Despite what the text you’re staring at says, you did not make a nearly $800 charge at a store you never visited with a bank you do not use. It’s a scam and one you can learn (and teach others) how to recognize and avoid this busy Black Friday shopping season.
I get it, text messages elicit an almost Pavlovian response. We don’t know what they’re about or if they’re even remotely important, but when they appear, we focus our attention and have this almost unstoppable desire to react.
During the Black Friday buying season, which, if we’re being honest with ourselves, started on November 1, you’re visiting dozens of stores online and in person, finding the best Black Friday Deals, using your credit cards (a lot), and setting up multiple deliveries to your home and elsewhere. Deal offers, confirmations of purchases, and notifications that deliveries have arrived (or not) come primarily through email and text.
Whatever attention you pay to messages, texts (and possibly even phone calls) is ratcheted up, heightened. That’s normal. That’s fine. Except for the fact that another contingent, the cybercriminal, knows that this is the thing you’ve become – the hyper-focused shopper who needs to know what’s going on with purchases and deliveries – and they are more than happy to deliver that “information” to you.
Merry scam time
“From Black Friday through Christmas these types of scams go through the roof. Not only is it holiday season when there are more special offers and sales than usual, but it’s always when consumers are busiest, and the busier you are, the less likely you may be to take the time to spot a scam,” said Cybercrime Magazine Founder and Editor-in-Chief Steven C. Morgan in an email to me.
Cybercrime is a big business. According to Cybersecurity Ventures, cybercrime will cost the world economy $9.5 trillion in 2024, which means it has the potential to cost $1 billion an hour. For you, the cost of cybercrime could be immeasurable. Certainly, if I had followed a recent text I received, the cost to me would’ve been far less, but also no less catastrophic.
The text in question arrived this morning from “my bank.”
It started with all caps because that’s how you get someone’s attention:
“CHASE.BANK.ALERT:Denied charge for $880.20 is pending at Amazon, Visit https://www.vcreativevision.es/Secure_Chase/ to deny or Approv”
Message in a lethal bottle
Like millions of other people, I have a Chase credit card that I favor for discretionary purchases. If I didn’t know what I do about cybercriminals, I might’ve fallen for this phishing attempt. The message is designed to elicit a combination of confusion and concern. A random, albeit significant, dollar amount is thrown out, the tone is alarmist, and it mentions Amazon where everyone shops.
Oh, and they’ve already done me the kindness of denying the charges (“Oh, they care about me”). However, because the text also includes “pending” in it, it’s clear the charges could still be applied to my account.
Crucial to the scam is the link.
“SCAM 101: Fake Chase Website. They do a really good job on those. But all it takes is someone with good web design skills and time. If you go to the .es site that comes from, you can see who they are,” wrote Morgan in an email to me after I sent him the message.
Morgan’s right, the URL doesn’t even bother to hide the fact that it’s not directly from Chase. When I visited the root domain I landed on a Spanish web designer’s homepage. However, when I let the full URL resolve to a web page, it ended up on a site that looked exactly like the real Chase website.
If I had logged into my Chase account through this site, the cybercriminals would’ve captured my credentials and used them to inflict serious financial pain.
The devil’s in the details
As someone who’s spent the better part of the last four decades working in technology, I know this isn’t the real Chase but I am worried about the rest of you.
Even Morgan admitted to me that there is no easy way to detect the difference.
“That’s precisely why our industry is spending billions (literally) on security awareness training so that by default you don’t click on a URL like that,” Morgan wrote me.
Maybe you’re reading this and thinking, “I’ve never received a text or email like that.” You might also think that even if you did, you wouldn’t be fooled. If you’re reading this (thank you, by the way), that may be true, but there are so many people who are not tech-savvy and think that when Amazon, their bank, the Social Security Service, or maybe the FBI sends them a text, they damned well better respond.
And it’s your job to tell them, especially during the busy holiday shopping season: They’re wrong.
“While there may be exceptions, as a rule, tech giants and banks do NOT send text messages to consumers inviting them to websites in order to investigate fraudulent charges or other activity,” said Morgan in an email.
Honestly, the same goes for the Social Security Department (they like to send snail mail), the FBI (they’ll show up at your door), and Amazon (they might send a notification through your Amazon account or the Amazon app).
Generally, no one is sending text messages that ask you to visit a URL. You could get an alert from your bank about suspicious charges, but they will encourage you to visit the official website on your own, log in and address the charges, or call them directly, and not with a number supplied in a text message.
Still, I get how all this can be confusing and the first line of defense is to take a hard look at the email or text message and check for tell-tale signs like an email address that could not possibly be from an official source, a foreign domain (“.es” instead of “.com”), misspellings in the URL or message, and dramatics like ALL CAPS.
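The tell-tale signs above can be checked mechanically. The sketch below is an added example, not part of the original article: it runs them over the text quoted earlier, and the brand-to-domain table and the tag names are assumptions made for illustration. An empty result does not mean a message is safe.

```python
import re
from urllib.parse import urlsplit

# Assumption: brand -> domains the recipient expects (illustrative, not a complete list).
BRAND_DOMAINS = {"chase": {"chase.com"}, "amazon": {"amazon.com"}}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def _under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def triage_sms(text):
    """Return the warning signs present in one SMS body, as short tags."""
    flags = []
    named = [b for b in BRAND_DOMAINS if b in text.lower()]
    # Shouting opener such as "CHASE.BANK.ALERT:"
    if re.match(r"[A-Z][A-Z.!\s]{5,}", text):
        flags.append("all-caps-opener")
    for url in URL_RE.findall(text):
        flags.append("link-in-text")
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        expected = {d for b in named for d in BRAND_DOMAINS[b]}
        # The message names a brand, but the link points at somebody else's host.
        if expected and not any(_under(host, d) for d in expected):
            flags.append("host-not-official:" + host)
            tld = host.rsplit(".", 1)[-1]
            if tld not in {d.rsplit(".", 1)[-1] for d in expected}:
                flags.append("unexpected-tld:." + tld)
        # Brand name used as decoration in the path while the host is not the brand's.
        for b in BRAND_DOMAINS:
            if b in parts.path.lower() and not any(_under(host, d) for d in BRAND_DOMAINS[b]):
                flags.append("brand-in-path:" + b)
    return flags

# The message quoted in the article above.
ARTICLE_SMS = ("CHASE.BANK.ALERT:Denied charge for $880.20 is pending at Amazon, "
               "Visit https://www.vcreativevision.es/Secure_Chase/ to deny or Approv")
# Constructed benign notice for contrast.
BENIGN_SMS = "Chase: we declined a charge of $12.00. Open your banking app to review it."

if __name__ == "__main__":
    for sms in (ARTICLE_SMS, BENIGN_SMS):
        print(triage_sms(sms) or "no warning signs", "<-", sms[:40])
```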
I really don’t know exactly what form your scam will take but if you own a smartphone and have a bank account and credit cards, you will encounter them. So will your family, friends, and coworkers. This holiday season, give them the gift of knowledge and educate them on how not to get scammed so we can all enjoy this festive, fun, and insanely busy Black Friday Deals season.
Some final thoughts
- Don’t follow URLs in text messages
- Don’t let scare tactics scare you
- Contact everyone directly
- Never let anyone control your computer
- Get better passwords and digital security
- Be suspicious (that’s it. that’s the advice)
- Share this post