Steven J.J. Weisman, JD
Steven J.J. Weisman, JD, is an attorney in private practice and a senior lecturer at Bentley University in Waltham, Massachusetts. He is the author of Identity Theft Alert and founder of the scam-information website Scamicide.com.
Email scams are becoming tougher than ever to detect. Thanks to artificial intelligence, even scammers who lack strong command of the English language or graphic design skills now can create emails and websites that look 100% legitimate, with none of the telltale typos, mangled syntax or clunky graphics that previously tipped off potential victims that something was amiss. Among the latest email scams going around now—from our Bottom Line scam expert Steven J.J. Weisman, Esq.…
A man receives an email request from his adult daughter asking if he could buy some gift cards and send her the numbers. The email says she’s tied up with something but needs the gift cards ASAP…and promises that she will pay her father back within the week. The father is suspicious—he’s heard of gift card scams—but the email address on the message is his daughter’s.
Scam: Just because it’s his daughter’s email address doesn’t guarantee that it’s his daughter’s email message—scammers have ways of sending emails that appear to come from other people’s addresses. In fact, by “spoofing” the email address, scammers can do this without even hacking victims’ accounts. Spoofing is essentially forging an email address so that the email appears to come from it. Spoofed emails are believed to have been at the heart of a recent scam that cost a Luxembourg-based chemical company $60 million—one of the company’s employees was tricked into thinking he had been instructed to send out massive payments.
Self-defense: Don’t ever assume an email is from the person associated with the listed email address. Reach out to the sender via a separate text or phone call to confirm that it’s real—particularly if the email includes a request for money or gift cards…or a request to click a link or visit a website. Be especially suspicious if the email says not to bother reaching out in these ways.
A man receives what appears to be an invoice from PayPal—it came from a PayPal email address—only it’s for a purchase that he didn’t make. The invoice contains a phone number to call if the recipient has questions about the bill, so the man calls and a PayPal rep leads him through a series of steps on his computer to figure out what’s going on.
Scam: The phone number on the invoice connected this man with a scammer, not with PayPal customer service. Following that scammer’s instructions allowed the scammer access to the man’s computer and digital accounts. Fake PayPal invoices are a common scam, but this version is especially tricky because the invoice comes from an actual PayPal email address—scammers can accomplish this by opening PayPal Business accounts.
Similar: In a comparable Geek Squad scam, victims receive emailed invoices that appear to come from Best Buy’s subsidiary, Geek Squad. The victims reach a scammer when they call the provided phone number to protest that they never requested Geek Squad services.
Self-defense: Be wary of any email or invoice that seems to come from PayPal—it’s one of scammers’ favorite companies to impersonate along with Geek Squad and Netflix. Don’t click links or call phone numbers provided in these emails—or those in any email that seems to come from a major company. Instead, visit that company’s legitimate website, locate a customer service phone number or chat link on that site, then use this to ask whether the email or invoice is legitimate. One clue that the victims have dialed a scammer—they almost immediately get through to a real person, without navigating a phone tree or sitting on hold.
An airline passenger posts a message on social media complaining about a problem he is having with an airline—perhaps he has been unable to secure a refund he’s due, for example. Posting complaints like these to social media can be an effective way to spur action—corporations, including airlines, often have customer service reps monitoring social media for such posts. And this passenger does indeed receive a reply—an airline customer service rep emails to say she saw the posting and wants to help.
Scam: This reply isn’t really from an airline employee—it’s from a scammer who monitors social media, then poses as a customer service employee. The scammer tries to trick passengers into providing their credit card numbers or into clicking links that download malware onto their computers. The scam is effective because the actual airlines provide such poor customer service that passengers leap at offers of assistance.
Variation: The scammer just sends out thousands of emails or texts that appear to come from one of the major airlines warning recipients that there’s a problem with their upcoming flight. The message might claim a flight was canceled, and the passenger must click a link to rebook on a different flight. These scammers know that if they send out enough emails, some recipients will have upcoming flights on this airline.
Self-defense: Never click links or call phone numbers in emails or texts that appear to come from airlines. Instead, use a search engine to find that airline’s actual website, then contact the legitimate customer service department via phone or chat to confirm whether the message you received is real.
Also: Don’t toss airline boarding passes into airport trash cans after landing. The barcode on your boarding pass contains information about you—even your email address and phone number. Scammers have been known to purchase code readers, pluck boarding passes from airport trash, then contact the passengers posing as airline employees.
A Social Security recipient receives an email warning that the Social Security system is implementing increased online security measures…and because she set up her “My Social Security Account” prior to September 18, 2021, she must transition to a new “Login.gov” account.
Scam: This latest Social Security ploy is especially tricky because these emails really might be legitimate—the real Social Security Administration actually is requiring people who set up My Social Security Accounts before that date to transition to new accounts. But the fact that the Social Security Administration is sending out these emails inevitably means that scammers will send out fakes that encourage recipients to click links that lead to ID theft and/or malware.
Similar: In another Social Security scam, victims receive an email warning that they have not yet registered for Social Security’s recent cost-of-living increases and that they’ll miss out if they don’t do so soon. Reality: Cost-of-living increases are applied automatically—there’s never any need to register for them.
Self-defense: If you receive an email about updating your Social Security account, don’t click any links in the message. Instead, type “Login.gov” into a web browser’s address bar, then click the “Create an account” tab. If you receive an email prodding you to register for Social Security cost-of-living increases, simply ignore it.
A car owner receives an email or text warning that he has a small unpaid balance on his E-Z Pass account—E-Z Pass is the transponder-based system that allows drivers in the eastern US to pay highway and bridge tolls without stopping at toll booths. The message includes a link to a website where the car owner can pay the balance due—and a warning that he’ll face significant fines if he fails to do so promptly.
Scam: The message isn’t from the real E-Z Pass system. If this man pays as directed, he’ll be handing his credit card information to a scammer. The scam is effective because so many drivers use E-Z Pass, but few of them keep careful tabs on their account balance, and it seems easier to pay a very small bill than to confirm it is legitimate.
Self-defense: Rather than click a provided link to pay an E-Z Pass balance, enter “E-Z Pass” and the name of your state into a search engine to locate the program’s actual website, then check whether you have an outstanding balance.