We’ve been receiving loads of survey scam emails lately – and you probably get heaps of these, too.
So we thought we’d take you through a recent scam from go to woe, with screenshots to document the path that the crooks lured us along.
Sometimes, a picture is worth 1000 words (or 1024 words, if you are accustomed to binary numbers like many computer programmers), so we hope this visual tour will be useful so you can show your friends and family what to watch out for.
After all, there doesn’t seem to be much harm in answering a few pseudo-anonymous questions such as “would you visit our shops in person if they were open later?”, or “how often do you browse our website for new products?”
Many brands ask questions of that sort, and sometimes offer small rewards for people who take the trouble to fill in the survey – $5 off your next purchase, for example, or a free product of modest value with your next order.
Tha scammers, however, have much bolder goals.
Typically, cybercriminals suck you in with a seemly and believable promise, but suddenly switch things up by suggesting that you’re one of the lucky few who is going to get a gift that’s much, much more valuable than just a discount code for 5% off your next purchase.
But there’s a catch…
Watch out for the catch
Here’s one we received over the weekend – this came to an old Australian email address of ours, so the crooks had ripped off a well-known Australian brand to lure us in.
But we’ve recently also received a wave of similar messages in German, ripping off major German shopping brands, as well as “offers” based on popular American brands arriving at various dot-com email addresses we use.
So, wherever in the world you are, the chances are that the survey scams you or your family receive will claim to represent brand names that you’re familiar with.
Here, the brand identity stolen by the crooks was Bunnings, a well-known chain of Aussie DIY stores:
As you can see, the crooks have started of fairly gently here – they’re offering modest gifts for taking part, such as “[h]ealth, skin care products and much more”.
Fortunately, they’ve made some obvious blunders early on.
The date in the email is incorrect (it’s several weeks behind), which goes against the urgency expressed in the advice to “hurry up”, and DIY shops aren’t really the kind of places that would entice you with skin care products – building hardware and power tools would be more in their line.
Nevertheless, if you click through, the visual material looks OK, because the crooks have stolen it from Bunnings:
Then comes the survey:
We’re guessing that the crooks messed up their next stage.
We assume that the innocent-enough questions were ripped off from a genuine survey conducted in the past, because the spelling and grammar is better than elsewhere in the scam, but the survey they’re conducting has obviously been taken from a grocery shop, not a hardware store:
(We only saw three of the six questions here because we answered Never and None to Q2 and Q5; when we tried again and answered differently, we were asked additional questions of the sort you might expect – for a grocery store, at least.)
Then comes a fake notification that your “survey” is being “processed” – notice how the crooks have added text to say “38 visitors” but only “6 rewards left”, presumably to give you a sense of being ahead of the rest of the crowd:
This is a common trick – adding a touch of urgency and importance – but it’s also a useful giveaway that you are heading into a scam.
After all, the initial pitch was that you were one of 250 people who’d been pre-selected to take a survey, and that you would qualify for a gift just by taking part.
If that were true, then the maximum number of survey participants would have been known in advance and the gifts couldn’t suddenly have started running out.
Now, however, there are only six rewards left (and, amazingly, 38 of just 249 other people in the world who were selected to take part are all online right now).
Remember, if you are taking a survey and you see anything that doesn’t add up – anything at all – then you need to get off the website right away before you get sucked into giving away any personal information.
Legitimate companies and geniune surveys should be clearly explained in advance, so if the goalposts move half way through, you’re being scammed.
Like many scam sites, this one includes a list of what look like reviews left by other users:
But these aren’t even dishonest reviews left by signed-in users who were paid to tell lies – they’re utterly fake reviews that are simply hard-wired into the web page.
If crooks can get dishonest reviews posted on sites such as Google Play, which they can only ever manipulate indirectly using “sockpuppet” accounts created for the purpose, imagine how easy it is for them to publish made-up reviews on a site that is entirely under the their own control!
Here comes the sting
Now comes the bait-and-switch, followed by the sting.
We clicked the same email link several times and the final stage was visually different each time, and the URLs in the address bar were different, though all the web pages we passed through in this case were HTTPS links showing a genuine padlock in the address bar.
Remember that the HTTPS padlock tells you that the connection is encrypted against surveillance, not that the actual data in the web page is truthful.
On one visit, we had suddenly graduated from free skin care products to winning a free iPhone 11 Pro:
Next time we followed the link from the original email, we did even “better” and had the choice of a top-end Android, iPhone, iPad or games console.
Note how rewards that were sufficient at the start for 250 pre-selected people went down to just six half way through; by this point, there’s only one left – or so the crooks say:
We seem to have got lucky, with a phone left over for us, because now we get to choose a colour!
Note how the crooks even have a try at phishing for your email password here by asking for it along with your email address.
Remember that when you give other people your email address, it’s so they can send messages to you.
