Someday soon your email will have a receipt for something you didn’t buy. It will be matter-of-fact and bland but you’re pretty sure your wife would have mentioned it if she had bought, say, a pair of Louis Vuitton sneakers, so the email receipt stands out.
You’re paranoid and net-savvy so you know better than to click on a link. You know if you click on a poisoned link you’ll be taken to a bogus page that will try to get your mail password and your credit card number and you’ll wake up in an unfamiliar neighborhood with a headache and a bandage over your right side.
But this is odd – there’s no link, just an invoice for a purchase you don’t recognize and something at the bottom that says you have ten days to cancel the transaction, call the support desk at (800) 555-1212.
Do not call the 800 number. The email receipt is a lie.
I’ve seen a lot of them lately, a purchase from PayPal or a renewal of a subscription to WinVPN or a receipt for fur-covered Crocs. Or Norton, for some reason there are a lot of Norton emails. The receipts are for an amount that will get your attention, a few hundred dollars, but not enough that they’re obviously phony. Frequently the invoice will list something obscure, a tech product, say, because the bad guys know you have trouble keeping track of that sort of thing.
The message looks legitimate. Of course it looks legitimate! They’re copies of real emails from real companies. You get the concept that these are bad guys, right? They’re lying liars who are lying to you to steal your money by lying.
Here’s an example that I got last week. The bad guys took a PayPal message and added the number at the bottom for the Scams Are Us phone center and then turned the whole thing into a .JPG. There was no text in the message; the whole thing was just a picture, which is weird.
The new twist of not including a link – you should be flattered because the bad guys are showing respect for you. They know you are a seasoned paranoid web veteran who would never click on a poisoned link. They know you will hover over the link and look at the destination that pops up over the mouse cursor or in the bottom left and your Sherlock Holmes brain will say, J’accuse!, and you will yank the mouse away like the link is poisoned, because it is.
So they don’t put in a link.
Instead the message says to call the 800 number to cancel the subscription, dispute the charge, reverse the purchase, get a refund, abandon ship, reverse the flow of entropy, whatever.
Do not call the 800 number. The email receipt is a lie.
If you call the 800 number – well, you won’t do that because you are smart and strong and you won’t be taken in by such tomfoolery, right? But let’s say your neighbor’s father calls because frankly he shouldn’t be around computers any more but he’s headstrong.
He’ll speak to a nice customer support agent who will be anxious to straighten out the simple misunderstanding and may I just confirm the credit card number used for the purchase, sir, ah, yes, that matches, and if I can double-check your name and the expiration date and security code and billing address, well, that all checks out, okay, that charge has been reversed, thank you so much sir and enjoy your day, although you might not enjoy tomorrow quite as much as today, sir, after your bank calls with a few questions, adieu bonjours byebye!
Maybe it’s a different pitch. Absolutely, sir, we can reverse that charge but to do it safely and securely I will need to connect to your computer remotely so we can log into your bank and I can lead you through the process and, my goodness, sir, are you aware that you do not have security software running on your computer, a bad guy could damage your computer, oh, yes, what a shame that people like that are out there, look at these disturbing errors in your Event Log, I can install a modern security package for only $299 and you will be fully protected and by the way would you like an inflatable motorcycle?
The bad guys want to get you on the phone. Oh, you might still get messages with poisoned links or the latest twist, attached .HTM files, a format that displays something that looks like a login screen but doesn’t have the giveaway address at the top for https://criminal.rus or the like. You won’t type in your password because you have electrodes attached to your nether regions that give you a painful shock whenever you type in a password, right? If it even occurs to you to type in your password anywhere that you are not 100% confident about, do yourself a favor and get the painful nether region electrodes and hook them up. Trust me – they’re less painful than getting hacked because you gave away your password to Ivan Hackerovski.
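The traits described above (a body that is nothing but a picture, a billing lure with a phone number and no link, an attached .HTM file) are things a mail filter can check for mechanically. The sketch below is an added example, not part of the original article; the function names, keyword list and sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

LINK_RE = re.compile(r"https?://|href\s*=", re.I)
# Any 10-digit North American number; the article stresses the prefix is irrelevant.
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
LURE_RE = re.compile(r"\b(invoice|receipt|renewal|subscription|charged|cancel|refund)\b", re.I)

def callback_phish_signals(raw):
    """Return the list of structural warning signs found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    texts, images, html_files = [], 0, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith((".htm", ".html")):
            html_files.append(name)            # attached page posing as a login screen
        elif part.get_content_maintype() == "image":
            images += 1
        elif part.get_content_maintype() == "text":
            texts.append(part.get_content())
    body = " ".join(texts)
    visible = re.sub(r"<[^>]+>", " ", body).strip()   # drop HTML tags
    signals = []
    if images and not visible:
        signals.append("image-only body")
    if not LINK_RE.search(body) and PHONE_RE.search(visible) and LURE_RE.search(visible):
        signals.append("billing lure with phone number and no link")
    if html_files:
        signals.append("HTML attachment")
    return signals

def build_samples():
    """Constructed test messages, not real mail."""
    img = EmailMessage()
    img.set_content('<img src="cid:inv">', subtype="html")
    img.add_related(b"\xff\xd8\xff constructed", maintype="image", subtype="jpeg", cid="<inv>")
    txt = EmailMessage()
    txt.set_content("Invoice: you were charged $349.99. To cancel call (800) 555-1212.")
    htm = EmailMessage()
    htm.set_content("Statement attached.")
    htm.add_attachment("<form>password</form>", subtype="html", filename="statement.htm")
    ok = EmailMessage()
    ok.set_content("Your receipt: https://shop.example/orders or call 800-555-0100.")
    return {k: m.as_string() for k, m in
            {"image": img, "text": txt, "html": htm, "benign": ok}.items()}

if __name__ == "__main__":
    for label, raw in build_samples().items():
        print(label, callback_phish_signals(raw))
```

These are triage signals for a quarantine or warning banner, not a verdict: the image-only case cannot read the phone number inside the picture without OCR, and legitimate receipts can trip the keyword check.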
Where was I?
This scam isn’t always run by email. The Washington Post reported recently that you might get robocalls or text messages trying to get you on the phone:
One of the top phishing schemes relates to Amazon. For example: “Thank you for shopping with Amazon. Your Visa debit card has been charged for an Apple iPhone 11 for $999, and it is ready for shipment. To cancel the purchase, press one. To confirm the dispatch, press two.”
Or perhaps you’ve heard this one: “This is a transaction alert call on your credit card. There have been two suspicious transactions: one for $499 on eBay and the other for $3,500 on Western Union. If you have made these transactions, hang up to authorize the charges. If you wish to stop the charges and report fraud, please press one immediately.”
Once you press one, scammers will then ask questions to access your personal information.
You are smart and personable and I love you deeply and you know that when I say “800 number” it is an example and the number might be an 844 number or an 855 number or any freaking phone number, the phone number isn’t the point, the point is that the world is full of liars lying to you because they are liars. You knew that. I’m only mentioning it in case you forward this article to your aunt because she has issues and I want this to be crystal clear.
Be careful out there!