Email Scam – Gridinsoft Blog
https://gridinsoft.com/blogs
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed generated Tue, 23 Dec 2025 02:05:36 +0000

Fake “Norton Invoice” refund scam – anatomy, red flags, and what to do (real example)
https://gridinsoft.com/blogs/fake-norton-invoice-refund-scam-anatomy/
Mon, 22 Dec 2025 23:49:02 +0000

The post Fake “Norton Invoice” refund scam – anatomy, red flags, and what to do (real example) appeared first on Gridinsoft Blog.

A common phishing pattern is the Norton invoice refund scam: an email arrives with a PDF “receipt” that looks like a subscription renewal. The message is designed to create panic with a large charge and a short deadline, then push the recipient to call a phone number.

The real fraud usually happens during that call – when scammers try to extract personal data, gain remote access, or redirect money.
This article breaks down a real sample and explains how to spot it and respond safely.


What this scam is

The Norton invoice refund scam (often paired with tech-support tactics) starts with an unsolicited invoice claiming you paid for a product you never ordered.

[Image: fake Norton invoice scam sample]

The PDF typically highlights a “support” number and makes canceling or refunding sound urgent. If the victim calls, the scammer guides the conversation toward actions that increase risk – sharing sensitive information, installing remote-access tools, or initiating a payment under the pretence of a refund or verification.

Key point: The PDF is bait. The scam usually succeeds only if the target calls the number, clicks a link, or installs software.

What the invoice tries to make you believe

The sample PDF uses familiar branding and billing language to look legitimate. It claims an auto-debit subscription renewal, shows a high dollar amount, and adds a time limit to push quick action.

[Image: Norton scam invoice]

This combination (brand + big charge + urgency + phone number) is a strong indicator of an invoice-refund campaign.

Field shown in the PDF | Example value (masked)                 | Why it matters
-----------------------|----------------------------------------|------------------------------------------------------------------
Brand / header         | “Norton by Symantec”                   | Brand impersonation borrows trust and lowers skepticism. (Norton has not been branded “by Symantec” since 2019, so the outdated name is itself a tell.)
Product                | “Life-Lock For Home and Office”        | Vague or inconsistent product naming is common in fake invoices.
Amount                 | $639.99 USD                            | A large charge raises panic and crowds out careful verification.
Payment method         | “Auto-debit”                           | Presented without proof: no account context, no recognizable order history.
Deadline language      | “within 12 hours”, “24-hour deadline”  | Artificial time pressure is a classic manipulation technique.
Support phone          | +1 (616) 349-0xxx                      | Getting the victim onto a phone call is the conversion step of a refund scam.
Sender                 | Personal email (e.g., @gmail.com)      | A sending domain the brand does not own is a high-signal indicator of impersonation.

Tip: Check the sender and the message headers first (the From domain, Return-Path and Authentication-Results), before reading the attachment. A polished PDF proves nothing about who sent it.

How the Norton invoice refund scam works

Most campaigns follow a predictable flow. The fake invoice is only the opener – the attacker aims to move the target into a phone conversation where they can control the narrative.
The flowchart below illustrates the typical sequence and why the phone call is the critical risk point.

[Flowchart: how the fake invoice scam works – hook, pressure, trap, and safe response. The chart shows how fake invoice emails use urgency and a “call support” number to trigger a refund scam, and the safest response.]

It usually starts with a simple hook: a polished-looking invoice PDF lands in your inbox, labeled “renewal” or “receipt”, with a big charge that you do not recognize. Next comes pressure – the message adds a tight deadline (often 12-24 hours) to stop you from thinking and checking calmly.

Then the trap appears: a “call support” phone number that promises a quick fix. If you call, that is where the real attack begins – the scammer tries to steer you into installing remote-access software, “confirming” card or bank details, or logging in while they watch. The safest ending is to stay off their channel: do not call, verify independently in your bank/app and the official vendor site, then report the email and delete it.

Risk trigger: The moment a call starts, the scammer can steer the situation. Treat unsolicited “invoice support” calls as high risk.

Red flags that indicate an invoice refund scam

Some signals are strong enough that a single one is often sufficient to treat the message as malicious. Others are weaker on their own but meaningful in combination.
The chart below summarizes the most common flags seen in invoice-refund campaigns.

[Chart: six common red flags used in fake invoice emails – urgent deadline, sender mismatch, auto-debit claim, “call support” prompt, large charge, generic text.]

High-confidence indicators

  • Sender mismatch: the email comes from a domain that is not owned by the brand (for example, a consumer domain like @gmail.com). Note that SPF, DKIM and DMARC can all pass for such a message, because the free-mail provider really did send it; authentication results tell you who sent the mail, not whether the brand did.
  • Phone-first resolution: the PDF insists you must call a phone number to cancel, dispute, or refund.
  • Artificial urgency: 12-24 hour “deadlines” or “statement cutoffs” that pressure immediate action.
  • No external verification: the claimed charge cannot be found in your bank/card portal or official account history.

Medium-confidence indicators

  • Vague product or plan names, inconsistent formatting, or missing account identifiers you recognize.
  • Long, random-looking invoice strings that are easy to generate but hard to validate.
  • Generic greetings (“Hi there”) and unnatural phrasing that suggests templated content.
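The indicators above can be scored mechanically. The script below is an added example, not code from the Gridinsoft post: it parses a raw message with Python's standard `email` package and checks the high-confidence signals the post lists (brand name in the display name but a foreign sending domain, Reply-To pointing elsewhere, a phone number next to “call”, deadline wording, a large dollar amount). The sample message, the `BRAND_DOMAINS` mapping, the phone number and the score thresholds are all constructed for the example.

```python
"""Triage an invoice-style phishing email from its raw headers and body.

Added example (not from the Gridinsoft post). The message below is
constructed; BRAND_DOMAINS is an assumed allow-list that a real deployment
would load from configuration.
"""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: brand in the display name, free-mail sending domain,
# a different Reply-To, and a "call us" pitch. Not a real message.
SAMPLE_EML = b"""\
Return-Path: <billing.desk8841@gmail.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=gmail.com;
 dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com
From: "Norton by Symantec" <billing.desk8841@gmail.com>
Reply-To: refunds-team@outlook.com
To: victim@example.net
Subject: Your Norton renewal receipt - $639.99 auto-debited
Content-Type: text/plain; charset=utf-8

Hi there,

Your Life-Lock For Home and Office subscription has been renewed and
$639.99 USD was charged to your account via auto-debit.
If you did not authorize this charge, call our support desk at
+1 (555) 010-4477 within 12 hours to cancel and receive a refund.
"""

# Assumed mapping: brand keyword -> domains that brand really mails from.
BRAND_DOMAINS = {
    "norton": {"norton.com", "nortonlifelock.com", "gendigital.com"},
}

PHONE_RE = re.compile(r"\+?1?\s*\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})*|\d+)(?:\.\d{2})?")
URGENCY_RE = re.compile(r"\bwithin\s+\d+\s+hours?\b|\b\d+[- ]hour\b|\bimmediately\b", re.I)
CALL_RE = re.compile(r"\b(call|phone|dial)\b", re.I)


def _domain(addr_header):
    """Lower-cased domain part of an address header, or '' if none."""
    match = re.search(r"@([A-Za-z0-9.-]+)", str(addr_header or ""))
    return match.group(1).lower() if match else ""


def triage(raw_bytes, brand_domains=BRAND_DOMAINS, large_charge=200.0):
    """Return (score, reasons). A score of 3 or more is treated as
    high-confidence phishing in this example."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons, score = [], 0

    from_hdr = str(msg.get("From", ""))
    from_dom = _domain(from_hdr)
    display = from_hdr.split("<")[0].strip(' "').lower()

    # 1. Brand named in the display name, but sent from a domain it does not own.
    for brand, domains in brand_domains.items():
        if brand in display and from_dom not in domains:
            score += 2
            reasons.append(f"display name claims {brand!r} but From domain is {from_dom}")

    # 2. Replies or bounces routed to a different domain than From.
    for hdr in ("Reply-To", "Return-Path"):
        other = _domain(msg.get(hdr, ""))
        if other and other != from_dom:
            score += 1
            reasons.append(f"{hdr} domain {other} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""

    # 3. Phone-first resolution: a phone number next to an instruction to call.
    if PHONE_RE.search(text) and CALL_RE.search(text):
        score += 2
        reasons.append("asks recipient to call a phone number")

    # 4. Artificial urgency in body or subject.
    if URGENCY_RE.search(text + " " + str(msg.get("Subject", ""))):
        score += 1
        reasons.append("deadline / urgency wording")

    # 5. A large charge (first amount at or above the threshold counts once).
    for m in AMOUNT_RE.finditer(text):
        if float(m.group(0).replace("$", "").replace(",", "").strip()) >= large_charge:
            score += 1
            reasons.append(f"large charge {m.group(0).strip()}")
            break

    # Informational: a DMARC pass for gmail.com proves Gmail sent it, not Norton.
    all_brand = {d for ds in brand_domains.values() for d in ds}
    if "dmarc=pass" in str(msg.get("Authentication-Results", "")) and from_dom not in all_brand:
        reasons.append("DMARC passes for the sending domain, which is not the brand's")

    return score, reasons


if __name__ == "__main__":
    total, why = triage(SAMPLE_EML)
    print("score:", total)
    for r in why:
        print(" -", r)
```

Run it on the sample and every listed indicator fires; the only one that does not add to the score is the DMARC note, which is there to make the point from the list above explicit: authentication results vouch for the sending domain, not for the brand in the display name.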

What to do if you receive a suspicious invoice

The safest response avoids interacting with the message and focuses on independent verification. The steps below are designed to prevent the scammer from moving the conversation onto their channel (phone, remote tools, or payment workflows).

If you have not clicked or called

  1. Do not call the number and do not reply.
  2. Open your banking app (or card portal) and check for a real charge.
  3. If there is no charge, delete the email and mark it as spam/phishing.
  4. If you want to verify anyway, type the vendor website manually and check your account there (do not use links from the email).

Operational rule: treat all contact details inside the email/PDF as untrusted until verified independently.

If you called, clicked, or installed something

  1. Disconnect the device from the internet.
  2. Uninstall any remote-access tool you were told to install and reboot. If you cannot tell what was installed, treat the device as compromised until it has been scanned.
  3. Change passwords, starting with email, then banking, then everything else (from a different, clean device if possible), and sign out of other sessions where the service offers it.
  4. Contact your bank/card issuer, explain that you interacted with a refund/tech-support scam, and ask them to check for any transfers or card activity from during the call.
  5. Run a reputable malware scan and review browser extensions.

Reality check: If the invoice is legitimate, it will be verifiable through your payment method or official account portal – not through a phone number embedded in a PDF.

Reporting and verification

These official channels can be used to report scams or confirm next steps. If you are unsure about a link, type the official URL manually.


Disclaimer: This article is educational and describes common scam patterns. If you see an unexpected charge, verify it through your bank/card issuer and the official vendor account portal (not via phone numbers or links provided inside the email/PDF).

Pegasus Email Scam – Fake “Have You Heard About Pegasus” Emails
https://gridinsoft.com/blogs/have-you-heard-of-pegasus-scam/
Mon, 23 Jun 2025 09:37:52 +0000

The post Pegasus Email Scam – Fake “Have You Heard About Pegasus” Emails appeared first on Gridinsoft Blog.

The Pegasus email scam is one of those annoying blackmail campaigns that just won’t die. You know the type – threatening messages claiming hackers have compromising videos of you and demanding Bitcoin payments. This particular scam stands out because it name-drops the infamous Pegasus spyware to sound more legitimate.

These scams are part of a broader category of professional hacker email scams that use similar tactics to intimidate victims. Like other sextortion email campaigns, they rely on fear and embarrassment to pressure people into paying.

But here’s the thing: it’s complete nonsense. These scammers are banking on your fear and lack of technical knowledge about how real malware works. Let’s break down exactly why this scam is fake and what you should do if you receive one of these emails.

What Makes This Scam Different

Unlike generic blackmail emails, the Pegasus scam has evolved to become more convincing through personalization. Modern versions include:

  • Your real first name in the subject line
  • Your phone number displayed prominently in the message
  • Old passwords you may have actually used
  • PDF attachments named after you (like “john.pdf”)

This personal touch makes people panic and think the threat is real. But it’s just sophisticated social engineering using leaked data that’s probably years old.

Examples of Current Pegasus Scam Emails

Here are the complete email samples that people are receiving right now. These show the full extent of the scammer’s manipulation tactics:

Version 1: The Personalized Threat

*First Name*,

I know that, XXX-6573 is too personal to reach you.

I won’t beat around the bush. You don’t know anything about me whereas I know you and you must be thinking why are you getting this e-mail, right?

I actually placed Pegasus (spyware) on p*** website and guess what, you visited same s** website to have fun (if you know what I mean). And while you were busy watching those videos, your internet browser started working as a RDP (Remote Device) that has a backdoor which provided me accessibility to your screen and also your camera controls. Immediately after that, my software program obtained all of your information and your complete contacts from device including all of your photos.

Exactly what I want?

It is simply your misfortune that I am aware of your misdemeanor. I then invested in more days than I probably should have exploring into your data and prepared a split-screen videotape. First part shows the recording you were watching and 2nd part displays the capture from your web camera (it is someone doing nasty things). In good faith, I am ready to delete everything about you and allow you to continue with your regular life. And I will present you two options which will achieve it. These two alternatives are to either turn a blind eye to this letter (bad for you and your family), or pay me a small amount.

What should you do?

Let us understand these 2 options in more details. Alternative one is to ignore my e mail. Let us see what is going to happen if you choose this path. I definitely will send your s****** to your entire contacts including friends and family, co- workers, and so forth. It will not protect you from the humiliation your household will face when relatives and buddies discover your unpleasant videotape from me in their inbox. Wise option is to pay me, and be confidential about it. We will name it my “privacy charges”. Now Lets see what will happen if you opt this path. Your dirty secret Will remain your secret. I’ll keep my mouth shut. After you pay, You go on with your daily life and family as if nothing ever happened. You will make the transfer through Bitcoin.

Required Amount: $4950
BTC ADDRESS: 15a2rbdy Xq4qRurasoxxxxxxxxxxx

(Here is QR code, scan it)

Important: You have one day to make the payment. (I have a special pixel in this email message, and now I know that you have read through this mail). The task to acquire bitcoins usually takes some efforts so don’t delay. If I don’t get the BitCoins, I will definitely send your s****** to all of your contacts including close relatives, colleagues, and so on. nevertheless, if I receive the payment, I’ll destroy the video immediately. If you really want evidence, reply with “yes!” and I will certainly send out your video to your 8 friends every day. It is a non negotiable one time offer, thus kindly do not waste my personal time & yours by replying to this e-mail. Let me remind you, my malware will be sharing what action you adopt when you are done reading this email. Let me tell you If I see any suspicious activity from your web history then I’ll share your s****** to your close relatives, coworkers even before time finishes.

Version 2: The “You Have Been Hacked” Variant

You have been hacked

Hello pervert, I’ve sent this message from your iCloud mail.

I want to inform you about a very bad situation for you. However, you can benefit from it, if you will act wisely.

Have you heard of Pegasus? This is a spyware program that installs on computers and smartphones and allows hackers to monitor the activity of device owners. It provides access to your webcam, messengers, emails, call records, etc. It works well on Android, iOS, and Windows. I guess, you already figured out where I’m getting at.

It’s been a few months since I installed it on all your devices because you were not quite choosy about what links to click on the internet. During this period, I’ve learned about all aspects of your private life, but one is of special significance to me.

I’ve recorded many videos of you jerking off to highly controversial porn videos. Given that the “questionable” genre is almost always the same, I can conclude that you have sick perversion.

I doubt you’d want your friends, family and co-workers to know about it. However, I can do it in a few clicks.

Every number in your contact book will suddenly receive these videos – on WhatsApp, on Telegram, on Skype, on email – everywhere. It is going to be a tsunami that will sweep away everything in its path, and first of all, your former life.

Don’t think of yourself as an innocent victim. No one knows where your perversion might lead in the future, so consider this a kind of deserved punishment to stop you.

Better late than never.

I’m some kind of God who sees everything. However, don’t panic. As we know, God is merciful and forgiving, and so do I. But my mercy is not free.

Transfer $1220 USD to my Bitcoin wallet: 1JVMTup4zuS1JMGXAYYRgvyr2PUmNnY6g2

Once I receive confirmation of the transaction, I will permanently delete all videos compromising you, uninstall Pegasus from all of your devices, and disappear from your life. You can be sure – my benefit is only money. Otherwise, I wouldn’t be writing to you, but destroy your life without a word in a second.

I’ll be notified when you open my email, and from that moment you have exactly 48 hours to send the money. If cryptocurrencies are unchartered waters for you, don’t worry, it’s very simple. Just google “crypto exchange” and then it will be no harder than buying some useless stuff on Amazon.

I strongly warn you against the following:
1) Do not reply to this email. I sent it from a temp email so I am untraceable.
2) Do not contact the police. I have access to all your devices, and as soon as I find out you ran to the cops, videos will be published.
3) Don’t try to reset or destroy your devices.

As I mentioned above: I’m monitoring all your activity, so you either agree to my terms or the videos are published.

Also, don’t forget that cryptocurrencies are anonymous, so it’s impossible to identify me using the provided address.

Good luck, my perverted friend. I hope this is the last time we hear from each other.

And some friendly advice: from now on, don’t be so careless about your online security.

Threat Analysis Summary

Before we dive into why this scam is fake, here’s a comprehensive breakdown of what security researchers have documented about these campaigns:

Threat Name             | Have You Heard About Pegasus Email Scam
Threat Type             | Phishing, sextortion scam, social engineering, fraud
Fake Claims             | Device infected with Pegasus spyware; compromising videos recorded; will be shared unless a ransom is paid
Ransom Amounts          | $1220 – $4950 USD (or 0.035 BTC)
Distribution Methods    | Mass email campaigns, PDF attachments named after the target, personalized subject lines
Target Information Used | First names, phone numbers, old passwords, email addresses from data breaches
Psychological Tactics   | Fear of exposure, shame, artificial urgency (24-48 hour deadlines), technical intimidation
Potential Damage        | Financial loss, emotional distress, unnecessary panic (no actual compromise occurs)

Known Scammer Cryptocurrency Wallets

Security researchers have identified multiple Bitcoin and Litecoin addresses used in these scam campaigns:

Bitcoin (BTC) Addresses:
1JVMTup4zuS1JMGXAYYRgvyr2PUmNnY6g2
12PY3MibuWtNHjszG4YMSaSEFf6Y8P2zcN
1AXNYLDEG5YEzc2eyUh7SUYYKeRUaRwseu
17KHqeibF7TWfb9dvPRrbRhvwpkYPd8R3R
1Dz3tE5mspT4fk9fxkfZk6fBcgav28XxRd
1P1muuaa35mkDDxaKZcvTSUqPAtMo1j8nr
bc1q34vjur6yxxra3mjktr2qu5wrkvelgrw47wf93k

Litecoin (LTC) Addresses:
ltc1q2yd2s2nq8vgw3swqfhudztarrfwakj96tk7s82
ltc1qughecqtek6x5mfjrhwf0wvg8cqgdehmhyxkluw
ltc1qpj5nfh4j6p7fnn5zwt8jsukz6fum2uj4use6e5
ltc1qjpua6w4zqvhdwlt7hdesshu9fgjfl0525lxvew
ltc1qpyvf4vkw8xg775jduf4uwyecesgd93g579skm7
ltc1q33rqzm8ry5q3y7nv7m8degk9smp6aqxd0lt9z4
ltc1qpvhhyl6d2lduj32apgwjwndz6xelc7s8sywscs
ltc1qzqzl6nvadwzjpx0428q7f0j86qkc56jm226d83
ltc1qcr905dtgzpvtvu2redcnmnkpme2nv0dxqw3a8r
ltc1qhv765ptm9culwmp98hwkes62htpp5hqqly75k8

Important: If you sent cryptocurrency to any of these addresses, the transaction cannot be reversed. This is why scammers prefer cryptocurrency payments.
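When these emails are processed at scale, the payment address is the one indicator worth extracting, and a mangled or masked copy (like the “15a2rbdy Xq4q…” string in Version 1 above) should not end up on a blocklist. The script below is an added example, not code from the Gridinsoft post: it pulls candidate Bitcoin/Litecoin addresses out of message text and verifies their checksums, Base58Check (double SHA-256) for legacy addresses and the BIP173/BIP350 polynomial for bech32/bech32m ones. The sample text is constructed; in place of a scammer's wallet it uses two publicly known valid addresses (the Bitcoin genesis block address and the BIP173 P2WPKH test vector) plus one deliberately mistyped copy, so that the expected results are known.

```python
"""Extract cryptocurrency addresses from a sextortion email and verify their
checksums before treating them as indicators.

Added example, not code from the Gridinsoft post. SAMPLE_EMAIL is
constructed; the two valid addresses in it are public test values, not
scammer wallets.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3

# Legacy Base58Check addresses start with 1 or 3 on Bitcoin, L/M/3 on Litecoin.
LEGACY_RE = re.compile(r"\b[13LM][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# bech32 addresses: human-readable part, separator '1', then charset data.
BECH32_RE = re.compile(r"\b(?:bc|ltc|tb)1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}\b", re.I)


def base58check_valid(addr):
    """True if addr decodes to 25 bytes whose last 4 equal the first 4 bytes
    of SHA256(SHA256(first 21 bytes)), i.e. version + hash160 + checksum."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    leading_zero_bytes = len(addr) - len(addr.lstrip("1"))   # each '1' is a 0x00
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * leading_zero_bytes + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def _bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_valid(addr):
    """BIP173 (bech32) / BIP350 (bech32m) checksum check; both are accepted
    because for IOC validation we only care that the string is well-formed."""
    if addr.lower() != addr and addr.upper() != addr:
        return False                                   # mixed case is invalid
    addr = addr.lower()
    sep = addr.rfind("1")
    if sep < 1 or sep + 7 > len(addr) or len(addr) > 90:
        return False
    hrp, data = addr[:sep], addr[sep + 1:]
    if any(c not in BECH32_CHARSET for c in data):
        return False
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values += [BECH32_CHARSET.index(c) for c in data]
    return _bech32_polymod(values) in (BECH32_CONST, BECH32M_CONST)


def extract_addresses(text):
    """Return [(address, scheme, checksum_ok)] for every candidate in text."""
    found = []
    for m in LEGACY_RE.finditer(text):
        found.append((m.group(0), "base58check", base58check_valid(m.group(0))))
    for m in BECH32_RE.finditer(text):
        found.append((m.group(0), "bech32", bech32_valid(m.group(0))))
    return found


# Constructed sample modelled on the scam emails quoted above.
SAMPLE_EMAIL = """Transfer $1220 USD to my Bitcoin wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
If that fails use bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4
Backup (copied with a typo): 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
"""

if __name__ == "__main__":
    for addr, scheme, ok in extract_addresses(SAMPLE_EMAIL):
        print(f"{addr:45} {scheme:12} {'checksum ok' if ok else 'INVALID'}")
```

The regexes are deliberately loose and the checksum does the real filtering: a single transcription error in either address format fails verification, which is what you want before an address is blocked, reported or looked up on-chain.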

Why This Scam is Complete BS

Now that you understand the scope of these campaigns, let me explain why every claim in these emails is fake:

Pegasus Isn’t Available to Random Scammers

Real Pegasus spyware is developed by NSO Group and, according to the company, licensed only to government agencies after a vetting process. It is not something random criminals buy on the dark web, whatever the email claims, and reported licence costs run into the millions of dollars. Unlike these fake claims, real spyware threats are documented in legitimate cybersecurity research.

Technical Claims Don’t Add Up

The scammers claim Pegasus works on “Android, iOS, and Windows”. Real Pegasus is mobile spyware: it targets iOS and Android phones, and it is not a Windows product, so the “all your devices” story already does not fit. The delivery story is just as wrong: the emails say it was planted by a porn site or a tracking pixel and turned your browser into “RDP”, while documented Pegasus deployments use targeted exploits against specific individuals, not mass email. These scammers clearly don’t know what they’re talking about.

No Actual Evidence Provided

Notice how they never include screenshots, file names, or any specific evidence? That’s because they don’t have any. Real hackers who compromise systems usually provide proof to establish credibility before demanding payment. This contrasts sharply with legitimate security warnings about actual threats like malware-spreading phishing emails.

Mass Email Campaign Logic

Think about it: if someone really spent months spying on you personally, why would they send the same generic message to thousands of people? It doesn’t make economic sense.

How They Get Your Personal Information

The scary part isn’t the fake hacking claims – it’s how they got your real information. Here’s how:

Data Breaches

Your personal details likely came from old data breaches. Companies get hacked, customer databases get stolen, and this information ends up for sale on the dark web. One breach might include your email and name, another your phone number, and yet another your old passwords. This is similar to how account verification email scams and password alert scams operate.

Data Aggregation

Scammers buy multiple breach databases and combine them to create detailed profiles. That’s how they can include your real name, phone number, and an old password you actually used years ago.

[Figure: Evolution of Pegasus email scam tactics]
  2020-2021, basic scam: generic messages, no personalization, low success rate
  2022-2023, password addition: old breached passwords included, more convincing, higher response rate
  2024-2025, full personalization: name, phone, address, PDF attachments, maximum fear factor
  Estimated success rates given in the figure: basic ~0.1%, password ~0.3%, personalized ~0.8% (the figure notes these are estimates based on security research and reported cases)

What to Do If You Receive This Scam

Don’t Panic

First and most importantly: do not send any money. These scammers have zero evidence because they never actually hacked you. Even if they included your real password or phone number, it doesn’t mean they have access to your devices.

Check If Your Data Was Breached

Visit Have I Been Pwned to see if your email address appears in known data breaches. This will help explain how scammers got your personal information. Understanding how to deal with spam emails can also help you take appropriate action.

Change Your Passwords

If the email included an old password you recognize, change the passwords on any accounts where you might have used it. Use unique, strong passwords for each account.

Scan Your Computer

While the Pegasus claims are fake, it is still good practice to scan your system for actual malware. Use GridinSoft Anti-Malware to make sure your computer is clean.

[Screenshot: GridinSoft Anti-Malware main screen]

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this checks all the volumes present in the system, including hidden folders and system files. Scanning takes around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

[Screenshot: scan results screen]

Click "Clean Now" to start the removal process. Important: removal may take several minutes when there are many detections. Do not interrupt it, and your system will be as clean as new.

[Screenshot: removal finished]

While the Pegasus scam emails are fake, it’s always wise to ensure your computer is free from actual threats. For comprehensive protection, consider learning about current scam trends and online shopping fraud.

How to Protect Yourself From Future Scams

Be Skeptical of Threatening Emails

Legitimate security researchers and law enforcement don’t communicate through threatening emails demanding Bitcoin payments. If someone had real evidence of wrongdoing, they wouldn’t give you 48 hours to pay up quietly. Learn to spot other common tactics used in phishing attacks and fake security alerts.

Keep Software Updated

Real malware often exploits outdated software vulnerabilities. Keep your operating system, browsers, and security software up to date to reduce the risk of actual infections.

Use Strong, Unique Passwords

The scariest part of these scams is seeing your real password in the message. Prevent this by using a unique password for every account, so one leaked password cannot be reused anywhere else, and change any password that has shown up in a breach.

Enable Two-Factor Authentication

Even if scammers have your password from an old breach, two-factor authentication stops that password on its own from getting them into your current accounts.

[Figure: Red flags that identify Pegasus email scams]
  • Demands Bitcoin payment: legitimate organizations don’t demand cryptocurrency
  • Tight deadlines: “48 hours” creates artificial urgency
  • No specific evidence: real hackers provide proof of compromise
  • Generic accusations: vague claims that could apply to anyone
  • Discourages contact: “don’t contact police” is a major red flag

Legitimate security alerts: come from official company domains, provide specific account details, offer legitimate recovery options, never demand immediate payment.
Pegasus scam emails: generic threatening language, demand cryptocurrency payments, use fear and shame tactics, provide no real evidence, create artificial urgency.
Remember: real security incidents are handled through official channels, not threatening emails.

Why These Scams Keep Working

Despite being obvious fakes to security professionals, Pegasus email scams continue because they exploit basic human psychology. Similar tactics are used in cryptocurrency scams and “we hacked your system” email scams:

Fear of Exposure

The threat of having private activities exposed to friends and family triggers powerful emotional responses that override logical thinking.

Technical Intimidation

Most people don’t understand how malware works, so claims about sophisticated spyware sound plausible even when they are technically implausible. Understanding the difference between real threats like information stealing malware and fake scam claims helps build better awareness.

Artificial Urgency

The 48-hour deadline prevents victims from researching the scam or consulting with others who might recognize it as fake.

Personalization Creates Credibility

Including real personal information makes the entire message seem more legitimate, even though that data came from unrelated breaches. This personalization technique is also used in phishing attacks and social media investment scams.

The Bottom Line

The “Have you heard of Pegasus” email scam is sophisticated social engineering, but it’s still just that – a scam. The technical claims don’t hold up to scrutiny, the demands are typical of blackmail operations, and no legitimate security incident would be handled this way.

If you receive one of these emails, don’t panic. Delete it, change any passwords mentioned in the message, and move on with your day. The only real threat here is the risk of falling for the scam and losing money to criminals. Stay informed about other current threats like AI-related scams and QR code phishing.


Stay vigilant, keep your software updated, and remember: real cybersecurity threats don’t announce themselves with Bitcoin ransom demands.

Account Verification Alert Email Scam: How to Spot and Stay Safe
https://gridinsoft.com/blogs/account-verification-alert-email-scam/
Sat, 17 May 2025 04:37:21 +0000

The post Account Verification Alert Email Scam: How to Spot and Stay Safe appeared first on Gridinsoft Blog.

The “Account Verification Alert” phishing scam is showing up more and more in email inboxes. These fake messages claim your account needs to be verified or it will be shut down. This guide shows you how to spot this dangerous scam, what happens if you click on the verification link, and steps to protect yourself.

Name                 | “Account Verification Alert” phishing email
Threat Type          | Phishing, scam, social engineering, fraud
Fake Claim           | Email account must be verified to avoid service problems and account deletion
Disguise             | Email service provider security alert
Detection Names      | Email.Phishing.Verification, Scam.Email.Auth, Fraud.Credential.Theft
Symptoms             | Unwanted online purchases, changed account passwords, identity theft, someone else using your account
Distribution Methods | Fake emails, spam campaigns, stolen email lists
Damage               | Loss of private information, money loss, identity theft, account takeovers

What is the “Account Verification Alert” Email Scam?

The “Account Verification Alert” email is a clever phishing trick that pretends to be from real email providers. These fake messages claim that your email account needs checking due to strange activity or system updates. The email warns that if you don’t complete the verification, your service might stop working or your account could be deleted.

These phishing emails usually include:

  • Subject lines creating urgency (e.g., “Account Verification,” “Action Required,” “Security Alert”)
  • Official-looking logos and branding stolen from real email providers
  • Vague mentions of “strange activity” or “security measures”
  • A countdown or deadline (usually 3 days) to make you rush
  • A big “Verify email address” button that leads to a fake website

The email typically follows this format:

Subject: Account Verification

Account Verification Alert!

Hello [user],

You're receiving this mail because your email account ([user email]) requires verification. Please verify this email address to avoid stopping your service or account deletion.

[Verify email address button]

This link will expire in 3 days. If verification is not complete, you might lose your account. Please wait while your request is being verified...

For help, contact us through our Help center.

Important: All claims in these emails are completely false. The messages are not sent by real email providers and only aim to steal your login details.

[Figure: Parts of an account verification phishing email]
  From: security@mailprovider-verify.com (lookalike sender domain)
  1. General greeting: “Hello User,”
  2. Rush tactics: “verify this email address to avoid stopping your service or account deletion”
  3. Phishing button: “Verify email address”
  4. Time pressure: “This link will expire in 3 days. If verification is not complete, you might lose your account.”

Source: Analysis of verification phishing emails by GridinSoft research team, 2025

How the Account Verification Scam Works

The “Account Verification Alert” scam follows these steps:

  1. First Contact: The scammer sends mass emails to thousands of people, hoping some will click on the link.
  2. Creating Urgency: The email makes you worry by saying your account might be shut down.
  3. Getting You to Click: When you click the “Verify email address” button, you’re sent to a fake login page that looks like a real email service.
  4. Stealing Your Password: Any login info (email and password) you enter on this fake page is grabbed and sent to the scammers.
  5. Using Your Account: With your stolen login details, scammers can get into your email account and maybe other linked accounts too.

Once scammers have access to your email account, they can:

  • See private information stored in your emails
  • Reset passwords for your other online accounts (banking, social media, etc.)
  • Send scam emails to your contacts, spreading the scam further
  • Pretend to be you to ask your contacts for money or information
  • Send harmful attachments to your contacts
  • Use your account for other scams

Warning Signs That Show This is a Scam

Even though these “Account Verification Alert” emails are getting better at looking real, they still have clear warning signs:

  1. Strange sender address: The email seems to come from an official source, but looking closely at the actual sender address shows it’s not from a real domain. Look for small spelling mistakes or added words (e.g., security-mail.outlook.com-verify.net instead of outlook.com).
  2. General greeting: Real service providers usually use your actual name, not vague terms like “user” or “customer.”
  3. Rush tactics and threats: Real emails rarely threaten to delete your account or stop service without giving clear details about the problem.
  4. Spelling and grammar mistakes: Many fake emails contain spelling errors or strange wording that you wouldn’t see in real company emails.
  5. Fishy links: Hovering (without clicking) over the verification button or link will show you where it really goes, which is usually not the real service’s website.
  6. Asking for your password: Real email providers rarely ask you to verify your account by typing your password through an email link.

[Chart: Email Account Attacks: Types by Month (2024). Categories: Verification Scams, Login Alerts, Storage Full, Security Updates, Other. Y-axis: share of attacks, 0% to 100%. X-axis: Jan to Nov.]

Source: Email security threat analysis data compiled from Microsoft Security Intelligence and GridinSoft research, 2025

Similar Email Scams to Watch For

The “Account Verification Alert” scam is part of a bigger group of password-stealing phishing attacks. Similar types include:

These scams all rely on the same tricks: creating a sense of urgency, exploiting fear, impersonating trusted companies, and pushing for quick action through fake links.

How to Protect Yourself

To defend against the “Account Verification Alert” scam and similar phishing attempts, follow these safety steps:

  1. Check the official website: Never click links in fishy emails. Instead, open your browser and go directly to your email provider’s real website to check for any real account notices.
  2. Look at the sender address: Always check the full email address of the sender, not just the display name. Real service providers use their official web addresses.
  3. Turn on two-factor authentication (2FA): Even if someone gets your password, 2FA adds another security layer that can stop unwanted access.
  4. Use different, strong passwords: Create different passwords for different accounts to limit damage if one account gets hacked. Follow our guide on securely storing passwords.
  5. Keep your software updated: Make sure your computer, browsers, and security software have the latest updates and security fixes.
  6. Use good security software: Install and maintain reliable security software that can spot and block phishing attempts.

For better protection against email threats including phishing attempts, GridinSoft Anti-Malware provides strong scanning that can spot fishy links and potential phishing content. Read our email security tactics guide for more prevention strategies.

What to Do If You’ve Been Tricked

If you think you’ve fallen for an “Account Verification Alert” scam, take these steps right away:

  1. Change your email password right away: Go to your email account through the official website (not through any links in the fishy email) and set a new, strong password.
  2. Turn on two-factor authentication: If not already on, set up 2FA on your email account.
  3. Look for strange activity: Check recent account activity, sent emails, and account settings for any changes you didn’t make.
  4. Reset passwords for linked accounts: Change passwords for any accounts connected to your email, especially banking and social media.
  5. Scan for harmful software: Run a full system scan using GridinSoft Anti-Malware or another trusted security tool to find possible harmful programs.
  6. Watch your financial accounts: Check bank statements and credit card activity for purchases you didn’t make.
  7. Report the scam: Forward the phishing email to your email provider’s security team and agencies like the Cybersecurity and Infrastructure Security Agency.
  8. Tell your contacts: If your account was hacked, let your contacts know they might get strange messages that seem to come from you.

Frequently Asked Questions

Why did I get this “Account Verification Alert” email?

These emails are sent to thousands or even millions of email addresses that scammers have collected from various places. Getting such an email doesn’t mean your account has any real issues—it’s just a widespread scam attempt.

Is my email account really at risk of being deleted if I don’t verify it?

No. The claims in these emails are completely false. Real email providers don’t typically shut down or delete accounts without giving specific details about the issue and sending multiple notices through various ways.

I clicked the verification link but didn’t enter my information. Am I at risk?

Just visiting a phishing website without entering your login details typically doesn’t put your account at risk. However, some tricky phishing sites might try to use browser weaknesses. To be safe, clear your browser cache and cookies, update your browser, and run a security scan of your device with GridinSoft Anti-Malware.

How do scammers get my email address to send these phishing attempts?

Scammers get email addresses through various ways, including data breaches, public listings, social media, bought email lists, guessing (especially for common names at popular domains), and from harmful programs that collect contact information.

Can my email provider stop these phishing emails from reaching me?

Email providers are always improving their spam filters, but some clever phishing emails may still reach your inbox. Using extra security tools can give you more protection against these threats. Learn more about keeping your system protected.

Conclusion

The “Account Verification Alert” email scam is a big threat to email users worldwide, potentially leading to account theft, identity theft, and money loss. Understanding the common tricks used in these phishing attempts is key for protecting your online identity.

Remember that real email service providers almost never ask for verification through surprise emails with buttons or links. If you’re ever unsure about an email, always go directly to the official website or app and check your account status there.

By staying alert, following good safety steps, and using trusted security tools like GridinSoft Anti-Malware, you can greatly reduce your risk of falling for verification scams and other phishing attacks as online threats continue to grow. For more tips on protecting yourself online, check our guides on recognizing phishing scams and protecting your personal data.

“Someone Entered Correct Password For Your Account” Email Scam https://gridinsoft.com/blogs/someone-entered-correct-password-for-your-account-scam/ https://gridinsoft.com/blogs/someone-entered-correct-password-for-your-account-scam/#respond Sat, 03 May 2025 07:26:49 +0000 https://gridinsoft.com/blogs/?p=30966 “Someone Entered Correct Password For Your Account” is a wave of scam emails that pretend to be security alerts. These messages are designed to panic you into acting quickly, but in reality, every single claim they make is a lie. In this article, I will tell you why it is fake and how to […]

“Someone Entered Correct Password For Your Account” is a wave of scam emails that pretend to be security alerts. These messages are designed to panic you into acting quickly, but in reality, every single claim they make is a lie. In this article, I will tell you why it is fake and how to distinguish it from real security notifications.

Someone Entered Correct Password For Your Account Email Scam Overview

Our security team has classified the “Someone Entered Correct Password For Your Account” email as a phishing scam, a form of social engineering that exploits users’ fear of unauthorized account access. Multiple sources confirm how widespread and deceptive it is, and how badly it can end for an unaware user.

Someone Entered Correct Password For Your Account
One of the variations of the scam email

It is important to note that the scam is not linked to any legitimate service provider, regardless of the disguise it adopts. Its main aim is to steal email login credentials by tricking users into believing the message comes from a legitimate online service.

The message says that someone has entered your password and attempted access from an unrecognized device or IP address, which immediately scares the user and adds to the urgency of the situation. Message bodies may include fake details and images such as an IP address labeled “Secured” and a computer user name like “[Your Username]_computer”. All this is an attempt to mimic legitimate security alerts from services like Gmail or Yahoo, so unsuspecting users are more likely to fall into this trap.

How Does the Someone Entered Correct Password For Your Account Scam Work?

The Someone Entered Correct Password For Your Account scam hinges on the link placed in the message body. To mask the real website address, fraudsters use URL shortener services or hide the address behind hyperlinked text. The disguise is topped off with a “CLICK HERE” label placed right in front of the malicious link.

This link redirects the victim to a fake login page that closely resembles that of the service the attackers are impersonating. If the user enters their credentials, the data is sent straight to the scammers. One example of such a phishing domain is portfolio.cept.ac[.]in (analysis link), associated with IP address 103.229.5.70 and flagged by several security tools, including our GridinSoft Website Reputation Checker. Once cybercriminals have the login information, they can lock the user out of the account, access personal data, and use the compromised account to target others.
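The warning signs listed in the Account Verification Alert post above (look-alike sender domain, generic greeting, deadline threats, links whose visible text hides the real target) and the URL-shortener and hyperlink disguise described here can be checked mechanically. The Python scanner below is an added example, not GridinSoft’s code; the provider list, the shortener list and the sample message are constructed for this demonstration.

```python
# Added example (not GridinSoft's code): a heuristic scanner for the phishing
# red flags described on the page. The provider list, shortener list and the
# sample message below are constructed for this demonstration.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_PROVIDERS = ("outlook.com", "gmail.com", "yahoo.com")   # assumption
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "is.gd"}
GENERIC_GREETINGS = ("hello user", "dear user", "dear customer", "hello customer")
URGENCY = [r"\bexpires? in \d+ (hours?|days?)\b", r"\blose your account\b",
           r"\baccount deletion\b", r"\bsuspend(ed|sion)?\b"]
PASSWORD_ASK = [r"\b(enter|confirm|verify) your password\b"]


class _Links(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host):
    """Last two labels of a hostname; crude, but enough for look-alike checks."""
    return ".".join(host.lower().split(".")[-2:])


def sender_flags(from_header):
    """Red flags in the From: header: look-alike domain, brand name mismatch."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return ["missing or malformed sender address"]
    flags, reg = [], registrable(domain)
    for provider in KNOWN_PROVIDERS:
        # e.g. security-mail.outlook.com-verify.net "contains" outlook.com
        if reg != provider and provider in domain:
            flags.append(f"look-alike sender domain {domain} imitates {provider}")
        brand = provider.split(".")[0]
        if brand in display.lower() and reg not in KNOWN_PROVIDERS:
            flags.append(f"display name {display!r} does not match {domain}")
    return flags


def link_flags(html):
    """Red flags in links: shorteners, visible URL != real href, off-site target."""
    parser = _Links()
    parser.feed(html)
    flags = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        if host in SHORTENER_HOSTS:
            flags.append(f"shortened URL hides destination: {href}")
        shown = re.search(r"https?://([^/\s]+)", text)   # link text that looks like a URL
        if shown and registrable(shown.group(1)) != registrable(host):
            flags.append(f"link text says {shown.group(1)} but href goes to {host}")
        elif host and registrable(host) not in KNOWN_PROVIDERS:
            flags.append(f"link leaves the provider's site: {host}")
    return flags


def scan_message(raw):
    """Return the list of red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = sender_flags(str(msg["From"] or ""))
    part = msg.get_body(preferencelist=("html", "plain"))
    html = part.get_content() if part else ""
    text = re.sub(r"<[^>]+>", " ", html).lower()   # strip tags for wording checks
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic greeting instead of your name")
    flags += [f"urgency/threat wording matches {p}" for p in URGENCY if re.search(p, text)]
    flags += ["asks you to enter your password via a link" for p in PASSWORD_ASK if re.search(p, text)]
    return flags + link_flags(html)


# Constructed sample modelled on the page's "Account Verification Alert" email.
SAMPLE_PHISH = """\
From: Outlook Security <security@security-mail.outlook.com-verify.net>
To: victim@example.com
Subject: Account Verification Alert!
Content-Type: text/html; charset=utf-8

<html><body><p>Hello User,</p>
<p>Please verify this email address to avoid stopping your service or
account deletion.</p>
<p><a href="https://bit.ly/3xAmPl3">Verify email address</a></p>
<p>Or sign in at <a href="https://login.verify-mail.example/x">https://outlook.com/account</a></p>
<p>This link will expire in 3 days. If verification is not complete,
you might lose your account.</p></body></html>
"""

if __name__ == "__main__":
    for flag in scan_message(SAMPLE_PHISH):
        print("-", flag)
```

A message that scores no flags is not proven safe; the scanner only surfaces the signs the page lists so a reader can confirm them without clicking anything.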

Phishing page example
Phishing page from the email

Curious whether you can trust the websites you browse daily? Website Reputation Scanner by GridinSoft is a free and easy way to get comprehensive information about a web page, with a clear verdict on its trustworthiness.

The data attackers obtain this way is often exploited further. The most prominent examples of such misuse are financial fraud and malware distribution, all carried out in the name of the unsuspecting user. Attackers might also blackmail victims with claims of holding their personal emails, documents, or photos. Such claims are typically false, but what a con actor can do with a compromised account quickly makes the victim believe them.

What Are the Risks?

The Someone Entered Correct Password For Your Account email itself poses no threat to the user until they start interacting with it. But if they follow the instructions in the email, the risks can be quite serious: unauthorized access to personal accounts (e.g., email, social media, banking), theft of sensitive data (e.g., emails, photos, documents), identity theft, financial loss, and reputational damage. Scammers can also use compromised accounts to spread malware or conduct further phishing campaigns.

For example, if credit card information was disclosed, attackers can try to withdraw money, and in quite a few cases they will succeed. If you notice any signs of identity theft, contact the Federal Trade Commission for assistance. Also, contact your bank immediately to block the card and order a new one.

I’ve got the Someone Entered Correct Password For Your Account Email, What Should I Do?

If you have been targeted by this scam, it’s important to respond quickly and methodically to reduce potential harm. First, don’t interact with the suspicious email – avoid clicking any links or downloading attachments. Always verify alerts by going directly to the official website of the service in question instead of using links in the email. Once logged in, check your account for any unusual activity.

If there’s any sign your account may be compromised, change your passwords immediately. Choose strong, unique passwords and consider using a password manager to help with storage and generation. Enabling two-factor authentication on all your accounts adds an extra layer of protection and can help block unauthorized access.

Beyond that, learn how to spot phishing attempts, especially those that try to create urgency or ask for sensitive information. As a rule of thumb, never open attachments or click on links from unknown or shady sources. And remember, legitimate companies usually won’t send password reset links unless you specifically requested them.

“We Hacked Your System” Email Scam: Same Trick, Different Package https://gridinsoft.com/blogs/we-hacked-your-system-email-scam/ https://gridinsoft.com/blogs/we-hacked-your-system-email-scam/#respond Tue, 29 Apr 2025 19:34:00 +0000 https://gridinsoft.com/blogs/?p=30935 The “We Hacked Your System” sextortion scam is making the rounds again. Like its close cousin, the Professional Hacker email scam, it claims someone has recorded you in compromising situations and demands payment. It’s basically the digital version of a schoolyard bully saying “Give me your lunch money or I’ll tell everyone your embarrassing secret” […]

The “We Hacked Your System” sextortion scam is making the rounds again. Like its close cousin, the Professional Hacker email scam, it claims someone has recorded you in compromising situations and demands payment. It’s basically the digital version of a schoolyard bully saying “Give me your lunch money or I’ll tell everyone your embarrassing secret” – except the secret doesn’t even exist.

What This Scam Claims

These emails usually begin dramatically: “Consider this message as your last warning. We hacked your system!” From there, the scammer spins a tale about how they’ve gained complete access to your device through a trojan virus, supposedly contracted when you visited an adult website.

The scammer then makes the bombshell claim – they’ve created a split-screen video showing you watching adult content on one side and your reaction via your webcam on the other. All your contacts, they threaten, are just a click away from receiving this fictional compilation unless you pay a ransom (typically around $1300 in Bitcoin).

The Fear-Inducing Subject Lines

These scams often arrive with alarming subject lines designed to make you open the email immediately. Common variations include:

  • “Your System Was Breached By Remote Desktop Protocol”
  • “Operating System Fell To My Hacking Expertise”
  • “Time Is Slipping Away From Your Grasp”
  • “I’ve Got Access To Your Smartphone”

Notice the urgent, threatening language. That’s your first clue something fishy is going on.

The Technical Bluff

Where the “Professional Hacker” scam talks about driver-level malware with signature updates, the “We Hacked Your System” variant claims to have a “Trojan virus that gives full access” and allows them to “not only see your screen but turn on your camera and microphone without your knowledge.”

Real malware certainly exists, but it doesn’t come with a ransom note announcing its presence. That would defeat the purpose – like a spy wearing a shirt that says “I’M A SPY” in big letters.

The Threat and Countdown

The email typically gives you about 50 hours (just over 2 days) to pay the ransom, usually around $1300 in Bitcoin. The artificial time pressure is designed to make you panic and pay without thinking clearly.

They also warn that if you share the email with anyone, they’ll immediately release the “compromising video.” This isolation tactic is meant to prevent you from getting a second opinion that might expose the scam.

The Bitcoin Wallet Telltale Sign

Just like in other sextortion scams, these emails include a Bitcoin wallet address for payment. If you see wallet addresses like these in threatening emails, they’re confirmed scams:

  • bc1qj2aesryeq0yhg6ntk4s8n2sssgtpde4a2jt5eq
  • bc1qzxzazuz7twfx4e0mzfg97606d5dytksue9j3ag
  • 1N6TYc2FFJmjMDPnAKQgjRh65ou58EfQNM
  • 12nEVuGNtRFMVjeVmLtD4nt2sHX68S47yH

Remember, cryptocurrency transactions are practically irreversible. Once you send money to these addresses, you can’t get it back.

Example of the “We Hacked Your System” Scam

We Hacked Your System Scam

Consider this message as your last warning.

We hacked your system!

We have copied all the data from your device to our own servers.

Curious videos were recorded from your camera and your actions while watching porn.

Your device was infected with our virus when you visited the porn site.
The Trojan virus gives us full access, allows us to control your device.

The virus allows not only to see your screen, but also to turn on your camera, microphone, without your knowledge.
We took over the video from your screen and camera, then we mounted a video in which you can see you watching porn in one part of the screen and masturbating in the other.

But that’s not all! We have access to all the contacts in your phone book and social networks.

It won’t take us long to send this video to your friends, family and friends on social networks, messengers and email in minutes.

We have a lot of audio recordings of your personal conversations, where a lot of “interesting” things are revealed!

This information can destroy your reputation once and for all in a matter of minutes.
You have an opportunity to prevent irreversible consequences.

To do this:

Transfer 1300 $ USD (US dollars) to our Bitcoin address (cryptocurrency):
bc1qj2aesryeq0yhg6ntk4s8n2sssgtpde4a2jt5eq

After making this payment, we will immediately note that the ransom has been paid and will immediately delete all materials.

If you do not know how to replenish a cryptocurrency wallet:
1. Register on any cryptocurrency exchange.
2. Buy BTC cryptocurrency for the amount of 1300 USD.
3. Send to the address of our bitcoin wallet.

You have 50 hours (more than 2 days) to pay.
A timer will start as soon as you see this email!

We track every step you take, and this email has a unique pixel that allows us to know if you read this email or not.

If you try to reply to this email, we will immediately know about it, and then the video will be distributed.

If we find out that you have informed someone else about this email, the video will be immediately distributed!

Good luck and don’t make any stupid decisions!

Is This Scam Real?

Not even remotely. Like other sextortion scams, “We Hacked Your System” emails are sent in mass campaigns to thousands of recipients, hoping that a few scared individuals will pay up. The scammers have not:

  • Infected your device with any trojan
  • Recorded your webcam
  • Created a split-screen video
  • Stolen your contacts
  • Accessed your social media

Real hackers who manage to compromise your system want to stay hidden as long as possible to steal valuable data. They don’t announce their presence with threatening emails – that would be counterproductive to their actual goals.

Why These Scams Keep Working

The psychology behind these scams is surprisingly effective. They exploit three powerful emotional triggers:

Fear of Exposure

By claiming to have recorded you in private moments, scammers tap into one of our deepest fears – having our private behaviors exposed publicly. The mere possibility creates instant anxiety, even if you know logically that the claim is false.

Shame as Leverage

The specific mention of adult websites is deliberate. By suggesting you were watching adult content, scammers are betting that embarrassment will cloud your judgment. This shame factor makes victims less likely to discuss the email with others who might help them realize it’s a scam.

Artificial Urgency

The 50-hour countdown is designed to force hasty decisions. When people feel rushed, they’re more likely to act on emotion rather than logic. This artificial deadline prevents victims from taking time to research whether the threat is legitimate.

What To Do If You Receive This Email

If this email lands in your inbox, here’s what you should (and shouldn’t) do:

  1. Don’t panic. These are mass-sent template emails with no actual evidence behind their claims.
  2. Don’t pay anything. Sending money only confirms you’re willing to pay, which may lead to more demands.
  3. Don’t reply to the email. This only confirms your address is active.
  4. Mark it as spam and delete it.
  5. Report the Bitcoin address to the FBI’s Internet Crime Complaint Center if you want to help authorities track these scammers.

For extra peace of mind, you can run a scan with GridinSoft Anti-Malware to confirm your system is clean. Unlike the mythical “undetectable” malware claimed in these emails, real malware can be detected and removed with proper security tools.

Protecting Yourself From Real Threats

While the “We Hacked Your System” email is fake, there are genuine cybersecurity risks out there. Here’s how to stay protected:

  • Keep your operating system and software updated
  • Use strong, unique passwords for all important accounts
  • Enable two-factor authentication whenever possible
  • Be careful about clicking links or opening attachments in emails
  • Consider covering your webcam when not in use (a simple piece of tape works)
  • Run regular security scans with reliable antivirus software

These sensible precautions will protect you from actual threats, not imaginary ones from “professional hackers” who seem more interested in writing scary emails than actual hacking.

Remember, if you receive one of these emails, the best response is a good laugh before hitting delete. The only thing these scammers have successfully hacked is the art of writing scary-sounding nonsense.

Professional Hacker Email Scam: How to Identify and Avoid Sextortion Threats https://gridinsoft.com/blogs/professional-hacker-email-scam/ https://gridinsoft.com/blogs/professional-hacker-email-scam/#comments Tue, 29 Apr 2025 16:09:46 +0000 https://gridinsoft.com/blogs/?p=17234 Ah, the classic “Professional Hacker” email scam. Someone claims they’ve hacked your computer, recorded you doing embarrassing things, and now demands payment. Welcome to the digital version of “your shoelace is untied” followed by “give me your lunch money.” What’s This Scam All About? These emails come with dramatic subject lines like “Your personal data […]

Ah, the classic “Professional Hacker” email scam. Someone claims they’ve hacked your computer, recorded you doing embarrassing things, and now demands payment. Welcome to the digital version of “your shoelace is untied” followed by “give me your lunch money.”

What’s This Scam All About?

These emails come with dramatic subject lines like “Your personal data has leaked due to suspected harmful activities.” The message basically says a professional hacker cracked your device, spied on you for months, and caught you in compromising positions. Now they want Bitcoin, or else.

Different versions exist, but they all follow the same script: scare you, claim to have dirt on you, demand payment. It’s like a bad movie plot that somehow keeps getting remade.

The Opening Act: Scary Tech Jargon

The email starts with impressive-sounding claims about “hacking your operating system” or “gaining full access to your account.” To tech-savvy folks, this sounds like someone who learned hacking terminology from a 90s movie. To everyone else, it sounds just scary enough to keep reading.

They throw around phrases that sound technical but make actual IT professionals snort coffee through their nose. It’s the digital equivalent of a kid wearing a trench coat and claiming to be an adult.

The Middle: “I’ve Been Watching You”

Next comes the creepy part – claims about monitoring your activities for months. According to these “hackers,” they installed malware through adult websites you supposedly visited. This explanation conveniently plays on shame and embarrassment, making victims less likely to discuss the email with others.

In reality, mass-sending these emails is far more profitable than actually spying on random people for months. These scammers are lazy by design – why hack one person when you can scare thousands?

The Password Twist: “Here’s Proof I Hacked You”

Some versions of this scam include a particularly clever trick – they show you one of your actual passwords. Suddenly, their claims seem a lot more credible, right? “If they have my password, maybe they really did hack my computer!”

Here’s what’s actually happening: The scammer purchased your email and password from a data breach. Major sites get hacked all the time, with millions of credentials dumped on dark web marketplaces. These scammers buy these lists in bulk for pennies per thousand emails.

The password they show you is likely from a breach that happened years ago. If you still use that password anywhere, that’s the real security problem – not their imaginary spyware. These scammers have no access to your computer; they just have an old password from a completely different website.

The Climax: The Webcam Recording Claim

The knockout punch is always about your webcam. Supposedly, they recorded you watching “adult content” and captured your reaction on camera. They even claim to have created a split-screen video showing both you and what you were watching.

It’s a clever claim because it’s nearly impossible to disprove and plays on universal fears about privacy. The email also specifically mentions sextortion – threatening to share the non-existent explicit content unless you pay up.

The Technical Mumbo-Jumbo

To sound legitimate, these emails include technical gibberish about driver-level malware that “refreshes signatures every 4 hours” to avoid detection. This is like claiming your invisible car also makes great espresso – impressive but nonsensical.

Actual malware doesn’t need hourly updates to avoid detection. That would be like a burglar changing disguises every hour while hiding in your closet – unnecessarily complicated and risky.

The Grand Finale: Pay Up or Else

The conclusion is always a ransom demand, typically between $850-2000 in Bitcoin. They set an artificial deadline of 48-72 hours to create urgency. And they always include a Bitcoin wallet address that looks like alphabet soup had a fight with a calculator.

Some versions even warn that if you share the email with anyone else, they’ll immediately release the non-existent videos. Convenient way to isolate potential victims, isn’t it?

Known Scammer Bitcoin Wallets

These scams use numerous Bitcoin wallet addresses. If you receive an email demanding payment to any of these addresses, it’s 100% a scam:


If you spot one of these addresses (or any similar Bitcoin address) in a threatening email, report it to IC3.gov (FBI’s Internet Crime Complaint Center) and your local authorities. Never send money to these addresses – the scammers will likely just demand more once they know you’re willing to pay.

A Real Example of This Nonsense

These scam emails often begin with subjects like “Your personal data has leaked” or “Ihre persönlichen Daten sind wegen des Verdachts auf schädliche Aktivitäten nach außen gelangt” (for German recipients). The messages are often available in multiple languages because scammers are thoughtful like that.

Subject: Your personal data has leaked due to suspected harmful activities.

Hi there!

I am a professional hacker and have successfully managed to hack your operating system. Currently I have gained full access to your account. In addition, I was secretly monitoring all your activities and watching you for several months.

The thing is your computer was infected with harmful spyware due to the fact that you had visited a website with porn content previously. Let me explain to you what that entails. Thanks to Trojan viruses, I can gain complete access to your computer or any other device that you own. It means that I can see absolutely everything in your screen and switch on the camera as well as microphone at any point of time without your permission.

In addition, I can also access and see your confidential information as well as your emails and chat messages. You may be wondering why your antivirus cannot detect my malicious software. Let me break it down for you: I am using harmful software that is driver-based, which refreshes its signatures on 4-hourly basis, hence your antivirus is unable to detect it presence.

I have made a video compilation, which shows on the left side the scenes of you happily masturbating, while on the right side it demonstrates the video you were watching at that moment… All I need is just to share this video to all email addresses and messenger contacts of people you are in communication with on your device or PC.

Furthermore, I can also make public all your emails and chat history. I believe you would definitely want to avoid this from happening. Here is what you need to do – transfer the Bitcoin equivalent of 850 USD to my Bitcoin account (that is rather a simple process, which you can check out online in case if you don’t know how to do that). Below is my bitcoin account information (Bitcoin wallet): 12nEVuGNtRFMVjeVmLtD4nt2sHX68S47yH

Once the required amount is transferred to my account, I will proceed with deleting all those videos and disappear from your life once and for all. Kindly ensure you complete the abovementioned transfer within 50 hours (2 days +). I will receive a notification right after you open this email, hence the countdown will start. Trust me, I am very careful, calculative and never make mistakes.

If I discover that you shared this message with others, I will straight away proceed with making your private videos public. Good luck!

So Is This Real or What?

No, it’s not real. Not even slightly. It’s just a mass-sent scare tactic banking on statistics – send enough emails and eventually you’ll find someone worried enough to pay.

Any professional hacker who managed to compromise your system wouldn’t announce it with a dramatic email. That would be like a burglar sending you a postcard saying “Hey, I stole your TV yesterday!” Real attackers prefer to stay undetected as long as possible.

The technical claims in these emails fall apart under even casual scrutiny. Anyone with basic IT knowledge can spot the nonsense about “driver-based malware” with “4-hourly signature updates.” It’s the cybersecurity equivalent of claiming your unicorn needs special rainbow feed.

The Psychology Behind The Scam

These scammers are amateur hackers but professional manipulators. They use several psychological tricks designed to bypass your rational thinking.

The Authority Card

They open by establishing themselves as “professional hackers” with technological superpowers. This appeal to authority works because most people don’t know exactly what hackers can and can’t do. It’s like claiming to be a “professional ghost hunter” – if you don’t know the field, you might just believe it.

They load the email with technical-sounding terms to reinforce this perceived expertise. Most people won’t recognize that these terms make actual security experts spit out their coffee.

Shame As A Weapon

The scammers specifically mention adult websites and compromising recordings to trigger embarrassment. They know embarrassed people make poor decisions and are less likely to seek help. It’s a classic manipulation tactic – make someone feel shame, and they’re easier to control.

The genius part is mentioning something many people do privately, making the victim think “But how did they know?” The answer: they didn’t. They just made a good guess.

The Urgency Trigger

The 48-72 hour countdown creates artificial urgency to force quick, emotional decisions. This is the same trick used in those “limited time offer” commercials, except with more blackmail.

When people feel rushed, they make mistakes. The scammers know this and use time pressure to override your critical thinking.

What To Do If You Get This Email

First, take a deep breath. Your secrets are safe, your camera hasn’t been hacked, and no one has been spying on you. This is just digital junk mail with extra intimidation.

Mark the email as spam and delete it. Never respond to these messages – even clicking “unsubscribe” links just confirms your email is active, bringing more spam your way.

If the email includes one of your actual passwords, change that password anywhere you still use it immediately. Then check if your email has been involved in data breaches using services like Have I Been Pwned. This is a good reminder to use unique passwords for every site and enable two-factor authentication on important accounts.

If you’re worried about webcam security, put a piece of tape over it when not in use. It’s low-tech but effective – even Mark Zuckerberg does it.

For extra peace of mind, run a malware scan on your system. Contrary to what the email claims, good security software can detect actual threats. GridinSoft Anti-Malware will spot and remove genuine malware – unlike the imaginary super-stealth malware in the scam email.

Protect Yourself From Real Threats

While this specific email is fake, real cybersecurity threats do exist. Update your software regularly and use strong, unique passwords for important accounts. Consider using a password manager to keep track of them all.

Be skeptical of unsolicited emails, especially those with attachments. A legitimate company rarely sends unexpected attachments, and your bank will never ask for your password via email.

Enable two-factor authentication on important accounts. It’s like having a second lock on your door – even if someone gets your password, they still can’t get in without your phone.

These simple habits will protect you from actual threats, not imaginary hackers with magical malware. And if you ever receive another “professional hacker” email, you can have a good laugh before hitting delete.

Bank Details Email Scam https://gridinsoft.com/blogs/bank-details-email-scam/ Wed, 09 Apr 2025 09:03:27 +0000

“Bank Details” is yet another scam campaign targeting not-so-savvy internet users. In this post, I will tell you how to recognize the scam and how not to fall victim to it.

Bank Details Scam Overview

The “Bank Details” phishing email scam is a sophisticated social engineering attack where cybercriminals impersonate legitimate banks or companies, sending emails that request recipients to update or confirm their bank account details. These emails are designed to appear authentic, often using official logos and formatting, to deceive victims into providing sensitive information such as account numbers, passwords, or other financial data.

Phishing "Bank Details" email screenshot
Phishing “Bank Details” email

The primary objective is to facilitate identity theft, unauthorized transactions, or further financial fraud, leading to significant monetary losses and privacy breaches for victims. Recent research notes this scam’s prevalence and its association with phishing campaigns that use attachments to redirect users to fraudulent websites. The scam’s impact can include unauthorized online purchases, changed passwords, and identity theft, as evidenced by alerts from various financial institutions warning about similar impersonation tactics.

How It Works

The “Bank Details” scam follows a classic scheme: it exploits the victim’s trust in the name of a well-known banking institution and, of course, the supposed urgency of the requested action. Initially, scammers send an email that appears to originate from a trusted source, such as a bank, with subject lines like “Update Your Bank Details” or “Payment Information Required.”

The email content typically claims there’s an issue with the recipient’s bank account, such as discrepancies in the provided details. It often threatens consequences like account suspension if the matter is not addressed promptly. This creates a psychological pressure to act quickly, reducing critical evaluation.

These messages typically include an attachment—often a PDF labeled something like “Bank Detail Form.pdf.” This file may appear intentionally blurred, prompting users to scan a QR code or click a link to view the full content. Alternatively, it may contain a hyperlink leading to a fake website, mimicking the legitimate company’s site, such as a WeTransfer lookalike, to capture login credentials.

Once the victim enters their information, scammers capture it for misuse, including accessing accounts for fraudulent transactions or selling the data on the dark web. Technical indicators observed in this campaign include the attachment name Bank Detail Form.pdf and related domains such as emailportal.preferenste[.]com.

How can I identify the scam?

You can easily identify the scam by recognizing several telltale signs, present in pretty much every single “Bank Detail” scam message. They are in fact universal for a huge number of other email scams, so let me walk you through and hit several birds with one stone.

The first red flag is an unsolicited email requesting personal or financial data; legitimate companies rarely use email for such requests. Another red flag is urgency tactics: threats of account closure are common and pressure victims to act without verification.

Fake Bank Detail Form.pdf file screenshot
Fake Bank Detail Form.pdf file

Poor grammar and spelling mistakes are frequent in fraudulent emails, contrasting with the polished communications of reputable firms. Mismatched URLs, where the link does not match the official company domain, are another red flag, often detectable by hovering over links without clicking.

Generic greetings, like “Dear User,” instead of a personalized address, and attachments from unknown sources, especially those prompting you to fill in a form, are yet another set of signs that you’re looking at a scam message. Organizations, especially banks, know your real name and have no reason not to use it in official communications. Scammers, on the other hand, usually lack such details and are thus forced to make their messages as generic and depersonalized as they can.

How To Stay Safe?

The main way to avoid getting trapped in a scam scheme is, in fact, following the previous section of our article. Check for all the scam signs I’ve listed, starting with verifying sender email addresses to ensure they use official domains, such as @bankname.com, and being wary of free email services, like @hotmail or @gmail. Avoid clicking links in suspicious emails; instead, visit company websites directly via bookmarks. Contact companies through known methods to verify requests, enhancing security.

Enable two-factor authentication for your accounts and keep software updated with the latest security patches. Use anti-malware software with Internet Security. You may consider using GridinSoft Anti-Malware, as it has this functionality and allows you to block suspicious websites before they are loaded.

If phished, immediate action is critical: contact your bank to report the incident, change passwords for relevant accounts and monitor for unauthorized activity. Don’t forget to report suspicious emails to companies and providers, aiding broader scam prevention.

Urgent Reminder Tax Scam https://gridinsoft.com/blogs/urgent-reminder-email-tax-scam/ Fri, 04 Apr 2025 11:37:44 +0000

The “Urgent reminder” tax scam is a yearly phishing effort designed to steal Microsoft account details by exploiting tax season urgency. Scammers send emails with attachments titled “Urgent reminder,” featuring PDFs with QR codes that lead to phishing sites asking for login information.

Urgent reminder Tax Scam Targeting Microsoft Credentials

Tax season, particularly before and around the April 15, 2025, filing deadline, is a peak period for scams, as fraudsters exploit the urgency and stress associated with tax obligations. The “Urgent reminder” scam is part of this trend, leveraging social engineering tactics to deceive users into compromising their Microsoft account details. Microsoft accounts are valuable targets, providing access to emails, cloud storage (OneDrive), and other services, which can lead to identity theft or data breaches.

Urgent reminder with QR code screenshot
Urgent reminder with QR code

In brief, these emails, often automated and from the supposed “Tax Services Department,” claim users must update tax records by a specific deadline (e.g., March 16) to avoid penalties. Scanning the QR code redirects to a phishing site, which may use bot protection before prompting for Microsoft credentials, with the email pre-filled to seem legitimate. The stolen credentials could be sold on the dark web or used to access email, OneDrive, or other services, posing risks of identity theft or data breaches.

Urgent Reminder Tax Scam Mechanics

The scam begins with an email containing an attachment titled “Urgent reminder,” which is a PDF file. As I said at the beginning, this is a yearly trend, and we have already covered a similar theme; this time, however, the scammers have gone further. They use a QR code, which has advantages over a regular link that I will discuss later. The email is often presented as an automated message with no reply option, giving it an official appearance. It claims to be from the “Tax Services Department” and states that a mandatory review and update of tax records is required by a specific date, specifically March 16, 2025, to avoid penalties or account disruptions.

Next, the user is asked to scan the QR code. Scanning it leads to a phishing website, which may use redirects (e.g., via doubleclick.net) to a domain like fmhjhctk.ru, identified as a Russian site. Before prompting for credentials, the site displays a bot-protection (CAPTCHA) step, such as “Verifying encryption before network,” to appear legitimate. Once past this, it pre-fills the user’s email address and requests Microsoft login details, sending them to the scammer.

Pre-filled the user’s email popup
Pre-filled the user’s email

Did you know that con actors can use anti-bot protection as a disguise for their dirty deeds? We have a dedicated article on fake CAPTCHA attack campaigns.

So how is a QR code better than a link, you ask? Firstly, a QR code bypasses anti-spam systems more easily, as it is just a picture, not a link. Secondly, it is impossible to tell where the QR code leads until you scan it. Thirdly, the chances that a person will scan a QR code, at least out of curiosity, are much higher than the chances that they will follow a link. We also have a separate post that explains this in more detail.

Risks and Implications

As for the risks, theft of Microsoft credentials poses significant dangers, including unauthorized access to personal emails, financial data stored in OneDrive, and potential identity theft. Given that most people have their work linked to a Microsoft account in one way or another, an account compromise can have catastrophic consequences, from loss of access, which paralyzes workflow, to the leakage of sensitive corporate data.

In this case, the threat actor is tentatively based in Russia, which is not surprising, and this increases the likelihood of the credentials being sold on dark web markets or used for further attacks. The QR code delivery method, combined with pre-filled email fields, increases the likelihood of success, especially among less tech-savvy users.

How To Stay Safe?

Safeguarding yourself from the “Urgent reminder” tax scam and similar phishing threats requires a proactive approach, especially during the high-risk tax season. Never scan QR codes or click links in unsolicited emails, particularly those claiming urgent action. Instead, verify any tax-related communication directly with the IRS through their official website irs.gov or listed phone numbers. Remember, legitimate agencies won’t demand immediate action via email or text. Additionally, always inspect website URLs before entering credentials; authentic Microsoft login pages will use domains like login.live.com.

Beyond manual checks, deploying robust anti-malware software is non-negotiable in today’s threat landscape, and tools like GridinSoft Anti-Malware stand out for their comprehensive protection. It includes Internet Security features that actively block phishing attempts, malicious redirects, and suspicious domains. Its real-time scanning can detect and neutralize threats from QR code redirects or compromised PDFs before they reach your credentials, offering peace of mind against sophisticated attacks.

Server (IMAP) Session Authentication Email Scam https://gridinsoft.com/blogs/server-imap-session-authentication-email-scam/ Fri, 04 Apr 2025 08:00:30 +0000

The “Server (IMAP) Session Authentication” email scam is a type of phishing attack where fraudsters send emails claiming your email account access has been restricted due to irregular activity. These emails often include a button like “CONFIRM AUTHENTICATION!” that leads to a fake sign-in page, such as grandiose-dandy-actress.glitch, designed to steal your login credentials.

Server (IMAP) Session Authentication Email Scam Overview

The “Server (IMAP) Session Authentication” email scam is classified as a phishing, scam, social engineering, and fraud threat. It targets users by falsely claiming that their email access has been restricted due to irregular activity, tricking them into taking action.

Server (IMAP) Session Authentication fake email screenshot
Server (IMAP) Session Authentication fake email

These emails are often part of widespread spam campaigns designed to make recipients follow the instructions, exposing their login information and personal data. For this, they employ phishing sites that resemble a genuine service provider page, with a sign-in form that collects all inputs. Among the examples of such sites is grandiose-dandy-actress.glitch, which is hosted at IP address 151.101.66.59.

The scam’s potential damages include loss of sensitive private information, monetary loss, and identity theft, with symptoms like unauthorized online purchases, changed account passwords, and illegal computer access. Distribution methods include deceptive emails, rogue online pop-up ads, search engine poisoning, and misspelled domains.

Mechanics of the Scam

The scam operates by sending emails claiming the security system detected suspicious activity, restricting account access, including the ability to send emails. These emails instruct users to press “CONFIRM AUTHENTICATION!” to recover access, redirecting them to phishing sites disguised as email sign-in pages. For instance, clicking the button leads to domains like grandiose-dandy-actress.glitch[.]me (VirusTotal scan report), where users enter their email address and password, inadvertently exposing their accounts.

Once credentials are stolen, scammers can hijack linked accounts, platforms, and services, stealing identities for emails, social networking, and social media. They may request loans or donations from contacts, friends, or followers, promote additional scams, and spread malware by sharing malicious files or links.

Finance-related accounts, such as e-commerce, online banking, digital wallets, and money transferring services, are particularly vulnerable, enabling fraudulent transactions and online purchases. This results in severe privacy issues, financial losses, and potential identity theft, amplifying the scam’s impact.

Why Are Such Scams Prevalent?

Paradoxically, this is not a unique fraud but rather a mass phenomenon. Moreover, we have a separate post about a fraud that is very similar to this one, and this phenomenon has an explanation. The “Server (IMAP) Session Authentication” email scam and similar phishing schemes have surged in popularity due to their simplicity and effectiveness in exploiting human psychology. These scams rely on urgency and fear, which almost never fail to work.

Scammers craft these emails with just enough technical jargon – like “IMAP session authentication” – to sound credible, especially to less tech-savvy individuals, while keeping the structure basic enough to mass-produce. The low effort required to tweak the text slightly for each campaign, combined with the high potential reward of stolen credentials or financial access, makes this approach a go-to for cybercriminals.

Another reason for their prevalence is the sheer scale and accessibility of email as a target. With billions of email users worldwide, and the availability of mailbox addresses after multiple leaks, even a tiny success rate yields significant profits. These scams are often distributed through automated spam campaigns, reaching thousands or millions of inboxes at minimal cost.

The similarity also helps them blend into legitimate correspondence, as users are accustomed to routine account alerts from real services. Moreover, the lack of robust security awareness among many users – coupled with the persistence of legacy protocols like IMAP, which lack modern safeguards – creates a fertile ground for these scams to thrive.

Finally, the adaptability and low detection risk keep these scams in heavy rotation. Scammers can quickly alter domains, email addresses, or phishing page designs to evade filters and antivirus software, staying one step ahead of automated defenses. This efficiency explains why such scams, despite their repetitive nature, remain a staple of cybercrime in 2025.

Loss data for 5 years
Loss data for the years 2019 to 2023

How to Protect Against Email Scams?

To avoid falling victim to Server (IMAP) Session Authentication scams (like any other scams) it is important to pay attention to details. For example, if such an “official” notification comes from an address that ends in @gmail.com or @hotmail.com, it is a guaranteed scam. Real alerts come from addresses that end in @accounts.google.com and @microsoft.com. This is an invariable rule created to allow users to distinguish between personal accounts and corporate accounts.

The second recommendation is to use anti-malware software with Internet Security. This prevents a phishing web page from being opened and downloaded if the user clicks on a link in an e-mail. I recommend GridinSoft Anti-Malware as it does an excellent job.

Internet Fraudsters Arrested Email Scam https://gridinsoft.com/blogs/internet-fraudsters-arrested-scam/ Thu, 03 Apr 2025 09:12:12 +0000

The “Internet Fraudsters Arrested” email campaign is a phishing attack where cybercriminals impersonate Spanish authorities, claiming to offer compensation after arresting fraudsters who previously victimized the recipient. This technical analysis examines the campaign structure, delivery mechanisms, and effective countermeasures.

Campaign Overview

The “Internet Fraudsters Arrested” scam operates through targeted phishing emails impersonating Spanish government entities, particularly the Supreme Court of Spain. The campaign claims recipients are entitled to €2,000,000 in compensation following the arrest of individuals who supposedly defrauded them previously. This scam is part of a larger pattern of government impersonation attacks that have increased by 35% in Q1 2025.

Internet Fraudsters Arrested phishing email sample
Sample phishing email with Spanish government branding and compensation claim

The primary objectives of this campaign include credential harvesting, financial fraud, and identity theft. Analysis of campaign patterns indicates connections to cybercrime groups previously observed in banking notification scams.

Technical Delivery Mechanism

The attack utilizes several technical components to bypass security controls:

  • Spoofed sender addresses mimicking legitimate Spanish government domains
  • Modified email headers with falsified routing information
  • Embedded tracking pixels for victim monitoring
  • Custom SMTP configurations designed to bypass common spam filtering rules
  • HTML content obfuscation techniques
[Chart: Campaign Technical Components Distribution. Components shown: Spoofed Headers, Tracking Pixels, HTML Obfuscation, PDF Attachments, Redirect Links, Free Email Accounts; y-axis: Percentage of Samples Containing Component (%); values shown: 94%, 82%, 68%, 57%, 45%, 98%]

Source: Microsoft Security Intelligence, GridinSoft Threat Intelligence, 2025

Attack Sequence

The scam follows a structured attack sequence:

  1. Initial contact: Unsolicited email claiming the recipient is eligible for €2,000,000 compensation
  2. Authority impersonation: Use of Spanish government branding and forged headers
  3. Action requirement: Instructions to contact a designated representative (typically “George Hernández” at barrjhgeorge7798@gmail.com)
  4. Data extraction: Request for personal identification documents, banking details, and contact information
  5. Financial exploitation: Demand for payment of fabricated fees or taxes to release the non-existent funds

Technical Indicators of Compromise

Security analysts have identified consistent indicators associated with this campaign:

Email Indicators:
- From: *@gobiernodeespana[.]com, *@courtspain[.]org (legitimate domains use .es or .gob.es)
- Subject line patterns: "Crime Fraud Investigation," "Spanish Court Notice," "Compensation Claim Alert"
- Reply-to: barrjhgeorge7798@gmail.com, barristerspain@outlook.com
- Contact name: "George Hernández," "Jorge Hernandez," "Barrister Hernández"
- Address: Avda Reina Victoria 58 - Esc. 1, 1єA 28003, Spain

Technical Patterns:
- SPF authentication failures
- Missing or invalid DKIM signatures
- Embedded tracking pixels (1x1 transparent GIFs)
- HTML content obfuscation
- Non-government mail server routing

Common Text Patterns:
"compensation of two million euros (€2,000,000)"
"contact our legal representative immediately"
"arrested internet fraudsters who previously victimized you"
"processing fee required to release the compensation"
"confidential matter requiring urgent attention"

Sample Phishing Email Examples

Below are representative examples of actual “Internet Fraudsters Arrested” phishing emails documented by our security researchers. These samples demonstrate the technical and linguistic patterns employed in this campaign.

Example 1: Basic Crime Department Variant

From: Roger Louis <tanya@simo.ru>
To: Undisclosed recipients:
Subject: From the Crime Fraud Investigation Department Spain.
Date: 3/26/2025, 8:26 PM

From the Crime Fraud Investigation Department Spain.

This is Roger Louis, United States detective working under Spanish police on Cyber Crime and Internet Fraud.

Be informed that the internet fraudsters who defraud you have been arrested and charged to court, last Friday was the final judgement, The court has ordered the Spanish Government to pay you compensation and damages for all the money you lose to those fraudsters, in which the crime are committed by South Americans and Africans living over here in Spain.

This is to notify you that The Supreme Court of Spain has ordered the Spanish Government to pay you compensation and damages, The sum of ₤2,000.000.00 {Two Million Euros } has been approved to you in order to compensate you for all the money you lose to those internet fraudsters in Spain.

The Policía Nacional Crime Fraud Investigation Department Spain is very pleased to inform you that your information has been passed to Barrister George Hernández for immediate transfer of your compensation funds from the Spanish Government.

Barrister George Hernández will help you claim your compensation fund from the Spanish Government, You should contact Barrister George Hernández on this email address below.

Contact person : Barrister George Hernández from Principal Attorney George Hernández & Asociados Corporate and Finance Law Firm Madrid, Spain.
Contact email: ( barrjhgeorge7798@gmail.com )
Contact Address- Address- Avda Reina Victoria 58 - Esc. 1, 1єA 28003

If you are interested in receiving the compensation funds ₤2,000.000.00 - Two Million Euros, You should contact Barrister George Hernández on this email address: ( barrjhgeorge7798@gmail.com ), He will direct you on how to receive your funds.

When contacting the Barrister, Please ask for his ID Card, for you to be sure you are in contact with the right person.

Thank you and Congratulation in advance

Best Regards

Roger Louis
United States detective working under Spanish police on
Cyber Crime and Internet Fraud.

Example 2: Spanish Court Notice Variant

From: Judge Manuel Gonzalez <judicial.office@tribunaldeespana.org>
To: Undisclosed Recipients
Subject: URGENT: Spanish Supreme Court Compensation Notice #REF-78591

SUPREME COURT OF SPAIN
OFICINA JUDICIAL DE MADRID
REF: SCJ/MAD/2025/COMP-78591

OFFICIAL NOTIFICATION OF COMPENSATION AWARD

This official communication is to inform you that following the successful prosecution of international cyber criminals operating from Spain, you have been identified as a victim entitled to restitution.

Case Reference: SCJ/2025/CYBER/114
Court Ruling Date: March 12, 2025
Compensation Amount: €2,000,000.00 (Two Million Euros)

The defendants, members of an organized crime syndicate operating from Barcelona and Madrid, have been successfully prosecuted for various cybercrimes including phishing, identity theft, and financial fraud targeting foreign nationals. According to our records, you were among the victims who suffered financial losses.

To initiate the compensation claim process, you must contact our appointed fiduciary officer:

CONTACT INFORMATION:
Name: Barrister Antonio Fernandez
Email: barr.fernandez.legal@outlook.com
Phone: +34 912 555 788
Reference Code: COMP-EU-78591

You will be required to provide basic verification information and complete Form SCJ-11 (Compensation Claim Form). Please note that under Spanish Law 15/2023, a processing fee of €175 is required to cover administrative costs for international transfers.

IMPORTANT: This matter is strictly confidential. Do not share this information with third parties as it may compromise the security of your compensation.

Respectfully,

Dr. Manuel Gonzalez
Chief Justice, Cyber Crimes Division
Supreme Court of Spain

Example 3: Police Department Variant

From: Inspector Carlos Moreno <c.moreno@policia-nacional-es.com>
To: Undisclosed Recipients
Subject: [OFFICIAL] Cyber Crime Victim Compensation - Reference #PCN-29875

POLICÍA NACIONAL DE ESPAÑA
DEPARTAMENTO DE DELITOS INFORMÁTICOS
Case Reference: PCN/CYB/2025/29875

VICTIM COMPENSATION NOTIFICATION

Greetings,

I am Inspector Carlos Moreno, Head of Cyber Crime Unit at the Policía Nacional of Spain.

This is to officially inform you that following Operation "Digital Shield" conducted between January-February 2025, we have successfully arrested and prosecuted a network of 17 individuals involved in international online fraud schemes.

After forensic analysis of the seized devices and servers, we have established that you were among the victims of their criminal activities. The Spanish Government, in accordance with EU Directive 2012/29/EU on victims' rights, has allocated compensation funds of €2,000,000.00 (Two Million Euros) to be paid to you.

The Royal Court of Madrid has appointed Crown Attorney Maria Lopez to handle the disbursement of these funds. To initiate your claim, please contact her directly:

ATTORNEY INFORMATION:
Crown Attorney: Maria Lopez
Email: attorney.maria.lopez.2025@gmail.com
Office Address: Calle Gran Via 42, 2B, Madrid 28013, Spain
Reference Number: PCN-2025-VIC-29875

You will be required to provide identification documents to verify your identity. Please do not delay as the compensation fund is only available for claim until May 30, 2025.

IMPORTANT NOTE: To combat potential fraud, please request to see Attorney Lopez's official identification before proceeding with any transfers or payments.

Yours faithfully,

Inspector Carlos Moreno
Badge Number: PN-87542
Cyber Crime Division
Policía Nacional de España

These examples illustrate several key technical aspects of the campaign:

  • Use of false sender identities including law enforcement, judges, and barristers
  • Look-alike domains that imitate Spanish authorities but end in .com or .org instead of .es (official bodies use .gob.es); note how policia-nacional-es.com in Example 3 folds “es” into the name to mimic a real .es domain
  • Consistent monetary value (€2,000,000) across variants
  • Reference to fictitious cases, badge numbers, and legal frameworks to establish credibility
  • Contact information using free email services inconsistent with government operations
  • Mention of processing fees that will be requested later in the scam

Email Authentication Analysis

Examination of email headers from this campaign reveals technical anomalies that help identify these communications as fraudulent:

Comparison of legitimate Spanish government email headers (left) versus fraudulent campaign headers (right) (screenshot)

Key technical differences in the fraudulent emails include:

  • Non-governmental email routing paths
  • SPF/DKIM authentication failures
  • Inconsistent return-path values
  • Fabricated X-headers attempting to simulate legitimate communications
  • Mixed character encoding to evade content filtering

Mitigation Strategies

Organizations and individuals should implement these technical countermeasures:

Technical Controls

  • Configure email security gateways to detect and quarantine messages with known indicators
  • Publish SPF, DKIM and DMARC for your own domains and have the inbound gateway evaluate them on received mail; keep in mind that these protocols stop spoofing of a real domain, not a look-alike domain the attacker registered and configured correctly, so treat authentication results as one signal rather than a verdict
  • Deploy anti-phishing protection with URL reputation filtering
  • Enable multi-factor authentication on all accounts
  • Utilize endpoint protection with behavioral detection capabilities

User Verification Procedures

Train users to verify email legitimacy by checking:

  1. Full sender email address (not just display name)
  2. Email domain authenticity (official Spanish government mail comes from domains under .es, typically .gob.es; a domain that merely contains “es” or “gob” elsewhere in its name, such as policia-nacional-es.com, does not qualify)
  3. Presence of unusual requests, especially involving financial information
  4. Contact information through official channels rather than details provided in the email
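The sender and header checks in the two lists above can be automated at the gateway or in a triage script. The following Python is an added example written for this article (it is not Gridinsoft's own tooling): it parses a raw message with the standard library, reads the SPF/DKIM/DMARC verdicts that the receiving MTA recorded in Authentication-Results, and compares the From, Return-Path and Reply-To domains with each other and with the .es pattern. The two messages at the bottom are constructed samples modelled on the campaign, not captured mail, and the free-mail provider list is an assumption for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Free-mail providers a government office would not use for case work (assumed list).
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "protonmail.com"}

# Authentication-Results records verdicts as "method=result"; only these three matter here.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def domain_of(header_value):
    """Return the lower-cased domain of an address header, ignoring the display name."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def is_spanish_gov(domain):
    """Official Spanish government mail comes from .es (most often .gob.es)."""
    return domain is not None and domain.endswith(".es")


def analyse(raw_message):
    """Return a list of red-flag findings; an empty list means none were raised."""
    msg = message_from_string(raw_message)
    findings = []

    from_domain = domain_of(msg.get("From"))
    return_path = domain_of(msg.get("Return-Path"))
    reply_to = domain_of(msg.get("Reply-To"))

    if not is_spanish_gov(from_domain):
        findings.append(f"From domain {from_domain!r} is not a Spanish government (.es) domain")
    if return_path and return_path != from_domain:
        findings.append(f"Return-Path domain {return_path!r} differs from From domain")
    if reply_to and reply_to != from_domain:
        findings.append(f"Reply-To domain {reply_to!r} differs from From domain")
    if reply_to in FREE_MAIL:
        findings.append(f"Reply-To uses free mail provider {reply_to!r}")

    # Verdicts written by the receiving MTA; a missing or non-pass result is a flag.
    verdicts = {m.lower(): r.lower() for m, r in AUTH_RE.findall(msg.get("Authentication-Results", ""))}
    for method in ("spf", "dkim", "dmarc"):
        result = verdicts.get(method, "missing")
        if result != "pass":
            findings.append(f"{method.upper()} result is {result}")

    return findings


# Constructed sample modelled on Example 3 above (not a captured message).
FRAUDULENT_SAMPLE = """\
Return-Path: <bounce-4471@bulkmail-relay.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulkmail-relay.example; dkim=none; dmarc=fail header.from=policia-nacional-es.com
From: Inspector Carlos Moreno <c.moreno@policia-nacional-es.com>
Reply-To: attorney.maria.lopez.2025@gmail.com
To: Undisclosed Recipients
Subject: [OFFICIAL] Cyber Crime Victim Compensation - Reference #PCN-29875

Greetings,
"""

# Constructed sample of what a genuine notification's headers look like after authentication.
LEGITIMATE_SAMPLE = """\
Return-Path: <no-reply@ejemplo.gob.es>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=ejemplo.gob.es; dkim=pass header.d=ejemplo.gob.es; dmarc=pass header.from=ejemplo.gob.es
From: Sede Electronica <no-reply@ejemplo.gob.es>
To: citizen@example.org
Subject: Notificacion

Texto.
"""

if __name__ == "__main__":
    for label, sample in (("fraudulent", FRAUDULENT_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, "->", analyse(sample) or ["no findings"])
```

One caveat when deploying this: only trust an Authentication-Results header that your own MTA added. An attacker can include a forged one in the message, so the gateway must strip inbound headers carrying its own authserv-id before stamping its own verdicts (RFC 8601 requires exactly this), otherwise the SPF/DKIM/DMARC checks in the script read the attacker's claims.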

For comprehensive protection against email-based threats including this campaign, consider implementing GridinSoft Anti-Malware with email security capabilities.

Similar Campaign Patterns

The “Internet Fraudsters Arrested” scam shares technical characteristics with other phishing campaigns:

These connections suggest a broader network of operations potentially sharing infrastructure and TTPs.

Impact Assessment

Victims who interact with this campaign face multiple risks:

  • Financial loss: Direct monetary theft through fraudulent fees or unauthorized transactions
  • Identity theft: Exposure of personal identification documents
  • Account compromise: Credential harvesting across multiple platforms
  • Secondary targeting: Addition to lists for subsequent attacks

Reporting Procedures

If you encounter this scam, report it through these channels:

Conclusion

The “Internet Fraudsters Arrested” campaign demonstrates how threat actors leverage authority impersonation and financial incentives to execute effective phishing attacks. By understanding the technical indicators and implementing appropriate security controls, organizations and individuals can effectively mitigate this threat.

Early detection through technical indicators, combined with verifying the sender through official channels rather than the contact details supplied in the message, remains the most effective defense against these increasingly sophisticated phishing campaigns.

How can I verify if an email from Spanish authorities is legitimate?

Legitimate Spanish government communications use official domains ending in .es or .gob.es, never free email services like Gmail or Outlook. Spanish authorities do not notify individuals about compensation via unsolicited emails. Always contact the purported organization directly through their official website or publicly listed phone numbers to verify communications, especially those involving financial matters.

What technical indicators reveal this is a fraudulent email?

Key technical indicators include: sender domains not matching official Spanish government patterns (.es or .gob.es), SPF/DKIM authentication failures, email headers showing routing through non-government servers, reply-to addresses using free email providers, embedded tracking pixels, and HTML obfuscation techniques. These elements can be identified through header analysis and security tools.

What should I do if I’ve already responded to this scam?

If you’ve already responded: 1) Contact your financial institutions to secure accounts, 2) Change passwords for any accounts whose information was shared, 3) Enable multi-factor authentication where available, 4) Monitor credit reports for suspicious activity, 5) Report the incident to law enforcement and relevant cybersecurity agencies, 6) Consider placing a fraud alert with credit bureaus, 7) Run a security scan of your devices to detect potential malware installation.

Chase – Transfer Is Processing And Will Be Deducted
https://gridinsoft.com/blogs/chase-transfer-is-processing-scam/ (Tue, 01 Apr 2025 09:16:18 +0000)
The “Chase – Transfer Is Processing And Will Be Deducted” email scam is a type of phishing attack where cybercriminals pretend to represent Chase Bank. They send emails claiming the transfer is about to be deducted from the recipient’s account, creating a sense of urgency. These emails include a fake link to verify or stop the transfer. This can result in unauthorized access to the victim’s real account, leading to financial losses and identity theft.

What are Chase – Transfer Is Processing And Will Be Deducted Email Scam Messages?

The “Chase – Transfer Is Processing And Will Be Deducted” email scam has been identified as a phishing threat. This scam is part of a broader category of social engineering attacks aimed at financial institutions’ customers, exploiting trust in well-known banks like Chase. Scammers send emails claiming a $350 transfer is about to be deducted from the recipient’s account, creating a sense of urgency.

Chase – Transfer Is Processing And Will Be Deducted fake email (screenshot)

These emails include a link to verify or stop the transfer, but clicking it leads to a fake Chase Bank login page designed to steal the user’s username and password. This can result in unauthorized access to the victim’s real account, leading to financial losses and identity theft.

Technical Details of the Scam

The “Chase – Transfer Is Processing And Will Be Deducted” scam email typically carries the subject “You have a new secured message” and claims that a $350 transfer has been processed and will be deducted on the next business day. It prompts the recipient to verify or stop the transfer through a link “if unauthorized”, threatens account termination for wrong details, and is signed “Chase Online Service”. The link, historically associated with domains such as boxauth[.]ru, leads to a fake Chase Bank login page. At the time of analysis the page was served from 104.21.70.94, which several online security vendors flagged as a phishing page. Note that this address sits in Cloudflare’s 104.16.0.0/13 range, i.e. it is a shared reverse-proxy edge fronting many unrelated sites, so block and hunt on the domain rather than on the IP.

http://boxauth.ru scan result (screenshot)

Questioning the link you’ve found in the email? Consider scanning it with free GridinSoft Website Reputation Checker! This tool will give you a detailed verdict on whether you can trust the website or not.

Specific reports of this exact wording have become less frequent, but phishing aimed at Chase Bank customers remains a significant concern, and this scam is far from unique: we have reviewed many similar schemes, such as this one. Given the nature of phishing, the same tactics stay in use while scammers rotate domains and delivery methods.

How Does This Scam Work?

The scam works by leveraging fear and urgency, a technique that is anything but new. The email creates a scenario in which the recipient believes their account is at risk, prompting quick action without verification. Clicking the link leads to a phishing site, often hosted on compromised or newly registered domains, where entering credentials hands them to the scammers. Those credentials can then be used for fraudulent transactions and online purchases, or sold on dark web markets, leading to severe financial and privacy consequences.

If credentials are compromised, immediate action includes changing passwords for all potentially exposed accounts and informing Chase Bank’s official support. Contacting appropriate authorities, such as the Federal Trade Commission, is advised if personal information is disclosed. The consequences include unauthorized purchases, changed passwords, and identity theft, with potential monetary losses significant enough to warrant swift action.

How to Avoid?

To protect yourself, check that the sender’s address really is on an official Chase Bank domain such as “@chase.com” (the domain after the @ sign, not the display name). Look for spelling or grammar errors, which are common in scams. Never click links in suspicious emails; instead, open the Chase Bank website by typing the URL or using a bookmark. A padlock and “https://” only tell you the connection is encrypted, not that the site is genuine; phishing pages routinely obtain valid certificates, so the domain shown in the address bar is what matters.

Use strong, unique passwords and enable two-factor authentication where available. Check your account regularly for unauthorized transactions and report suspicious emails to Chase Bank’s customer service. Remember that no legitimate company, Chase Bank included, will ask for credentials or personal information by email, so any such request is almost certainly a scam.
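The advice above (check the sender domain, do not click, compare where a link really points) can be checked mechanically before anyone opens the message. The following Python is an added example written for this article, not Gridinsoft's own tool: it pulls every anchor out of an HTML mail body, compares the visible link text with the real href, and flags any target that is not the bank's own domain, is plain http, or is a bare IP address. The HTML body is constructed for the example, modelled on the scam described above; it uses the boxauth[.]ru domain from this article as the phishing target and the documentation address 192.0.2.10 for the bare-IP case. The trusted-domain list is an assumption to adjust for the brand being protected.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The only registrable domain a genuine Chase message should link to (assumption for the example).
TRUSTED_DOMAINS = ("chase.com",)


def host_is_trusted(host):
    """True only for a trusted domain itself or a real subdomain of it.
    'chase.com.verify.example' fails because it does not END with '.chase.com'."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body):
    """Return [(href, [reasons])] for every anchor that fails at least one check."""
    parser = AnchorCollector()
    parser.feed(html_body)
    suspicious = []
    for href, text in parser.links:
        parts = urlsplit(href)
        if parts.scheme == "mailto":
            continue
        reasons = []
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https"):
            reasons.append(f"unexpected scheme {parts.scheme!r}")
        elif parts.scheme == "http":
            reasons.append("plain http")
        try:
            ipaddress.ip_address(host)
            reasons.append("bare IP address instead of a hostname")
        except ValueError:
            pass  # ordinary hostname
        if not host_is_trusted(host):
            reasons.append(f"host {host!r} is not under {', '.join(TRUSTED_DOMAINS)}")
        # The classic mismatch: the text shows the bank's URL, the href goes somewhere else.
        if any(d in text.lower() for d in TRUSTED_DOMAINS) and not host_is_trusted(host):
            reasons.append(f"visible text {text!r} names the bank but the link goes to {host!r}")
        if reasons:
            suspicious.append((href, reasons))
    return suspicious


# Constructed sample body modelled on the scam email (not the captured message).
SAMPLE_BODY = """\
<html><body>
<p>A transfer of $350 is processing and will be deducted on the next business day.</p>
<p>If you did not authorize this, <a href="http://boxauth.ru/chase/verify?id=7731">https://www.chase.com/secure/verify</a>.</p>
<p>Or use our mirror: <a href="https://192.0.2.10/login">Stop transfer</a></p>
<p><a href="https://www.chase.com/">Chase Online Service</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_BODY):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The domain test is deliberately strict: a host must equal the trusted domain or end with a dot followed by it, so both `notchase.com` and the subdomain trick `chase.com.verify.example` are rejected. A hit on the bare-IP check is worth acting on even when the address belongs to a CDN, but as noted above the block itself should be placed on the domain.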

In addition to all of the above, you should use reliable anti-malware software. This will be the last line of defense that will neutralize the threat if it somehow got into your system. For this purpose, I recommend using GridinSoft Anti-Malware because it meets today’s security requirements. In addition, it has an Internet Security module that can block potentially unsafe sites as well as prevent malicious attachments from being downloaded.

Ledger Recovery Phrase Verification Scam
https://gridinsoft.com/blogs/ledger-recovery-phrase-verification-scam/ (Thu, 28 Nov 2024 13:24:51 +0000)
“Ledger Recovery Phrase Verification” is a scam email that targets inattentive users. Its goal is to trick them into entering their recovery phrase on a fake Ledger website.

“Ledger Recovery Phrase Verification” email scam overview

The email titled “Ledger Recovery Phrase Verification” is a deceptive phishing attempt targeting cryptocurrency users, specifically those with Ledger wallets. It falsely claims to be from Ledger, asserting that the company has suffered a data breach that exposed recovery phrases of some wallets.

Ledger Recovery Phrase Verification scam (screenshot)

This message pressures recipients to verify their recovery phrases via a provided link, ostensibly to protect their accounts. In reality, the link leads to a phishing website that mimics Ledger’s official page and is designed to capture the victims’ recovery phrases, which are all an attacker needs to take over the wallet.

Full text

Action Required: Verify Your Recovery Phrase

Dear Customer,

We regret to inform you that a recent data security incident may have affected some recovery phrases linked to Ledger accounts. While your hardware wallet remains secure, we strongly advise verifying your recovery phrase for any potential exposure.

Steps to Verify Your Recovery Phrase:

Visit our official recovery phrase verification page.
Enter your recovery phrase as instructed.
Follow the steps to secure your assets if necessary.
Ensuring your recovery phrase is safe is critical to protecting your digital assets. If you have any questions, our support team is available to assist you.

The fraudulent email commonly bears subject lines such as “Action Required: Ledger Data Breach – Check Your Recovery Phrase”, although these may vary. Its narrative suggests that users can confirm their wallet’s safety by entering their recovery phrase on an “official verification page”. The overall tactic is not really different from multiple other email phishing scams that have happened lately, with Meta Security email scam being the most recent.

Victims who fall for this ploy hand their recovery phrase to cybercriminals. With it, the scammers can restore the wallet in their own software and move the assets out. Because cryptocurrency transactions are irreversible and addresses are only pseudonymous, stolen funds are rarely recovered.

How does the Ledger Recovery Phrase Verification scam work?

This scam exploits the irreversibility of blockchain transactions and the critical role of recovery phrases in wallet security. Recovery phrases are like master keys to crypto wallets, and their exposure grants full access to a user’s funds.
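To make the “master key” point concrete: a BIP39 recovery phrase is not a password that unlocks the device, it is the input from which the wallet’s master seed is computed, and that computation is public and deterministic. The following Python is an added example written for this article (it is not Ledger’s or Gridinsoft’s code); it derives the seed exactly as BIP39 specifies, PBKDF2-HMAC-SHA512 over the NFKD-normalised words with the salt “mnemonic” plus the optional passphrase, 2048 rounds, 64-byte output, using only the standard library. The phrase used is the published all-“abandon” BIP39 test vector with its “TREZOR” passphrase, not a real wallet. Whoever captures the words can run this on any machine; the hardware device that generated them is never consulted.

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic, passphrase=""):
    """Derive the 64-byte BIP39 master seed from a recovery phrase.

    BIP39: seed = PBKDF2(HMAC-SHA512, NFKD(mnemonic), "mnemonic" + NFKD(passphrase), 2048 rounds).
    Nothing here depends on the device that generated the words; the words alone suffice.
    """
    words = " ".join(mnemonic.split())  # collapse whitespace to the single spaces BIP39 expects
    mnemonic_bytes = unicodedata.normalize("NFKD", words).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", mnemonic_bytes, salt, 2048, dklen=64)


# Published BIP39 test vector (all-zero entropy), NOT a real wallet.
TEST_VECTOR_MNEMONIC = "abandon " * 11 + "about"
TEST_VECTOR_PASSPHRASE = "TREZOR"
TEST_VECTOR_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def seed_from_submitted_phrase(submitted_phrase, passphrase=""):
    """What the operator of a fake 'verification page' ends up holding once a victim
    types the words: the seed itself as hex, ready to import into any wallet software."""
    return bip39_seed(submitted_phrase, passphrase).hex()


if __name__ == "__main__":
    seed_hex = seed_from_submitted_phrase(TEST_VECTOR_MNEMONIC, TEST_VECTOR_PASSPHRASE)
    print("seed:", seed_hex)
    print("matches published vector:", seed_hex == TEST_VECTOR_SEED_HEX)
```

Two consequences follow directly from the code. First, no “verification” of a phrase can happen server-side without the server learning the seed, which is why a genuine vendor never offers such a page. Second, an optional BIP39 passphrase (the last argument) yields a completely different seed, so a phrase captured without it does not expose that hidden wallet; it is the only mitigation that survives the words being phished, and it must itself never be typed into a website.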

One of the scam pages used in this email campaign (screenshot)

The phishing page linked in the email is the main tool in the attackers’ kit. It records whatever is entered and transmits it directly to the scammers. Once an unsuspecting user types the recovery phrase into this website, the attackers have it and can immediately start draining the funds.

We performed a comprehensive analysis of one of the phishing websites used in this campaign on our Website Reputation Checker, go check it out.

Ledger Recovery Phrase Verification scam represents a classic phishing strategy, one that employs scare tactics. Claims like a data breach pressure victims to act hastily without verifying the legitimacy of the email and its sender. Similar spam campaigns distribute malware through various methods, including malicious email attachments or links, so be careful opening any attached files in similar messages.

These files can range from Office documents and PDFs to archives like ZIP files, executables, or even JavaScript files. In some cases, emails instruct the users on how to “open the file”, which in fact activates the malicious payload. Either way, responding and interacting with any of the contents you find in Ledger Recovery Phrase Verification email is a bad idea.

How to avoid falling victim?

To avoid falling victim to scams like this, users should treat emails and messages they do not expect to receive with caution. Suspicious links or attachments should never be opened, and users should rely solely on official websites or verified sources for account activities. Here are some red flags to watch for:

  • Suspicious sender address. Always check the sender’s email domain. Legitimate emails from Ledger come from an official domain such as @ledger.com; if the domain looks unusual or altered (e.g., @ledger-secure.com or @gmail.com), it is a red flag. Even a correct-looking domain is not proof, though: the decisive sign is the request itself, since Ledger states that it will never ask for your recovery phrase, and the only place those words should ever be typed is the hardware device.
  • Phishing links. Hover over any links in the email to check where they lead. Ensure the domain matches Ledger’s official website. Phishing emails often use fake sites that look similar to the real one but have slight variations in the domain name.
  • Urgency. Pay attention to phrases like “Immediate action required” or “Your account will be suspended”. They are common tactics used to pressure recipients into acting quickly without thinking. These should raise suspicion.
  • Ongoing phishing campaign notice. If you use Ledger or any other crypto service, consider spending 5-10 minutes a day to read their news articles. If there’s an ongoing phishing campaign, an article like one they’ve recently posted will keep you aware about the potential threat.

In addition to all the above, use a reliable anti-malware software that can provide web protection and block all the phishing sites before they even open. GridinSoft Anti-Malware is a perfect solution for that case: its Online Protection feature intercepts even the most recent scam pages, drastically decreasing the probability of a successful phishing.
