I just paid $715.15 for a five-year subscription to McAfee Total Protection that covers 20 devices. At least, that’s what a stranger would have me believe.
Also: Stop paying for third-party antivirus software. Here’s why
The news of my transaction came in the form of an email sent to my personal account, with a PDF file attached. This is what the attachment looked like.
This fake invoice is convincing enough to fool an unsuspecting recipient.
Screenshot by Ed Bott/ZDNET
That “receipt” looks official, doesn’t it? Especially to an inexperienced person who doesn’t have the expertise to spot the telltale signs of a scam. You’ve probably seen similar phishing emails, congratulating you on your purchase of a subscription to McAfee or Norton Internet Security or some other brand that’s familiar to consumers.
The amount of the alleged transaction is often high enough to alarm you. And if you don’t realize it’s a scam, your first reaction is to pick up the phone and call the toll-free number on the invoice to explain that it’s all a mistake and that you never ordered those products and ask them to please cancel the charge.
How the scam works
So what happens if you call the number on that receipt? Thanks to an affidavit filed as part of a case in a U.S. federal court. In the Southern District of Mississippi, we now have a detailed account of this scam in operation. (Thanks to Seamus Hughes and his excellent Court Watch Newsletter for the link.)
Also: AI-powered phone scams look very real. Do these 5 things to protect yourself and your family
The affidavit’s author is Martez Simpson, a special agent with the U.S. Secret Service, who described how the victim was robbed of nearly $11,000. Agent Simpson even managed to speak to the recipient of the funds, an Indian national who was angry that the feds had seized his cryptocurrency account under a court order.
The victim, a Mississippi woman, is identified only as V1 in the affidavit. After receiving the phishing email, she called the phone number and spoke with a person who claimed to be a McAfee employee (needless to say, it was a McAfee employee). That person, referred to by the Secret Service as an unknown individual (“UI”), convinced the victim to install software that allowed the criminals to access her computer.
Using command line inputs, the UI convinced V1 that instead of the $723.64 that the email had indicated had been incorrectly taken out of his bank account, his bank details indicated that an amount of $77,723.64 had been refunded. The UI informed V1 that because the incorrect amount had been refunded to the account, V1 needed to physically withdraw the money from the bank and deposit it into a Bitcoin ATM.
(As Agent Simpson notes in a footnote, it’s possible that more than one person was involved in pulling off this scam. And if this story sounds familiar, it may be because several of the plot elements are central to the film. Beekeeperstarring Jason Statham, now streaming on Amazon Prime).
The victim was apparently convinced that this McAfee employee had access to her mobile phone and email account and that the only way to regain access was to follow his instructions. She withdrew $15,000 in cash from her bank account, and then, while still on the phone with the foreign criminals, went to two separate Bitcoin ATMs and converted nearly $11,000 of that cash into Bitcoin. She then emailed the Bitcoin tracking codes to a Gmail address provided by the criminals, who responded with a pair of QR codes that the unfortunate V1 used to transfer the funds to a Binance wallet controlled by the crooks.
There is no indication in the affidavit of what happened next, but it is likely that the bad guys simply hung up the phone. After all, they had their funds and no longer needed to continue pretending with the victim.
Also: NSA recommends turning your phone on and off once a week: here’s why
After the bank told the victim that he had been scammed, they called the Secret Service, who were able to trace the funds using blockchain analysis. They convinced Binance (who held the wallet) to freeze the $29,788.29 in that account while they went to court to recover those funds. That’s when the owner of the wallet, “Azmi,” contacted the Secret Service to find out why his account had been frozen.
According to Agent Simpson, “Azmi insisted that he did not know these people and insisted that he was just a trader. I believe Azmi was using the conversation to ‘fish’ for information about the frozen account and to get better at this type of cryptocurrency scheme.”
Good luck with that, Azmi.
Other variants of a common scam
Your first reaction to this story is probably something like, “Who would fall for this kind of crazy scheme?” The answer is: a lot of people. They usually respond to one of two universal motivators, fear or greed. The Federal Trade Commission calls them “imposter scams” And what they have in common is that the person trying to take your money wants to convince you that they are working for someone you trust: a big company like Amazon or PayPal, a government agency like the FTC, or perhaps your bank or credit union.
Also: How to find and remove spyware from your phone
There are many variations beyond the fake McAfee receipt. You may receive a phone call, supposedly from Amazon or your bank, warning you about “fraudulent transactions.” You may also receive a fake antivirus warning telling you that your computer is infected and that you should call immediately to remove the virus.
Countless examples can be found of people who were scared and responded to these scams, such as This woman from Pittsburgh who lost $10,000 after receiving a fake virus warning. He called the number in the pop-up message and spoke to a man claiming to work for Microsoft. The thieves said his bank account had been compromised by a gang of Chinese child pornographers who were going to keep his money unless he transferred it using a Bitcoin ATM.
Even sophisticated people can get caught up in a money-moving scheme that, in retrospect, seems absurd. Take the case of Charlotte Cowles, who is not a senior citizen and writes a financial advice column for New York She handed over $50,000 in cash to a gang of thieves who claimed to work for Amazon, the Federal Trade Commission and the CIA. They convinced her that her identity had been stolen and that they could help her avoid money laundering charges. Her bank tried, unsuccessfully, to point out that she was likely the victim of fraud.
What should you do?
The people who carry out these online scams do it day in and day out. They are skilled in social engineering techniques designed to make their potential victims feel anxious and scared. The best way to fight back is to avoid getting involved altogether. If you are helping an unsophisticated friend or family member, here are some tips you can offer them.
1. Trust your instincts
One of the common threads in every story I’ve read about an online scam is the victim’s rueful comment: “I should have trusted my instincts.”
If something seems wrong, it probably is. The smartest thing you can do when you receive a suspicious, unsolicited email is to simply delete it. If you get a pop-up warning you that your computer is infected, press Ctrl+W (Command+W on a Mac), which is the universal shortcut for closing a tab. Press Ctrl+Shift+W (Command+Shift+W on a Mac) to close all tabs.
2. Keep calm
Every online scammer has a script full of dire scenarios to convince you that you are in danger and that you must act immediately to avoid losing money or being arrested. The world doesn’t work like that. There will be plenty of time to call your bank or credit card company later. Don’t panic.
3. Do not dial the number that appears in that email or pop-up window
The goal of a phishing attack is to trick you into talking to someone who isn’t who they say they are. If someone sends you a message trying to convince you they’re from Amazon, Apple, Microsoft, or McAfee, they’re probably lying. If they claim to be from your credit card company, call the number on the back of your card or your printed bank statement and ask to speak to someone in the fraud department.
4. Keep your personal information private
No contact from a legitimate company will ever ask you for your password, PIN code, or credit card account details. If they start demanding that information, ask them a few questions, such as what your account number is and what the last four digits of the card they have on file are.
And if they can’t answer, well, that says something, doesn’t it?
5. When in doubt, hang up and call someone you trust.
Once a scammer has you on the phone, regardless of who initiated the call, you should know that their goal is to create panic and paranoia. The best antidote? Talk to a trusted friend or family member. Or call your bank or credit card company! Unfortunately, they have a lot of experience with these types of scams.
6. Oh, and if anyone tells you to go to a Bitcoin ATM, it’s a scam.
Legitimate organizations do not ask you to send them Bitcoin deposits or gift cards.
If you don’t believe me, Just ask the FTC.
This article was originally published on July 15, 2024. It was last updated on August 17, 2024.