Did you get a fake McAfee or Norton invoice? How the scam works (and what not to do)

email scam crime concept

rob dobi/Getty Images

I just paid $715.15 for a five-year subscription to McAfee Total Protection covering 20 devices. At least, that’s what some unknown individual wants me to believe.

Also: Stop paying for third-party antivirus software. Here’s why

The news of my transaction came in the form of an email delivered to my personal account, with a PDF file attached. Here’s what the attachment looked like.

fake-mcafee-invoice

This fake invoice is convincing enough to fool an unsophisticated recipient

Screenshot by Ed Bott/ZDNET

That “receipt” looks official, doesn’t it? Especially to an inexperienced person who doesn’t have the experience to spot the telltale signs of a scam. You’ve probably seen similar phishing emails, congratulating you on your purchase of a subscription to McAfee or Norton Internet Security or some other brand that’s well-known to consumers.

Also: Was your SSN leaked to the dark web? How to check for suspicious activity (and what to do next)

The amount of the supposed transaction is usually just high enough to alarm you. And if you don’t realize it’s a scam, your first reaction is to pick up the phone and call the toll-free number on the invoice so you can explain that it’s all a mistake and you never ordered those products and ask them to please reverse the charges.

How the scam works

So, what happens if you call the number on that receipt? Thanks to an affidavit filed as part of a U.S. Federal court case in the Southern District of Mississippi, we now have a detailed description of this scam in operation. (Hat tip to Seamus Hughes and his excellent Court Watch newsletter for the link.)

Also: AI phone scams sound scary real. Do these 5 things to protect yourself and your family

The author of the affidavit is Martez Simpson, a Special Agent with the United States Secret Service, who described how the victim was taken for nearly $11,000. Agent Simpson even managed to talk to the recipient of the funds, an Indian national who was angry that his crypto account had been seized by the Feds pursuant to a court order.

The victim, a Mississippi woman, is identified only as V1 in the affidavit. After she received the phishing email, she called the phone number and spoke to a person who claimed to be a McAfee employee. (He was not, needless to say, a McAfee employee.) That person, referred to in Secret Service-speak as an unknown individual (“UI”), convinced the victim to install software that gave the crooks access to her computer.

Using command prompt entries, the UI convinced V1 that, rather than the $723.64 that the email had indicated was improperly taken out of her bank account, her banking data indicated a $77,723.64 amount was refunded. The UI informed V1 that because the wrong amount was refunded to the account, V1 needed to physically withdraw money from the bank and deposit the money into a Bitcoin ATM.

(As Agent Simpson notes in a footnote, it’s possible that more than one individual was involved in carrying out this scam. And if this story sounds familiar, it might be because several of the plot elements are central to the film Beekeeper, starring Jason Statham, which is now streaming on Amazon Prime.)

The victim was apparently convinced that this McAfee employee had access to her mobile phone and her email account and that the only way to regain access was to follow their instructions. She withdrew $15,000 in cash from her bank account and then, while remaining on the phone with the overseas criminals, went to two separate Bitcoin ATMs and converted nearly $11,000 of that cash into Bitcoin. She then emailed the Bitcoin tracking codes to a Gmail address provided by the crooks, who replied with a pair of QR codes that the unfortunate V1 used to transfer the funds to a Binance wallet controlled by the thieves.

There’s no indication in the affidavit of what happened next, but it’s most likely that the bad guys simply hung up. They had their funds, after all, and they no longer needed to keep up the pretense with the victim.

Also: The NSA advises you to turn your phone off and back on once a week – here’s why

After the bank told the victim she’d been defrauded, they called the Secret Service, who were able to trace the funds using blockchain analysis. They convinced Binance (which held the wallet) to freeze the $29,788.29 in that account while they went to court to recover those funds. That’s when the owner of the wallet, “Azmi,” contacted the Secret Service to find out why his account had been frozen.

According to Agent Simpson, “Azmi was adamant that he doesn’t know these people, insisting that he was just a trader. I believe Azmi was using the conversation to ‘fish’ for information regarding the frozen account and become better at this type of cryptocurrency scheme.”

