Fake Norton Email Scam

Recently I received an email that purported to be from the anti-virus company Norton that was blatantly a scam, but I decided to follow through as much as I could to see what the scammers were trying to do. There's often a side effect of doing this, which is that I can waste the time of the scammers - the more time they're on the phone to me, the less time they'll have for scamming people who are at risk of falling for the scam. Plus maybe, just maybe, the scammers will start to question their career choice if many of their potential marks end up making their life a frustrating misery. Below is a series of events that, all in, might have taken about an hour from start to end.

The Email

When this particular email landed in my mailbox (and sadly not in my spam folder), the first red flag I noticed was that it came from an obviously suspicious address - yiuouio549@gmail.com. Why would an employee from a reputable company be emailing me from a gmail address? I would expect any Norton employee to have an @norton.com email address.

The email said the following:

_From time to time, this Website may contain technical inaccuracies or other content errors, and NortonLifeLock does not warrant the accuracy of any posted information._

_#Thank you for your order #WE46DFSDEF_

Presumably the reason the email didn't have much in the way of text is to not give much for spam filters to read - the less text there is, the less chance that keywords will trip the spam filter into marking the email as spam. We're on our second red flag.

The email also had this more wordy image as an attachment:

It's obvious that using an image in this way is an attempt to avoid the spam filter, as most spam filters won't use OCR (Optical Character Recognition) to try to detect and read the text in this image. Red flag number three.

As to the content of the email, the fact that I have never been a Norton customer, and have certainly never used a product called NortonLifeLock, was another red flag.

The English also set off alarm bells for me - from the obvious issues (bad use of English, like “Membership fund was charged” and “your order for renewal of license”) to more subtle ones (Placed with a capital P, weird use of punctuation and multiple spaces between some words). And beyond that, it's just plain wrong to say that an 09 Auckland number is a “Toll free” number. As far as I understand, toll free numbers in NZ are 0800 and 0508 numbers only - your phone's calling plan may or may not include free local or national calling to landlines.

So, at this point, I was pretty sure that I was dealing with a scam where the aim of this email is to scare people into thinking that they will be charged $499 if they don't call the given number for a refund. And once they have me on the phone, presumably they'll try to convince me to do something unwise. This tactic is quite savvy, as usually scammers have to call you - getting you to call them instead is less likely to set off someone's alarm bells. The phone number that is being used, +64 9 889 2332, is an Auckland number - further lending credence to this scam. Little do many people know just how easy it is, at very little cost, to set up a local New Zealand number that connects to a call centre somewhere else in the world.
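
The red flags walked through above (brand name versus sender domain, a thin text body carrying an image, and a "toll free" claim on an 09 number) can be written as a small triage script. This is an added example, not code from the original post. The free-mail list, the 50-word threshold, the subject line, the placeholder image bytes and the text passed in for the image are assumptions constructed for illustration; the script does no OCR itself.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}  # illustrative, not exhaustive
BRANDS = {"norton": "norton.com"}          # brand keyword -> domain the post expects
NZ_TOLL_FREE = ("0800", "0508")            # the prefixes the post names as toll free
NZ_NUMBER = re.compile(r"(?:\+64[\s-]?|0)(\d(?:[\s-]?\d){7,9})")

def nz_numbers(text):
    """Return NZ numbers found in text, normalised to national form (leading 0)."""
    return ["0" + re.sub(r"\D", "", m.group(1)) for m in NZ_NUMBER.finditer(text)]

def red_flags(msg, image_text=""):
    """Apply the post's checks; image_text is whatever a human or OCR read off the attachment."""
    flags = []
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = (body + " " + image_text).lower()
    for brand, domain in BRANDS.items():
        if brand in text and sender_domain != domain and not sender_domain.endswith("." + domain):
            kind = "free webmail" if sender_domain in FREE_MAIL else "unrelated domain"
            flags.append(f"claims {brand} but sent from {kind} {sender_domain}")
    has_image = any(p.get_content_maintype() == "image" for p in msg.iter_attachments())
    if has_image and len(body.split()) < 50:   # assumed threshold for "not much text"
        flags.append("short text body with the real message in an image attachment")
    if "toll free" in text:
        for number in nz_numbers(text):
            if not number.startswith(NZ_TOLL_FREE):
                flags.append(f"{number} described as toll free but is not an 0800/0508 number")
    return flags

def sample_message():
    """Constructed message using the sender address and body text quoted in the post."""
    msg = EmailMessage()
    msg["From"] = "yiuouio549@gmail.com"
    msg["Subject"] = "Order confirmation"   # constructed; the post does not give the subject
    msg.set_content("NortonLifeLock does not warrant the accuracy of any posted information.\n"
                    "#Thank you for your order #WE46DFSDEF")
    msg.add_attachment(b"\x89PNG placeholder", maintype="image", subtype="png", filename="invoice.png")
    return msg

if __name__ == "__main__":
    # Constructed stand-in for the image text, built from the details the post quotes.
    for flag in red_flags(sample_message(), "Toll free: +64 9 889 2332"):
        print("RED FLAG:", flag)
```
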

The Phone Call

Of course, I wasn't going to leave it at that. I immediately called the number to see what I could find out, and was greeted by a woman with an Indian accent. Now I enjoy playing dumb with phone scams, and this incident was no different - so I pretended to be worried, and told her I hadn't authorised a payment for $499, and that I would really like to get my money back.

The woman told me she worked for Norton, and that she would need my Invoice Number in order to proceed. Rather than the invoice number they had sent in the image, I gave them a number I made up on the spot - 666-420-69 (yes, I can be immature at times!). After a few seconds she told me that she had confirmed my invoice, and that I was going to be charged $499 unless I cancelled the order with her.

Next I was told that the company needed to put a stop code on my account. I was asked if I had a computer, and what kind of phone I had. Then I was asked to open the App Store on my iPhone and download an app called AnyDesk. I had a few minutes of fun where I pretended to mishear, and searched for AnyDisk. Then, in the search results, I ignored the AnyDesk app, and slowly read out the names of all the other apps I saw - Teamviewer Remote Control, TeamViewer QuickSupport, AirMirror Remote Support, Chrome Remote Desktop, Microsoft Remote Desktop, Remote Mouse, etc…

At one point, when I started talking about how I wasn't sure about installing unknown apps on my phone, and asking her if I could really trust her, she told me that she was definitely telling me the truth. I then made out like I wasn't sure whether she was trying to trick me, and she told me that she was “just doing her job”. This was a little odd, and felt like she might have figured out I was on to her, and she'd been trying to justify her actions to me.

Once I finally relented and installed the app, I ran it and it showed me a 9 digit code. She asked me for this code, which would allow her to remotely take over my phone. I gave her a code I made up (this time not being so immature - I think I came up with 181-246-147). She typed this in, and then spent the next couple of minutes quietly trying to work out why it wasn't working.

Eventually, after about 20 minutes of wasting her time, my “Norton” employee abruptly hung up on me. This happens often when I waste phone scammers' time - calls suddenly end at either 20 minutes or 30 minutes, almost to the second. I wonder whether there's a hard limit on how long a phone call is allowed to last before it's automatically disconnected at their end, to avoid their operators spending too much time on a call that's unlikely to be fruitful.

The Advice

After the phone call had ended, I looked up the AnyDesk app and found this page on their website which had some good advice:

https://anydesk.com/en/abuse-prevention

AnyDesk is used legitimately by millions of IT professionals worldwide, to remotely connect to their clients' devices to help with technical issues. However, scammers can try to misuse AnyDesk (or any other remote access software) to connect to your computer and steal data, access codes, and even money.

#### 2 simple rules

**#1. Rule number one**

Never give anyone you don't know access to your devices.

**#2. Rule number two**

Never share online banking login details or any passwords with anyone.

#### Detect a scammer

The more you know about the way they work, the better protected you are

**What they do**

If someone you don't know is asking to access any of your devices and wants you to download specific software: Be careful! You're at risk of becoming a victim of a remote access scam.

Usually, these criminals will call and report a computer or internet problem they have detected and offer help. They will probably say they work for a widely-known company such as Microsoft or even your bank.

Never trust a call you weren't expecting!

Don't trust the “help” offered that you did not request!

No bank or company will ask you over the phone to download software!

**What you can do**

Scammers are basically after your money.

If someone who is remotely connected to your device is asking you to login to your bank account or to show any personal passwords, they are most likely a scammer. Don't follow their instructions! Even if they say you need to pay them because they alleged to have solved a problem you were having, don't trust them. You didn't ask for their “help.”

If you feel uncomfortable or insecure:

Stop any phone call just by hanging up!

End any remote session by simply turning off your device!

This is really good advice, although sadly it's buried in their website's menus and not prominently shown anywhere on their front page, or linked to from their app store pages.

The Reporting

The first thing I did after my call was report the email as phishing in my email client, Gmail. This is a good way of training their spam filter to protect other people from this scam in the future.

A quick Google search also told me that NetSafe was the correct place to report this email:

https://report.netsafe.org.nz/hc/en-au/requests/new?ticket_form_id=5511079742735

So, the last thing I did to round off my experience was to write a quick message and send it to NetSafe. Although it's unlikely they'll do anything about this, at least I've done my civic duty.

**Subject**: Norton scam with an Auckland phone number

**Report**: An Auckland phone number (09 889 2332) is being used for a Norton phishing scam. I called the number out of curiosity, and the scam appears to be one where they attempt to take control of your mobile phone using the AnyDesk app (and presumably from there they ask you to login to your phone banking or similar). Is there any chance this number can be reported and taken down?

My reward for being a good citizen - a large green tick.