's the official site, but you notice things about it that seem wrong, and you notice that the root address doesn't match (e.g. stripenotes.com instead of stripe.com).
    4. The link you were given appears to be a specific sub-page of the company's website, but when you try to browse to the main company page, no page exists or you get an error (including the HTTP issue above). For example: https://l.abcdcompany.com/about/staff.html should have a valid main page of https://www.abcdcompany.com.
    5. Online information is minimal.
    6. Most online information is from the person or company itself.
  4. Menus

    1. Links to "other pages" actually scroll you to a different part of the same page, or don't function correctly (or at all).
    2. No menu at the top (header) and bottom (footer) of the page(s).
    3. Contains images that don't display, links that you can't click, or images/links that link to incongruous content (e.g. a Twitter link should take you to their Twitter page, not somewhere else).
    4. Links that take you to a similarly-spelled company name (e.g. Wagreens instead of Walgreens), or that sound like familiar brands (Bass Pro News instead of Bass Pro), or that just appear to otherwise be an official site (https://www.embassy-canada.com, which is a valid site of a 3rd-party providing info on Canadian embassies - and stating that it's not the actual embassy's website - is a great example of the same thing that is done by scammers).
  5. Products & Services

    1. Gives vague info about products and services with or without links.
    2. Links either don't go to anything or link to equally vague pages.
    3. A more detailed showcase of products and services doesn't exist.
    4. Presents them using strong sales techniques or makes statements that evoke strong emotional responses.
  6. Supporting Documentation, Partnerships, Media Coverage

    1. Greatly exaggerated claims that use charts and graphics that don't show actual data points.
    2. Lists famous websites (e.g. Forbes, the Wall Street Journal), with or without explanation, horizontally or vertically, but either doesn't link to those websites or doesn't link to articles about the company on those websites that match the claims of the company you're investigating.
    3. The company claims to possess an accreditation, but it is not from one of the known accreditation agencies.
    4. The company claims to have a special relationship with another company, but there is no such relationship published in media and the other company's website and social media.
    5. Finding reviews/ratings of this company, even on famous websites like Yelp!, the BBB, Glassdoor, Indeed, TrustStar and Google, is difficult or impossible.
  7. Company Information

    1. Offers no or vague "about," company address, email address (or the address is not a company address), phone number, staff/leadership info, etc.
    2. Has a map of office locations globally that doesn't match the stated addresses in some way (different city/state/country).
    3. Provides what appears to be a map website's mini-map of where they're located, but the link doesn't function, it links to somewhere else (physical location or website), or the address and/or company name doesn't actually appear to match.
    4. Being from a different country, especially in conjunction with a very large sum of money.
    5. A business address that doesn't appear on popular mapping apps/websites (Waze, Google, Mapquest, etc.), which could just mean that they haven't added their address yet, don't know how, or they use a different address for their physical address vs. their incorporating address or headquarters.
    6. The business is not shown on a street-level photo in a map app or website (it could be an outdated photo, especially with all the businesses that were destroyed by governments shutting businesses down).
    7. The company claims to have a top rating by the Better Business Bureau, but there is either no listing or they don't have that rating. Shady organizations will often rebrand and reincorporate to lose the negative reviews.
    8. The company is not discoverable using major search engines.
  8. Decorative Aspects

    1. Uses the same photos again and again on different pages. You'd expect a company to be proud of photos of its facilities, staff, etc.
    2. Uses stock photos or cartoons of the "writer" of supposed "recommendations" and positive reviews, and staff members (although a small number of companies do actually have an artistic employee do caricatures of all staff).
    3. Contains images that don't display, links that you can't click, or images/links that link to incongruous content (e.g. a LinkedIn link that takes you to somewhere other than their LinkedIn page).
  9. Formatting & Language

    1. The email and/or website uses a long-form format, which is an exceedingly long page that could fill a novella, in which everything is included on one page. This is very commonly used on scam websites offering amazing cures, books, and life-changing opportunities, although some companies legitimately use this style. Often, the amazing offer is either something that has been debunked as fraudulent, has no scientific basis, is offered by a "wrongly-discredited expert" or even a non-expert, or exists in the public domain - but they'll give it to you for "only $x for the next hour," and other common scam techniques. Not many legitimate companies use a single-page format for all of their information.
    2. Using high-pressure sales tactics (e.g. legal threat, limited duration, exclusive offer, secret sharing of a huge sum of money, not available to the public).
    3. More than a small number of mistakes in spelling, grammar, and punctuation.
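
The link-related indicators in the list above (no HTTPS, a root address that doesn't match the real company, and similarly-spelled names such as Kolls or Wagreens) lend themselves to an automated check before you click. The following Python is an added example, not part of the original article; the table of official domains is a hypothetical list you would fill with the companies you actually deal with, and the sample links are constructed from the look-alike names used in the article.

```python
from urllib.parse import urlsplit

# Hypothetical list: brands the reader deals with -> their official root domain.
OFFICIAL = {"stripe": "stripe.com", "walgreens": "walgreens.com", "kohls": "kohls.com"}

def root_domain(url):
    """Naive root address: the last two labels of the host. Assumption: no
    multi-part suffixes such as .co.uk (use the Public Suffix List for those)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def link_indicators(url):
    """Return the red flags found in one link."""
    found = []
    if urlsplit(url).scheme != "https":
        found.append("not HTTPS")
    host = (urlsplit(url).hostname or "").lower()
    root = root_domain(url)
    if root in OFFICIAL.values():
        return found  # genuine root address: only the scheme check applies
    name = root.split(".")[0]
    for brand, official in OFFICIAL.items():
        if brand in host:
            # Brand name used inside a host that does not belong to the brand.
            found.append(f"'{brand}' appears in {host}, whose root is {root}, not {official}")
        elif edit_distance(name, brand) <= 2:
            # One or two typos away from the real name.
            found.append(f"{root} is a near-spelling of {official}")
    return found

# Constructed sample links, using the look-alike names from the article.
SAMPLES = [
    "https://www.stripe.com/docs",
    "https://stripenotes.com/login",
    "http://www.wagreens.com/",
    "https://kolls.com/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", link_indicators(url) or "no flags")
```

The same `root_domain` helper gives the main site to try when you are handed a deep link: for https://l.abcdcompany.com/about/staff.html it returns abcdcompany.com.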

Closing Note

The above tactics are employed by scammers, unethical marketers, and multi-level marketing people alike, so you may have to do further homework to determine if it's a phishing attack, bad marketing, or someone trying to trick you into going to an MLM recruitment meeting or sales event. You may even need to call up companies to get further information. When in doubt, the easiest thing to do is mark it as spam or phishing and let someone else figure it out.

Links to My Articles and Videos on Scams

Videos

Articles



Constructive comments are welcome! If you appreciate this article, please 🏅upvote/like👍, 🤩resteem/share and share it to Facebook, Twitter, Reddit, LinkedIn and wherever else you can!