Bogus and bizarre
A criminal network dubbed BogusBazaar by the German cybersecurity consulting firm SRLabs is operating tens of thousands of fake shopping sites, impacting consumers internationally. According to a report by SRLabs last week, over 850,000 customers have fallen victim, mostly from Western Europe and the U.S., with almost none from China, where the fraudsters mainly operate. BogusBazaar, SRLabs explained, lures victims to fake shopping sites offering shoes and apparel by well-known brands at low prices. The scammers then perpetrate their fraud in either (or both) of two ways: through fake payment pages that harvest credit card details and contact information, or by collecting payments for expensive merchandise (think Dior, Nike, Lacoste, Hugo Boss, etc.) that is never delivered or takes the form of cheap counterfeits. The hard-to-wrap-your-head-around twist with this scam is its organizational structure. We're tempted to call it the McDonaldization of fraud schemes, because, as SRLabs describes it, a core team handles the infrastructure management, while a decentralized network of franchisees operates the fraudulent shops. In a write-up of the findings, tech news publisher The Register explained that BogusBazaar affiliates pay the core team for the software and server access as part of what SRLabs calls a "fraud-as-a-service" or "infrastructure-as-a-service" franchising model. The good news is that SRLabs shared their research findings with authorities, and some of the fake shops are now offline. The bad news is that this scheme is still operating; and, as SRLabs points out, BogusBazaar can quickly deploy new shopping sites and rotate payment pages and domains in response to take-downs. A cat-and-mouse game indeed. Check out in-depth reporting on the scam by SRLabs' investigative media partners The Guardian (English), Die Zeit (German), and (oui, oui) Le Monde (French or English).
A tragic outcome
The tragedy that left an innocent Uber driver dead last month serves as a reminder that community education about scams needs to be a priority. Several news outlets reported on the story of William Brock, an 81-year-old who shot and killed Loletha Hall, a 61-year-old Uber driver who Brock thought was working with a scammer. As NBC News explains, a scammer first contacted Brock pretending to be with the courts and claiming to have Brock's relative under arrest and in need of bail money. (We've certainly heard that scam setup before.) The scammer's story then turned into a claim that Brock's relative was being held for ransom (another typical scam angle). The scammer, or an accomplice, then dragged into this scheme an unwitting Uber driver, Loletha Hall, who was summoned to go to Brock's home to retrieve a package. As the NBC story continues, when Hall arrived at Brock's home, he confronted her with a gun and asked her who she was working for. Brock then took Hall's cell phone and prevented her from leaving. Although Hall did not threaten Brock, have a weapon or assault him, as NBC explains, Brock shot her three times, ultimately killing her. According to the Associated Press, when Brock called 911 (after the third shot), he said that Hall tried to rob him. Brock, the original target of the scam, now faces murder, assault and kidnapping charges. The local Clark County sheriff issued a reminder, particularly to older people, that law enforcement and courts do not solicit cash for bail money. Had Brock known this, we'd like to believe that, instead of so heavily engaging with what should have been just another failed everyday scam attempt, he would have contacted police and allowed Hall to leave safely. We're thankful for the sheriff’s tip, and will continue to get the word out about fake emergency scams. Sadly, there's just no way to end this story on a positive note.
Fraud in the forecast
Maine event. Last month, a Spectrum News site out of Augusta, Maine, published a piece about the Federal Emergency Management Agency's (FEMA) warning to Mainers about the potential for scammers trying to target the state's winter and spring storm damage victims. According to the article, FEMA is warning that scam artists may call or come to the door claiming to be legitimate contractors endorsed by FEMA, or they may pose as federal employees. Such scam artists, the story continues, are trying to take financial advantage of storm victims, and may be looking to commit identity theft. The Spectrum piece also explains that residents who have registered for assistance from FEMA have a nine-digit registration number, and that a real FEMA employee will have that number on file and will never ask for it. FEMA also warned, in an April alert to Mainers, that these types of scams don't just happen at the beginning of the disaster response, when people might be more vulnerable, but can happen anytime. FEMA encourages survivors and business owners to be vigilant of several common post-disaster fraud practices, which you can read about here. To report suspected fraud, contact FEMA's disaster fraud hotline at 866-720-5721.
Twisted ways. Late last month, the Federal Trade Commission (FTC) issued its own alert about scammers looking to profit from Midwest tornadoes. The alert points readers to the FTC's "Dealing with Weather Emergencies" landing page as a good spot for helping yourself and others recognize and avoid scams after a disaster. The page includes some handy tips for avoiding clean-up and repair scams. It points out that after natural disasters, unlicensed contractors and scammers may show up promising quick repairs, clean-up services, and debris removal. Some, the FTC explains, may demand upfront payment and not do the work; claim that you’ll get a discount but quote outrageous prices; or lack needed skills. The FTC advises that, before allowing anyone to start work, consumers should know who they're dealing with by asking for IDs, licenses, proof of insurance, and references, and by checking for complaints with state and local consumer protection offices. Other tips include getting more than one estimate, reading the contract carefully, and never paying cash. Learn more about avoiding disaster scams here.
