Just last week a friend of mine who reads this blog said “you haven’t had to rescue a client from a scam lately”.
Little did I know that he’d just jinxed my existence.
Yesterday afternoon I got a panic call from a client while I was driving from a data recovery facility on behalf of another client. (That’s a story for another day) The client in a panicked voice described getting an email saying that she had been charged hundreds of dollars for buying Bitcoin using PayPal. She phoned the number and that’s where things went rapidly downhill. I diverted myself from Markham Ontario to downtown Toronto to deal with this. And I’ll give you a bit of a spoiler, she was lucky.
When I arrived, I looked at her Mac and I tried to reverse engineer what happened. Here’s what I found.

She got an email from a random gmail.com account claiming that she had bought Bitcoin using PayPal. There was nothing on the email identifying her other than an email address. That along with the random gmail.com email address should have been the hint that this was a scam. But she didn’t check those details because of how professional the email looked.
Top tip: No matter how professional an email like this looks, if you know that you didn’t buy something from a vendor, and there’s nothing identifying you as being the purchaser, it’s likely a scam and you should just delete the email. In this case, this is called the refund scam. You’ll see why it’s called that in a moment.
She then called the number and the scammer at the other of the line then started to weave a story about her PayPal account being hacked and how they needed to connect to her computer to “secure it” as well as to “generate a cancellation form” to refund her money. That’s where the refund part of the refund scam comes from. The scammers have zero intention of refunding anything and are instead focused on stealing everything they can.
They then connected to her Mac using Team Viewer and then blanked out the screen to cover up their attempt to install ConnectWise Control on her Mac. But for reasons that I cannot discern, they failed at doing that. I’m guessing that it was because she never provided the scammers her computer’s password as I asked her about whether she gave them her password several times. But if they had succeeded, it would have given the scammers the ability to control the Mac and watch what was going on at will and without her knowledge.
In any case, she was told to log into her PayPal account. And she did. However she hadn’t used it in years and it not only had no funds in it, but wasn’t linked to a credit card or bank account.
Fun Fact: The client asked me to help her to cancel the PayPal account because of this incident and because she didn’t use it.
That’s when the scammers pivoted to trying to get her to log into her bank account. Her husband was nearby and got suspicious. When he started to try and intervene, the scammer then started to weave a story to get her husband to leave the room and take his devices (laptop, phone, etc) as they would get taken over by the hackers. Now this illustrates how scammers can use psychological techniques to advance their goals of stealing your money. Which in turn illustrates how dangerous they can be. Because what the scammers were trying to do is to keep them apart so that he couldn’t put an end to the scam. But that didn’t work and when he mentioned that he was going to call me and the scammer heard that, the scammer flipped out on her claiming that “computer guys know nothing and are out to steal your money.” That’s when my client clued in that this was a scam and hung up the phone.
By the time I had arrived, the client had frozen their credit cards and bank accounts. That’s a good idea in a situation like this as you don’t know what info the scammer might have stolen from you. They were also able to validate with their bank that no money was taken and no charges were on their credit card. In terms of their Mac, Team Viewer was installed on it and I removed it. I also found the installer for Connect Wise Control and nuked that too. I spent a fair amount of time looking at the Mac and found no evidence that the scammers had set anything else up. So I felt confident that the Mac was safe to use. As part of this, I was able to discover the ConnectWise instance that the scammers were using. So I reported that to ConnectWise in order to have them kill it. On top of that, I turned over the other information to the scam bait community so that they can extract some “vigilante” justice as I know that this is the only type of justice that these scammers will get.
At this point it appears that no money was stolen from the client, and her Mac is clear of anything “evil”. So other than a bit of wounded pride, the client survived this incident. But it highlights the need for people to stay vigilant. Trust any phone call that is unsolicited, or any email that seems weird to be a threat and do not engage with it. That’s the best way to stay safe. Especially during these times where scams seem to be out of control.



































The Parking Fine Text Message #Scam Is Back…. Sort Of [UPDATED]
Posted in Commentary with tags Scam on October 8, 2024 by itnerdA couple of years ago, I wrote about a pretty sophisticated parking fine scam that was making the rounds in Ottawa. At the time it got a fair amount of attention. But then it disappeared. And I forgot about it. But last night a reader sent me this screenshot:
It appears that this scam is back. Or at least a threat actor is trying to bring it back. You’ll understand why I say that in a moment. Right now, let’s look at the text message. The redacted section is your cell phone number goes. That’s the only thing that comes close to identifying you. Seeing as it is likely that any city would have access to your name and address via your license plate number, logic would say that your name or license plate number should appear. That’s a departure from the Ottawa version of this scam which actually referred to you by name, which made it more convincing. Or put another way, the threat actors behind this are far less sophisticated than the ones behind the Ottawa scam.
All of the above ignores the fact that no city would ever contact you regarding an unpaid parking ticket in this manner.
The text message also piles on the pressure by saying that if you don’t pay this parking ticket, you’ll have to go to court, your license and vehicle registration will be suspended, and you’ll have to pay a lot of money. That’s to get you to suspend your critical thinking and just react to the text message rather than think this through and conclude that this is a scam.
Now the website that you’re supposed to go to has been taken down as I type this which is a good thing. But it only means that the threat actors behind this will find someplace else on the Internet to set up shop to try and execute this scam. That in turn means that you need to look at any text message or email that you get with a critical eye to make sure that it is legitimate. And if it’s not, you should never engage with it.
UPDATE: It seems that the website is back online. Which means that I can actually tell you what these threat actors are up to.
There’s a fake Cloudflare page that pops up when you go to this site. That’s meant to make sure that you believe that it’s real.
Then you’re taken to this page. Fun fact: The Government of Canada or provinces are not involved in collecting parking fines. That’s up to individual cities. But the threat actors are clearly hoping that you will not know that and click on the province that you live in. I must say that this website is pretty well done. But you know it’s fake because one look at the address bar at the top right shows that this isn’t a Government of Canada website as it doesn’t end in “gc.ca”.
The individual provinces websites are well done as the match the theme that each province uses in their website. But the information that these scumbags want to collect is exactly the same. Starting with your license plate number.
Then they want your details. Specifically your date of birth, along with your name and address. All of that is great for stealing your identity.
Finally they want your credit card details. Which on top of helping the threat actors steal your identity, they’ll likely go on a shopping spree.
Now to be clear, you should not do what I have done here because clicking on links from unsolicited parties is a risky thing to do. But I take precautions when I do this sort of thing because I want to illustrate what threat actors like this one are up to so that you can see how dangerous these scams are. And also why you should never click on links or do anything else with any email or text message that you get.
1 Comment »