
CozyTech Was Almost Scammed!

Jul 22

5 min read


I say all the time that scamming can happen to anyone. Abusing psychological triggers is done specifically to subvert your critical faculties. Even Christopher Hadnagy, who has published a book on social engineering (the art, or science, of "human hacking"), admits to having been scammed in recent years.



Chris Hadnagy is the best of the best. His job is to study phishing attacks and scamming by performing them, on behalf of companies, against their own employees as a readiness test. If Chris Hadnagy can be scammed, it can happen to any of us.


It nearly happened to me in perhaps the most ironic way: I logged into Wix, which I use to run my website and eCommerce, and found a message waiting in my inbox.


"Oh, no!" I thought, wondering if a customer had reached out, and I had overlooked their communication. "I hope I haven't upset and lost a potential customer!" Now, already, the psychological triggers of harm and urgency were acting on me.

  1. Urgency - that I had missed a customer outreach, and that I might have missed my opportunity to help them.

  2. Harm - that by missing a customer's outreach, I had not only lost the opportunity to make revenue for my business and household, but that that customer might go off into the world telling people, "don't bother reaching out to CozyTech, they don't reply in a timely manner."


Now, I was moving quickly.


I clicked the notification, which took me to my Messages Inbox. There was a message, not from a customer, but from WIX LIVE SUPPORT.


"Uh-oh," I thought. "I wonder what's wrong?" (Again, the psychological trigger of harm is in effect, as I wonder whether something is wrong with my website, the very face of my business.) The message read as follows:


First Name: WIX
Last Name: LIVE SUPPORT
Email: wixteamassistmail@gmail.com
Message:
Dear Merchant,
Your website has been flagged for active malware - XSS Malware, which puts it in violation of our security policy. Per platform rules, websites identified with malware are subject to immediate removal—behavior consistent with malware.
Status:
- Security Level: Critical
- Compliance: Failed
- Reason: Unsafe redirection flagged by upstream servers
This is not a platform-originated issue but stems from your site's content or configuration.
If unresolved within 72 hours, your account may be suspended and permanently deactivated.
Reply "LIVE SUPPORT" to speak with a specialist within 15 minutes.
Sincerely,
Platform Security Team
WIX.com
Phone Number +1805073102

"Oh, gosh," I thought, reading this over. I got a degree in Cybersecurity and Information Assurance, and I know what cross-site scripting (XSS) is. It is a kind of attack in which malicious script is embedded in a website's pages, and it can be used to steal users' information. If this really got into my website somehow, and WIX was really going to remove my website, I was in big trouble.


It was only when I reached the words "your site's content or configuration" that I had a reason to slow down, and when we slow down, we can see through the ruse.


My website has been built entirely with WIX tools. The only configurations I have made are within the confines of WIX's own parameters. In short: I never included anything suspicious in my website, and there was no reason to think anyone else could, either.


At this point, I went back up to the top, and started reading more carefully. Here are the red flags I found:


  1. WIX would never reach out to me through the Contact Page of my own website. They would contact me directly through the 'back end' of their system.

    1. This message stated the Contact CozyTech form name at the top of it, and broke "WIX LIVE SUPPORT" into the First Name (WIX) and Last Name (LIVE SUPPORT) boxes. When you see it broken up like that, it looks very silly.

  2. In order to use the Contact form, one must submit a contact email address. In this case, they submitted wixteamassistmail@gmail.com.

    1. WIX would have no need for an @gmail.com account, because any official outreach from them would naturally come from an @wix.com address.


At this point, I knew it was a scam, but just for fun, we can keep digging through.

  1. It is interesting that in "XSS Malware", the M in Malware is capitalized. Malware isn't a proper noun. This is either a mistake on the part of the scammers, whose first language may not be English, or it is an attempt to make "XSS Malware" look official and therefore, scary for people who don't know what XSS (cross-site scripting) is.

  2. "Security Level: Critical", and "Compliance: Failed" are meant to tweak the psychological trigger of fear, and the entire message is meant to set off the psychological trigger of authority (or intimidation) because this supposed compliance check and threat of shutdown are coming from actors impersonating official WIX staff.

  3. There is some more unnatural language in the phrase, "this is not a platform-originated issue but stems from your site's content or configuration." A person whose first language is English would almost certainly not phrase it this way.

  4. The psychological trigger of urgency is then attacked with the threat that, if this isn't resolved within 72 hours, my site may be suspended or even deleted.

    1. Why not one or the other? Shouldn't there be clear consequences for specific violations?

      1. It's more effective at drumming up fear in your mind because it overwhelms you with possibilities for harm.

    2. Why "within 72 hours"? Shouldn't this be more of a "this is your first warning," kind of matter?

      1. The threat of 72 hours panics you with a sense of urgency.

  5. I am asked to reply with a specific string of text, "LIVE SUPPORT", to receive support within 15 minutes.

    1. The most important element here is that I reply, not that I reply with a specific piece of text. This is me taking the bait and tugging the line they have laid out, so they can begin to reel me in.

    2. The request that I reply in a certain way, and the guarantee that they'll get back to me within a certain time frame are both meant to mimic real communication of the sort that companies commonly employ, which is meant to tweak that psychological trigger of authority or the psychological trigger of trust.


Then, in the end, there is a polite sign-off, as well as a number I can reach out to directly. Note however that it is not an official toll-free 1-800 code, but instead, a lookalike 1-810 area code, which is registered in Michigan. This is a phony phone number, likely set up for free or nearly no money, for the purposes of this scam, and it will be torn back down as soon as it is no longer needed (or when covering their tracks becomes prudent).
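
The red flags above, turned into a triage check for contact-form submissions. This is an added example, not part of the original post or any Wix tooling; the field names, the `VENDOR_DOMAINS` list, the flag labels and the hold threshold are assumptions made for illustration.

```python
import re

# Assumed for this example: vendors you use and the domains they really mail from.
VENDOR_DOMAINS = {"wix": {"wix.com"}}

# Pressure cues of the kind seen in the message analysed above.
PRESSURE = {
    "deadline-pressure": re.compile(r"\bwithin\s+\d+\s+(?:minutes?|hours?|days?)\b", re.I),
    "account-threat": re.compile(r"\b(?:suspended|deactivated|removal|terminated)\b", re.I),
    # Reply "KEYWORD" in all caps: the point is to get any reply at all.
    "reply-keyword-bait": re.compile(r"\b(?i:reply)\s+[\"'“][A-Z][A-Z ]+[\"'”]"),
}

def red_flags(sub):
    """Return the red-flag labels found in one contact-form submission (a dict)."""
    flags = []
    name = f"{sub['first_name']} {sub['last_name']}".lower()
    domain = sub["email"].rsplit("@", 1)[-1].lower()
    for vendor, domains in VENDOR_DOMAINS.items():
        if re.search(rf"\b{re.escape(vendor)}\b", name):
            # A platform has its own channel; it does not use your public form.
            flags.append("vendor-name-on-public-form")
            if not any(domain == d or domain.endswith("." + d) for d in domains):
                flags.append("vendor-domain-mismatch")
    flags += [label for label, rx in PRESSURE.items() if rx.search(sub["message"])]
    return flags

def triage(sub):
    """Hold anything posing as a vendor, or stacking two or more pressure cues."""
    flags = red_flags(sub)
    posing = "vendor-name-on-public-form" in flags
    return ("hold" if posing or len(flags) >= 2 else "deliver"), flags

# Fields from the submission quoted in this post (message cut to the analysed phrases).
SCAM = {
    "first_name": "WIX", "last_name": "LIVE SUPPORT",
    "email": "wixteamassistmail@gmail.com",
    "message": 'If unresolved within 72 hours, your account may be suspended and '
               'permanently deactivated. Reply "LIVE SUPPORT" to speak with a '
               'specialist within 15 minutes.',
}
# Constructed benign submission for contrast: one cue alone is not enough to hold it.
CUSTOMER = {
    "first_name": "Dana", "last_name": "Reyes", "email": "dana@example.org",
    "message": "My laptop will not connect to Wi-Fi. Could you call me within 2 days?",
}

if __name__ == "__main__":
    for s in (SCAM, CUSTOMER):
        print(triage(s))
```

A held message is set aside for a slow, careful read; the vendor's real status is then checked from inside the vendor's own dashboard rather than by replying.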


The Takeaway

Scamming can happen to anyone, even people who make it their business to protect others from being scammed. The fact that I was nearly scammed while coming here to write about another scam (which itself was using the pretense of protecting its victim from an imaginary scam) is a deliciously ironic illustration of the point.


Be on the lookout, and remember the cardinal rule: if you wonder for even half a second whether something is suspicious, you should slow down to think about it a little longer. You can always contact CozyTech to get a quick opinion on whether someone is trying to scam you, and if you'd like individualized or group training on how to better avoid these scams, we'd love to be of service!


Until next time: stay vigilant, and stay safe!
