Sneaks and Scammers

Pandemic Unemployment Assistance Scam email

I recently received a scam email claiming to be from the Department of Labor, saying my Pandemic Unemployment Assistance (PUA) has been temporarily restricted. Now, I’m not on PUA, so I knew immediately that it was a scam, but this one was tricky, because the scammers used a legitimate bulk email service[1] to send it, and the return address seems to belong to a account.

Text of email:

Dear PUA Customer,

We’re writing to let you know that your access to your online account has been temporarily restricted because of suspicious activity and require your immediate attention:

Please log into your account immediately to verify your recent activity:

Verify Your Recent Activity

It is very important that you follow all instructions included in each document when responding. If you do not respond timely, you may miss important deadlines, and the agency may make decisions about your PUA benefits based on the information available.

If you'd like to unsubscribe and stop receiving these emails click here.

What are some problems with this email? Well, the address (Department of Labor) looks pretty good, but:

  1. The “To: Customer Service” return line is a tell. That should be my email address, not the sender’s.
  2. Emails that start with “Dear…” Unless it’s my grandma, no email starts with “Dear”, especially from a business or the US government. “Dear…” is generally my first indication that the email I am reading isn’t legitimate.
  3. The greeting doesn’t have my name. If the US government is going to send me something that requires my action, it will use my name. Fraudulent bank/credit card scams also omit the name, because they don’t know it, whereas legitimate bank and credit card emails do put my name in the greeting. Seeing your name is not a guarantee of legitimacy! But if there is no name on something that you, yourself, are supposed to take action on, it’s most likely a scam.
  4. The extra spaces between “your  online” and “and  require” in the first paragraph. Legitimate emails go through more than one person before they are sent out. Typographical errors are a sign that no one proofread the email.
  5. What can’t be seen here is the link under “Verify Your Recent Activity.” If it were legitimate, it would go to a (US Department of Labor) website. This does not. It links to a very complicated URL, which is from a bulk email service. See below for more details.
  6. The link to unsubscribe. If this were a government email, it would probably have a whole lot more text at the bottom, but it wouldn’t offer a way to unsubscribe as if it were from a mailing list.
  7. The entirety of the email being just text and oddly indented. Scammers are extraordinarily lazy. This doesn’t look anything like an email that you would get from the federal government. The lack of polish is a giveaway.

The link presented by a bulk emailer essentially hides where you’ll end up, in this case a URL starting with themooregroupofsc.cxx/wordpress/. If you’re unsure about the provenance of any link, do not click or press on it. Often hovering over the link with your cursor on a computer will reveal the link’s URL without clicking it. I haven’t found a good solution on a mobile device, as you have to press the link to expose where it goes, and that pre-loads part of the website.

This (with redactions) was the link under “Verify Your Recent Activity.”


This led to a site that looked like this:

Website excerpt of scamming site containing fields asking for Social Security Number, password, and Zip code.

Any information entered in these fields would go directly to the scammers. This is particularly problematic because it asks for a Social Security number. There are a few checks to make before entering information on a website like this. The first is that the URL does not contain or as it would imply, which means that this site is neither a Department of Labor nor a US government site. The second, a more subtle clue, is that the site is not SSL secured. The technical aspects of that are not important, but the browser would show a (usually green or grey) lock icon before the URL. In this case, there is a strike-through over the lock icon, which essentially means the browser cannot determine who owns or is responsible for the website. Never put personal or financial information in any field of a website that isn’t showing a lock.
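The link checks described above (where the link really goes, whether the host is on the sender's own domain, and whether the site uses HTTPS) can be run on an email's HTML without clicking anything. This is an added example, not part of the original post; the expected domain `dol.gov`, the tracking host `click.bulkmailer.example` and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domain the claimed sender would really use (not stated on the page).
EXPECTED_DOMAIN = "dol.gov"

class LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_url(url, expected=EXPECTED_DOMAIN):
    """Return warning flags for one URL: the two checks the post describes."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = [] if parts.scheme == "https" else ["not-https"]  # no lock in the browser
    # Match the domain or a subdomain of it, never a substring (dol.gov.x.example).
    if host != expected and not host.endswith("." + expected):
        flags.append("unexpected-domain")
    return flags

def audit_email(html, expected=EXPECTED_DOMAIN):
    """List (visible text, real host, flags) for each link in the email."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(text, urlsplit(href).hostname, check_url(href, expected))
            for text, href in parser.links]

# Constructed sample: the email's two links, pointing at a made-up tracking host.
SAMPLE_HTML = """<p>Please log into your account immediately:</p>
<a href="https://click.bulkmailer.example/ls?upn=REDACTED">Verify Your Recent Activity</a>
<p>To unsubscribe <a href="https://click.bulkmailer.example/unsub?u=REDACTED">click here</a>.</p>"""

if __name__ == "__main__":
    for text, host, flags in audit_email(SAMPLE_HTML):
        print(f"{text!r} -> {host} {flags}")
    print(check_url("http://themooregroupofsc.cxx/wordpress/"))
```

An empty flag list only means a link passed these two checks. A tracking link still hides the final destination, so the landing URL needs the same check.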

If you have any questions, I’m opening the comments on this post. DO NOT SHARE PERSONAL OR FINANCIAL INFORMATION. But feel free to ask general questions, point out errors in my logic, or to check if that email that just doesn’t seem right is really a scam.

  1. No one likes bulk emails (spam), but a legitimate bulk emailer is not a criminal.