Something Phishy

computer keyboard with a credit card hooked on a fishing hook

I’m prepared to be judged for this. Whenever someone is scammed, we like to assume they’re stupid because that leaves us feeling we’ll never be a victim. My response has always been, “They wouldn’t keep the scam going if it didn’t work”. I hesitated to write about it. But after something similar happened to the wise and wonderful Reta Ismail, she encouraged me to tell my story. Maybe it will help someone else.

I spot scams all the time. I’m skeptical and fairly savvy. But I still got hooped by this one as circumstances collided on a recent Friday afternoon around 3:00. What’s left of the active world was preparing to shut down for the weekend. I’d been immersed in writing an article for the Byron Villager and suddenly, this became my focus.

Part of the email I received

We have extenuating circumstances for deliveries right now. Our postal outlet is on the Oneida reserve which is closed to the general public, like all native reserves, because of COVID-19. Our mail is being diverted to Shedden and they won’t deliver packages out here. So, the first thing I did was reply to the email asking for more details.

Also, we were waiting for the delivery of a first-world problem-solver. Something important-to-us but unimportant in the scheme of things: a new bulb for our projector TV. It was delayed for weeks which we completely understand. Was that the package in question? And was there any way I could get it before things shut down for the weekend?

While I waited for an email response, I called Canada Post. Their phone line message says to not bother waiting because of much larger than usual call volumes. It says to go to their website instead. So, I did and, unable to find my specific issue, I looked up our postal outlet. Then I tried about 700 different ways via Google, Canada411 and you name it to find its phone number, without success. I even tried to find the number for the business beside it. Also unavailable.

Back I went to the original email and clicked the embedded link to reschedule the delivery. It took me to a Canada Post page that required a password, which was in the email. Fine. Next, it required me to create a profile because, it said, I owed $2.99 on the package.

At that point, I hesitated and closed the window to think about whether this was legit. Did it make sense to have to create a profile on Canada Post’s site? Would they really take payment online for package delivery? In these crazy times, it didn’t seem impossible.

Back I went to the email, to finish my profile at the link. I looked in the upper left corner for the little lock that (supposedly) denotes a secure and encrypted website. It was there. I also noted the site had linked to USPS (US Postal Service) help page. That didn’t strike me as too odd, because the shipment was coming from Amazon. I filled in the fields including – gulp – my credit card info. It still didn’t feel right and my tummy protested but I did it anyway, with the projector bulb on my mind.

The instant I clicked submit, I felt I’d been had. Immediately, I called my credit card company and got the same type of response as I did from Canada Post. Back to the web I went and sent an urgent message telling the card co. that I believed I’d been the victim of a phishing scam and to cancel my card if they needed to. Then I Googled USPS to see if the specific page I’d been on was legit. You already know the answer. There was nothing more I could do.

My mistakes were:

  1. Rushing
  2. Ignoring my spidey senses
  3. Justifying the website URL to myself

I did get an email response later that day. The email address belonged to a vitamin company with whom I’ve never done business. Their address appears to have been scooped by the scammers in case anyone like me tries to respond. They said the email didn’t originate with them and that they were going to investigate and get back to me.

I already knew the answer.

I check my credit card balance online just about every day. There are no bogus charges. I don’t know why, because they have all they need. But I’m grateful. Maybe it’s because I reported it right away. Maybe it’s because I’m lucky. Or maybe, the attempted theft is still to come.

The bulb was delivered a few days later with no indication that a $2.99 charge was necessary. Nor was there a $2.99 charge on my card.

I know better. I’m the one in my little circle whom people ask to verify whether a site is legit or not. I don’t click links I’m not expecting. And still, due to timing, circumstances, and letting my guard down, I got roped in.

The advice to look for the padlock that denotes security on a website is out of date. According to this research by PhishLabs, as many as half of all phishing websites have the padlock, possibly more. The scammers are always one step ahead.

A scam really can happen to anyone. And even though, for the moment at least, I have escaped harm, I’ll always be wondering what the heck that was all about.

3 thoughts on “Something Phishy”

  1. Scams work for the reasons you sited above. We often have to many other things on our minds and the simplest of things slip by and the next thing we know, were tricked into hitting that submit button. FYI: Download your banks App for you can suspend your credit card via the App and set up alerts that anytime there is a transaction your notified of every payment and charge.

  2. I think many more people have fallen for scams and just don’t admit it or still don’t know. I get a call at least once a week from my 90 year old Dad who used to have trouble controlling the finger that clicked on anything that tempted him. After years of downloading viruses he’s decided to start checking with me first. As annoyingly awful and a pain in the rear as it will be I think a new credit card is the safest way to go. Someone could hack the scammer and your info be stolen. Personally, if I got a chance to scam a scammer I think I might just do it. Currently, my only outlet is to tell the people that call pretending to be Microsoft or the CRA that I am putting a curse on them. I hope I never get a legit call from the CRA. That might not go well for me.

Leave a Comment

Your email address will not be published. Required fields are marked *