This is a scam that has had various forms, but chances are everybody’s seen some variant of it. Most places I frequent just call it the refund scam (as if there were only one kind of refund scam); I call it the Unpurchased Purchases Refund Scam, because what you’ve supposedly bought differs over time, and can be a service or an expensive device. Sometimes it just comes as a random email from a just as random email address (commonly Gmail); sometimes it comes from PayPal, or QuickBooks, or any other standard invoicing service. When I first saw it, it was always a GeekSquad/BestBuy, Norton, or McAfee subscription, but other versions have included Bitcoin, Surface Pros, or iPhones.
Sometimes there is an invoice in PDF format; do not open it, as it sometimes includes malware. That is not covered in this article, as its focus is on the scam.
The main purpose of the scam is to get you to call. If it’s done via invoicing services, they’ll happily take your money, but the main idea is to trick you into calling them. Some versions of this scam - possibly earlier ones - sought to get your name and credit card number (remember, they pop these things out by the thousands, hoping to hook victims!), but most are aiming to get as much money as they can from you. If you’re lucky, they might ask for a wire transfer, cryptocurrency or gift cards. If you’re unlucky, they’ll wipe out your entire bank account.
Here’s how the most common scam works:
You get an email (or rarely a text, but email is far more common) stating you have made a purchase! Congratulations! Money will be withdrawn from your account. You have 24-48 hours to dispute, or very rarely 72 (always a time limit, a big red flag!), and here’s the number to call. In some cases, this will be an actual invoice generated through an actual accounting company or PayPal, but most are not.
You call the number. The person asks for the invoice number and then pretends to look for it, then tells you that they can refund the money.
But for them to refund the money, they must have your financial information. And to do that, they need you to log into your bank account. But wait! They want to be helpful, so they need you to download a remote access program so that they can take control of your computer to fix the problem.
Once they have access, they have you log into your bank account and then they manipulate the data to show a supposed refund.
Commonly, the agent “sends too much money”. To fix the overpayment, you need to either get bitcoin via a bitcoin ATM or get gift cards and send them the money that way. Or they ask you to do a wire transfer, or convince you to send the overpayment back to them via Zelle or another digital payment service. In some more uncommon cases, they just show the fake refund and then black out your screen so they can Zelle or wire transfer the money out of your account and then wipe evidence that they’ve done so. If you’ve given them access, they can even do this after you’ve supposedly gotten your refund and ended the call.
This is actually, in its most common form, a high-tech variant of the very common advance fee scam; you’re given money, but more than you’re supposed to get, and you must send a portion someplace else. At worst, especially if you save your passwords in your browser (which many people do; I’m guilty of the same), you have essentially given the scammer access to your bank account and any other account whose password you’ve stored, especially if you don’t have some secondary protection such as multi-factor authentication!
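The red flags in the lure email described above (a random Gmail sender, a brand name the sender's domain doesn't match, a dispute deadline, a number to call, a PDF invoice) can be checked mechanically. This is an added example, not part of the original article; the flag names, the `triage` and `make` helpers, and the three sample messages are constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

BRANDS = ("geek squad", "best buy", "norton", "mcafee")  # brands named in the article
FREEMAIL = {"gmail.com"}                                  # sender domain named in the article
DEADLINE = re.compile(r"\b\d{1,2}(?:\s*(?:-|to)\s*\d{1,2})?\s*(?:hours|hrs)\b", re.I)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL = re.compile(r"\b(?:call|dial|phone)\b", re.I)

def triage(msg: EmailMessage) -> list[str]:
    """Return the article's red flags that this message shows."""
    flags = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    if domain in FREEMAIL:
        flags.append("freemail-sender")
    # Heuristic: a brand is named, but the sender's domain does not contain it.
    if any(b in text and b.replace(" ", "") not in domain for b in BRANDS):
        flags.append("brand-sender-mismatch")
    if DEADLINE.search(text):
        flags.append("dispute-deadline")
    if CALL.search(text) and PHONE.search(text):
        flags.append("call-this-number")
    if any((a.get_filename() or "").lower().endswith(".pdf") for a in msg.iter_attachments()):
        flags.append("pdf-attachment")  # flagged by name only; the file is never opened
    return flags

def make(sender, subject, body, pdf=None):
    """Build a constructed sample message (not real mail)."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content(body)
    if pdf:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename=pdf)
    return m

# Constructed samples: a Gmail lure, an invoice-service lure, a plain receipt.
LURE = make("Billing Dept <billing.dept.8841@gmail.com>", "Your Norton subscription has been renewed",
            "$349.99 will be withdrawn from your account.\n"
            "To dispute within 24-48 hours, call +1 (555) 010-0199.", pdf="invoice.pdf")
INVOICE = make("service@paypal.example", "Invoice from Geek Squad",
               "You have 72 hours to dispute. Call 555-010-0142 to cancel.")
RECEIPT = make("Norton <noreply@norton.example>", "Your Norton receipt",
               "Your renewal is confirmed. Manage your subscription from your account page.")

if __name__ == "__main__":
    for name, m in (("lure", LURE), ("invoice", INVOICE), ("receipt", RECEIPT)):
        print(name, triage(m))
```

The invoice-service sample shows why sender checks alone are not enough: mail generated through a real invoicing service arrives from that service, so the deadline and the number to call are what remain to flag it.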
How to protect yourself
As with many scams, the first thing you should do is breathe. Don’t call the number on the invoice. Don’t pay the invoice if it’s been sent by PayPal/QuickBooks, etc. Look up the actual support number for the company you supposedly bought from. If you do call, never ever give a random person remote access to your computer - and this goes double for customer service, accounting, and fraud, none of which need remote access to your computer.
The scammers are depending on people not being financially savvy. People don’t seem to generally know that if you are being billed for something, it’s usually instantaneous and, for that matter, they already have your financial details. A company’s fraud folks don’t need to get into your bank account to refund money that hasn’t been taken out yet; they just need to notify their accounting department that something is fraudulent and not to charge the person. If the money has been taken out (and I can guarantee that it hasn’t unless you’ve given them your details), the company can reverse the payment on their end without going into your account. Also, an unpaid invoice - in case you get one of the PayPal/QuickBooks/Xero-generated ones - is just an invoice. No money has gone out because, again, the scammers don’t have your financial details unless you’ve given them to the scammers.
And if you’ve given these scammers access to your computer, go to a computer they haven’t had access to, change every password you’ve stored in your browser(s) on the computer, remove the software, run a virus scan and possibly engage professional help to make sure they haven’t planted anything for future exploitation.