Proper Sky Fake Invoices Scam

How to spot the Fake Proper Sky LLC Invoices

On 10/5/2021 we received several strange requests from people or businesses we have not worked with to delete accounts we didn’t own or refund invoices we didn’t create.  Fortunately one of the recipients of this email was kind enough to forward us this email so we could help users identify the fraud.  We’re not sure if we should be flattered that we’re being used to scam or furious but here’s how to tell.

First, the email looks something like this:

The scam in this case is to get you to call the 215 phone number at the bottom of the screen.  Once you call that number, they’ll tell you that your credit card has been fraudulently used and that they need to remote into your computer to get access to it to “remove the fraud”.  Generally these are people with heavy accents working from overseas but not always, English is almost always a second language though, which we dive into below.

The real scam is once they get on your computer, they disable your antivirus and firewall or they encrypt your PC and ultimately demand payment or try to steal credit card information with keyloggers or other nasty software.  What better way to do that than to pretend you’re an IT company?  Also, since our actual domain, propersky.com has a good reputation, Google & Microsoft’s spam filters are more likely to let these emails get through, which makes us more valuable.

If we look further into this email, there are several dead giveaways that this message is fake.

1. Scammers don’t spend money.  The biggest tell of all is that the email actually came from a gmail.com address and not a propersky.com address.  Sometimes, these values can be spoofed or tricked but in this case, they simply used the Gmail address.  They most likely did this because we have some advanced email settings that are designed to prevent emails from looking like they come from propersky.com.  IF YOU GET INVOICES FROM GMAIL.COM ADDRESSES YOU SHOULD ALWAYS ASSUME IT’S A SCAM.  Any legitimate business will use business email or a third party payment system to send you invoices.
2. Scammers are dumb.  The invoice number is impossibly long.  Most invoices numbers make sense, this is just a random number.  We don’t need an 11 character invoice number.  They don’t care about nuance.
3. Scammers are lazy.  In the email above you’ll notice that they didn’t bother to change the dates.  This invoice is technically 6 months old and even though we have today’s date, they didn’t bother to update the service date with something that made sense.  When you’re reviewing these types of emails, pay attention to the dates & times.  Also, most invoices don’t just include the name of a person, they typically include other details like address & phone number, customer number and more.   Doing that legwork takes to much effort and most scammers are lazy so they apply minimum effort.
4. Scammers don’t spell check.   Since many of these scammers are overseas and often speak with English as a second language, tenses, conjugation, contractions and wording can be awkward and use non-characteristic sentence structure.  For example, the use of the word “query” is both misspelled and a very non-American way of saying “questions” or “inquiries”.  “Haven’t order it” is also another giveaway, that’s a very non-standard sentence structure and the tense is incorrect.
5. Scammers cannot verify accounts.    So calling that phone number above gets you to the “customer service center”.  They cannot tell you the name of the company that sent the invoice.  They cannot tell you your invoice number.  They don’t answer the phone as “Proper Sky”.  They cannot tell you your email address.  There is literally nothing they can do on their end to verify that you are a customer, have received an invoice or even if you are who you say are.  If you have gotten this far down the scam, however, they do now know your phone number and, if you give them a working email address or verify it, an obvious “phish” you’re on the hot list for more of these messages.

Got it.  So now I know what to look for what should I do?
Unfortunately there aren’t many ways to quickly stop this type of fraud.  The scammers are using a Gmail account to send email.  So we should report that address (which we have done).  You can also do that yourself by contacting Google’s email abuse form.   There is one thing you will need to collect something called “Email Headers”.  MX Toolbox has an incredibly comprehensive guide to collecting them from different services and software.  If you follow those instructions you can easily get the Email Headers, that helps google better diagnose this issue at the source.

Unfortunately, the problem with this approach is that even if the account is cancelled, they simply create a new account move the contacts into it and start spamming again from Gmail again.  Each time they have to do it though, it slows them down a little bit so every report helps.

The other thing we need to do is report this phone number.  215.486.6159.  First we head to Spokeo an do a lookup.  There we see that the phone number is hosted with bandwidth.com.

Then, we head over to Bandwidth.com’s Fraudulent Number Reporting Tool and report the phone number as fraud.

Lastly, we report the fraud to the FBI.  In addition to some of the simple steps that we take above, we collect as much metadata as we can about the IP addresses involved, the countries, the time of day, similarities of nearby IP addresses, information regarding hosted IP addresses and much, much more.  Unfortunately, the cure takes much, much longer than the initial email to get resolved and can be setup and turned up much faster than it takes to shut it down.  Anyone that gets phone calls about auto warranties can tell you this stuff is hard to stop.

We certainly did not send you an invoice so do not pay it!

If you have ANY questions about any of this, please give us a call (215.305.8899).  We’re not sure to be flattered or upset but in the meantime, there is a real risk and we want to keep everyone safe.. If this was helpful, let us know. Send us a Tweet, comment on Facebook or peg us on LinkedIn.

Thanks All! Be Safe.