I clicked on four sneaky online scams on purpose - to show you how they work

I'm not a sucker, but I played one on the internet last month -- purely in the interest of science, of course. My text messages and email spam folder are filled with the usual assortment of shady stuff from online crooks. As a public service, I decided to play along with the bad guys to see what happens.
Before we get started, let me stress one thing: Don't try this yourself. I did my experimentation in virtual machines and sandboxed environments where I knew my personal data wasn't exposed. You might be tempted to click a link, just to see what happens. That's a very bad idea, because what happens can sometimes be catastrophic. So, a little bit louder now:
Don't try this at home.
The scams and online attempted attacks I encountered were all depressingly common. You've probably run across similar examples on your own devices. None of these crooks are criminal masterminds; for the most part, they're petty thieves trying to get you to do something that will give them access to your identity or money.
Here's what I found.
1. The fake security upgrade
We've all been trained to pay attention to security alerts, so when I received an email telling me that "suspicious activity" had been detected on my Wells Fargo Securities account, I was alarmed. Mostly because I don't have an account with that institution, but these crooks are playing a numbers game: Some percentage of the people they reach with this mass mail will have one of those accounts.
So, on behalf of Wells Fargo customers everywhere, I clicked that link, which took me first to a page that simulated a Captcha, and then to this scary-looking dialog:
[Image: Look at that address bar carefully - this isn't a webpage, it's a Google Docs file made to look like a security warning.]
You know the drill. If you're told to install a security-related update, you're supposed to do it. And sure enough, when I clicked that button, the browser in my sandboxed PC began downloading a file called WF-Login-Signature.exe.
Instead of running that file, though, I uploaded it to VirusTotal, the Google-owned site that analyzes a suspicious file using the engines of more than 70 antivirus tools. Not surprisingly, this file was flagged as malware by 24 of those engines. Specifically, the file I downloaded was a remote administration tool called ConnectWise, which is a legitimate management tool being used in a most unauthorized fashion here.
If you were paying attention, you might have noticed that those "security alert" pages were actually nothing more than Google Docs that took over the browser window to simulate a web page. It took a couple of days, but Google eventually shut down those accounts.
The moral of the story? If a web page tells you that you need to download a program so you can continue, stop right there and close that page. If you downloaded anything, delete it immediately.
2. The fake Captcha
I was genuinely puzzled when I first saw this one. I had been searching for information on tax incentives for energy upgrades, and one of the results led to a blog post from a solar company in the Northeastern US. (Names withheld to protect the innocent bystander.)
Within a few seconds after loading that page, though, I encountered this challenge: "Verify you are human by completing the action below."
[Image: Spoiler alert: That is not a real Captcha request.]
The page contained the familiar Cloudflare logo, but instead of asking me to type a Captcha code or check a box, it wanted me to open the Windows Run box, copy a command, paste it in the Run box, and then press Enter.
Seriously?
In my sandboxed virtual machine, I copied the code, and then pasted it into Notepad so I could see exactly what I was being asked to run. The full text string included much more than the "I am not a robot" text visible on that page; it also included a PowerShell command that would have retrieved a malicious payload from the attacker's website, which would in turn have installed a program to steal information from my PC. (Malwarebytes Labs has a good write-up on how this attack works.)
When I went to look at that text file a few days later, Microsoft Defender quarantined it, warning me that it had detected a threat called Trojan:PowerShell/FakeCaptcha.
The takeaway? If a stranger tells you to run any code on your computer, don't do it.
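The Notepad check described above can be automated. This is an added example, not code from the original article: it compares the text a page displayed with what it actually placed on the clipboard and reports the part the user never saw. The sample lure is constructed, its payload is a placeholder, and the interpreter list and function names are assumptions.

```python
import re

# Programs the Windows Run box will start directly (assumed list for this example).
INTERPRETERS = re.compile(r"\b(powershell|pwsh|cmd|mshta)(?:\.exe)?\b", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)


def defang(url: str) -> str:
    """Make a URL unclickable before it goes into a ticket or chat message."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def inspect_copied_text(visible_label: str, copied: str) -> dict:
    """Compare what the page displayed with what it put on the clipboard."""
    idx = copied.find(visible_label)
    # Everything other than the displayed label is text the user never saw.
    hidden = copied if idx < 0 else copied[:idx] + copied[idx + len(visible_label):]
    hidden = hidden.strip(" #\t\r\n")  # drop the comment marker that hid the label
    interp = INTERPRETERS.search(hidden)
    return {
        "hidden_text": hidden,
        "interpreter": interp.group(1).lower() if interp else None,
        "urls": [defang(u) for u in URL.findall(hidden)],
        "suspicious": bool(hidden) and interp is not None,
    }


# Constructed sample: the command body is a placeholder, not a real payload.
LABEL = "I am not a robot"
LURE = ('powershell -w hidden -c "[placeholder: download and run] '
        'https://cdn.example.invalid/verify" # I am not a robot')

if __name__ == "__main__":
    for text in (LURE, LABEL):
        result = inspect_copied_text(LABEL, text)
        print(result["suspicious"], result["interpreter"], result["urls"])
```
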
3. The fake receipt
I wrote about this tactic last summer when everyone I knew was bombarded with fake invoices, supposedly for subscriptions to popular security software packages: "Did you get a fake McAfee or Norton invoice? How the scam works (and what not to do)"
[Image: This fake invoice is convincing enough to fool an unsophisticated recipient.]
As I explained then, the scam is pretty straightforward.
The amount of the supposed transaction is usually just high enough to alarm you. And if you don't realize it's a scam, your first reaction is to pick up the phone and call the toll-free number on the invoice so you can explain that it's all a mistake and you never ordered those products and ask them to please reverse the charges.
I didn't have to call that number because I already had testimony from a criminal case explaining how the scam works. I would have been connected to someone claiming to be an employee of the company that sent the email, and they would have tried their best to convince me to install some software to help fix the problem. In reality, that software will give the thieves remote access to their victim's device, and at that point, it's just a matter of how much they can steal.
How can you spot one of these scams?
- Is your name on the invoice/receipt? A fake invoice is usually addressed to "Dear customer" or something equally generic.
- Is your payment method identified? A legitimate vendor often includes the last four digits of your credit card number.
- Check the sender's address carefully. It's almost certainly not from a legitimate domain.
The simplest way to avoid being a victim? Don't ever call the number on one of those emails. If you think you might have an issue with a credit card or bank, call the number on the back of the card or a recent statement.
4. The fake toll bill
What phishing is to email, smishing is to text messages -- the word is a mashup of SMS, the acronym for the Short Message Service protocol used for sending text messages, and phishing. And last month, everyone I knew was getting fake messages like this one, warning that they had an unpaid charge from driving on a toll road:
[Image: Legitimate businesses don't demand payment via text message.]
Unlike the fake invoice in the previous section, this one usually comes with an amount that's absurdly small -- so small that you might be tempted to just pay it.
When I clicked the link on that text message, it took me to a page that was a nearly perfect clone of the Massachusetts EZ-Pass portal, which asked for my name, address, and other details. The next page asked for my credit card details. That page even included a box where I could enter the SMS code my bank might send me to authorize the transaction.
The biggest tipoff that this wasn't a legitimate site is right there in the link itself. An official website for the Commonwealth of Massachusetts would be hosted at mass.gov, not at a random site in the .vip top-level domain.
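The same check can be done in code. This is an added example, not part of the original article: it extracts the real hostname from a link and tests whether it sits on mass.gov, including cases where "mass.gov" appears in the link without being the host's domain. All sample links and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "mass.gov"  # the official domain named in the article


def host_of(link: str) -> str:
    """Return the lowercase hostname the browser would actually connect to."""
    try:
        parts = urlsplit(link if "://" in link else "//" + link)
        return (parts.hostname or "").rstrip(".").lower()
    except ValueError:  # malformed link
        return ""


def check_link(link: str, official: str = OFFICIAL_DOMAIN) -> tuple:
    """Return (is_official, host). Only the end of the hostname counts."""
    host = host_of(link)
    is_official = host == official or host.endswith("." + official)
    return is_official, host


# Constructed sample links (not taken from any real message).
SAMPLES = [
    "https://www.mass.gov/tolls",            # genuine subdomain
    "mass.gov/tolls",                        # no scheme, still the official host
    "https://mass.gov.toll-example.vip/pay", # official name used as a prefix
    "https://www.mass.gov@toll-example.vip", # official name in the userinfo part
    "https://ezpass-toll-example.vip/bill",  # unrelated .vip host
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, host = check_link(link)
        print(f"{'OK  ' if ok else 'FAKE'} {host:30} {link}")
```
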
Had I given those ne'er-do-wells my actual payment details, there's no telling how many charges they might have racked up or how many hours I would have had to spend to undo the damage.
Security expert Brian Krebs has an excellent explainer on why these scams have become so widespread -- a criminal gang in China has released a do-it-yourself kit that anyone can use: "Chinese innovations spawn wave of toll phishing via SMS."
There are variations on this type of smishing scam, including fake messages from the Postal Service or UPS asking for payment to deliver a package.
But here's the thing: No legitimate business will ever ask you for money via text message. If you owe money for a highway toll, you can expect to get a bill that includes your name, address, and, crucially, your license plate number.
Delete these messages and move on.