Category: Hazards (Page 1 of 7)

Brushing Scams

Here’s a scam that you should know about, but not because it’s particularly dangerous. It’s just weird. But once you know the details about brushing scams, they won’t creep you out, and you can quickly move on from them.

Surprise‽

When an unexpected item arrives at your doorstep, it may be part of a brushing scam. The item may be lightweight or small or just plain curious: people have reported receiving packets of seeds, hand warmers, “dragon eggs”, and even Bluetooth speakers. The packaging often shows an international return address, but no further clues about the point of sale. No bill is included, and no company name or URL can be spotted.

Nothing “killer” about this, just an artsy rock…

In general, the items are harmless. There have been no reports of hazardous items being shipped with this scheme. Whatever you receive, you do not have to pay for it, and you are under no obligations regarding what you do with it. Keep it. Donate it. Trash it.

Why Send Me Junk?

This scam is harmless to you specifically, because it isn’t targeting you. Certainly, someone used your mailing address in this scheme. But don’t take it personally. Your address was probably chosen at random, from any number of online public information sources.

The scam’s target is an e-commerce website. It could be Amazon, Wal*Mart, AliExpress or others. The scammers are gaming the reviews in order to sell more merchandise. Their process is:

  • Create a new account and buy an item.
  • Have the item shipped to a random address in the USA.
  • Once the item is shipped, the new account is considered legitimate, and can leave a review. So the account holder leaves a 5-Star review on the item and for the seller.

If they repeat this over and over for a particular item/seller, that item will soon show a lot of trustworthy, 5-Star reviews, even though it may be a new listing or a shady, fly-by-night vendor. This can help encourage a lot of future sales.

Whatever it takes to sell more jewelry.

Final Takeaways

Most brushing scams give you no info to act on. But if you spot a clue on the parcel and you manage to determine what site it was purchased through, you could follow up with that company. Don’t call any number listed on the package, but you may, for example, go to Amazon.com or Walmart.com and contact their support about the item. If they care to listen to you, you may ask that they:

  • File a fraud report for the item you received.
  • Find and remove any reviews associated with your name or address.

Brushing scams are actually incredibly effective at what they do. Amazon and similar stores are constantly battling fake reviews. But brushing reviews is where the bad guys have the upper hand. Brushed reviews are almost impossible to suss out, even with sophisticated software tools. So at the end of the day, I have to advise you: Don’t give 100% of your trust to online reviews. Sure, read them over, but take them with a grain of salt.

Fake Hard Drives for Sale

A couple of years ago, I blogged about Fake Flash Drives, and now I have to write a refresh article: You also need to watch out for Fake Hard Drives and Fake Solid State Drives. Please make sure you don’t buy these things!

Good & Bad Examples

First, some examples of legitimate, reliable storage drives:

These items are all fine choices for your data storage. Please note that they are recognizable, big-brand names within the $50-100 price range.

Now for some fakes for your consideration (PLEASE DO NOT BUY THE FOLLOWING PRODUCTS!):

If you regard those items, you should notice some clues that something’s not right. First, there’s no noticeable brand name, or if there is, it’s a name you’ve never seen before and won’t see anywhere else on the web. There’s a big price disparity, too; charging a few dollars per Terabyte of storage is too good to be true.

16TB storage drives do exist, for the rare few of you that need one. If you buy a legitimate 16TB hard drive, expect to pay around $300 at the time of this writing.

Details & Dangers of Fake Drives

The dangers of this scam go beyond losing some money. Your files are at risk if you fall into this trap. These fraudulent devices are mis-manufactured to offer 16TB of storage to your computer. And your computer will believe it when you attach the drive! But there isn’t really that much storage in there. It’s more like a couple of 64GB microSD cards glued to a reader board in these sham drives.

So what happens is that you can try to put data on the device. And it will work, up to a point, but then catastrophe will strike. As your computer pipes data into an area that it thinks is huge but is really much smaller, your data will fall into oblivion. Like lemmings walking off a cliff. And this won’t be apparent until later, when you try to open or retrieve those files. Then you will meet with errors and irrevocable data loss.
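The failure described above can be reproduced and detected with a write-everything-then-read-back test. This is an added example, not from the original post: `SimulatedDrive`, its two failure models (discarding and wrapping) and the tiny block counts are assumptions constructed so it runs without real hardware.

```python
import hashlib

BLOCK = 4096  # bytes per test block


def pattern(index):
    """Unique, reproducible content for block `index`, so stale or misplaced data shows up."""
    seed = hashlib.sha256(index.to_bytes(8, "big")).digest()
    return seed * (BLOCK // len(seed))


class SimulatedDrive:
    """Constructed stand-in for a drive that advertises more blocks than it stores.

    Assumed failure models (not taken from a real device): with wrap=False,
    writes past the real capacity are accepted and discarded; with wrap=True
    they land on top of earlier blocks.
    """

    def __init__(self, advertised, real, wrap=False):
        self.advertised, self.real, self.wrap = advertised, real, wrap
        self._cells = {}

    def write_block(self, index, data):
        if index >= self.advertised:
            raise OSError("write past advertised end of device")
        if self.wrap:
            self._cells[index % self.real] = data
        elif index < self.real:
            self._cells[index] = data
        # otherwise: silently dropped, and no error reaches the caller

    def read_block(self, index):
        cell = index % self.real if self.wrap else index
        return self._cells.get(cell, bytes(BLOCK))


def verify(drive):
    """Fill the whole advertised range, then read it all back.

    Two separate passes matter: on a wrapping fake, reading each block right
    after writing it would succeed every time.
    """
    for i in range(drive.advertised):
        drive.write_block(i, pattern(i))
    bad = [i for i in range(drive.advertised) if drive.read_block(i) != pattern(i)]
    return {
        "advertised": drive.advertised,
        "verified": drive.advertised - len(bad),
        "first_bad": bad[0] if bad else None,
        "genuine": not bad,
    }


if __name__ == "__main__":
    for name, drive in [("honest", SimulatedDrive(16, 16)),
                        ("discarding fake", SimulatedDrive(16, 4)),
                        ("wrapping fake", SimulatedDrive(16, 4, wrap=True))]:
        print(name, verify(drive))
```

Tools such as f3 and H2testw apply the same write-then-read-back idea to a real device; run that kind of test on a new drive before trusting it with files.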

Dos & Don’ts

The Too-Long;-Didn’t-Read advice I can finish up with is:

  • Do pay attention to brand names, and buy something from a recognizable manufacturer.
  • Don’t jump on amazing prices/deals. If the price is too good to be true, it probably is.
  • Don’t believe the posted reviews! Amazon and other websites are commonly gamed by the scammers, and a sham product can have thousands of 5-star reviews below it.
  • Do be judgmental about where you buy (online). Costco, Staples & Best Buy vet their vendors more than Wal*Mart, Amazon and eBay. Avoid those free-for-all marketplaces where anyone can hawk their wares.
  • Do feel free to report scam products to the website’s support team, but don’t spend a lot of your time or emotion on it. I did that 2 years ago with the flash drive debacle, and it became obvious that these big companies don’t care about or can’t fix the problem from their side.

McAfee Stinger

There are a variety of one-time scan tools available for free, that will check your system for baddies. I’ve previously blogged about ADWCleaner and Norton Power Eraser, and now I should mention McAfee Stinger.

McAfee Stinger is a quick scan for your PC that can detect and remove a specific set of viruses and trojans. If you have reason to think you’re infected, you can download Stinger and use it anytime. It won’t conflict with your full-time antivirus, and it won’t try to sell you anything.

Most modern Windows computers are 64-bit, so use the download for “x64 systems”. You would only use the first Download option for very old, 32-bit computers.

The Text-Based EBT Scam

For anyone involved in SNAP or receiving EBT funds, please be aware of the following scam:

This is a text message that did NOT come from the government or any legitimate entity. It is the beginning of a scheme to steal your EBT funds.

If you receive this text, do NOT call the number. Do NOT respond to the text. Simply ignore, delete or block this message.

If someone calls the number in the text, a scammer will answer and pretend to be with the government. They will try to learn the caller’s EBT account info and PIN. Once they have those numbers, the crook will drain the funds from the person’s EBT account.

The legitimate people in charge of SNAP and EBT will never text you. If you need to contact them, find their official phone number on this list and call them. And if you have fallen victim to this scam, please call your state’s EBT Client ASAP to see if anything can be done.

The Hybrid Paypal Scam

I’ve seen plenty of Paypal-related scams, but this one is the slickest I’ve encountered to date. Pay attention and don’t be fooled if this shows up on your doorstep:

The Scam Arrives

You’ll see this scam arrive either in your inbox as an email, or in your Paypal account as a transaction under Activity.

Email example
from the real Paypal website!

Are you a believer yet? I wouldn’t blame you, because this is not your typical fake-email. This is an authentic Paypal email, and it takes you to the true Paypal website to view a real Paypal invoice! Nothing has been spoofed or faked here. The Paypal invoice can even be downloaded as a PDF from their website. The only lie is what’s shown in the Seller’s Notes field.

What is truly afoot here is that someone’s Paypal account has been stolen and is being used to send payment requests. Paypal calls them “invoices”, and that terminology only serves to make the scam look even more important.

The Two-Fold Danger

You’re at risk from two different directions with this scam. Make sure you don’t get taken by either of these:

  1. The cybercriminal is trying to trick you into paying the bill with a quick click.
  2. The crook wants you to object to the bill and call the phone number listed in the Seller Notes.

For anyone moving too quickly and not thinking enough, #1 quickly puts $500 in the thieves’ pocket. The money will be transferred into gift cards or other untraceable ratholes, and the victim will have a hard time clawing that money back.

#2 leads to a typical remote support scam. If you call the number, you’ll talk to a scammer who will seek to remotely access your computer, steal your money and possibly bork your PC.

In short: do NOT pay this bill, and do NOT call the listed phone number.

What To Do With This Hybrid Scam

First, be very careful as you deal with this. Make sure to avoid any “Pay Invoice” button. It’s safe to view the invoice and other screens in your Paypal account, but you must not accidentally pay the scammer.

Next, much like with an accidental payment scam, you can simply ignore the invoice. Nothing bad will happen if you simply do nothing with this Paypal item. It will sit there inert, until some day when Paypal catches up and removes it.

Alternatively, you can cancel the invoice. Sign into your account at Paypal.com, click on Activity, and select the scam invoice. Right below the blue Pay button, you may safely click on “Cancel Invoice”.

Click Cancel, do not Pay!

Lastly, you may reach out to Paypal support, if you want them to know about the scam attempt. Once you’re logged in at Paypal.com, scroll to the bottom of the site and look for the Contact link. Click it and make use of the Call Us or Message Us options to reach out to them.

Credential Stuffing

The recent compromise of the Seesaw Learning website and app has a lot of people asking me: What is credential stuffing? It’s a good question to know the answer to. Once you get it, you will also know how to keep your online accounts safer.

How Credential Stuffing Works

It begins with cybercriminals attacking and hacking an online website or company. When they gain access, they steal the login info for as many accounts as they can, for that site. They’re looking for a list of email addresses, and the corresponding passwords that are used on that site.

While this starts with the hack of one company, the stuffing happens elsewhere. These thieves are counting on one common tech mistake: People tend to use the same password for all of their online accounts. So if they steal login info from one site, the crooks are hoping those credentials will work on other websites.

These cybercriminals actually have a bit of programming skill. They take their stolen credentials and write a program (bot) to try each email/password combination at the login screen of another website. If they’ve stolen 500 logins or a million, it doesn’t matter. They can set their bots to stuff all of those logins into various other websites, until they get lucky access with someone’s stolen credentials.

What You Need To Do

You cannot predict or prevent this kind of attack, because it is launched against the companies you use. You are not the initial target. But you can protect your other accounts from collateral damage. It’s very simple: Always use a different password with each account you create.

OK, maybe it’s not that simple to do, but it is simple to state. No one likes this advice, because passwords are such a tedious burden to most internet users. But if you can improve your habits and avoid password re-use, then credential stuffing attacks will not affect you as much as other people. If your password is stolen from one website, it will not do the crooks any good when they try to use it elsewhere!

Additionally, turning on 2FA can further protect your accounts against password theft. But not all sites offer 2FA. Using unique passwords remains the best defense.

Coping with Too Many Passwords

Maintaining unique passwords is about as fun as remembering to floss. But it could make a big difference someday. There’s always another big hack about to happen, and you’re going to wake up one morning to find that your bank or your favorite store is involved in the latest tech debacle. That awful cybercrime news won’t affect you as much, if you have good security practices in place.

As you set passwords to online accounts, your browser may recommend unique passwords, and offer to Save them for you. This is a solid tool and fairly reliable. And if you need to know a particular password, you can find it by going into your browser’s options menu and searching for the Passwords List. This is how I manage my 700+ passwords, in Google Chrome and Microsoft Edge.

You might also consider using a Password Manager program, and there are many of them out there. Some are free, some have an annual fee. LastPass, Roboform, Keepass and Bitwarden are some trustworthy password managers.

Using an Excel spreadsheet or a “little black book” is also acceptable. I see plenty of folks using these methods, and I don’t criticize it if it is working well for them.
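To see how far one stolen login would reach, you can audit your own saved passwords. This is an added example, not from the original post: it assumes a password export in CSV form with the columns name,url,username,password, and the sample rows and `.example` sites are constructed.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export; column layout is an assumption (name,url,username,password).
SAMPLE_EXPORT = """name,url,username,password
School,https://school.example/login,pat@example.com,Sunflower!22
Bank,https://bank.example/signin,pat@example.com,Sunflower!22
Shop,https://shop.example/account,Pat@Example.com,Sunflower!22
Forum,https://forum.example/,pat_h,Sunflower!22
Mail,https://mail.example/,pat@example.com,x7#Qe9-long-unique
"""


def load(export_text):
    """Parse the export into host / user / password records."""
    rows = csv.DictReader(io.StringIO(export_text))
    return [
        {
            "host": urlsplit(row["url"]).hostname,
            # Assumption: sites treat the login name case-insensitively.
            "user": row["username"].strip().lower(),
            "password": row["password"],
        }
        for row in rows
    ]


def exposed_by_breach(entries, breached_host):
    """Other sites where a login stolen from `breached_host` works unchanged.

    This is what a stuffing bot tests: the same email/password pair elsewhere.
    """
    stolen = {(e["user"], e["password"]) for e in entries if e["host"] == breached_host}
    return sorted({
        e["host"] for e in entries
        if e["host"] != breached_host and (e["user"], e["password"]) in stolen
    })


def reuse_groups(entries):
    """Groups of sites sharing one password, whatever the username (passwords are not printed)."""
    hosts_by_password = defaultdict(set)
    for e in entries:
        hosts_by_password[e["password"]].add(e["host"])
    return sorted(sorted(hosts) for hosts in hosts_by_password.values() if len(hosts) > 1)


if __name__ == "__main__":
    entries = load(SAMPLE_EXPORT)
    print("Breach at school.example also opens:", exposed_by_breach(entries, "school.example"))
    print("Breach at mail.example also opens:", exposed_by_breach(entries, "mail.example"))
    print("Sites sharing a password:", reuse_groups(entries))
```

An exported password file holds every password in plain text, so delete it as soon as the audit is done.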

Data Breach Phishing Email

Here is yet another example of a phishing email to beware of:

Not actually from Google or anyone trustworthy…

The sender address and bad grammar should give it away. But it still looks pretty convincing, and is closely modeled off of other real Google email messages.

Do NOT call the number. Do NOT reply to the email. Do NOT click the links.

If you receive this, mark this message as Spam, and then Delete it.


I’ll admit, though, I called the number. From an anonymous line. I added a comical 30 years to my voice and fumbled through a call with a scammer.

He pretended to be with Google, and researched my email address (which I made up on the spot). And he insisted to me that I was being hacked and calling my ISP wouldn’t do any good. He tried to convince me that my IP address was compromised, and because IP addresses were unchangeable and assigned for a lifetime, I had to do the needful and let him fix the issue.

Using my regular voice, I called him on his nonsense and he said some bad words and I moved on. Sigh. It’s just another Monday.

Accidental Payment Scams

You should know about the Accidental Payment Scam that can occur through instant money-sending apps, like Venmo, Cash App and Zelle.

What the Scam Looks Like

It starts with an unexpected payment from an unknown person. Your Venmo may pop up and say any number of off-the-wall things:

  • $600 sent for vintage wedding dress
  • $300 recv’d for Adult Svcs Rendered
  • $250 for Imagine Dragons tickets @ Jiffy Lube Live

And then you’ll see some follow-up email or text:

Don’t Do It!

This is a variation of the Overpayment Scam. They’re counting on your moral code to convince you to help them out. And it would be so easy to send that money over to the poor stranger… but hold your horses, because this was no mistake:

What To Do

  • Nothing. The best course of action here is to do nothing. Don’t send this stranger any money. Don’t reply to their messages. You don’t know them, you don’t owe them anything. Not even common courtesy. If you sit still long enough (a few days?), the accidental payment will be reversed or removed.
  • You are also welcome to contact Venmo or your bank (for Zelle concerns). Cash App has some info and contact methods on this site. They may be interested to know about the accidental payment, and they may instruct you on other methods for dealing with it that won’t put your money at risk.

If You Were Tricked

When a person falls for this scam, they believe the messages and send money back to the person in their DMs. They get a big Thank-You in return and some warm Good Samaritan feelings. But those only last a few days and then the nasty surprise comes.

The original “accidental payment” transaction gets flagged as fraudulent, and is reversed. (It was likely made off of a stolen credit card.) That amount is removed from the victim’s account. It is as if it never happened.

The follow-up transaction, where the victim sent money to the stranger, is upheld. That is seen as a wholly separate transaction, initiated by the victim. The bank will maintain that it is completely legitimate. They usually do not reverse those transactions, and that money is gone, gone, gone.

If you were tricked in this way, I am very sorry for your loss. You should still notify Venmo/CashApp/your bank of the fraud, so that they can track the details, and maybe one day make all of this a safer process.

The Microsoft 365 Renewal Scam

This is yet another phishing scam, based on a renewal or subscription you never agreed to:

This email is 100% fiction and fake. There is no purchase or charge. This didn’t come from Microsoft. If you get this message:

  • Do NOT call the number.
  • Do NOT reply to it.
  • Mark it as Spam or Phishing, and delete it.

How to tell it’s a phishing scam? Well, not all are easy to spot, but this one is. Notice that:

  • It was sent from a Gmail address!
  • There are spelling and punctuation errors throughout the message.
  • Even the Microsoft Logo is a bit off.

While this scam message seems laughable, keep in mind that these cybercriminals actually have good reasons for crafting low-quality emails. Bad spelling and other mistakes help narrow down the number of people who will respond and fall for these ploys.

But the next bogus emails could be harder to spot. If you ever have any doubt about your Microsoft 365 subscriptions, just head on over to Office.com. Sign in and go to My Account -> Service & Subscriptions. That’s where you can review everything you’ve bought from Microsoft, as well as prices and renewal dates.

The RV Giveaway Scam

No, you are not going to win a free RV! But when you see posts about this on social media, they are so tempting. Companies with names like Camping & RV World boast about “unclaimed RVs” that they have to give away for free, and the included photos show some beautiful vehicles. But this is one of those too-good-to-be-true situations. You will not win anything. And there is a lot of harm afoot, even if you click Like on the post.

Scam!

How To Spot the Scam?

This gets harder every year, as the scammers study Facebook and other platforms for ingenious ways to conceal their identities. But here are some clues:

  • When you visit a Business Page on Facebook, scroll down to find the Page Transparency section. Click “See All” to get the most details. This will tell you useful info, like the date that the Page was created, and possibly the country of origin. Scam pages often show a very recent date, while known trusted pages have older dates.
  • Regard the About section: Scam pages often have no info here, while legitimate pages will reveal a proper phone number, physical address and website. Do not trust any “tinyurl”, “bit.ly” or “google.sites” addresses!
  • Search on Facebook for the company in question. Take Camping World, for example: they show hundreds of thousands of Likes. Notice that the scammer’s page probably only has a handful of Likes.

Only 32 people? And most of them are other scammers…

The Hazards of This Scam

The first part of the scam is in the first interaction you have with it. If you click Like on or Share the scam, Facebook will promote the scammy post to your friends & family, or to everyone else in your group. It will help it spread like wildfire, or a chain letter. And your endorsement will make the scam look more believable to everyone else!

Next, many of these scams steer you towards marketing websites that promise free money via CashApp. This nonsense will waste your time with survey after survey and form after form. You’ll never get the promised cash, but they will hoover up your information. And sell it to every spammer and telemarketer known to man. If you think you get a lot of spam and junk calls now, just you wait. Participating in these surveys will elevate your spam to nightmare levels!

Finally, these RV Giveaways will “select” you as a winner, and push you into Private Messaging or other non-public communication. And the scammer will prepare to deliver your winnings… but first, they want a delivery fee to be paid. Or some insurance. Maybe a “customs surcharge.” Whatever it is, they’ll make it seem like a trifle, compared with the value of the big thing you’ve just won. But if you pay that fee (through CashApp or wire transfer or gift cards), then you will never hear from them again, and you will not see any RV appear in your driveway.

What To Do

When you encounter this scam on social media,

  • Do NOT click Like. Do NOT comment on it.
  • Report it to Facebook or other social media, as a scam.
  • If posted in a Group, also report it to the admin(s), and ask them to take it down.

© 2022 BlueScreen Computer
