Archive for Scam

A Follow Up To The Email #Scam That Claims That You Did A Hit And Run

Posted in Commentary with tags on July 29, 2021 by itnerd

I recently posted a story on an email scam that claims that you did a hit and run and that you needed to call a number to sort things out. Which means that you’re handing over money to a scammer. Well, the same person who tipped me off to this scam got another email from the same scammers. But the email is different. Let me show you the email:

Let’s dissect this scam email:

  • Even though I redacted the email address, it comes from a gmail.com account. No business would use a gmail.com account. That’s your first hint that this is a scam.
  • The email uses the recipient’s name. So it is targeted.
  • The English is pretty bad. Another hint that this is a scam.
  • The name of the insurance company has the word “Insurance” twice. #Fail.
  • The date of the supposed accident in the subject line is different than the date in the body of the email. #Fail
  • They threaten to send your info to the cops. Which is meant to make you call them.

And just like the last scam email, my attempt to call the number (which is different than the last scam email that I wrote about) to find out how they perpetrate that scam while blocking the number that I was calling from failed with an immediate hang up. So this suggests that this is from the same group of scammers as they clearly want to grab your number.

The bottom line is this. Clearly this scam is an active one. You need to keep your eyes open to make sure that you don’t become a victim. Thus if you get one of these emails, delete it from your inbox and move on with your day.

A New #Scam Claiming That An Insurance Company Has Evidence That You Did A Hit And Run Is Making The Rounds

Posted in Commentary with tags on July 27, 2021 by itnerd

Another day, another scam. Such is life at the moment. This scam starts with an email that hits your inbox claiming that you did a hit and run and they have evidence of that. And if you do not call them, they will rat you out to the authorities. Here’s a copy of the email that was forwarded to me:

Here’s why this is a scam:

  • The grammar is rather bad. Typically this is the first clue that this might be a scam.
  • While I did redact the sender’s email address, it was a gmail.com email address. No business would ever use a gmail.com email address.
  • If you look at the section where they give you a number to call, it says “= +” right before the phone number. Clearly a typo.
  • The date of the alleged incident is 9/12/2021. As I type this the date is 7/27/2021 which means that somehow this accident occurred in the future.
  • It encourages you to phone or they will rat you out to the cops. Which I am guessing that the scammer is hoping that you’ll call to say that this isn’t you. Which in turn they will badger you into paying up after sucking up your personal information.
  • A Google search indicates that LLP Insurance is a real Insurance company located in the Greater Toronto Area. But not with a number that starts with 313. However, searching the phone number indicates that this number has been used in scams previously.

So I will give the scammers points for using a local insurance company to front their scam. And I will also give them points for trying to use the name of their potential victim to social engineer their way into getting paid. But in the interest of trying to further figure out what these scammers were up to, I did try to phone the number using a call display block and I did get some upbeat elevator music. But then the call hung up. Likely because I was blocking the number that I was calling from. I suspect that the scammers want to capture the number that you’re calling from so that they can harass you into paying them.

In any case, this is clearly a scam that you need to avoid. Thus if one of these emails hits your inbox, delete it and go about your day.

WARNING! A New Text Message #Scam Involving TD Bank Is Making The Rounds [UPDATED x3]

Posted in Commentary with tags on July 13, 2021 by itnerd

If you are a TD Bank customer, you need to pay attention to this scam that hit my iPhone a few minutes ago.

Now I have redacted my phone number. But I left the scammer’s number in place so that you can compare it if you get this text message. The big hint that this is a scam is that it states that “Your Debit Card starting with ‘4724’ has been flagged and disabled for further use.” Ignoring the bad grammar, every TD debit card starts with ‘4724’ which makes this a pretty generic phishing attempt. The one thing that I have to point out is that while most people will ignore this, there are a few who will fall for this. Because a scam doesn’t have to be successful in volume to be successful.

In the interest of science, I replied Y to see what happened next. But I did not get any response. If I do, I will let you know. But in the interest of shutting these scumbags down, I sent this to TD via Twitter:

To their credit, TD replied pretty quickly:

I sent the email that they requested with the screen shot above. Hopefully TD can shut these scumbags down. In the meantime, keep your head on a swivel so that you don’t fall victim to a scam like this.

UPDATE (9/6/2021): I got reports over Labour Day weekend that this scam is still very much active as people contacted me on Twitter with screen shots of the scam in action:

I brought this to the attention of TD on July 13th and I submitted all the info that they requested on that date. It’s clear that TD hasn’t shut this scam down. Thus I am afraid that it’s up to TD customers to protect themselves as clearly TD can’t protect them from this scam. This was reinforced by this reply from TD when I brought it to their attention again:

TD has the information as I gave it to them when they requested it back in July. They clearly haven’t done anything more than “monitor” this. I pointed this out in a reply, and TD replied to me soon after:

That’s bad news for TD customers as clearly TD hasn’t got their back. And based on these replies, the person behind their Twitter account clearly doesn’t get how serious this is.

UPDATE #2: Clearly I am not alone in feeling that TD isn’t trying hard enough to stop this scam.

And seeing that this story is now getting dozens of hits an hour on a holiday weekend, I am guessing that TD’s image as a bank that their customers can rely upon is going out the window very quickly.

UPDATE (1/17/2022): Over the last few days I noticed that the page views for this story have skyrocketed. Thus it seems that this scam is still alive and well based on these comments:

This reinforces the fact that TD Canada Trust hasn’t got your back as you would think that they would want to shut down any attempt to scam their customers. But that clearly isn’t the case here as they either can’t or won’t shut this scam down. Thus if you’re a customer of TD Canada Trust, it seems that you’re on your own in terms of protecting yourself.

A Netflix Scam Is Making The Rounds

Posted in Commentary with tags on July 6, 2021 by itnerd

Another day, another scam. This time it’s someone going after Netflix customers trying to steal their payment details. Here’s how it works. It starts with an email that looks like this:

Looks official right? It’s not. If you look at the reply to address, it’s not from netflix.com. Thus that’s your first tip that this isn’t legit. But if you want more proof, how about this?:

The email address it came from is the same as the reply to address. Further validating that this is a scam.

At this point if you get one of these emails, you should just toss it in the trash and move on with your life. But in the interest of finding out what these low life scumbags are up to, I decided to play along. This is what I got:

Wow… This looks totally legit…. All you need to do here is enter your credit card details and you’re good to go. And it never asked you for your username or password first. It’s a very low tech scam if I may say so. The first hint that this is a scam is the fact that the website isn’t Netflix.com as indicated by the circled area. Though they do use SSL security as evidenced by the padlock on the left of the circled area, because even scumbag scammers can’t be too careful. In fact the website address is the biggest hint. Clearly the scumbags behind this didn’t put a whole lot of effort into this. But then they don’t have to. If only 1% fall for it, then it is worth their while.

Bottom line: If you get one of these emails, delete them.

Beware! A New Email Scam Involving CIBC And Norton LifeLock Is Making The Rounds

Posted in Commentary with tags on June 21, 2021 by itnerd

You need to keep your eye out for a new scam involving CIBC which is one of Canada’s biggest banks. It will show up in your email and look like this:

But if you look at the email address, this is a scam:

In the interest of science, I decided to click the link to see what happens:

It appears to try to redirect you via what looks like a Norton LifeLock site to what looks like a CIBC website. But it isn’t. If you look at the top left hand corner you see that it doesn’t come from Norton LifeLock. And I am pretty sure that I am not going to end up at a CIBC website.

Sure enough, I am not at a CIBC website. Look at the URL that I have circled. That’s not CIBC as it ends in “ug”.

So what is the scam? It’s trying to get your online banking credentials so that cybercriminals can steal the money in your bank accounts. And it is using Norton LifeLock to gain your confidence. Someone went through a lot of trouble to set this up. Which means that you need to be really on your toes to avoid scams like this. And it’s a safe bet that similar scams involving other Canadian banks exist. So keep your eyes out for them and delete any emails that you get that look like the ones above.
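The checks from the Netflix and CIBC posts above (the sender and reply-to addresses, and the address of the site the link goes to, don't belong to the company), plus the gmail.com check from the hit and run posts, written out as an added Python example that is not from the original posts. The message, addresses and links are constructed, and the brand domain table and free webmail list are assumptions for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for illustration: domains each brand really sends from and links to.
BRAND_DOMAINS = {"netflix": {"netflix.com"}, "cibc": {"cibc.com"}}
# Assumption: a short sample of free webmail providers, not a complete list.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}


def address_domain(msg, header):
    """Lowercased domain of the address in `header`, or '' if missing/malformed."""
    value = msg.get(header)
    if value is None:
        return ""
    addr = parseaddr(str(value))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def belongs_to(host, allowed):
    """True only for an allowed domain or a true subdomain of one.

    A plain substring test would accept 'netflix.com.billing-update.example',
    so the comparison is anchored at the right-hand end of the host name.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


class LinkHosts(HTMLParser):
    """Collects the host name of every <a href> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        try:
            host = urlsplit(dict(attrs).get("href") or "").hostname
        except ValueError:  # malformed URL: nothing to compare
            host = None
        if host:
            self.hosts.append(host)


def check_message(raw, brand):
    """Return (finding, domain) pairs for a message claiming to be from `brand`."""
    allowed = BRAND_DOMAINS[brand]
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    sender = address_domain(msg, "From")
    if sender in FREE_MAIL:
        findings.append(("from_free_mail", sender))
    elif not belongs_to(sender, allowed):
        findings.append(("from_not_brand", sender))

    reply_to = address_domain(msg, "Reply-To")
    if reply_to and not belongs_to(reply_to, allowed):
        findings.append(("reply_to_not_brand", reply_to))

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        parser = LinkHosts()
        parser.feed(body.get_content())
        for host in parser.hosts:
            if not belongs_to(host, allowed):
                findings.append(("link_not_brand", host))
    return findings


# Constructed sample message; every address and URL below is made up.
SAMPLE = "\n".join([
    "From: Netflix <billing@netflix-support.example>",
    "Reply-To: billing@netflix-support.example",
    "To: customer@example.org",
    "Subject: Your membership is on hold",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<p>Please update your payment details.</p>",
    '<a href="https://netflix.com.billing-update.example/pay">Update now</a>',
    '<a href="https://help.netflix.com/">Help Centre</a>',
])

if __name__ == "__main__":
    for finding, domain in check_message(SAMPLE, "netflix"):
        print(f"{finding}: {domain}")
```

The link that starts with "netflix.com" is still flagged because the part of the address that counts is the end of the host name, not the beginning.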

UPDATE: CIBC reached out to me to say this.

Fraudulent Text Messages About COVID-19 Test Results Making The Rounds In Toronto

Posted in Commentary with tags on June 2, 2021 by itnerd

Yesterday I noted something on my Twitter feed that was frankly disturbing. It was a series of Tweets from Toronto Public Health:

Now, here’s some facts so that you don’t fall victim to this scam. (Kudos to a friend of mine who works for Toronto Public Health for this info). Text messages from Toronto Public Health will be from 77000. So if you get a text claiming to be from Toronto Public Health from any other number, it’s likely fake. And if you do get a text like this, don’t share any information at all.

I am not sure what low life scumbag is doing this. But this is unacceptable and I hope that the police hunt them down and throw them into the deepest darkest hole that they can find.

A Facebook Scam That Steals Your Facebook Credentials Is Making The Rounds At The Moment

Posted in Commentary with tags on May 23, 2021 by itnerd

It may be a long weekend in Canada, but there’s a Facebook scam that seems to be making the rounds at the moment. And this one is kind of nasty based on interacting with a client of mine who was affected by this scam. Here’s how it works.

It starts by you receiving a message in Facebook Messenger from one of your Facebook friends with a link to what looks to be a YouTube video. But it isn’t a YouTube video. Instead it is a link that tricks Facebook users into clicking a link to a video. The video will often have some variation of “Is this you?” or “Did you make this video?” in the description to pique your interest. If you click on the link, you’ll be taken to a fake Facebook login page with a message about confirming your information before you can access the video. Here’s what it looked like when I tried this on a burner Android phone that I had lying around:

Now if you’re paying close attention to this login prompt, you’ll see right off the bat that this is fake. Not only does it not look right due to the website address not being from facebook.com for example, but Facebook has zero need to re-authenticate you in a manner like this. At this point the scammers not only have access to your account, but from what I can tell they also take your entire friends list and use it so that they can send this scam to others.

Here’s where it gets really nasty. There is also the possibility that you will get bombarded with offers varying from VPN services for sale to “free” phone deals that require you to pay shipping and handling. Which I assume are ways to grab your credit card details. Though part of me wonders if this is meant to buy time for the scumbags to use the info that they’ve harvested to perpetrate the scam.

And it doesn’t stop there.

While this is not an “infection” from a computer virus perspective, the video scam only works by tricking someone into revealing their Facebook login credentials. And as far as I can tell, you can’t have your Facebook credentials stolen simply by clicking on the link and not entering anything. But based on my research, it is possible that an affected Facebook account can be cloned. Thus this would keep this scam going as the cloned account would be purporting to be you and sending out these messages to trick others into giving up their Facebook credentials.

Nasty.

So what if you get one of these messages in Facebook Messenger? Do not click on anything, delete the message and inform the person outside of Facebook that their Facebook account might have been compromised. That’s great if you haven’t clicked on anything. But if you have clicked on the links, and handed over your Facebook credentials, then time is of the essence. Get into your account as soon as you can (without clicking on any links that anyone just sent you!), assuming you can still access it, and change your password right away so the old password is useless to the criminals. These instructions will help you with that. Then you should force logout all devices that are associated with your Facebook account as this will stop the scumbags behind this attack cold. These instructions will help with doing that. You will then have to log into Facebook again from all your devices with the new password.

One thing that will protect you from this attack scenario is to use 2FA on any account you can. Adding a second factor of authentication means that the crooks can’t phish your password alone and then access your account. 2FA is a minor inconvenience to you, but a major roadblock for scumbags like the one behind this scam. This article from Facebook explains what 2FA is and how to turn it on. You should give it a read and consider utilizing 2FA.

Finally, if the scammers have already taken control of your Facebook account, you’ll need to go through Facebook’s account recovery process to regain access. In the case of this client, she recognized that she got scammed and quickly reached out to me so that I could help her to keep control of her Facebook account. Fortunately I was available, but I shudder to think what would have happened if I wasn’t.

Unfortunately the scams don’t stop coming. But as I trip over them, I’ll publish the info here and let you know how to protect yourself from them.

Keep An Eye Out For The Visa Security Phone Scam

Posted in Commentary with tags on May 22, 2021 by itnerd

I have become aware of a new scam that is phone based, but quickly migrates to your computer if you fall for it. Here’s how the scam works:

  • You get a phone call and you hear a recorded voice (though I have heard instances of a live person doing the same thing) claiming to be from “Visa Security” claiming that you have two charges that are suspicious. One is from Amazon. The other is from International Gift Card Company. Which is a company I have never heard of. Though I have heard that eBay and other companies have been referenced in the scam.
  • You will be then asked 1 to accept these charges, or 2 to dispute them.
  • Regardless of which option you choose, you will be connected to a human who will pretend to verify some info. Then you will be instructed to power on your computer and grant them remote access so that they can “review” your transactions online.

Here’s why this is a scam:

  1. Visa as a company will never, ever call you. That’s because it’s your bank’s responsibility to hunt down fraud and not Visa’s. So if you are getting a call from Visa (or MasterCard for that matter), hang up.
  2. Calls of this sort are never, ever automated.
  3. Nobody will ever require remote access to your computer to investigate credit card fraud.

Now this isn’t the only form that this scam takes. Here are a few other versions of the scam that I am aware of:

  • Call-back request: The caller may ask you to call the 1-800 number on the back of your card to prove to you the call is legit. When you hang up, however, the call is not immediately disconnected because there is a 5 to 25 second disconnect delay on landline calls in Canada. To really fool you, the caller even plays a recording of a dial tone to make you think you are placing a new call but, the scammers are still on the line. When they “answer” your call, they redirect you to an imposter who may ask you to transfer funds to an external, supposedly “safer”, bank account (that belongs to them) while the “investigation” is taking place. To protect yourself, physically hang up your phone and then either use your cell phone to call the number on the back of your card, or wait five or ten minutes before calling the number on the back of your card.
  • Information Verification Request: To verify that they are speaking to the right person, the caller recites your home address (correctly) and says you can call the 1-800 number on the back of your card later if you have questions. Finally, they ask you to prove that you are in possession of the credit card by asking you to read out the card number, expiry date, and the three- or four-digit CVV (Card Verification Value) security number on the back of your card. After you do this, they respond that you are correct, thank you and hang up. And you have just been pwned. I should note that sometimes the scammers already have the card number and the expiry date and they simply need the CVV number from you. To protect yourself, never, ever hand over any credit card info over the phone to anyone that calls you out of the blue.
  • Investigation-assistance request: Other victims are asked to “help” catch the criminal by accepting a deposit and transferring it on to another account. The deposit, however, is fake. Which means victims end up transferring their own money to the scammers. To protect yourself, never agree to be part of any “investigation” and never transfer money to anyone that asks you to do so.

Like always, you need to keep your eye out for these scams as they can really hurt if you get caught up in one. But if you have any doubt, simply hang up and move on with your day. It’s better to do that than to be taken advantage of.

A Follow Up To The Senior Who Was A Victim Of A Tech Support Scam

Posted in Commentary with tags on February 19, 2021 by itnerd

Earlier this week I detailed the story of a senior who fell victim to a tech support scam. These sorts of scams infuriate me as they target people who don’t know any better, or in this case they target people who are unable to defend themselves. Now there is good news, some areas for concern, and some bad news to report.

  • Let’s start with the good news. I did a second examination of her computer and found nothing “bad” on her computer and it appears to be working fine. Thus I have to assume that after the scammer installed the remote access software, they put on “a dog and pony show” to convince her that her computer had serious issues.
  • Now to the areas of concern:
    • She got a phone call from what sounds to me like an automated system saying her credit card had two charges put on it and she mentioned something about having to press one or two to approve or reject the transaction. She was unable to really give me a better description than that. So I recommended that she call or visit her bank and have them review her transaction history with her to make sure that they did not somehow get her credit card details.
    • One concern of mine was that they might have stolen documents and files off her computer. The remote access software had no logs for me to look at. So I am unable to answer that question and the possibility that she might be a victim of identity theft might still be on the table.
    • The bad news is that she didn’t have call display, and any other details that she provided to me were on the scant side. So I am unable to report this to the relevant authorities (more on that in a second) as there is simply not enough for them to work with. Thus these scumbags continue to roam free without having the relevant authorities hunting them down, or yours truly naming and shaming them.

One other thing, the scammer did call back. But she hung up on them and avoided engaging with them.

So that leads me to what you should do if you encounter this scam.

Fact: Microsoft, Apple, or Google would never call you to say that your computer is broken and it needs to be fixed. And I do mean NEVER. The exception might be your ISP as there’s a minute possibility that your ISP would call you if your computer has been infected with malware that could be sending out something from your computer. If a caller claims to be from your ISP, ask for the caller’s name, where his or her office is located, and for the office telephone number. Ask why you’re being contacted by telephone, what the issue with your computer is and how the ISP could tell it was your PC specifically that had a problem. If a call sounds legit, hang up and call the ISP yourself, then ask for the tech support department or for the person who called you specifically. Use a phone number listed on your ISP’s website or on your bill, not a number that the caller gave you. That way, you could confirm or deny if this is legit.

Now, if you get a call from a scammer, the best way to deal with them is to hang up. That’s it. Hang up and move on with your life. You can’t get scammed if you do not engage. But let’s say you did actually fall for this. You need to act fast. First, shut down the computer. Then do this:

  1. First download and install legitimate antivirus software. Then, run a scan to see if anything has been left behind. Then change the passwords on the user accounts on your PC. You don’t have passwords on the user accounts? You should precisely for this reason. If you don’t feel comfortable doing any of these items, call an IT expert for help.
  2. If you gave the scammer your credit card number, then you really need to act fast. Call your credit card provider and either reverse the charges or cancel the card. Then you should also contact one of the three credit-reporting agencies. Namely Equifax, Experian or TransUnion and ask them to place a free 90-day credit alert on your file. For the record, Experian doesn’t operate in Canada but the other two do. The agency you contact will alert the others and you’ll be notified if someone tries to do something in your name.
  3. Report it. Microsoft has a Web page dedicated to reporting tech-support scams. The U.S. Federal Trade Commission has a website for fielding complaints, while the Canadian Anti-Fraud Center is the place to go if you’re in Canada.

As you can see, getting hit by a scammer is not a trivial matter. You need to be on your toes to avoid this sort of thing. If you are, then you should never have to worry about the negative effects of being scammed. I’ll continue to document these sorts of scams, and where possible I will name and shame the scumbags behind them. Plus I will provide details so that hopefully you will never be a victim.

I Find Myself Involved In Dealing With Another Tech Support Scam

Posted in Commentary with tags on February 17, 2021 by itnerd

Frequent readers of this blog know that I have documented a couple of tech support scams in the past. For those who are not familiar with this scam, someone calls claiming to be from Microsoft or Apple, or perhaps an ISP, claiming that your computer is broken in some way. They will then convince you to connect to them remotely so that they can control your computer and fix whatever problem they claim you have. While doing this, they will ask you for a credit card number at the very least, or at worst they will steal information off your computer so that they can commit some form of identity theft. And that doesn’t take into account the possibility that they will simply trash your computer in some way. Clearly these guys are scumbags and I truly feel that they are the lowest forms of life on Earth that need to be exterminated.

In any case, this past Monday I got an email from a 90 year old client of mine with cognitive issues who got one of these calls and completely got sucked into letting them connect to her computer and do their evil work. I dropped everything that I was doing and raced over there to see what damage was done after telling her to turn off the PC.

Upon arriving at her home, I interviewed her to find out what the sequence of events was. She apparently got a call from the scammers who were claiming to be from Microsoft and over the next half hour she fumbled her way to getting them connected to her computer. During that process the scammers got frustrated and abusive, which from my research isn’t a surprise as they want to get in, scam you and get out as quickly as possible. Then for the next hour they showed her all the “errors” that her computer had. Then they made an appointment for the next day to fix all these “errors”. But due to her cognitive issues, she couldn’t give me many details. So I went about investigating her PC to see if I could figure out what they did.

I’m going to stop here for a moment and rant for a bit because scams like this make me very, very angry. Because of her cognitive issues, she’s the perfect target for this sort of scam. I say that because according to her she has a “Microsoft” computer and from her perspective if someone from “Microsoft” calls her to help her, she should listen to them and do what they say. I’ll explain why that isn’t true in a bit. And because of her cognitive issues, I can’t get the usual amount of information for me to hunt down the scumbags behind this and expose them to the world. Which means that the people behind this one might have gotten away with this. The key word being might as I will do everything in my power to figure out who these scumbags are and expose them for what they are.

In any case, from what I can tell, they had the client download a piece of software called AnyDesk which is a commercially available piece of software that is typically used for remote access by IT help desks to help people in a company or for individuals to access a computer in their office from home. Using commercially available software is pretty typical behavior for these scammers as it adds some legitimacy to their scumbag activities and is not going to get flagged by antivirus software. I found a copy of AnyDesk in her download folder, and combined with some notes that she took and a Windows 7 (as she runs Windows 7) virtual machine, I was able to reverse engineer what they did to connect.

When you first run the application, you see this:

In the top left you will see a number which is 511 553 741. This is the code that the scammers use to connect to her computer from their copy of the software. I know this because on her notes, there was a set of numbers that I am guessing that she wrote down and then repeated to the scumbags.

The next box of interest is the “Set password unattended access…”. On her notes, I saw “can12345” which is not the most original password that I have seen. But I assume that this is meant to set up her computer so that they can come into the computer, look around and steal stuff at will assuming the computer was on. I also noted that they had configured the program to take total control of the computer and do anything they wanted.

The final box of interest is the “Install AnyDesk” box. I am going to guess that once the scammers connected, they pressed this button so that AnyDesk would be live and connected to the Internet without requiring a user to do anything. To make sure that they couldn’t do anything on that front, I uninstalled AnyDesk. I also examined the computer in a variety of ways and found no evidence that they did anything else. No backdoors, no viruses, nothing. Though I am going to be doing a second look at the computer today to make sure that there are no other issues lurking to cause trouble. But based on my initial look at her computer I think that they might have done some sort of “dog and pony show” to make her think that there were major problems with her computer and to suck her into letting them do more.

One thing that really got my interest is that they did not ask for her credit card details or her banking info. This is strange as when I typically come across these scams, the scammers try to get these details up front. I can only see three possibilities for this:

  • They were going to get these details in their appointment that they scheduled for the next day. Which I told her to hang up on them when they called.
  • They were looking for details for identity theft.
  • Both of the above.

When I examine her computer again today, I will take a second look for evidence of any of this. I will post an update with what happens. But in the here and now, let me give you some advice in terms of avoiding being a victim of one of these scams. When I covered previous tech support scams that I investigated, I posted this advice which is still true today. But if you take away nothing else from this, remember that you will never, ever get a call from Apple, Google, or Microsoft to fix your computer. It will not happen. Thus if you get a call like this, hang up. That is guaranteed to make sure you are not a victim.

Expect a further update on this later today. As mentioned above, I am taking a second look to see if these scumbags did anything else, and I will be trying again to see if I can identify who they are so that I can name and shame them.