Scam of the day – July 8, 2017 – Mystery shopper text message scam

I have been warning you about mystery shopper scams for years, however what makes today’s mystery shopper scam so timely is that originates with a text message.  More and more scams are now being sent to targeted victims through their cell phones rather than just by email which reflects the increased use of all of us of our smart phones.

Mystery shoppers are people hired to shop at a particular store and report on the shopping experience for purposes of quality control.  Unlike many scams, there actually are legitimate mystery shopper companies, but they never advertise or recruit through emails.

The manner in which the scam works is that when you answer an advertisement, an email or now a text message to become a mystery shopper and you are sent a bank check to deposit and use for your shopping.  You spend some of the money on the goods that you purchase which you are allowed to keep and also are directed to keep some of the balance of the check as payment for your services.   You are instructed to return the remaining funds by a wire transfer.  The problem is that the check is counterfeit, but the money you send by wire from your own bank account is legitimate and that money is gone from your bank account forever.

The new text message version of the scam, which was sent to me by a Scamicide reader who fortunately recognized the scam before she became a victim begins with a text message inquiry about whether the intended victim is available for a “personal assistant job offer” and then gives an email address for the intended victim to contact.  If you contact the sender of the text message, you are prompted to provide some personal information and then told in a subsequent email that you qualified for the mystery shopper job and would be sent a package with further information.


One reason why this scam fools so many people is that there really are mystery shopping jobs although the actual number is quite few and they do not go looking for you. An indication that you are involved with a scam is when you receive a check for more than what is owed you and you are asked to wire the difference back to the sender.  This is the basis of many scams.  Whenever you receive a check, wait for your bank to tell you that the check has fully cleared before you consider the funds as actually being in your account.  Don’t rely on provisional credit  which is given after a few days, but which can be rescinded once a check bounces and never accept a check for more than what is owed with the intention to send back the rest.  That is always a scam.  Also be wary whenever you are asked to wire funds because this is a common theme in many scams because it is difficult to trace and impossible to stop.

Additionally, this particular scam email was sent by the email address of a person entirely unrelated to any mystery shopping company which is generally an indication that you are getting the email sent from an unsuspecting victim of an email hacking whose email address is now being used as a part of a botnet of similarly hacked computers to send out scam emails such as this.

Scam of the day – May 21, 2017 – HSBC text scam

British based HSBC is the world’s sixth largest bank and has branches around the world.  Recently scammers have been randomly sending out text messages, such as the one reproduced below in order to scare people into clicking on the link in order to verify their account and avoid a threatened suspension of the account.  If you click on the link it will take you to a phony HSBC website that looks legitimate, but is merely a scam to lure you into providing your username and password for your HSBC account (if you have one) which the scammer will use to steal money from your account.  If you receive this text message and don’t have an account with HSBC, you know immediately it is a scam, but it can look frighteningly legitimate if you have an account with HSBC.

HSBC banking scam text (Image: loveMONEY_


This message can be particularly problematic if you are an HSBC customer and have signed up to receive text message alerts from the bank. However, whenever you receive a text message you can never be sure who is really sending it to you, so you should never click on links in such text messages which may either download ransomware malware on to your phone or keystroke logging malware that can lead to your becoming a victim of identity theft.  In other instances, such as with this particular text message scam, you are in danger of providing your personal information directly to the scammer that can be used to access your accounts.  The best course of action when you receive such a text message if you have a concern that it may be legitimate is to merely independently contact your bank to determine whether or not the text message was a scam.

Scam of the day – February 28, 2017 – Religious leaders being hacked by scam artists

As many of you know, one of my mottos  is “trust me, you can’t trust anyone.”  I mention this because of a recent story in the news about a Denver church pastor whose Facebook account was hacked.   When a parishioner messaged the pastor about difficulties she was having, her pastor messaged her back telling her about a grant of substantial money he had recently received and gave her the contact information for the grant issuer so she could apply for the money she so desperately needed. Of course the grant was a scam and the message to her came from the scammer who had hacked into the pastor’s Facebook account. Fortunately, in this instance, the parishioner called her pastor prior to making the payment demanded of the phony grant issuer and managed to avoid being scammed.  However, other people have not been so lucky.


Trust me, you can’t trust anyone.  It bears repeating.  Whenever you get an email, text message or phone call, you can never be sure that the communication is coming from who appears to be sending the communication.  It is relatively easy to hack an email account, Facebook account or cell phone.  Therefore, you should never click on a link, download an attachment or provide personal information in response to any communication unless and until you have absolutely confirmed that it is indeed legitimate.

