Costco’s 40th anniversary scam targets WhatsApp users


If the promise of a cash prize in exchange for answering a few questions sounds like an offer that’s too good to be true, that’s because it’s

WhatsApp users should beware of a scam that lures victims with the promise of cash rewards from retail giant Costco in exchange for a short survey, all in honor of ’40 years’ of Costco.e anniversary”.

There are no prizes to be won, of course. Instead, this recurring scam relies on an old trick: Fraudsters impersonate a well-known brand and use a thematic lure to trick unsuspecting victims into handing over their personal data or installing dubious apps on their phones. devices.

This particular campaign – which was recently spotted in Mexico and a few other Latin American countries – uses other tricks to boost its credibility. For example, the website set up by the scammers features rave reviews and comments from past “winners,” which, again, is not unusual in these types of social engineering campaigns.

Don’t believe what you see

Once you click on a link in a WhatsApp message, you are redirected to a website that asks you to complete the survey. As you might expect, the survey lists several options, but only one reveals the “price”.

Figure 1. Fake Survey

Somewhat inevitably, then, you will fail to pick the right one. A few attempts later, you’re encouraged to “select a winning option” – but only as long as you share the campaign link with your WhatsApp contacts.

Figure 2. Would you share the link?

As many people hope to believe that the prize is real, many are indeed likely to share it. This is partly why these types of scams often ensnare many people around the world. Additionally, as the bond is inadvertently shared between friends and relatives, the trick achieves an aura of “credibility” and fools more victims.

Figure 3. Another step in the scheme

Once you reach the last step to claim your “prize”, you will receive a fake alert for the presence of malware on your device. Some flavors of these scams will suggest that the victim should download an app to clean up the “compromised” device. In reality, however, it installs software that can steal their personal information. In other iterations, you may be asked to share your bank details or other sensitive information in order to “transfer the prize money“.

Figure 4. False virus warning

Malware on the rise on mobile systems

Threat detections on Android devices increased by 8% in the first four months of 2022 compared to the previous four months. HiddenApps – the type of threat that uses deceptive apps that are installed without a visible icon or trace – remains the most common threat in this category.

However, the biggest growth recorded by ESET telemetry was a 170% increase in spyware. This is an all the more worrying trend as this type of threat steals as much sensitive data as possible from its victims who, for the most part, have been unaware of it for years.

The latest ESET Threat Report also highlights that, just like Android devices, iOS devices are also targets of cyber threats. For example, ESET researchers recently discovered malicious cryptocurrency wallets targeting both operating systems in order to steal victims’ seed phrases, the unique code that grants access to users’ crypto wallets.

Social media platforms continue to be fertile ground for various types of fraud. According to ESET phishing feeds, 23% of all phishing URLs detected in the first four months of 2022 were shared primarily via Facebook and WhatsApp.

Figure 5. Android threat detections, January to April 2022 (source: ESET Threat Report Q1 2022).

Protect yourself from scams

As iOS and Android strive to provide a safer environment, it’s important that users also do their part, by taking control of their security and privacy.

  • Beware of offers that seem too good to be true. If you think something is wrong, check to see if the URL really links to the original brand, but also look for simple spelling and grammatical errors on the page. This type of scam usually contains a lot of them.
  • Stay away from surveys, giveaways, or unexpected too-good-to-be-true offers from Costco, even if the links are shared by trusted contacts. It is very likely that the sender is already a victim of the scam.
  • Ignore the content and delete the message. Not only will you avoid becoming a victim, but you will also help break the chain.
  • Make sure you have a security solution installed on your devices.
  • Keep your smartphone’s operating system and apps up to date.
  • Only trust official stores, such as Google Play and App Store.
  • Try to stay informed about common threats – for example, unsolicited messages asking for your personal information and co-opting well-known brand names are one of the most common methods in scammers’ bags of tricks.

Finally, did we say that Costco is not turning 40 this year?

Previous How to add a personal note to your chat profile on Zoom
Next The seven best secure messaging apps with end-to-end encryption