Tips
A+ for young advocate. If you're among the SCAM GRAM readers who regularly conduct community outreach and education work, look to young Parker Cosimano of Omaha, Nebraska, for inspiration. Cosimano is an eighth-grader who turned a school essay into a community education effort that's gone statewide thanks to coverage by ABC affiliate KETV and collaboration with the Better Business Bureau of the Midwest Plains (BBB). According to KETV, when Cosimano realized his essay about senior citizen scams wasn't going to do anything to stop them, he decided to take the school project further. After his grandmother's credit card number was stolen in a scam, Cosimano determined that he needed to make and distribute flyers to local seniors warning them of scams. Cosimano initially spent a day delivering 1,000 flyers to five senior living homes. Then, as KETV later reported, the outlet helped put Cosimano in touch with the BBB and, when the two met, they discussed getting his flyer placed in every senior living home in Nebraska. According to a Facebook post by the BBB, the agency supported Cosimano's efforts by adding to the flyer data from the BBB Scam Tracker, even more tips on avoiding scams, and hotline and scam-reporting information. The BBB collaborated with area aging agencies, leading, so far, to distribution of the flyer in 30 Nebraska counties. Check out the flyer on AARP Nebraska's X/Twitter page. The BBB Facebook post also includes a contact for getting more information on distributing the flyer. Among Cosimano’s excellent tips, which can serve anyone contacted by any type of scammer: Don't pay money to strangers!
Incorrect password—try again, mom. A recommendation that appeared in Scientific American last week suggests that creating passcodes for family members and friends could be the perfect foil for artificial intelligence-powered impersonation scams. The article explains that impersonators can use inexpensive voice-cloning services to make deceptive and convincing phone calls in another person’s voice. The AI tools, Scientific American explained, process speech samples that they get from, for example, online video posts or “wrong number” phone calls, and then generate audio replicas of the stolen voice that can be manipulated to say anything. Ben Guarino, the story's author, suggests that if there were a golden rule for thwarting AI-infused phone scams, it might be that, online or on the phone, we should treat our family members and friends as though they were an email login page. In other words, Guarino explains, we should make up a passcode (a safe word or private phrase) that we share with family and friends in person and that we memorize. If we get a call from a friend or family member in an alarmed state or under unusual pressure, especially if there is also a request for money, Guarino continues, we should ask them for the code to verify who they are. Check out the Scientific American article to learn how several of the publisher's own editors creatively implemented this advice into their lives. (Don't forget to tell mom and dad that "password" doesn’t qualify as a good safe word.)
One mile forward, two miles back. WITN News in Greenville, North Carolina, reported in April that odometer fraud is on the rise. According to the outlet, Carfax found that roughly 2.1 million vehicles on the road have had their odometer rolled back, which is up 14% from 2021. The story points to a Carfax article listing the 10 states having the most vehicles with rolled-back odometers. The top five states are California, Texas, New York, Florida and Illinois—all saw increases in fraud this year. The Carfax article explains that consumers lose an average of $4,000 in value from unknowingly buying a car with a rolled-back odometer; this does not include unexpected maintenance costs. Tips for avoiding odometer fraud at the time of purchase include asking the seller questions about the car's condition and having the car inspected by a mechanic. There’s also the familiar advice that if a deal seems too good to be true, you should be wary. Carfax also explains that too much pressure from an auto seller is another warning sign. Check out the Carfax piece for state-by-state links to the agency where you can report odometer fraud.
What happens in Vegas... Several local law enforcement agencies and the U.S. Secret Service conducted an operation in Clark County, Nevada, late last month related to payment card skimming and electronic benefit transfer scams. In a press release, the Secret Service said that the three-day affair marked the first time such an outreach operation had been conducted by the federal agency and that it may be used as a model in other parts of the country where EBT fraud and skimming are prevalent. The participating authorities visited more than 1,150 businesses to check for and remove illegal skimming devices from ATMs, gas pumps and point-of-sale terminals (more than 11,600 machines were inspected). Eighteen skimming devices were recovered during the operation, which, according to the press release, prevented an estimated potential loss of $5.4 million. The Secret Service recommended several consumer precautions to avoid fraud, including: not using ATMs, point-of-sale terminals, or other card readers that have loose, crooked, damaged or scratched parts; using debit cards as "credit cards" at gas stations (to keep PINs safe, and to prevent immediate deduction from accounts) or covering your hand when entering PINs (scammers can install tiny pinhole cameras to capture PINs); choosing to use ATMs in well-lit, indoor locations, since they are less vulnerable targets; being alert for skimming devices in tourist areas, since these are popular targets; and using debit and credit cards with chip technology (in the U.S., fewer devices steal chip data versus magnetic strip data). While we're glad to learn that we're now less likely to lose money at Las Vegas ATMs and other terminals, we wonder whether anything can be done about losing money on those other popular machines on the Vegas Strip.
Doctored orders. Consumer Action continues to work with Amazon to educate consumers about scams to be wary of. If you were recently surprised by an alert about a purchase on Amazon that you never made, you can be sure the message was not from Amazon. In a post about the latest scam trends, Amazon warned about the rise in scams involving fake purchases, where scammers claim that there is a shipping issue with your order. These messages, Amazon explained, are most often sent via email, and state that a payment is required—most often by credit card—to fix the issue with your order. Amazon offered two key tips for identifying these scams and staying safe: (1) For any questions related to an order, always check your order history on Amazon.com or via the “Amazon Shopping” app. Only legitimate purchases will appear in your order history; and (2) Do not click on any links or provide your information without authenticating the email or verifying the link. Visit the Message Center, which displays a log of authentic communications sent from Amazon. You'll also want to report scams to Amazon. The company explains that the more scams are reported to them, the better their tools get at identifying bad actors, so they can take action against them. Customers can report suspicious communications at amazon.com/reportascam, and even non-customers can report suspicious messages by emailing reportascam@amazon.com.