r/phishing


Shop app scam and how do I remove this?!

So I woke up to 2 charges I did not buy. Random name and address all purchasing something from geeksquad? This never got charged to my bank but why is it on my shop app? Also I keep trying to report it but it only says I can email the scammer ffs. Can someone tell me how to remove this from my account?

u/Miserable-Tonight-96 — 21 hours ago

Someone is using my gf's whatsapp chat to try and scam me

They are sending messages through her chat, which she cannot see, to try and have me send money to a random bank account. She still has access to the app, and it's weird because I can talk to both her and the scammer at the same time. How is this possible?

u/Pandriant — 21 hours ago

Am I being phished or is this real?

I have a reservation in Japan soon and today I got this message on Whatsapp from them about verification. However the page itself, which looks like booking, asks me for payment for a room that's already paid for.

They got every detail of the booking right but IDK this looks really suspicious.

I have contacted the hotel on booking but until they answer was wondering if anyone is familiar with this. Is this legit or no?

u/Aloname — 1 day ago

This obvious phishing attempt landed in my elderly father's Hotmail inbox today

My father received this email today and sent me a text asking if I somehow locked his cloud storage account. I immediately asked him to forward the email and told him not to click on any links. Not sure how Hotmail allows such obvious phishing attempts through.

u/Richie086 — 2 days ago

I got this email from Robin Hood. Possible phishing scam?

I got this email from Robinhood, the stock app. Could it be a scam? I haven't used it or logged on to my account in years, but the email makes me think it could be real? Has anyone seen something like this before or is it a common scam or could it be real?

u/stickandmovez69 — 3 days ago

Received an email from someone who knows my full name, country, and workplace

I received an email today from someone I don't know. Here are the details:

The email:

  • From: I'm not sure if I should share this yet or not. Cause it might be personal
  • Subject: "Nothing important"
  • Message: "Hey, you're (my name) right? The one from Jordan who works for an online company?"

What I found when I searched:

  • SPF, DKIM, and DMARC all pass, I think, according to Claude at least.
  • The sender's timezone from the headers is UTC+3 (MENA region)
  • The Gmail account has been active since at least late 2025 and has a Google account ID.
  • No results on any scam websites
  • No social media I could find
  • I checked my Gmail for filters, forwarding rules, and foreign logins. Nothing.

What's weird:

  • I never gave this person my email
  • They didn't identify themselves or explain how they know me
  • My LinkedIn clearly states the name of the company I work in, not some "online company"

What I did:

  • Did not reply
  • Reported as phishing to Google

My question: Is this a scam? Should I be worried? What do I do? Do I need to do anything?

u/JackAbove — 3 days ago

Is this a scam? [https://]portal[.]chirp[.]digital

I just got a bunch of texts with hyperlinks that had authentication codes inside them. The text used my full name, and asked me to "complete my verification". I wasn't doing anything at the moment, and haven't done anything recent. As best as I can tell, the root site given in the title is legit, but I don't dare go to their website. Hoping someone can help validate it or not.

Adding in some mix of the website to help others find this post in the future. chirp digital. portal chirp digital.

u/seeker407 — 3 days ago

Microsoft phishing attempt unprovoked

Morning folks! I woke up this morning to this email to my Gmail account. It looks like somebody was maybe trying to get into my Microsoft account this morning and a confirmation code was sent to my Gmail. Does anybody know if this may be a phishing scam? Anything I should do with Microsoft? I already changed my Gmail password. Thanks for the help!

u/Dm210543 — 3 days ago

Is this fake or real, I didn't request it

Is this fake or real, I certainly didn't request it. It came to my Hotmail account. I have multi factor authentication, too. I don't know if I should change my PW or not, but it seems like it's a fake to me. The profile pic says "MA" when it usually just says "M" and the email address seems a little... long.

u/Panda_powered_Poots — 4 days ago

Accidentally clicked what I think is a phishing link from a fake Microsoft email. What do I do now?

Exactly what the post says. I have been extremely sleep deprived (awake for several days) and I clicked a stupid link sent to my email, logged into my Microsoft account, made a damn passkey, then realized it probably wasn’t real. I quickly logged out, changed my password, removed my debit card, and turned on 2FA. Then I changed my bank password and several others. Is there anything more I can do? Should I add 2FA for everything? Contact my bank? What kind of information do phishers receive? I feel like I’m losing my mind and I can’t believe I did this.

u/MeadowLark420 — 3 days ago
▲ 4 r/phishing+1 crossposts

Invitation scam that links to pretrejfix.com

I got an email from my Aunt that was titled "don't miss out on *AUNT'S NAME* fabulous event!" and had an e-vite with a link. I didn't think too much about it as I knew they had a family event coming up, though I was slightly curious because we live 7000 miles from her and why would she think to send the invite. I clicked on it and it directed to the website in the title, but I got

"Sorry, you have been blocked You are unable to access *website name*"

from Cloudflare with the explanation

"This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data."

I checked my Chat next and my Mother had written that it was a scam and not to open. I ran a total virus scan with Avast Free Antivirus and came up with some junk, but nothing much. I deleted the email and then deleted it from the trash.

My points in this post are threefold:

  1. I wanted to put this out there- has anyone else come across this type of phishing?

  2. Does the fact that I got blocked by Cloudflare mean I wasn't infected, and if I was should I take any other steps?

  3. I checked the email and it actually was my Aunt's email. How did they pull that off?

u/BathOk9532 — 4 days ago
▲ 31 r/phishing+1 crossposts

The eternal phishing attack on the Albion Online video game.

I'll be brief. I'm a player of this video game, and the issue is that there's a problem that's been plaguing it for years.

A group of attackers, for some reason, created a fake forum to try and impersonate the real one. On this forum, they trick users into believing there's a "silver" giveaway (the in-game currency), claiming that to participate you have to leave a comment. The problem is, to do that you have to log in—that's the phishing.

I've been tracking them and taking measures against their attacks for two weeks now, but to be honest, it's exhausting. The whole process of reporting the host, reporting the domain, and reporting it to Google is pointless when it's relatively easy for the attacker to buy another domain, acquire another host, and slightly modify the URL (subdomain) so that Google gets confused and loses track. Basically, the entire process of countering it, which takes several hours or days, takes them an hour or less to return.

So, after thinking it over, I decided to look for phishing communities to take another countermeasure: Prevention.

Phishing description:

The attacker acquires domains very similar to ".com" to avoid detection.

com-c.nl

com-b.nl

com-e.nl

com-i.pw

Etc.

Then, as a subdomain, they try to impersonate the Albion Online forum:

abiononline

aIbiononline | a "I" biononline (uppercase i)

albiononIine | aIbionon "I" ine (uppercase i)

Etc.

Then they simply add "forum" to the URL, and that's it.

With all that, they obtain a URL very similar to the real forum, which is: https://forum.albiononline.com/

Using the prepared URL, they create a forum by completely copying the HTML and simulating a thread from that forum where several people are seen commenting to gain the victim's trust. But if you take the time and click on each account's profile, you'll be taken to the real forum, where you'll realize that those accounts have been offline for months or years. But as we know, few, if any, actually do that; most people see a forum similar to the real one, people commenting, don't want to miss the giveaway, go to the fake login, and fall for the phishing scam.

However, this isn't all. Setting up the entire phishing trap isn't very effective if you don't manage to capture the attention of enough victims, so the second part of their plan is as follows:

  1. Create a Twitch account with a random name (it seems automated).

  2. They go live and stream the game as if they were a typical new streamer. Title it "470M Silver Event" and tell viewers to check the description below to participate.

  3. Block live comments and focus solely on streaming.

Now, this alone is useless since it would only be seen by those on Twitch. However, many hacked accounts appear in the game itself, spamming the link (stream).

So, the following happens:

Players are redirected from the game to the stream. On the stream, they don't notice anything unusual, just a "small streamer" giving away a lot of money and offering the chance to participate. You click the link (the link provided isn't the real one; clicking it takes you to a fake URL, but few notice) and you're tricked into thinking you're on the real forum. You see comments from people participating and you're encouraged to log in to participate, and that's it—you've been scammed.

Now, saying all this is all very well and good, but what about the proof?

Here I have the evidence I gathered over two weeks, which I used to file complaints with the host and the various domains. Needless to say, it was all for nothing.

Evidence of the existence of the fake forum:


Evidence of the existence of the phishing login on this fake forum:


URLs of previously banned channels (I used these as evidence to help Twitch associate events and react faster):


Anyway, I don't know if there are any players or people here who play this video game, if they have groups, Discord friends, etc., but I wanted to warn about this incident. I know this won't stop more victims from falling victim (if this attacker is still around after all these years, it's because it's working at least minimally enough for him to continue), but at least I prefer to warn as many people as possible.

And I know Reddit isn't the best place to do this, since I could go to Facebook, the game's own Discord server, or the forum, but to be honest, those sites rarely take these things seriously or even ignore them quickly.

u/Just-Bedroom7356 — 5 days ago
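
A defender-side check for the lookalike pattern described in the post above, as an added example that is not part of the original post or any Albion Online tooling. It flags hostnames that carry a homoglyph or near-miss spelling of the forum's name, or a `com-` decoy label, outside the real `albiononline.com` domain. The function names, the small confusable-character set and the sample hostnames (assembled from the fragments quoted in the post) are assumptions.

```python
import re
from urllib.parse import urlsplit

BRAND = "albiononline"              # label of the real forum host named in the post
LEGIT_DOMAIN = "albiononline.com"   # the real forum is forum.albiononline.com

# Characters that render like another letter in many fonts (assumed, minimal set).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})
# Labels such as "com-c" that imitate ".com" in front of another TLD.
COM_DECOY = re.compile(r"^com-[a-z0-9]+$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_as_written(url: str) -> str:
    """Return the host with its case preserved, as a viewer sees it in link text."""
    if "://" not in url:
        url = "//" + url
    netloc = urlsplit(url).netloc
    host = netloc.rsplit("@", 1)[-1]          # ignore any userinfo part
    return host.split(":", 1)[0].rstrip(".")  # drop port and trailing dot


def classify(url: str) -> list:
    """Return the reasons a URL looks like a forum impersonation ([] if none)."""
    host = hostname_as_written(url)
    lower = host.lower()
    if lower == LEGIT_DOMAIN or lower.endswith("." + LEGIT_DOMAIN):
        return []                             # genuinely under albiononline.com
    reasons = []
    for label in host.split("."):
        plain = label.lower()                 # what DNS and the address bar use
        skeleton = label.translate(CONFUSABLES).lower()  # what the eye reads
        if skeleton == BRAND and plain != BRAND:
            reasons.append(f"homoglyph of brand: {label}")
        elif plain == BRAND:
            reasons.append(f"brand label outside {LEGIT_DOMAIN}: {label}")
        elif edit_distance(plain, BRAND) <= 1:
            reasons.append(f"near-miss spelling of brand: {label}")
        if COM_DECOY.match(plain):
            reasons.append(f"'.com' decoy label: {label}")
    return reasons


if __name__ == "__main__":
    # Constructed samples: the exact URL layout is assumed, not quoted from the post.
    samples = [
        "https://forum.albiononline.com/",
        "forum.aIbiononline.com-c.nl",
        "https://forum.aibiononline.com-b.nl/index.php",
        "forum.abiononline.com-e.nl",
        "albiononIine.com-i.pw/forum",
    ]
    for s in samples:
        print(f"{s:50} {classify(s) or 'ok'}")
```

The check runs on the hostname as displayed and on its lowercased form, because an uppercase "I" reads as "l" in link text but becomes "i" once the browser normalises the host.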

Real Microsoft 2FA email vs phishing email

Received a suspicious email this morning that someone was trying to login to my Microsoft account, went to the Microsoft website on another device and signed in with a new one-time code, this time sent from an email address that looks identical to the original but with a different profile picture on Gmail.

After signing in I went to my account’s sign-in history, where it showed there was never an attempted sign-in.

u/gotthesauce22 — 6 days ago
▲ 8 r/phishing+1 crossposts

For those concerned about phishing using BofA

I was worried when I got a text for a particular transaction I made the previous day. Decided to go online and find out whether it was real. These are the legit short codes with their corresponding phone numbers. This is as of May 13, 2026 so be aware that if you read this in the future it could change. Also be sure to double check the info I’ve provided online with BofA, as you shouldn’t trust anyone, including me, on these subjects.

Hope this helps

u/These_Efficiency4902 — 5 days ago

Phishing problem on Instagram, Discord

I've been investigating and I've seen that the problem encompassing these "hacks" is phishing. Does anyone know what this is? Who does it, or where it's common to fall for it and have your account transformed into Elon Musk's or Mr. Beast's publicist 🤣

u/wedgeposting — 5 days ago

Scammers are spoofing the Chase app, be aware!

“TIME SENSITIVE
Chase
Our representative is trying to contact you. Tap to respond.”

If the message above pops up on your phone screen, do not click the link to sign in to the Chase app. It’s a scam and the scammers will change your password and email and possibly make quick transactions before you are able to alert Chase that you fell for it like I did. Chase will never send you messages like this via the app. Please be aware and share this. Luckily, Chase was able to lock my online banking before scammers were able to do anything. They tried calling Chase to get a security code but Chase could only send it via text to my phone, which scammers don’t have, so they failed even though it put me under a tremendous amount of stress. Thanks 🙏

u/papigua99 — 6 days ago

Signed Google Phishing Attempt

Aside from red flags all over the actual message it looked legit.
The specific red flags in the message being:

  1. You've successfully approved a request to add a recovery contact to your Google Account. (Doesn't match the subject)
  2. If you didn't request this person to be your recovery contact, check your activity and secure your account below: (Standard phishing "if this wasn't you" call to action)

There was, of course, no new "security activity" on my account.

u/mootinator — 6 days ago

I saw a phishing scam, feeling unsure.

I’m feeling paranoid about whether I accidentally infected my MacBook after seeing a phishing/scam email, and I wanted some outside opinions.

I was checking emails on my MacBook and saw an obvious phishing email that looked like one of those “claim your reward” scams. The main thing that’s bothering me is that the email had a large image/button (“CLAIM YOUR REWARD”) and now my brain keeps making me question whether I accidentally clicked it without realizing.

Here’s why I’m confused:

  • I’m mostly sure I DIDN’T click anything
  • I don’t remember any browser opening
  • I don’t remember downloads starting
  • I checked the Downloads folder and nothing was there
  • No weird popups or prompts appeared
  • The MacBook seems completely normal

The only thing is that I panicked afterward and cleared browser history, so now I can’t verify whether a page opened or not, which is making me overthink more.

From a technical standpoint:

  • If this was just a generic phishing/spam email, would simply viewing it realistically infect a modern Mac?
  • Wouldn’t most of these mass phishing campaigns mainly be trying to steal credentials rather than silently infect macOS?
  • If malware actually installed, wouldn’t there usually be signs like downloads, permission prompts, apps, extensions, etc.?

I know anxiety can make people doubt their memory, so I’m trying to separate actual risk from paranoia here. Looking for honest technical opinions.

u/Total_Juggernaut4997 — 6 days ago

My grandpa lost €20,000 in a phishing + AnyDesk scam, looking for OSINT/forensics advice

Hi all,

My grandpa was the victim of a phishing scam on 15/05/2026, and the scammers managed to steal around €20,000. I am trying to gather as much information as possible for the police and the banks, and I would really appreciate help from people with OSINT, phishing-analysis, or malware/forensics experience.

I am not asking anyone to harass, dox, or contact anyone. I am only looking for help identifying technical indicators, infrastructure, mistakes in the phishing setup, or useful evidence that could be passed on to the police, banks, AnyDesk, registrars, or hosting providers.

What happened:

I was passing by my grandparents today, 15/05/2026, and the first thing my grandma said was that there was something wrong with my granddad, something related to fraud. I immediately went over to him at his computer and saw all his bank cards lying on his desk while he was on the phone using the landline. He told me he could no longer access his bank accounts (firewall blocked by the fraudsters).

Right after that, he received another call on his smartphone. I picked up, and some guy told me he was from Bank X and that he had spoken to my grandpa regarding blocking his card. Meanwhile, my grandpa was still on the phone with someone else, also claiming to be from the same Bank X, and both of them were accusing each other of being the fraudster. I immediately dropped everything and called Card Stop to block all his cards. Afterwards, I called both banks where my granddad has an account to see what the damage was and to let them know so they should start a fraud case.

Because this happened on a Friday evening, the banks are now closed for the weekend. Since the cards are blocked, I cannot access his online banking anymore to see the transaction details, including the destination account. Without this information, the police cannot yet file a request to block the transaction or the receiving bank account. We now have to wait until Monday to go to the bank in person, which is ridiculous given the urgency of the situation.

I have gathered all the necessary information to move forward, including filing a police report. However, I would really like to find out more about the technical side of the scam, because I suspect the scammers may have made a mistake and left behind a trail. My knowledge in this area is limited, so I would really appreciate it if someone with experience in OSINT, phishing analysis, or digital forensics could help me identify useful evidence.

Phishing email:

My grandpa received a phishing email from a custom domain trying to copy a Belgian government application, more specifically My eBox.

The email was sent on 15/05/2026 at 05:25 GMT+2 from:

noreply@beheeruwebox[.]com

After doing a quick ICANN lookup for:

beheeruwebox[.]com

I saw that the domain was registered on 15/05/2026 at 04:21 GMT+2 through Namecheap.

Unfortunately, nowadays the personal information of the person who registers a domain is withheld. However, I am hoping that the Belgian police may be able to get a claim through the court to request this information from Namecheap. If the fraudster was lazy, he might have used his real credentials, and if not his real credentials, maybe his or her real credit card or another traceable payment method. You never know.

Phishing flow:

The phishing email convinced my grandpa that some amount of money had been credited to him regarding a holiday here in Belgium, but that the details regarding this were not fully completed yet. All bullshit, of course.

In the email, there was a button to go to “his profile” to complete this information. Behind this button was a hyperlink to:

ionsa[.]net

After clicking it, he was automatically redirected to:

vsaldjljsmlk[.]info

and finally to:

vlaamsburger[.]ovanmslalbe[.]com

This phishing website tried to copy the interface you would see on that Belgian government application. Here, my grandpa filled in his details, shortly after which he received a phone call from the fraudsters.

Domain observations:

After another quick ICANN lookup for:

ionsa[.]net

it shows that this domain is registered through publicdomainregistry[.]com, was created in 2008, and was updated in 2026. It contains some contact information, but I do not know what to think of that. It might be meaningful, but it could also be a hacked account or compromised domain.

I did the same for:

vsaldjljsmlk[.]info

This domain appears to be registered through Namecheap and was created on 15/05/2026 at 15:35 GMT+2. This is very weird, because the fraudsters made my grandpa install AnyDesk, and from the logs I was able to see a first remote connection at around 14:18 GMT+2. So maybe this redirect domain was added after the scam. Why? I do not know.

The same goes for:

ovanmslalbe[.]com

This domain also appears to be registered through Namecheap and was created on 15/05/2026 at 15:28 GMT+2.

However, when I put ionsa[.]net through a URL scan on urlscan[.]io, it reported vsaldjljsmlk[.]info as being around 40 minutes old at the time of writing this post, many hours after the scam. Perhaps this redirect domain gets refreshed constantly to avoid blocklists? That would clarify my earlier confusion.

My current guess is:

ionsa[.]net is used because it does not look like a scam domain at first sight. Maybe that helps prevent it from being flagged by the email client.

vsaldjljsmlk[.]info is then used as a throwaway redirect domain, in case it gets flagged or blocked.

ovanmslalbe[.]com hosts the actual phishing page, including the HTML and everything behind it, which would probably take more time to replace if it gets flagged.

But I am not sure whether this interpretation is correct.

Phishing website:

I briefly looked at their phishing website:

vlaamsburger[.]ovanmslalbe[.]com

It looks very poorly made. Most of the official-looking redirects that the real government application would normally have do not work. Because of that, I feel there must be some trails hidden there, maybe something in the HTML, JavaScript, forms, tracking code, or maybe a POST request that shows where the submitted information is being sent.

One thing I find interesting is that my grandpa insists that he did not press the final button to send the information. So I am curious how they were still able to get his information and call him. Maybe the site sends form data the moment you input a character in the fields?

AnyDesk / remote access:

After they called my grandpa, they told him there was a fraudulent transaction on his bank account due to a virus. Long story short, they made him install AnyDesk and then made him share or enter his bank details. They took over control, transferred the money, and afterwards showed him pictures of expensive perfume and luggage, claiming that this was what had been bought with the money that was transferred away due to the virus.

They then closed by saying that everything was okay now, that his card would be blocked, and that his money would be returned. Lowest scum on earth.

I have some logs from AnyDesk and have sent AnyDesk an email asking whether they can help, but I am not sure whether this will result in anything.

They also installed gcapi.dll, perhaps from the Connective signing extension plugin that was also installed in his Chrome browser. Furthermore, they installed Digipass and SignID, which I assume was to get his card or authentication process to work.

Other observations:

Additionally, they also cleared the Chrome history and blocked the websites of both banks he has an account with in the firewall.

The AnyDesk logs say that the first connection was made at 14:18 GMT+2, while the first instance of AnyDesk in his browser/search history that I was able to recover was at 16:15 GMT+2. According to the recovered Google history, the scam continued until at least 19:44 GMT+2.

Again, I am not asking anyone to identify, harass, dox, or contact a private individual. I am only trying to collect useful technical indicators and evidence that can help the police, the banks, registrars, hosting providers, and AnyDesk take the appropriate action.

Once everything important has been preserved and documented, I will fully wipe his computer and reinstall it. However, before I do that, is there anything crucial I may have missed that should be checked, preserved, or reported as soon as possible?

Any advice, pointers, or help would be greatly appreciated. I know this is a lot of information, but even a small suggestion could be useful at this point.

u/Effective_Bag5980 — 6 days ago

I was wondering about this message I got from a "friend" on Discord.

I got this on Discord from one of my "friends". He sent it to me then blocked me a few hours later and I wanted to know if this is a phishing website/IP grabber. I googled it and it said it was. Just checking on other resources to make sure it is not safe so I can report it. Thanks in advance!

u/NeatTypical353 — 6 days ago