Scam of the day – June 9, 2016 – Dual factor authentication scam

Scam artists never cease to amaze when it comes to the creativity and artistry they put into their scams. As I have written many times, scammers will often lure people into providing their user names and passwords to scammers using carefully crafted spear phishing emails or text messages.  This was how the cybercriminal who was able to steal access to the gmail accounts and iCloud accounts of celebrities such as Jennifer Lawrence was able to gain access to their accounts.  One of the ways often advised to avoid this problem is to use dual factor authentication whenever you can.  With dual factor authentication, whenever you are going to access an online account, a special code will be sent to your smartphone after you have typed in your user name and password.  Without this code, you cannot gain access to your account.  Dual factor authentication works well, but nothing is fool proof.  Fools are powerful.

A fascinating way that scammers are now getting access to the accounts of people using dual factor authentication is by sending you a text message posing as the company with which you have an online account and telling you that your account may have been hacked and that if you want to close access to the account for security purposes, you will have to reply to the text message with the 6 digit verification code that you will be sent by the company momentarily.  Of course, the text message is not from the company you do business with, but rather it is from a scammer who has just typed in your user name and password, but can’t get access to your account protected by dual factor authentication until he enters the code about to be sent to your smartphone to verify the legitimacy of the hackers attempt to access your account.  If you fall for the scam and reply to the text by sending the code you receive from the company with which you use dual factor authentication, you will have turned over access to your account to a scammer.


Whenever you use dual factor authentication, you will only be sent the code to verify an attempt to log into your account so if you have not attempted to log into your account and you receive a verification code through a text message to your smartphone, it is because a scammer who already has your user name and password is attempting to access your account.  Never provide that code to anyone.  It should only be used by you to input into your smartphone or computer when you log into a dual factor authentication protected account.  Never provide sensitive information, such as your Social Security number, credit card numbers or dual factor authentication codes in response to an email or text message because you can never be sure who is actually communicating with you.

Scam of the day – July 18, 2015 – Ingenious text message gmail scam

It is not surprising that scam artists are the only criminals that we refer to as artists.  Some of their scams are truly ingenious.  Today’s scam starts when you receive a text message from Google with a verification code.  Immediately thereafter and before you can even respond to the first text message, you receive a second text message that states, “Google has detected unusual activity on your account.  Please reply with the verification code sent to your mobile device to stop unauthorized activity.”  Many people have been merely following those directions and promptly send the verification code they just received.  However, by doing so, the victim has just turned over his or her gmail account to a scammer who can scour the account for information to be used for identity theft purposes.

What actually went on was that a hacker with the victim’s email address and cell phone number went to login on the victim’s gmail account and clicked on the “Forgot password” link prompting a verification code to be sent to the victim’s cell phone.  Immediately thereafter the hacker sent the original message that appears above pretending that he or she is Google so when the victim responds by sending the verification code, he or she is actually sending it to the hacker who then uses it to access the victim’s gmail account.


Never send a verification code to anyone through an email or a text message.  The only place you should use a verification code is when you login online.  If like the victim of this scam, you receive a verification code sent to you on your cell phone that you did not request, notify your email provider because that is an indication that someone is trying to hack into your account.

Scam of the day – November 6, 2014 – New Smishing scam

Smishing is the name given to text messages that lure you into clicking on links or providing personal information in response to a text message from what appears to be a trusted source, such as a company with which you do business, such as your bank.  Recently there have been a number of smishing scams in which the messages appear to be from the bank Sun Trust.  In some of the recent Sun Trust smishing scams you are prompted to respond to a feigned emergency by providing personal information such as your account number.  If you provide this or other personal information, it is used by the scammers to make you a victim of identity theft.  In other smishing scams, you are told to call a telephone number that is a toll number with charges as much as $19 per minute.  Often you are put on hold for long periods of time to increase the charges.


Your bank is not going to contact you by a text message if there is a problem with your account.  More importantly, as I have warned you many times, you can never be sure who really is sending you an email, text message or phone call and should never provide personal information in response to such communications.  If you think that there is a possibility that the contact may be legitimate, you should call the real company at a telephone number that you are sure is legitimate to learn whether or not the original communication with you was a scam.

Scam of the day – August 30, 2014 – New scam threats springing from J.P. Morgan data breach

As I have told you so many times, whenever something catches the attention of the public, it catches the attention of scammers and identity thieves who use it as a hook to turn that public’s interest in something into making the public victims of scams.  The recent death of Robin Williams and the Ice Bucket Challenge are two examples of things that have fascinated the public that were used to turn people into scam victims.  You can find the details about both of these scams in previous Scams of the day.  Now, the J.P. Morgan bank hacking is a big news story and it should be.  The data breach at J.P. Morgan and a number of other banks poses a serious threat to the financial well being of many people.  Scammers and identity thieves are now capitalizing on this concern and fear in the public to send emails and text messages to people in which the identity thieves pose as J.P. Morgan or other banks.  In the emails and text messages, you are told about problems with your account that require your immediate attention and you are directed to click on a link for further information.  If you click on this link, however, you will end up downloading keystroke logging malware that will steal the personal information from your computer and use it to make you a victim of identity theft.  In another variation of this scam, you are directed to provide your personal banking account information in response to the email for verification purposes.  Of course, if you do this, all you will succeed in doing is providing an identity thief with the information he or she needs to steal money from your accounts.


