Prize Drawing Deception: How Are We Being Deceived?

It’s no secret that there are a lot of scammers on the internet. Under the guise of various prize draws and promotions, such people are trying to deceive users.

This article will talk about a new way of deception under the pretext of drawing prizes and converting the money won from dollars into any currency.

Learn more about the top internet scams in the world here.

Stage #1: Google’s mail

A potential victim receives an email with the subject “Last notification of account closure.” The text of the mail says that several hundred dollars or any other currency has accumulated on the recipient’s balance — and it is additionally clarified that this is “money”! 

Google’s mail

They need to be urgently brought to the card because the account will soon be deleted, and the accumulated funds will burn “without restoring the balance.” As for what kind of account it is and for what merits its owner was credited with money — the mail does not specify.

“Your balance has accumulated a lot of real dollars/euros, etc. Follow the link!”

There is no unusual text in the sender’s address, typical for fraudulent spam: the message comes from one of Google’s services. It also helps the scammer bypass spam filters. 

How do the attackers manage such a move?

To do this, they used a hole in one of the legitimate Google services — Google Forms. This online tool helps create questionnaires for data collection, online testing, and voting. Anyone can make such a questionnaire — all you need is a mailbox on Gmail.

The creator of the survey can configure it so that each respondent receives a copy of the questions and their answers by e-mail.

This is the function that criminals use. First, they create a survey and then distribute it to the addresses of potential victims (for example, by sorting through addresses from fresh leaks).

They divide the text of the final mail between the question and the answer, so that in the end they are next to each other and the user takes them for the text of the notification.

The list of frequently used email scams is here.

What’s in the mail?

In the text of the mail, the user is offered to follow the link to his personal account to pick up the accumulated “money.” The link, unlike the sender’s address, looks suspicious even at first glance — it’s a random set of letters and numbers. Any organization that respects itself and visitors to its site usually makes its address meaningful and readable.

Google’s mail conditionals

Stage #2: Valuable prize

A link from the mail through a chain of redirects leads to a page where the user is suddenly offered to participate in a prize draw. What about the personal account and the money that must be urgently withdrawn from the card? Forget it. The attackers do not return to this legend anymore.

From the site, it is impossible to determine what kind of body is organizing the contest — this is again a meaningless set of characters. The victim is asked to enter their name on the page itself and then select a box. If the box turns out to be “correct,” the user will receive a prize.

The first two boxes turn out to be empty, but in the third — what a surprise! There’s money lying around. All that’s left to do is to click on the bright green button and pick up your honestly won $3,060.

Especially for those who suspicious that this is a scam, a “live” chat of lucky people who allegedly have already received prizes is posted on the same page. However, none of them responds to messages.

How to protect your email? Learn more here.

Stage #3: Incorrect transfer currency

By clicking on the “Get prize” button, the victim gets into a chat with a certain “operator.” This is a bot, but it fairly reliably imitates a person. Before withdrawing funds to a wallet or card, the “operator” asks you to click on the button “I give my consent to receive prize!”

Transfer currency

Now it seems that it’s a small matter: fill out the card or account details and go spend the money that suddenly fell into your hands. Moreover, the page is trying its best to look reliable and gain your trust — there are icons of international payment systems, CVV is not required, and the data is supposedly protected by Protect technology.

However, it is suddenly impossible to receive money: the recipient’s bank rejected the operation because “it could not make a transfer in U.S. dollars.”

The scammers immediately and kindly offer to solve this problem. You can convert the prize to another currency right here. However, the cost of the procedure is compared to the thousands of dollars won. In addition, they promise to return this amount within a day.

The operation will also allegedly help carry out some “identity verification” and “identification of details” to withdraw funds.

Never mind that no verification was required for the first — failed — transaction.

Stage #4: Time to pay

Let’s say the victim presses a button. Then the thing happens that all of this has been leading up to: a form opens for entering payment information. Now, everything up to the secret code on the back of the card is needed.

The Fast Payment system provides the card data entry page and insists on its security: there are two icons right there with the promise of secure payment and a solid mention of the PCI DSS 2.0 certificate. 

If the victim fills out the form, then no prize money will appear in the account. And it’s good if it ends up just writing off a small amount from the account — since all the card data has already fallen into the hands of an attacker, the losses can be significantly greater.

How not to fall for deception

Unfortunately, sudden payouts and prize draws on the internet are almost always a hoax. And the basic rules of online security will help identify fraudulent mail, regardless of what plot the criminals may invent next time.

  1. 1. Do not trust mails in which you are promised expensive prizes, fabulous sums, and large transfers.
  2. 2. Do not follow links in emails, especially from unknown or suspicious senders. It is better to find the company’s official website from which the message came on the internet yourself. And it’s even better to enter the address manually if you already know it.
  3. 3. Pay attention to errors and inconsistencies in email addresses and websites, their design, organizations’ names, and so on. An unusual domain, numerous typos in the texts, strange wording, or a sudden change of topic from “the amount accumulated in the account” to “a prize draw” are sure signs of fraud.
  4. 4. Do not enter personal data, and especially bank card details, on sites that have aroused even the slightest suspicion.

Use only trusted and secure email services without scammers and frauds.


Leave a Reply

Leave a comment

Your email address will not be published.