Authored by Paul Ducklin, Principal Research Scientist, Sophos
We've been receiving loads of survey scam emails lately – and you probably get heaps of these, too. So we thought we'd take you through a recent scam from go to woe, with screenshots to document the path that the crooks lured us along. Sometimes, a picture is worth 1000 words (or 1024 words, if you are accustomed to binary numbers like many computer programmers), so we hope this visual tour will be useful so you can show your friends and family what to watch out for. After all, there doesn't seem to be much harm in answering a few pseudo-anonymous questions such as "would you visit our shops in person if they were open later?", or "how often do you browse our website for new products?"
Many brands ask questions of that sort, and sometimes offer small rewards for people who take the trouble to fill in the survey – $5 off your next purchase, for example, or a free product of modest value with your next order.The scammers, however, have much bolder goals. Typically, cybercriminals suck you in with a seemly and believable promise, but suddenly switch things up by suggesting that you're one of the lucky few who is going to get a gift that's much, much more valuable than just a discount code for 5% off your next purchase.
But there's a catch…
Watch out for the catch
Here's one we received over the weekend – this came to an old Australian email address of ours, so the crooks had ripped off a well-known Australian brand to lure us in. But we've recently also received a wave of similar messages in German, ripping off major German shopping brands, as well as "offers" based on popular American brands arriving at various dot-com email addresses we use. So, wherever in the world you are, the chances are that the survey scams you or your family receive will claim to represent brand names that you're familiar with.
Here, the brand identity stolen by the crooks was Bunnings, a well-known chain of Aussie DIY stores:
As you can see, the crooks have started of fairly gently here – they're offering modest gifts for taking part, such as "[h]ealth, skin care products and much more". Fortunately, they've made some obvious blunders early on. The date in the email is incorrect (it's several weeks behind), which goes against the urgency expressed in the advice to "hurry up", and DIY shops aren't really the kind of places that would entice you with skin care products – building hardware and power tools would be more in their line.
Nevertheless, if you click through, the visual material looks OK, because the crooks have stolen it from Bunnings:
Then comes the survey:
We're guessing that the crooks messed up their next stage. We assume that the innocent-enough questions were ripped off from a genuine survey conducted in the past, because the spelling and grammar is better than elsewhere in the scam, but the survey they're conducting has obviously been taken from a grocery shop, not a hardware store:
(We only saw three of the six questions here because we answered Never and None to Q2 and Q5; when we tried again and answered differently, we were asked additional questions of the sort you might expect – for a grocery store, at least.) Then comes a fake notification that your "survey" is being "processed" – notice how the crooks have added text to say "38 visitors" but only "6 rewards left", presumably to give you a sense of being ahead of the rest of the crowd:
This is a common trick – adding a touch of urgency and importance – but it's also a useful giveaway that you are heading into a scam. After all, the initial pitch was that you were one of 250 people who'd been pre-selected to take a survey, and that you would qualify for a gift just by taking part. If that were true, then the maximum number of survey participants would have been known in advance and the gifts couldn't suddenly have started running out. Now, however, there are only six rewards left (and, amazingly, 38 of just 249 other people in the world who were selected to take part are all online right now). Remember, if you are taking a survey and you see anything that doesn't add up – anything at all – then you need to get off the website right away before you get sucked into giving away any personal information. Legitimate companies and geniune surveys should be clearly explained in advance, so if the goalposts move half way through, you're being scammed.
Like many scam sites, this one includes a list of what look like reviews left by other users:
But these aren't even dishonest reviews left by signed-in users who were paid to tell lies – they're utterly fake reviews that are simply hard-wired into the web page. If crooks can get dishonest reviews posted on sites such as Google Play, which they can only ever manipulate indirectly using "sockpuppet" accounts created for the purpose, imagine how easy it is for them to publish made-up reviews on a site that is entirely under the their own control!
Here comes the sting
Now comes the bait-and-switch, followed by the sting. We clicked the same email link several times and the final stage was visually different each time, and the URLs in the address bar were different, though all the web pages we passed through in this case were HTTPS links showing a genuine padlock in the address bar. Remember that the HTTPS padlock tells you that the connection is encrypted against surveillance, not that the actual data in the web page is truthful.
On one visit, we had suddenly graduated from free skin care products to winning a free iPhone 11 Pro:
Next time we followed the link from the original email, we did even "better" and had the choice of a top-end Android, iPhone, iPad or games console.
Note how rewards that were sufficient at the start for 250 pre-selected people went down to just six half way through; by this point, there's only one left – or so the crooks say:
We seem to have got lucky, with a phone left over for us, because now we get to choose a colour! Note how the crooks even have a try at phishing for your email password here by asking for it along with your email address. Remember that when you give other people your email address, it's so they can send messages to you.
The sender of an email message needs THEIR OWN email password to do that, not your password:
And the final sting is to get you to pay a nominal delivery charge – the sort of low, low cost that still makes the phone itself, valued at over $1000, feel "free":
We haven't shown it here, but after putting in your card details (the website verifies that the card number has a valid check digit, but that's all), you get dumped onto Google's main search page. That way the crooks avoid having to come up with a fake error message to explain why they didn't actually do a transaction – but you can be sure that they'll try the details you entered as soon as they can, because the data you put in the form has gone directly to them.
What to do?
P.S. Don't forget that just typing data into a web form exposes it to crooks because they can "keylog" what you put into a webpage even if you never press the [Finish] button to submit it.