Whenever you receive an email or a text message you cannot be sure of who sent it to you.  Even if the address of the sender appears to be legitimate, it is easy for a scam artist (remember, they are called artists) to “spoof” or counterfeit a legitimate address to make the message appear to be legitimate.  Never provide personal information in response to an email or text message.  Never click on links in emails or text messages unless you are absolutely sure that the message is legitimate.  If you have think that the email or text message may be legitimate, you should call the bank or other purported sender at a phone number that you independently have confirmed is legitimate to inquire.  Don’t call the number provided to you by the scammer.

Scam of the day – June 19, 2013 – Smishing gets worse

Many of you may be unfamiliar with the term “smishing” which is described in detail in my book “50 Ways to Protect Your Identity in a Digital Age,” however, you are probably familiar with the term “phishing” which describes the scam by which identity thieves will trick you in an email that appears to come from a person, company or governmental agency to go by way of clicking on a link to a phony website that appears to be that of a legitimate company or governmental agency.  There you are either tricked into providing personal information that becomes used to make you a victim of identity theft or by merely clicking on the misleading link, you unwittingly download a keystroke logging malware program that reads and steals all of the personal information from your computer and proceeds to make you a victim of identity theft.  Smishing is the latest development in this scam.  Rather than coming to you by way of an email,  a smishing attack delivers the scam to you through a text message, which is technically a “short message service” (SMS) hence smishing.  Often the phony text message appears to be from your bank, telling you for whatever reason, you need to provide personal information.  You may be told that you need to provide the information due to a security breach at the bank or for any other reason that may appear legitimate.  However, it never is.  Instead you will either be pumped for personal information or unknowingly download the keystroke logging malware.

Never respond directly to these text messages.  Don’t text “stop” or “no” as sometimes suggested.  Doing so only alerts the identity thieves that they have a real  and active smartphone number. Instead forward the text to 7726, which spells SPAM on your keyboard.  You can never be sure when you receive a text message asking for information if the sender is who he or she says he or she is and even if the message originates with a legitimate smartphone, you can’t be sure that the legitimate smartphone was not hacked into and the message you receive is from an identity thief.  If you ever have the slightest thought that the text message may be a legitimate message from your bank or any other entity with which you do business, you should contact the bank or other entity directly at a number that you know is correct to inquire about the text message.

Scam of the day – May 12, 2013 – Bank text message scam

Everyone texts including scammers and identity thieves.  A recent text message scam that has resurfaced involves a text message from “Credit Card Services Alert” and it informs you that your debit card has been deactivated.  The text message provides you with a telephone number to contact.  If you respond by calling the number, you will reach an automated service informing you that you have reached the card activation center.  It then asks you for you credit card number, expiration date and security code.  Anyone providing this information is sure to become a victim of identity theft.  Your bank or credit card issuer will not contact you in regard to problems by a text message so if you do receive such a text message, you should immediately delete it.


Whenever you receive a text message, email, letter or telephone call, you can never be sure of who is communicating with you.  If you have even the slightest thought that the message may be real, you should not respond to the text, email, or caller directly, but rather contact the bank or other organization that they pretend to represent at a telephone number that you know is accurate in order to inquire about the legitimacy of the communication, whereupon you will promptly be informed that it was a scam.  Remember, texts and email messages or phone calls can appear to come from legitimate companies, but that does not mean that it is not a fake.  I received a very real looking email message about a problem with my bank account, however, there was only one problem.  I didn’t have an account at that bank so I merely deleted the email.  You should too.

Scam of the day – December 14, 2012 – New Mac app scam

For many years, users of Apple computers have felt safe knowing that by and large most of the computer scams have targeted users of PCs rather than Macs.  However, with the increasing popularity of Apple computers and portable devices, more and more scammers and identity thieves have begun to tailor their illegal activities to Mac users.  Earlier this week the Russian Security software company, Doctor Web announced that it had found  new malware that is aimed at Mac users.  The scheme starts with a text message or email that asks for you to enter your phone number.  In response the victim receives a text message asking for a registration code.  When the victim responds, automatically continual charges are made to the victim’s smart phone in a scam called cramming.  The particular scam found by Doctor Web targeted people using a music app.


Only get your apps from legitimate sources.  The cost of many free apps that you may find on the Internet is far too dear.  A good rule to follow is never to install an app if you are required to provide your smart phone number or send a confirming text message.  That text message may just sign you up for continuing charges wtihout your being aware of it.  Finally, it is time for Mac users to join the rest of the world and realize that scams are not just found on PCs, but are also written for Macs too.