Beware of the New Scam Tactic: How Scammers Exploit Trusted Systems 

Scammers are becoming increasingly sophisticated these days. As a managed IT services provider, we provide security consulting for businesses throughout the country. This role allows us to see and hear about many different types of phishing attempts. From fake text messages, PDF email scams, phishing emails, scam links and more, we see it all on a weekly basis.

One alarming tactic that keeps showing up involves scam artists leveraging trusted platforms (such as PayPal, BestBuy, and other reputable companies) to make their schemes look real. This is different from spoofing, because the scams are coming directly from the systems you trust. To avoid falling prey to these fraudsters' tactics, it's important to know how this scam works, why it's so effective, and how you can protect yourself.

How the Scam Works

They Use Legitimate-Looking Sources

Trust is key when it comes to these gimmicks. Historically, cybercriminals could get by with creating emails or requests from accounts with spoofed names (e.g., B℮stBuy is not the same as BestBuy). As we collectively get better at spotting these things, hackers get better at baiting their hooks.

Scammers have now learned that by using the infrastructure of reputable companies, they can make their fraudulent communications appear authentic. For example, an email or text message might seem to come from an organization you already communicate with. It may even be complete with company logos and official-sounding language.  Pausing to take a closer look is key to spotting these phishing attacks. 

[Image: Scam email example requesting fraudulent transaction]

They Manipulate Contact Information

With the request coming from a trusted or reputable company, users tend to let their guard down. But be aware! Here's a quick way to check these bogus emails. Scammers insert alternative contact details (such as phone numbers, email addresses, or physical addresses) into fields such as the “notes” or “addresses” portion of the communication. At a quick glance, this information looks accurate and provides an extra layer of credibility.

If you aren’t vigilant, this is how you get reeled in. Before you click or call for clarification, always check that the message is addressed directly to you. These are frequently sent in bulk, and will either be addressed to someone else entirely or not include your personal details in the “To:” field. If the message isn’t clearly addressed to you, that’s a red flag that it’s part of a larger scam. 
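The two checks described above can be automated as a mail-triage heuristic. The following is an added example, not code from the original article: it flags a message whose To/Cc does not contain your address and lists phone numbers in the body that are not on your own known-good list. The sample message, addresses, phone numbers and function names are all constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed sample: a notification relayed by a real platform. The sender
# is genuine, so only the recipient and the embedded note give it away.
SAMPLE = """\
From: Example Payments <service@payments.example>
To: billing-list@bulk-sender.example
Subject: Invoice from Example Store
Content-Type: text/plain

You have a new invoice for $499.99.
Seller note to customer: If you did not authorize this charge,
call our support desk at +1 (555) 010-0199 immediately.
"""

PHONE_RE = re.compile(r"\+?\d[\d ().-]{8,}\d")

def last10(number):
    """Reduce a phone number to its last 10 digits for comparison."""
    return re.sub(r"\D", "", number)[-10:]

def not_addressed_to_me(msg, my_addresses):
    """True when none of my addresses appear in To or Cc."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    listed = {addr.lower() for _, addr in getaddresses(fields) if addr}
    return listed.isdisjoint(a.lower() for a in my_addresses)

def unverified_numbers(msg, official_numbers):
    """Phone numbers in the body that are not on my known-good list."""
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""
    known = {last10(n) for n in official_numbers}
    found = []
    for match in PHONE_RE.findall(text):
        digits = last10(match)
        if len(digits) == 10 and digits not in known and digits not in found:
            found.append(digits)
    return found

def triage(raw, my_addresses, official_numbers):
    """Run both checks on a raw RFC 5322 message string."""
    msg = message_from_string(raw, policy=policy.default)
    return {
        "not_addressed_to_me": not_addressed_to_me(msg, my_addresses),
        "unverified_numbers": unverified_numbers(msg, official_numbers),
    }

if __name__ == "__main__":
    print(triage(SAMPLE, {"pat@customer.example"}, {"+1 555 010 0100"}))
```

The known-good list should be built from numbers you collected yourself from the company's official website, never from the message being examined.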

The Ultimate Goal

Once contact is made, these intruders attempt to get your personal information, including usernames and passwords that you use for your accounts. They will use these to try to gain access to your financial details or try to convince you to install malicious software. The use of trusted systems makes it harder for many people to spot that something isn't right.

Why This Scam Is So Effective 

The answer is simple. They use familiarity to break down your guard. With your guard down, you're more likely to click on a link and give away credentials, or to call to verify an address and then update your payment details.

  • They Prey on Your Trust: When a message appears to come from a well-known company, many recipients are less likely to scrutinize its authenticity.
  • Multiple Layers of Deception: The inclusion of alternative contact information makes it seem like there’s a backup way to verify the communication, further reducing suspicion. 
  • Sophisticated Presentation: With professional logos, formatting, and language that mimic legitimate communications, these scams are designed to bypass your natural skepticism. 
  • Pressure For An Urgent Response: Scammers often create a false sense of urgency to prompt you into acting quickly without proper verification. 

How to Protect Yourself

Verify Through Official Channels

  • Do Not Use Provided Contact Information: If you receive a message that appears to be from a trusted company, avoid using any contact details provided in the message. Instead, visit the official website of the company or use a phone number or email address you know to be genuine. 
  • Cross-Check Details: Look for inconsistencies in sender addresses, domain names, or formatting that might indicate the message isn’t genuine. 

Always Check the Recipient Details

  • Ensure the Message Is Specifically Addressed to You: Scammers sometimes send out bulk messages that may not include your personal details. Take a moment to review the “To:” field or recipient information. If the email is addressed generically or lacks your details, it could be a scam.
  • Review Example Images: We’ve attached example images of these mail types for your reference. Use these visuals to better understand what to look for, including unusual placements of contact details or generic recipient information.

Stay Alert To Red Flags

  • Unexpected Communication: If you weren’t expecting a message from the company, be cautious. Verify the information by contacting the company directly. 
  • Request for Personal Information: Legitimate companies rarely ask for sensitive information via email or text. 
  • Pressure Tactics: Scammers often create a false sense of urgency. Take a moment to verify the communication and avoid hasty decisions. 

Educate Yourself and Others

  • Keep Up-to-Date: Familiarize yourself with the latest scams. We post educational blogs on our website to help you be aware of these types of attacks. 
  • Spread Awareness: Share this information with family, friends, and colleagues. The more people who are aware of these tactics, the less likely scammers will succeed. 

Report Suspicious Activity

  • Contact the Company: If you suspect that a communication is fraudulent, report it to the company directly using the official contact details provided on their website. 
  • Inform Authorities: In many cases, scams of this nature are part of larger criminal operations. Reporting them can help authorities track and shut down these activities. 

Stay Vigilant

Scammers are constantly evolving their methods, and the exploitation of trusted systems is just one of the latest tactics. If something feels off, it's always better to pause, verify, and report. Be sure to use official channels to verify any unexpected communications and carefully check that messages are specifically addressed to you. Following these guidelines is your best defense for staying clear of phishing.