Walmart customers scammed via fake shopping lists, threatened with arrest

Shopping online or attempting to get in touch with a store is a little bit like walking on a minefield: you might get lucky or take a wrong step and get scammed.

Case in point, a malicious ad campaign is abusing Walmart Lists, a kind of virtual shopping list customers can share with family and friends, by embedding rogue customer service phone numbers with the appearance and branding of the official Walmart site.

The scam ends in accusations of money laundering, threats of arrest warrant, and pressure to transfer money into a Bitcoin wallet.

In this blog, we walk through the different parts of this well executed scheme and provide helpful tips to avoid falling for this scam. We have already reported the malicious Google ads and informed Walmart of the abuse of its customer’s shopping lists.

Malicious Google ads

When searching for Walmart’s phone number, the top result on Google is for an ad (sponsored). Unless you manually checked “My Ad Center”, you would have no idea who the ad belongs to.

More importantly, because the ad snippet shows the https://www.walmart.com address, you might wrongly assume that it is a genuine advert from Walmart.

Figure 1: A Google search for Walmart’s phone number on a mobile device

Figure 2: A Google search for Walmart’s phone number on a desktop computer

In previous cases, we have seen malicious advertisers impersonate brands by displaying their official website in the ad URL. However, this is a little bit different as the ad’s final URL actually belongs to Walmart.

On mobile, due to space limitations in the address bar, users will see walmart.com, while on desktop they will see the full URL. In both instances, this is a strong indicator of legitimacy, one which people have been trained to check for years. This is not an impostor website, it is the real one, so one might think that whatever is shown on the page must also be legitimate.

Figure 3: A fake Walmart shopping list as seen on a phone

Figure 4: A fake Walmart shopping list as seen from a desktop computer

Lists is a feature that registered Walmart customers can use to add items they might be interested in purchasing. To create a list, you first need to register for an account, but it is free and does not require any form of authentication or payment method.

The scammers have created several accounts and fake lists where they can instead add custom text. Their goal is to trick people thinking this is a contact page for Walmart customer service. This is exactly what they do by using fake names like “Mr Walmart S.” and entering their own phone number in the page.

Finally, they can use a link to share this list with others, and this is the link they will use for the Google ads. As such, the ad actually does not violate Google’s policy per se since the branded ad does go to the brand’s website. But, as we know, this is all fake.

What happens next?

People who dial any of those supposed customer service phone numbers shown on the Walmart lists will be directed to a call center in Asia. On the other end of the line scammers impersonating Walmart will get their information (name, email address) before reviewing their details.

As it happens, victims will be told that a large purchase was recently made on their account. That’s the scare tactic that will allow scammers to request more personal information related to their banking, and even social security number.

The call centre uses several different people, all who play a different role to process victims:

• the Walmart customer service representative
• the higher authority or “supervisor”
• a fake bank employee
• a fake FTC investigator

When we called, the scammers claimed that our account had been used to transfer huge amounts of money to narco trafficking countries:

Now, all the banking found which was created using your personal information are transferring huge amounts of money to the narco trafficking countries such as Columbia, Mexico, some Saudi Arabia countries and Columbia.

As a result, we were told that there was an active arrest warrant against us:

Otherwise we have to take you under the custody for [inaudible] purpose, because there is an active arrest warrant also available on your name.

We were threatened several times and warned to go to our bank to withdraw as much money as the bank would allow in order to transferring those funds into a Bitcoin wallet. Oddly enough, the scammer mentions there won’t be any taxes on the transaction, which really would be the last concern on someone’s about to be arrested:

Yes, I know Sir, it’s not a checking account, it’s a Bitcoin wallet. The machines are… is installed by the [inaudible] for the anti money laundering charges. So you don’t, like, get any taxes on it as well as, the transactions done are anti money laundering. So you have to create your own wallet on that machine. How you can create it using your personal information, I will guide you step by step. I will be on the line with you all the time, you don’t need to worry about that. OK?

It’s quite scary to see how anyone can go from wanting to return an item or speak to a Walmart associate, to being falsely accused of crimes and pressured to transfer money. It’s also a reality check that scammers are constantly preying on the vulnerability of innocent people.

How to avoid falling for scams

In a fast paced world where technology can be abused, it is important to keep certain things in mind.

• Sponsored results, or ads can be dangerous due to ongoing and relentless malvertising campaigns. Learn to spot a regular search result from an ad, and if possible avoid clicking on ads.
• Even if you are on an official website, the content you see may not be legitimate. This is a particularly hard one because people will naturally trust that the brand’s own site will be safe. But scammers and spammers can inject content in comments, or custom pages.
• Scare tactics and pressure to act quickly are almost always malicious. Unfortunately, most brands also have these promotions that expire soon and customers believe they need to buy the product now or they will lose on a deal. Having said that, your local store will never threaten you on the phone with an arrest warrant.
• Scammers will often tell their victims to keep everything confidential and not discuss it with other family members or bank clerks. This is only in the scammers’ interest to not be exposed; by all means you should ask for clarification and seek help from others.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.