This is probably phishing, right?

Today I get this email purportedly from Valvoline Instant Oil Change saying:

Thanks for bringing your vehicle in for service on March 6, 2024.
Here is a summary of your visit.
Vehicle: 2017 GMC Yukon XL, 245,121 miles.
• Full Synthetic Oil Change

They even say: Hello JOSE (which is my first name and the first part of the email address) and include a “handy link” to an invoice (that probably downloads ransomware to your PC, so I didn’t click it), claiming to be for 150-some dollars.

At no point in my life have I driven a GMC vehicle, let alone one with that kind of mileage. Unless someone is coincidentally using my email as a throwaway to avoid spam, I can’t figure out how they got it. The email they sent it to was my first and last name run together, whereas I have it [email protected], but I know that Google is agnostic about that.

I guess I should just classify it as spam and not look back (and obviously look for such a charge on my cc and bank statements).

I get quite a few emails for other people with my name who have used my gmail address for various things (my email is firstname.lastname too). At times I have received emails about an investment into my supposed meat distribution company, an architect contacting me about a plot of land in Tennessee, and one about meeting up for a meal at a fancy restaurant. I also get repeated bank statements for someone with my name who lives in Brazil.

I occasionally reply to advise of the mistake and sometimes even have a fun little conversation with the sender off the back of it.

I used to too until I saw this John Oliver report:

If you know the service referenced isn’t something you had done then just ignore it. No need to talk with them.

I got an email like this a few days ago as well. I thought it was weird and also figured it was a scam.

You can hover over the link and see if the URL is legit. Could just be a case of crossed emails, but if it doesn’t go to valvoline.com or vioc.com that’s your tipoff.

Last week I got an invite to a group text from “USPS” at 9pm. I guess they’re scamming in bulk now.

I get legit emails all the time intended for other people. Like, a LOT a lot. Often enough that I’m starting to feel like someone REALLY thinks my email address is theirs, and I just don’t know how they haven’t yet figured out they’re missing email. It’s not just throwaway stuff like invoices (though a lot of it is,) but sometimes things like kids’ soccer schedules and “hey, I’d like to talk about dividing up mom’s estate.” (And not in a spammy like way, but like…legitimate family wanting to discuss things.)

Point being, sometimes it’s hard to be sure, but I generally just archive it and move on, and mark as spam if I’m SURE.

This is a flavor of the fairly common invoice scam. Mark as spam and move on.

For fun, look up the old Popehat blog series where he actually pursued a scammer doing this and (IIRC) it ended up with them in jail.

When I hovered over it I got “t.em.vioc.com”, so it appears some idiot is using my email address for this account.
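The hover check suggested in this thread, automated as an added example (not part of any post above): it lists each link's visible text next to the host it really points to, and accepts only valvoline.com, vioc.com or their subdomains. The sample message and the `.example` hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sender domains named in the thread; everything else is treated as foreign.
EXPECTED = {"valvoline.com", "vioc.com"}

def host_matches(host, expected=EXPECTED):
    """True only for an expected domain itself or a dot-separated subdomain."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in expected)

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_links(html):
    """Return (visible text, real host, verdict) for every link."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for text, href in collector.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            verdict = "suspicious: not a web link"
        elif host_matches(parts.hostname):
            verdict = "ok"
        else:
            verdict = "suspicious: host outside expected domains"
        report.append((text, parts.hostname, verdict))
    return report

# Constructed sample message (not a real email).
SAMPLE_HTML = """
<a href="https://t.em.vioc.com/r/?id=constructed">View invoice</a>
<a href="https://vioc.com.billing.example/inv">vioc.com/invoice</a>
<a href="https://vioc.com@billing.example/inv">Pay now</a>
"""
```

Calling `audit_links(SAMPLE_HTML)` passes only the first link. The other two contain the expected domain in the URL, but only as a leading label or as the part before `@`, which is why the comparison is made on the parsed hostname with a dot boundary.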

I was getting lots of legit looking emails for another party at a different gmail address, and it turned out it was an older Canadian couple out of Vancouver whose actual address was “papageno89” (the 89 referring to the year they bought a sailboat which they dubbed Papageno-- yes they’re also apparently fans of Die Zauberflöte), but the wife was either just ditzy or suffering from dementia and would forget about the 89 part when giving out the address.

And of course it could be a deeper scam, where they send you to the proper site, you don’t see the bill, get back to them, and then they start sending you resolution links that are malware. Either way, kudos for being cautious!

I once got a password reset request for Instagram. The thing is, I have never had an Instagram account. And they kept coming. So I reset the password and logged in. Somebody was using my email address and it did not look like a typing mistake. I am Chinese and my very Chinese surname is in the email address. The name on the account was assuredly not even close. I don’t know what sort of scam he was trying to pull so I just deleted the account.

I just dove deep on this for more than an hour, thanks!

Here’s the entire series, via the Wayback Machine.

I just got a Pig Butchering text today! Some random number using the name of a young-sounding woman (at least to us fossils, it was Ashley something) claiming to work for “the Ritz-Carlton Hotel in Florida,” saying they were looking for people just like me to work from home for them. Yay, I am special and going to make a mint! Right. Report as spam, block.

A double giveaway in that one. “Work at home” has been a red flag since before the Internet. The second is kind of unique to me, but also anyone with access to Google & a skeptical mind. My wife and I stayed at a Ritz-Carlton during our honeymoon, and so made a grand plan to stay in a different Ritz-Carlton on every anniversary (that lasted two years, due to the kids starting to come along). But we were looking at them for our last anniversary since the kids are adults now, and learned there are nine Ritz-Carltons in Florida. So telling me you’re from “the” Ritz in Florida just tells me you’re bullshitting and don’t know to identify which one, or that there is more than one.

The last one I got that was definitely “pig butchering” was one where someone texted a “Coach Linda” about not making it to a class at the gym. I foolishly sent a text back saying “I’m not Coach Linda, but good luck” or something, and after “she” started to engage I immediately became suspicious and did a quick Google search. Apparently they try to convince you to spend your money on some new cryptocurrency (a concept which I wish would just effing die already, but that’s another discussion).

I mean, the giveaway is that someone’s texting you out of the blue.

I accidentally texted the wrong person a Happy Birthday on Tuesday. I didn’t know my brother had changed his phone number.

They actually responded “wrong number.” I guess I should have tried to scam them!

I’ve suddenly started getting calls telling me they can make sure I’m getting all the benefits I’m due with my Medicare.

They may be using AI voice generation on this one. I’ve received 4 such calls, and there have been 2 from Lauren, one from Susan, and one from April. All have natural sounding voices instead of sounding like a female Stephen Hawking. They are pretending this is a real person with pauses for you to answer but the answers don’t matter as no matter what I say, I qualify and will be connected to a senior supervisor which can help me.

I’m not sure exactly what their angle is. I’ve tried to play along but have been hung up on almost right away in every instance. Anyhow, they really need to filter their call list by removing non-US area codes. I’m Canadian and don’t have Medicare coverage.

Don’t know if there are &pizza fans here, but I am and always found their website helpful and easy to use. They texted me a link to their new website and rewards program. It was so ugly and dysfunctional, I was pretty sure it was a phishing link, but no, that’s really their new site.

OK, let’s go through this, step by step. If some of y’all understand how scams work, hopefully we can help folks avoid scams.

First: consider that ANY email address you may have provided to order food online, or to sign up to a web forum. Or for social media. Or for insurance or a bank…consider ANY of those email addresses to be compromised and available on lists that are regularly traded and purchased out there. No one specifically tried to “get” your email address. Your email address was likely on a list captured from a data breach over the last 5-15 years. Also: the longer you’ve been using an address, the more certain it is that your address is compromised.

“Compromised” here is a bit of a loaded term, too. I have three email addresses – one for work, one for personal and friends and family and REALLY important stuff, and one I use for Steam and Amazon and signing on to social media, etc. At least two of those are “compromised”, and I know that fully well…and I’m OK with it. It just means my spam folders get a little bit of a workout, and I need to be at least a little familiar with phishing scams. So let’s continue.

The first thing that a scamming operation that knows its business will do is to figure out which of the hundreds of thousands – if not millions – of addresses on a list they just bought or traded for is valid. They’ll send out shitty, obvious spam and scam emails for nonsense that are barely legible. The kind of spam we all laugh at.

Realize this: some of those are autogenerated nonsense. But a decent number of those are sent out just to check to see if the email address they’re sent to bounces the email back because the address is no longer in use. If the email is old and not valid any more, off the list it goes. If it does go through – even to a spam folder – it’s on to the next stage.

In that next stage, they step up the game, but only mildly. Now they’re going to start using an email program that will return to the scammer two things: whether an email was opened, and whether something in the email was clicked. That is why – and I cannot state this in big enough or bold enough font – NEVER OPEN AN EMAIL THAT LOOKS SUSPICIOUS WITHOUT HOVERING OVER THE EMAIL ADDRESS LISTED FROM THE SENDER TO SEE THE ACTUAL EMAIL ADDRESS.

Once you’ve opened an email from a phishing operation, they know you’re worth proceeding with, and you move on to the next stage.

In that next stage, they’re going to start hitting you up with emails from specific businesses. Banks usually, but anything will do. Now they’re pinging to see if you’ll open another email, but they’re using specific businesses to not only find out which fake business fronts you’re opening an email from, but also your location – not all businesses and banks operate in all areas of the country. And they may have another list of names, addresses, and even phone numbers and they’re trying to associate that information with a specific email if they can. They’re going to start paying attention to which emails you open.

And from there, it’s going to be a series of scammers using their most effective email addresses and their most effective scam come-ons, in increasing levels. The vast majority of folks who get baited into opening an email never get baited into a full-on scam, thankfully. But they’re the target group, and that’s how.

So. To defend yourself:

  1. Don’t engage. At all. They don’t care if you send an email back saying “Haha, this is a scam, you dummies.” They’re trying to find out if you’re the kind of person who opens emails from people they don’t know. Because that fits the profile of people who can be scammed. Don’t open any email that looks sus, without first hovering the email address. Block and spamify suspicious texts.

  2. Know your own financials. It’s free to sign up for Experian or Creditwise or similar sites. Many credit card companies offer credit monitoring for free (Capital One, for instance, operates Creditwise). You should be doing weekly/monthly checks of your credit rating if you think you’ve even been adjacent to a scam or accidentally opened an email.

  3. Keep your credit frozen until you need it unfrozen. It’s easy to freeze and unfreeze credit. It doesn’t affect your score. Do it.

  4. It’s easy to get flustered within the moment, but take some time and think through the scam email situation. For instance, stop and think about an instant oil change service in the original post. No instant oil change service place on the planet is going to let you drive off of their lot and send you an invoice via email. Not now, not ever. Like I said, it’s easy to get flustered in the moment and let your guard down. You can’t do that, though.