{"id":716,"date":"2020-10-29T22:15:59","date_gmt":"2020-10-30T02:15:59","guid":{"rendered":"https:\/\/macphoenix.com\/?p=716"},"modified":"2020-10-31T16:54:14","modified_gmt":"2020-10-31T20:54:14","slug":"pua-scam-email","status":"publish","type":"post","link":"https:\/\/macphoenix.com\/index.php\/2020\/10\/pua-scam-email\/","title":{"rendered":"Pandemic Unemployment Assistance Scam email"},"content":{"rendered":"\n

I recently received a scam email claiming to be from the Department of Labor, saying my Pandemic Unemployment Assistance<\/em> (PUA) has been temporarily restricted. Now, I’m not on PUA, so I knew immediately that it was a scam, but this one was tricky, because the scammers used a legitimate bulk email service1<\/a><\/sup> to send it, and the return address seems to belong to a dol.gov<\/code> account.<\/p>\n\n\n\n

\"Text<\/a><\/figure><\/div>\n\n\n\n

What are some problems with this email? Well, the dol.gov<\/code> address (Department of Labor) looks pretty good, but:<\/p>\n\n\n\n

  1. The \u201cTo: Customer Service\u201d return line<\/strong> is a tell. That should be my email address, not the sender\u2019s.<\/li>
  2. Emails that start with \u201cDear\u2026\u201d<\/strong> Unless it’s my grandma, no email starts with \u201cDear\u201d, especially from a business or the US government. \u201cDear\u2026\u201d is generally my first indication that the email I am reading isn\u2019t legitimate.<\/li>
  3. The greeting doesn\u2019t have my name.<\/strong> If the US government is going to send me something that requires my action, it will use my name. Fraudulent bank\/credit card scams also omit the name, because they don\u2019t know it, whereas legitimate bank and credit cards email do put my name in the greeting. Seeing your name is not a guarantee of legitimacy!<\/em> But if there is no name on something that you, yourself, are supposed to take action on, it’s most likely a scam.<\/li>
  4. The extra spaces between \u201cyour\u00a0\u00a0online\u201d and \u201cand \u00a0require\u201d<\/strong> in the first paragraph. Legitimate emails go through more than one person before they are sent out. Typographical errors are a sign that no one proofread the email.<\/li>
  5. What can’t be seen here is the link under \u201cVerify Your Recent Activity.\u201d<\/strong> If it were legitimate, it would go to a dol.gov<\/code> (US Department of Labor) website. This does not. It links to a very complicated URL<\/abbr>, which is from a bulk email service. See below for more details.<\/li>
  6. The link to unsubscribe.<\/strong> If this were a government email, it would probably have a whole lot more text at the bottom, but it wouldn\u2019t offer a way to unsubscribe as if it were from a mailing list.<\/li>
  7. The entirety of the email being just text and oddly indented. Scammers are extraordinarily lazy. This doesn\u2019t look anything like an email that you would get from the federal government.<\/strong> The lack of polish is a giveaway.<\/li><\/ol>\n\n\n\n


    The link presented by a bulk emailer essentially hides where you\u2019ll end up, in this case a URL starting with themooregroupofsc.cxx\/wordpress\/<\/code> If you\u2019re unsure about the providence of any link, do not<\/em> click or press on it. Often hovering over the link with your cursor on a computer will reveal the link\u2019s URL without clicking it. I haven\u2019t found a good solution on a mobile device, as you have to press the link to expose where it goes, and that pre-loads part of the website.<\/p>\n\n\n\n

    This (with redactions) was the link under \u201cVerify Your Recent Activity.\u201d<\/p>\n\n\n\n

    hxxps:\/\/u######.ct.sendgrid.net\/ls\/click?upn=HUlVlvE0NTGfmvKMRAeHOabb459Zmn4-2F05MDbjItZi4-3DB9Df_IYQgkcewnfgdL-2B1g8T-2FISryWQbRgm5CHR4aUqu-2FNqaI41yO6leoxDZnaMya5uE6R0C1aB-2BZ6Tq52Wql4YZwmg3FOYUTr1eDgfI-2BOrqgwBNKRsLQ-2BhsaYKkta7hMpLblBgjbAggxBjyhAQNosJH8lSwGoaNyEhcoto9h-2F446UqQ3AA1WY7UUw4puPG7S9GYWBaISrKfiX1FfFWDo1TwKedYEGxRzrY-2FdsS-2Bcpwu31CYw-3D<\/pre>\n\n\n\n
    This led to a site that looked like this:<\/p>\n\n\n\n
    \"Website<\/a><\/figure><\/div>\n\n\n\n
    Entering any information in these fields would go directly to the scammers. This is particularly problematic because it asks for a Social Security number. There are a few checks to make before entering information on a website like this. 1<\/strong> is that the URL does not contain dol.gov\/<\/code> or as it would imply login.gov<\/code>, which means that this site is not a Department of Labor nor a US government site. And 2<\/strong>, a more subtle clue is that the site is not SSL secured. The technical aspects of that are not important, but the browser would show a (usually green or grey) lock icon before the URL. In this case, there is a strike-through over the lock icon, which essentially means the browser cannot determine who owns or is responsible for the website. Never put personal or financial information in any field of a website that isn\u2019t showing a lock.<\/p>\n\n\n\n
    If you have any questions, I\u2019m opening the comments on this post. DO NOT SHARE PERSONAL OR FINANCIAL INFORMATION.<\/strong> But feel free to ask general question, point out errors in my logic, or to check if that email that just doesn\u2019t seem right is really a scam.<\/p>\n\n\n\n
    1. No one likes bulk emails (spam), but a legitimate bulk emailer is not a criminal. \u21a9\ufe0e<\/a><\/li><\/ol>\n","protected":false},"excerpt":{"rendered":"
      I recently received a scam email claiming to be from the Department of Labor, saying my Pandemic Unemployment Assistance (PUA) has been temporarily restricted. Now, I’m not on PUA, so I knew immediately that it was a scam, but this one was tricky, because the scammers used a legitimate bulk email service1 to send it, […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[17],"tags":[98,97,95,93,94,96],"class_list":["post-716","post","type-post","status-publish","format-standard","hentry","category-sneaks-and-scammers","tag-email","tag-labor","tag-pua","tag-scam","tag-spam","tag-unemployment"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8nj3d-by","_links":{"self":[{"href":"https:\/\/macphoenix.com\/index.php\/wp-json\/wp\/v2\/posts\/716","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/macphoenix.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/macphoenix.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/macphoenix.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/macphoenix.com\/index.php\/wp-json\/wp\/v2\/comments?post=716"}],"version-history":[{"count":12,"href":"https:\/\/macphoenix.com\/index.php\/wp-json\/wp\/v2\/posts\/716\/revisions"}],"predecessor-version":[{"id":972,"href":"https:\/\/macphoenix.com\/index.php\/wp-json\/wp\/v2\/posts\/716\/revisions\/972"}],"wp:attachment":[{"href":"https:\/\/macphoenix.com\/index.php\/wp-json\/wp\/v2\/media?parent=716"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/macphoenix.com\/index.php\/wp-json\/wp\/v2\/categories?post=716"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/macphoenix.com\/index.php\/wp-json\/wp\/v2\/tags?post=716"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}