My Dad called me all excited earlier today and told me he’d won a free golf cart from Lowes. Immediately skeptical, I asked him for details and he forwarded along the mail I attach. Is this legit or is it a scam?
The expression predates the Internet, but it still remains oh-so-true: There ain’t no such thing as a free lunch. While companies do give away product, your Dad really needed to ask himself why Lowe’s would give him a $10,000+ product in return for a few minutes of his time? Even if he’s the CEO of Home Depot, it’s hard to imagine the economics behind that promotion! Instead, as you suspect, it’s a clear scam and your Dad needs to immediately freeze his credit card, get a new one – with a new number – issued, and closely scrutinize any charges he’s received since filling in the scammer’s form.
That’s the too-long-didn’t-read summary, but let’s have a closer look at this scam and how it preys on people’s desire to beat the system and get something for nothing. Almost 100% of the time, these scams are completely implausible from the get-go, so the challenge of the scammer is to create an experience that will seem so legit that the mark actually goes through with the process and enters their credit card information. Nothing else matters, and whether they immediately charge a few thousand dollars on the new card or simply sell that information on the so-called dark web, the entire game revolves around that payment info.
PART 1: THE SCAMMY EMAIL
The message you sent me shouldn’t even pass the most basic scrutinization with its scammy subject line (do any legit companies use emoji in their subjects?), weird sender address, and immediate pressure to act, act, act, so that you don’t miss out on this great opportunity:
Most modern email systems will have already assessed this message and dropped it into the Spam folder. If that’s where ya find it, it’s a scam. That’s easy enough to figure out! 🙂
But look at that email sender address: A sequence of random characters @ kodagursk… What the heck? If a company like Lowe’s did send out customer surveys or sweepstakes, wouldn’t it come from something like “sweepstakes@lowes.com”? Of course, savvy Internet denizens know that any email address can be spoofed, so that’s not a great indication of veracity, but a lazy, scammy one like this? It should be enough to have anyone just delete the message and move on.
Then there’s the typical chaotic offer. Is this a free golf cart (which we’ll later see is ostensibly worth over $10,000) or is it a $500 reward? Hmmm…
At the bottom of the email is an interesting clue about the scam and scammer, though. A typical unsubscribe line, but it includes a mailing address that isn’t the Lowe’s corporate HQ (which still wouldn’t prove it was legit, of course):
It’s perhaps ironic that this spam message actually has a facet that conforms to the CAN-SPAM laws about unsolicited email by including these last two lines. But what is that address? Google Maps street view to the rescue:
PostalAnnex offers post office boxes, so it’s a safe bet that the scammer has one in this strip mall. Why they included this address at all is something we could consider, but be that as it may, the above address certainly doesn’t look like Lowe’s HQ, their ad agency, or any other legit online marketing business.
PART 2: THE CLICK
Okay, so let’s say your Dad got excited about the offer and didn’t do some basic due diligence. If he was running Microsoft Edge or Google Chrome, a click on “Click Here” would have then yielded this warning instead of the actual landing page:
Okay, it doesn’t get any more obvious that the whole thing’s a scam. Clearly, the related Web site is not one you want to visit as it’s been reported as unsafe.
But what if you have a Web browser that doesn’t have these protections or you’ve disabled them? When I tried the same link in Apple’s Safari browser on the Mac, it went through! After a few redirects, I ended up on a page with this front and center:
Remember, the goal of the site is to get you to the credit card info entry form as quickly as possible without offering any reason to get suspicious and bail. But it can’t be too easy because they’re trying to exploit the psychology behind what’s known as quid pro quo. It’s hinted at here in the pop up message: “Your opinion is very valuable.” But is it? Is your opinion really worth $10,000 to Lowe’s?
PART 3: ANSWERING THE SURVEY
A click on the “OK” and the page explains what the deal is, that $500 Lowe’s Reward entirely forgotten as we’re back to that very expensive golf cart:
That push to keep you moving? “This offer expires today” and “Offer expires in 5:32” both push the visitor to act, not think, and that’s the key to this sort of scam. Note that it says “Home Improvement” on the top and refers to “experience with us”, but doesn’t actually say that it’s a Lowe’s survey or program. Because it’s not.
Scroll down on the page and there are even testimonials, some with photos. These are, of course, incredibly easy to fake, so should not increase veracity one iota.
But, hey, we’ve come this far, let’s see what those survey questions look like:
There are indeed 15 questions of this nature, quick, easy to answer, and no actual thinking required. The goal is to get you through the survey so you feel like you’ve “given” something to them so that when they say they’re ready to reward you, it seems legit. Answer that 15th question and:
Products in stock? Ay yi yi. It’s no surprise that after a few moments you see this:
This might be an actual product on the Lowe’s Web site, and it might even be listed for $10,999.99, but again, isn’t this suggesting that your answering 15 survey questions is worth $10K to Lowe’s? Your Dad felt like that might be legit? That Lowe’s was that generous and cared that much about his opinion? 😐
PART 4: PAY FOR IT! PAY FOR IT!
Now we’re at the final step, so the pressure to proceed is intense, as conveyed by the fact that “179 people are viewing” and there’s only “(1)” left in stock. You don’t want to miss it! “Claim Now” gets to:
Yay! Wouldn’t it be delightful if this were legit and we’d just won a $10K golf cart for shipping costs alone? And wait a second, if this is big enough for four adults, isn’t shipping going to be a bit more than $9.96?
Click on “Continue” and you’re at the climax of this thrilling adventure:
The entire scam has been a funnel to get you to this page and have you fill in the information. They say that it’s a $9.96 (discounted to $5.96!) fee, but perhaps they’ll immediately use the info to purchase $500 worth of gift cards, sent to that PostalAnnex in Las Vegas. Or $1000. Or as many $500 transactions as will work until the card locks up.
PART 5: THE MORAL OF THE STORY
I went through most of the steps with a safe device, but didn’t enter a credit card to see exactly what kind of transaction would have transpired. It could have happened immediately, it could be delayed a few days, or it could simply be immediately posted to a dark web site where the scammer earns $25 for each posting.
Modern credit card companies tend to indemnify cardholders against these sorts of scams, so if your Dad is impacted by this transaction, definitely get the bank in the loop to help out and hopefully recover any lost monies.
But the onus is really on us consumers to be savvier about these scams. Gmail flagged it as spam, Edge warned me about the Web site, but I plowed through anyway. Not recommended at all.
In fact, as soon as you have any reason to doubt an email message or offer, as soon as that “spider-sense” starts tingling, you should closely examine the offer and even contact the ostensible sender (look up their customer service number, don’t call the one in the email message or letter!) to verify its legitimacy.
Scammers are smart and sophisticated, able to masquerade as others, and willing to build professional Web sites, some of which look identical to the real site, in the interest of scamming us out of money and personal information. Don’t be that sucker, and educate your Dad so he learns to be more skeptical too. It’ll save you both a lot of headaches down the road. Be careful online!
Pro Tip: I’ve been writing about online scams for many years. Please check out my spam, scams and security help area while you’re visiting. Thanks!