We recently encountered a significant problem with a long-term client. We received a text message stating that they overpaid and that we need to Venmo them the money. The next day, we received a voicemail from an unknown number early in the morning before we opened. The voicemail was from someone claiming to be the client, stating that they had overpaid and asking us to Venmo them the money back. This went on for several days, both via text message and early morning phone calls. The name left on the voicemail didn’t match the name of our client, nor did the phone number. When we called the number, it dropped straight to a full voicemail box.

After the first day, we checked the books, and there was no record of the client overpaying. We did reply to the SMS message with a short and straightforward:

We have attempted to reach you.  Your voicemail is currently full.  
~Simply Web Services

After the second day, we attempted to contact the client. Our first attempt was via email, since that was the client’s preferred contact method.

On day three, the issue recurred, with them claiming two overpaid invoices and threatening chargebacks. We then attempted to contact the client again.

This is now starting to get serious and impacting our daily operations. We were about 95% sure this was a scam and that all signs led to someone pretending to be the client. The problem was that the client wanted us to work with his assistant, with whom we were very familiar. We knew the client and recognized his voice, and the voice on the voicemails was not his voice.

It was around this time that things got strange, and the scammers showed their hand. The client self admittedly isn’t very technically savvy and the scammer was asking for us to setup and manage an email campaign for them (which is something we can do) and then they asked us to setup a dedicated email server for them with certain requirements, and they included the good old phrase of “I have consent to send emails to these people”, which means, I’m going to use the email server to send SPAM.

It was also at this time that we made the choice to no longer entertain these text messages and voicemails and to tell the client that he needs to call us ASAP, that we recognize his voice, and his email account has been compromised. The client called us in about 10 minutes; he wasn’t aware of any of this, and he obviously wasn’t seeking a chargeback or looking for an email server. We told him that it looks like his Comcast email account has somehow been compromised and that he needs to first change his password to lock the scammers out of his account. He or his assistant needs to go through his email inbox and figure out what other businesses they might have been able to contact and try to scam.

How This Scam Works
The bad actor manages to gain access to your email account, likely from shoulder surfing (looking over your shoulder) or otherwise hacking into the account. In this case, the client was on travel in the same locality from which the phone calls were coming. Once they have access to your email, they rummage through your emails, looking for potential payments that you made that they might be able to get the money back from. They will contact the companies and state that they overpaid or that they don’t know what this charge is for. The hope is that the company will avoid the chargeback fees and simply refund the money via something like Zelle or Venmo. They get the money, and they run and move to the next victim. In this case, they hit up a technology company, and we recognized this as a possible scam. Hopefully, we were able to save our client a bunch of headaches.

In the near future, Simply Web Services will implement a PIN code for all clients, enabling us to identify the person we are communicating with, whether it’s an employee or a client’s representative.