The sender of an email message needs THEIR OWN email password to do that, not your password:
And the final sting is to get you to pay a nominal delivery charge – the sort of low, low cost that still makes the phone itself, valued at over $1000, feel “free”:
We haven’t shown it here, but after putting in your card details (the website verifies that the card number has a valid check digit, but that’s all), you get dumped onto Google’s main search page.
That way the crooks avoid having to come up with a fake error message to explain why they didn’t actually do a transaction – but you can be sure that they’ll try the details you entered as soon as they can, because the data you put in the form has gone directly to them.
What to do?
- Watch out for obvious telltales of fakery. Genuine surveys exist, and you may decide to take part in some of them. But unless everything – and we mean everything – adds up at the start, stay away. Spelling mistakes, wrong dates and unexpected questions, as in this case, should be all the warning you need. If in doubt, leave it out.
- Beware of bait-and-switch tricks. Surveys may look genuine at the start because the crooks often copy them from a legitimate brand. But when the “rules of engagement” start to change and the goalposts move, as they did here (250 rewards turned into just six and finally into just one), get off the site as quickly as you can.
- There is no free iPhone. Or Android, or tablet, or laptop. There just isn’t. Stores don’t hand out $1000 mobile phones in return for you telling them whether you think they should stay open later. They just don’t. Follow your head and not your heart.
- Use a security product on your laptop or phone. Sophos Home (Windows and Mac) and Sophos Intercept X for Mobile (Android) are free. These products add to the built-in protection on your device by scanning downloaded programs and data for threats before they get used, and by blocking bad or scammy websites before your browser can visit them in the first place.
- Report compromised payment cards immediately. If you get as far entering any banking data into a “pay page” and then realise it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your actual card so you get the right phone number.)
P.S. Don’t forget that just typing data into a web form exposes it to crooks because they can “keylog” what you put into a webpage even if you never press the [Finish] button to submit it.
Gerry Gan
What if any tools/product do you have for Chrome OS? If running Android apps, is there anything else I should do?
Paul Ducklin
Our Sophos Mobile products can help you manage Chrome OS devices, just as it can iOS phones and Androids, but we don’t have what you might call “an anti-virus” for Chrome OS like we do for, say, Windows, Linux, Mac and Android.
Like Apple’s iOS, Chrome OS isn’t really open to independent software vendors to support full-blown anti-virus tools on the device itself… a Chrome OS device is supposed to be a sort-of sealed unit that you interact with via the browser.
One thing you could consider, however, would be to use a web filtering proxy at home, perhaps via a VPN, and then to tunnel all your devices out onto the internet through that same web filter, which would at least allow you to put consistent controls in place for all the device types you have at home.
(Sophos XG Firewall is 100% free for home use, including VPN, web filtering, malware scanning, IPS and so on. However, it’s not a 60-second job to set it up and you will need a spare computer or virtual machine to run it on – it needs a bit more RAM and CPU than your average home router! Also, running a VPN at home can slow you down a bit when you /aren’t/ at home – if that’s likely these days – because all your traffic has to return to yur home network first before it emerges onto the internet proper, and all your replies have to go to your home network first to get filtered before being encrypted and sent back to the device you’re protecting.)
More on the pros and cons of VPNs and working from home in one of our recent socially distanced Facebook Live videos:
HtH
Rich
“Sophos XG Firewall is 100% for home use” – should that say 100% free?
Paul Ducklin
Yes! Fixed, thanks.
Roger Tobie
I’ve seen some invitations to take surveys. Some of them may be genuine but I assume most of them are not. In any event I don’t take surveys, genuine or not. Phooey! And Boo Hiss!
spryte
Re: chromeOS, correct me if I’m wrong, but isn’t VirusTotal a google product? You’d think they’d have something?
Paul Ducklin
I think the theory is that Chrome OS is the “walled garden” that Android never was. As though Google looked at iOS and figured, “Hey, we should build ourselves one of those, but with higher walls.”
John Harding
Like the previous comment I have stopped doing surveys. Every time I hover over the link a huge great URL pops up which may, but usually does not include the URL or the organisation that purports to be the subject of the survey.
I realise that many companies use third parties to run surveys but that is tough. The advice is not to click on links that go to anywhere but the host organisation so until companies (Banks and Credit card companies take note) I will not be completing any surveys.
Shame really – to complete their surveys one has to ignore the advice that the company gives to avoid fraud.
Paul Ducklin
I’m with you. Sometimes it’s a company I rather like and wouldn’t mind helping out by answering a few simple questions – if only the company itself would take the trouble to ask them.
David C.
If you’re interested in taking surveys for rewards, there are several legitimate survey companies. They don’t ask for your credit card or passwords (except for their own site). They also don’t pay very much (typically between $0.25 and $1.50 for each survey you qualify for and successfully complete – and you probably don’t qualify for the majority of them).