Good luck with that, Azmi.

Other variations on a common scam

Your first reaction to this story is probably something along the lines of “Who would fall for this kind of crazy scheme?” The answer is: a lot of people. Typically, they’re responding to one of the two universal motivators, fear or greed. The Federal Trade Commission calls them “imposter scams,” and what they have in common is that the person trying to take your money wants to convince you they’re working for someone you trust: a big company like Amazon or PayPal, a government agency like the FTC, or perhaps your bank or credit union.

Also: How to find and remove spyware from your phone

There are plenty of variations besides the phony McAfee receipt. You might get a phone call, supposedly from Amazon or from your bank, alerting you to “fraudulent transactions.” There’s the fake antivirus warning that pops up and tells you your computer is infected and you need to call right away to remove the virus.

You can find countless examples of people who were scared into responding to these scams, like this Pittsburgh woman who lost $10,000 after she received a phony virus warning. She called the number on the pop-up message and spoke with a man who claimed to work for Microsoft. The thieves said her bank account had been compromised by a gang of Chinese child pornographers who were going to take her money unless she transferred it using a Bitcoin ATM. 

Also: Wiping a Windows laptop? Here’s the safest free way to erase your personal data

And even sophisticated people can get caught up in a money-moving scheme that looks preposterous in hindsight. Take the case of Charlotte Cowles, who is not a senior citizen and writes a financial advice column for New York magazine. She turned over $50,000 in cash to a gang of thieves who claimed to work for Amazon, the Federal Trade Commission, and the C.I.A. They convinced her that her identity had been stolen and they could help her avoid being charged with money laundering. Her bank tried, unsuccessfully, to point out that she was probably a victim of fraud.

It’s a wild story.

What should you do?

The people who run these online scams do it day in and day out. They’re experienced in techniques of social engineering designed to make their would-be victims feel anxious and afraid. The best way to fight back is to avoid engaging completely. If you’re helping out an unsophisticated friend or relative, here’s some advice you can offer them.

1. Trust your instincts 

One of the common threads in every story I’ve read about an online scam is the victim’s rueful comment: “I should have trusted my instincts.”

If something feels wrong, it probably is. The smartest thing to do when you receive a suspicious unsolicited email is to simply delete it. If you get a pop-up warning you that your computer’s infected, press Ctrl+W (Command+W on a Mac), which is the universal shortcut for closing a tab. Press Ctrl+Shift+W (Command+Shift+W on a Mac) to close all tabs.

2. Remain calm

Every online scammer has a script filled with dire scenarios to convince you that you’re in danger and that you must act immediately to avoid losing money or being arrested. That’s not the way the world works. There will be plenty of time to call your bank or credit card company later. Don’t panic.  

3. Don’t dial the number in that email or pop-up window

The whole point of a phishing attack is to fool you into talking with someone who is not who they say they are. If someone sends you a message trying to convince you they’re from Amazon, Apple, Microsoft, or McAfee, they’re probably lying. If they claim to be from your credit card company, call the number on the back of your card or on your printed bank statement and ask to speak to someone in the fraud department.

4. Keep your personal information private

No contact from a legitimate company is ever going to ask for your password, your PIN code, or details about your credit card account. If they start demanding that information, ask them some questions, like what’s your account number, and what are the last four digits of the card they have on file.

And if they can’t answer, well, that says something, doesn’t it?

5. When in doubt, hang up and call someone you trust

Once a scammer has you on the phone, regardless of who initiated the call, know that they thrive on creating panic and paranoia. The best antidote? Talk to a trusted friend or family member. Or call your bank or credit card company! They have a lot of experience with this grift, unfortunately.

6. Oh, and if someone tells you to go to a Bitcoin ATM, it’s a scam.

Legitimate organizations don’t ask you to send them Bitcoin deposits or gift cards.

If you don’t believe me, just ask the FTC.

ftc-bitcoin-atm-warning

Credit: Federal Trade Commission

This article was originally published on July 15, 2024. It was last updated August 17, 2024. 

READ MORE HERE