Get Help Now



The Anatomy of a Complicated Scam

Posted February 16th, 2023

Last week, the GreyCastle Security Incident Response Team (GCSIRT) responded to reports of a scam involving two organizations: one was a higher-education institution, and another a highly respected local business.

The incident started with threat actors sending phishing emails to students. The phishing email from a known malicious site (consultant[.]com), lured students with a job offer for an attractive employer in the area and invited them to an interview. The phishing email contained a “Bitly” link which launched an SMS (Short Message Service, aka “texting”) interview. 

Bitly is a link-shortening service often used in SMS messages and social media posts; this link contained the spoofed company’s name, and as shown in Figure 1 below, the interviewer used “HR Recruiter” as their name.

Figure 1: The initiation of the fake “text interview”

After forty-five minutes of “interviewing”, the victim was presented with a “company registration link” (Figure 2 below).

Figure 2: Link to a fake company registration, hosted in Google Forms

This link directed victims to a Google form, parts of which are shown in Figure 3 below. The form was several pages long, and had the spoofed company’s logo on it, making it appear legitimate. In addition to asking some basic interview questions, the form requested several pieces of information, including Social Security Number, Bank name, and an upload of the victim’s ID.

Figure 3: several pieces of the Google Form designed to steal personal information



The GreyCastle GCSIRT found three attack methods that are worth noting because they are commonly seen in scams and attacks:

  1. Attackers did significant amounts of homework before launching this scam. They targeted local colleges and used an attractive local employer to lure victims. Victims are often surprised to find the level of effort that attackers exert when perpetrating a scam.
  2. Attackers used SMS messages as part of their attack chain. SMS messaging is becoming a common attack method. Often, attackers use SMS Phishing (“Smishing”) because it effectively skirts corporate email phishing protections.
  3. Attackers used Google Forms to gather information. The GCSIRT sees Google Forms used in numerous scams. Because Google Forms are commonly used for legitimate purposes, they are easily leveraged by attackers to fly under the radar of corporate protections.

Impact and Recommendations

The impact of a scam such as this can be devastating for the individual. Scammers might use this information to commit crimes such as stealing money from the victim’s bank, opening up loans in the victim’s name, or billing fraudulent charges against their health insurance. If you have become a victim of a scam such as this, ensure that bank account login information, passwords to email and social media accounts, and any other important accounts are secure.



Let’s Discuss Your Cybersecurity Needs

Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from - Youtube
Consent to display content from - Vimeo
Google Maps
Consent to display content from - Google
Consent to display content from - Spotify
Sound Cloud
Consent to display content from - Sound
Contact Us