Scammers Can’t Fool Me (Or Can You?)


You can’t fool me. That’s what I say when I receive a scam email. I can see it coming from a mile away. I take great pride in telling Mitch in our office that he can’t trick me when he sends our regular phishing simulation email.

But maybe I’m not as smart as I think I am. Because on our latest family holiday, much to my embarrassment, I was fooled.

I hope that sharing my story in this post, even if it adds to my embarrassment, helps you combat scams both online and while you’re trying to enjoy some downtime with your family. Looking back on it, I found it uncanny how online scams follow the same patterns as real-life scams.


During the Easter holidays, my family and I spent seven nights in Bali. We love Bali. The weather is excellent and the people are incredibly friendly. One day we went for a walk along the beach, and on our way back we ran into a new friend.

“Hello, how are you?” he said as we walked past.

“Good, thanks, you?” I replied.

And so the conversation went, just friendly chit-chat, discussing where we were from, how long we were staying, etc. There was no hard sell, or any sell at all. Just the friendliness we were used to.

As the conversation wound up, he said, “Oh, by the way. I work for this resort called ‘Karma Resorts’ and they’re running a promotion.”

“Oh yeah?”, I said a little guardedly. I look him up and down, and I notice he has a Karma cap and a Karma t-shirt on.

“Yeah, they are offering some prizes”. He hands me a cardboard envelope, which is sealed. It has a perforated edge that you remove to reveal your prize. Looked official enough.

Beware: Phishing scams can look legit.

Phishing scams often go to great lengths to appear legitimate, mimicking communications from trusted sources, such as banks, well-known companies, or government bodies. Ever received a scam pretending to be from Aus Post?

They achieve this by copying official logos, branding, and the overall layout of genuine emails or websites. Scammers may use domain names and email addresses that are incredibly similar to the real ones, often incorporating subtle typos or variations, in the hope that you won’t notice the difference.

The language used is frequently professional and convincing, sometimes even personalised with information potentially gathered from data breaches, all designed to create a sense of authenticity just to trick you.

I removed the edge from my envelope, and my daughter did the same. He hands a third envelope to my wife, Caroline. We opened up the first two envelopes, and we had won a cap. The same one he was wearing.

“Cool”, we said, not that impressed, but hey, a free hat’s a free hat.

“How do we claim it?” I ask.

“You have to visit the resort, and they’ll give it to you when you show the front desk this envelope. It’s like advertising for them. They want you to come visit the resort and then maybe next time you stay there or tell your friends”, he said.

Yeah, ok, I can see how a resort might want to advertise like that. Get people to actually visit the resort, impress them, and they walk away with a little something.

Beware: Phishing scams make the scam seem typical.

Phishing scams subtly encourage action by appealing to a user’s expectations or desires.

By replicating the trusted communication style of familiar organisations, these scams make the requested action seem like a normal or expected part of interacting with that organisation, such as verifying account details or clicking a link for more information about a service.

They might present a scenario that aligns with typical online activities, like confirming a recent transaction or updating profile information.

This carefully constructed facade of authenticity, combined with requests that appear routine within a legitimate context, lulls you into a false sense of security, making you more likely to proceed with the requested action without suspicion.

I look over at Caroline’s envelope, and it looks different to the first two. Instead of “Here’s a gift from our sponsors”, it says “Congratulations! You’re a winner!”

She looks a little confused and shows it to our new friend, “Umm, mine looks like I won something good”. He looks down, looks up at Caroline and is in shock. He pulls the envelope out of her hand and gasps.

“Ohhh, I’ve been waiting for this!!!” he exclaims and starts jumping up and down. His excitement is infectious. Caroline starts jumping up and down too. The girls can’t believe it, and although I like to think I was playing it cool, I’m sure my face gave away that I was excited to be a winner as well.

We take another look at our friend, and tears are welling up in his eyes. He says again, “I’ve been waiting for this! You know, they only pay us $10 a day to stand out here handing out these envelopes. Because you won, I get $50!!!”. There’s even more jumping now as we’re happy that he’s a winner too. The tears. The tears were a masterstroke.

I take a closer look at the envelope, and I can see we have won one of four prizes.

  • An Apple Watch
  • An Apple iPhone
  • An Apple iPad
  • A 7-day trip to one of their other resorts.

We don’t know which one we’ve won yet. The actual prize is under a sticker that can only be revealed at the end of our tour.

“So to be clear. We go for a tour at the resort, and then at the end, we get one of these prizes? That’s it?” I enquire.

“That’s it!” he exclaimed. OK, that sounds reasonable. And he was so emotional. You can’t fake those tears, can you? No, I don’t think you can.

“OK, let’s go”, he waves as he walks back to the street to call a taxi.

“What, now?” I protest.

“Yes, we’re going now. I will pay for the taxi there and back.” He waves down a Bluebird taxi.

Beware: Phishing scams have a sense of urgency.

Phishing scams frequently employ a strong sense of urgency to pressure you into making hasty decisions without thinking critically. This is often achieved by claiming there’s an immediate problem that requires immediate attention, such as a security breach on your account, a pending service cancellation, or a limited-time offer about to expire.

Phrases like “act now,” “urgent action required,” “your account will be suspended,” or “immediate verification is needed” are commonly used to create a sense of panic or a fear of missing out. Yes, they prey on your fear of missing out (FOMO).

By making recipients believe that delays will result in negative consequences or lost opportunities, scammers aim to override cautious behaviour and force quick compliance with their demands, such as clicking a malicious link or providing personal information.
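As an added example (not part of the original post), here is one way to screen a message for two of the signs described in these sections: a sender domain that is within a couple of character edits of a trusted one, and the urgency phrases quoted above. The allow-list, the distance threshold and the sample message are assumptions made up for illustration.

```python
import re

# Assumed allow-list; in practice, the domains your organisation really deals with.
TRUSTED_DOMAINS = ("auspost.com.au", "bank.example")

# The urgency phrases quoted in the post.
URGENCY_PHRASES = ("act now", "urgent action required",
                   "your account will be suspended", "immediate verification is needed")

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            # Cheapest of: delete ca, insert cb, substitute ca -> cb.
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address):
    """Lowercased domain from 'Display Name <user@host>' or 'user@host'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", address)
    return match.group(1).lower().rstrip(".") if match else ""

def lookalike_of(domain, max_distance=2):
    """Return the trusted domain that `domain` nearly matches, else None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= max_distance:
            return trusted
    return None

def triage(sender, subject, body):
    """List the warning signs found in one message."""
    flags = []
    domain = sender_domain(sender)
    imitated = lookalike_of(domain)
    if imitated:
        flags.append(f"lookalike-domain:{domain}~{imitated}")
    text = f"{subject} {body}".lower()
    flags += [f"urgency:{p}" for p in URGENCY_PHRASES if p in text]
    return flags

if __name__ == "__main__":
    # Constructed sample message, not a real email.
    print(triage("Aus Post <tracking@ausp0st.com.au>", "Urgent action required",
                 "Act now or your parcel will be returned."))
```

An empty result does not mean a message is safe; a flag is simply a prompt to pause and verify through an independent channel.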

 

The girls and Caroline are halfway into the car. “Are we actually doing this?”

The girls are now all the way in. I guess we’re doing this.

We’re in the taxi now. Our friend is so happy. He’s just got a week’s worth of income. He’s calling his wife, taking selfies with us, and showing us pictures of his kids. The guy is over the moon.

Caroline, to her credit, keeps asking, “So this is real? I don’t want any surprises”.

“Yes, 100% real”. He says with his palms pressed together and his eyes shut while making a bowing gesture with his head. She must have asked this 4 times during the cab ride.

“And we’re not paying for the taxis, right?” Caroline confirms for the umpteenth time.

“Yes, we will pay for all the Taxis”, he confirms again.

Okay, so we’ll get an Apple product, and we won’t be out of pocket. If this is a scam, and we’re being taken for a ride, then the only thing we’ve lost is our time. Is it worth the risk? Yeah, it seems like it. Plus, he had tears in his eyes. The tears.

Tip: Phishing scams are best combated together.

Given the deceptive nature of phishing attempts, it is crucial to maintain a heightened sense of vigilance when interacting with emails, messages, or phone calls that request personal information or urge immediate action.

Scammers are constantly refining their tactics, making their communications increasingly convincing. If you receive a message that sparks any doubt, no matter how authentic it seems, pause and resist the pressure to act quickly.

Always keep your guard up and remember that it’s perfectly acceptable, and indeed advisable, to seek help or a second opinion. Reach out to a colleague in your IT team or contact the organisation the message claims to be from through a verified, independent channel, such as a phone number from their official website (not from the suspicious message itself).

Taking that extra step to verify the message’s legitimacy can be the most effective defence against falling victim to a scam.

 

After a while in the Taxi, I started thinking about the prizes. Three of them are physical, and you receive them immediately after the tour. The 4th isn’t something they need to part with immediately.

I wonder what the chances are that the prize is the trip? I think it’s 100% chance it’s the trip. We drive for about 30 minutes in total.

“We’re here”, he says.

I look out the window of the taxi. “Where’s the resort?”

We get out of the taxi, and we’re standing in front of a two-story office building. We head through the glass doors, and we’re greeted with 5 or 6 desks. Each has someone working behind the desk with other “winners” sitting on the other side.

We’re directed to sit at a desk opposite a woman. As we approach the desk, my eldest daughter notices a bookcase with boxes of Apple devices. I suppose that’s our prize, unless they’re empty and there just for show.

We sit down, and our friend hands our winning tickets across to the woman.

“Welcome”, she says pleasantly. “Congratulations. Okay, now let me explain what you’ve won. You have won one of four prizes, which you’ll gain access to after the presentation.”

“What presentation? We weren’t told about a presentation”. Her demeanour changes in an instant.

“What did he tell you?” she demands. “I need to know what he told you?” So we’ve reached the good cop, bad cop stage.

“We were told that we’ll get a tour of the resort and then receive one of those gifts”

“He is not allowed to lie to you”. Hmm ok.

“So if there’s no tour, what are we here for?”. I’m getting upset now.

“You will receive a 2-hour presentation…”

“No, I won’t,” I interrupt, shaking my head.

“…a 2-hour presentation…”, she continues “,…and once it’s complete, you’ll get to see what prize you won”.

“OK, how about this?” I breathe through gritted teeth, “You show us the prize right now. Then we’ll decide if we stay for the presentation.”

My thinking here is that if it’s an iPhone, Watch or iPad, that’s worth my time. I’ll sit through a 2-hour presentation for that. But if it’s the trip, well, it’s nothing but a scam. I mean, I knew at this point it was a scam, but a new iPhone? What’s the harm? We’ve come this far.

“Let me ask my manager”, she says. She leans over slightly to the woman next to her, who gives her half a nod, so I guess that was approval.

“It’s ok. We can check it now”, she says. We peel back the sticker, and it’s… the trip.

“OK, let’s go”, I say to the family and stand up.

“No, no, no. Please. Do you want your hats?” she tries.

“Yeah, we’ll take the hats”, I say, trying to salvage anything from the situation.

“They’re just downstairs”. She leads us downstairs, where she asks us to sit down at another desk. “I need your details to give you your hats”.

“No chance”

We head outside and speak to someone there. “Call us a taxi. We’re not paying”.

“Yes, of course”, they reply.

At that point, our new friend comes over. He has a devastated look on his face.

“What happened?” he pleaded.

“You didn’t tell us the truth,” Caroline gave him the smackdown. He skulked off.

On the taxi ride back to our resort, we jumped on Google and found others who had been taken in by this scam. And seeing their stories made us feel much better about our own gullibility. The whole scam is a timeshare scam. Some people sat through 6 hours of presentations. One left a £2,000 deposit. Others lost tens of thousands of dollars.

Tip: Phishing scams are common. Google it.

In the fight against phishing scams, one readily available tool is Google.

If you receive a suspicious email, message, or even encounter a questionable website, taking a few moments to search for keywords or phrases from the communication can provide valuable clues.

Often, if a scam is circulating, others will have already reported it online. Searching for the subject line of a suspicious email, the sender’s email address (especially if it seems slightly off), or even specific phrases used in the text can reveal forum discussions, security alerts, articles from cybersecurity experts, or blog posts from business owners who got sucked in too.

This quick online check can help you leverage the experiences of others and readily identify known scam tactics, adding an extra layer of defence before you consider taking any action.

 

Our eldest daughter says, “You know what? We scammed them. They had to pay for our taxis and got nothing out of us”. Yeah, we showed them!

As for our friend, he’s wasting his Oscar-winning talents. He needs to be in front of a camera. Those tears…


About the author

Yener is the founder and Managing Director of Intuitive IT. Prior to running his own business, Yener worked for a number of corporate organisations, where he gained invaluable experience and skills, as well as an understanding of how IT can complement and improve business outcomes.