Three survey sites I use (no relationship other than a user) are:
[URL REDACTED]
[URL REDACTED]
[URL REDACTED]
They do collect information about you (that’s the whole point of surveys), but they never ask for anything that could be used to steal from you (e.g. account numbers or passwords) or commit identity theft (e.g. social security numbers). And you can always refuse to take a particular survey if it asks questions you’d rather not answer – there’s never any pressure to complete a survey “or else”.
Bryan
Great article and PSA. The final two sentences are HUGE.
…but Duck, I don’t understand your hesitance; I always get my skin care products and fresh vegetables at Lowes.
Don
The more surveys you complete, the more free offers you try for, the more you’re placing your information in the hands of others. You’ll have no control over where it goes or how it’s used afterwards. You should expect to be bombarded with offers from other places Same goes for making a legitimate donation to many charities – they will distribute your information to other charities hoping you’ve got deep pockets and send some cash their way too. I avoid giving others any of my information for these reasons. I’m already in many more databases than I care to be and if there was some way to get them to stop I would. Be careful who you give your information to.
SJD
People should remember that data is the current gold out there. Its worth is far bigger than that of the most expensive smartphone (and lasts much longer).
hotdoge3
No Grocery only tools and hardware
Raffles
I would think that a survey asking for credit card details would be highly suspicious!
Paul Ducklin
Me too. But note how the crooks decouple the credit card number (a delivery fee for the gift you have “won”) from the survey itself. They make it clear the survey is over…
…then there’s a gift, and…
…woo hoo! You’re super lucky because YOU WON THE BIG ONE!
CHRIS CARRICK
Don’t even bother with the door to door [REDACTED] surveys thinking you’re helping some old fellow out who is conducting it . They take an hour to do and lead to more personal questions like how much do you you have in the bank . What real estate do you own . What retirement funds do you have . And at the end of the questions entered by tablet they give you a thick wad of questions to do later for $20 . Not worth it .
Larry
I have been a NS reader for years and find many of the articles helpful and fascinating. I read the above article on surveys last week. I checked my Gmail this morning and found an “Amazon” survey for a $3 gift card. Mousing over the links in the message showed: [REDACTED] but as a network admin, I decided to look at the header, where I found [REDACTED] while the rest of the header didn’t seem too suspicious. But spoofing and whatever other tricks these villains use could account for that. Thank you for another timely and helpful article. You saved me from giving up some personal information and again made me more aware of Internet scams.
Charles R Cochems
Note that just because it doesn’t ask for your email password doesn’t mean it’s not a scam.
Free, but you pay shipping is 100% always a scam.
Always always always.
Best case what you are actually paying for is a free trial to some sketchy web site, and you cannot find this out at all. Having given them your credit card number you will have to follow their crazy procedure to hopefully cancel, and you MIGHT not have to call your bank/credit card company.
Worst case, crooks have your credit card number now, and you should immediately dispute the “shipping charge” and call in the card number as compromised.
Beverly
Got email request to do 60 to 90 minutes interview on my use of Woebot offering me Amazon card gift. Last last I questioned it and came back check my website, which I did not. After checking woebot sites on google it seem study done in June. Anyone have info on this?
Paul Ducklin
Woebot’s own site makes no mention of “paid interviews” being done now – the most recent blog post there is more than a month old and as you say references the results of a survey conducted three months ago.
Sounds phishy to me – sounds as though you have answered your own question! (You would probably let loose a lot of personal information in a 90 minute interview.)
If you want to know it there really is a Woebot survey/round of interviews going on right now I suggest finding your own way to the Woebot team and asking directly.
In short: sounds like you did the right thing and declined to accept anything in an unexpected email exchange…
cyril
I received such a scam link on my mobile today (came from the QR& Barcode Scanner which I got from Google Play).
The URL offering the iPhone 11 fr £1 is here:
[LINK REDACTED]
……..but if you scroll to the bottom of the page you will see the (very) small print:
This special £1 offer provides customers access to a 5-day trial of a skill games portal to compete to win prizes like the one shown. This is an affiliated subscription service, after which the subscription fee (£49.95) will be automatically deducted from your card. If, for any reason, you are not satisfied with the service, you may cancel your account within 5 days. The service will be renewed every 30 days until cancelled.
Here we are…………
Paul Ducklin
Ouch! We’ve seen that sort of ripoff in rogue apps that have made it into Google Play, where there’s a 3-day “free trial” after which (if you aren’t very careful) you get billed some absurd amount ($100 or more) as a “fee”, all for something like a horoscope app, a QR code reader, or some sort of vanilla app that you’d expect to be free, not merely “free”.
Read that small print, folks, and keep your eye on your CC statements so you can contest dubious or badly-explained charges. (Call the number on your credit card or your bank’s website, not a “complaints” service offered by the app!)
Anonymous
I refuse to do all surveys as they are a complete waste of time. That is the best way to avoid survey type scams
Anonymous
Ha Ha Ha!!