Fake Geek Squad bill
(but a very real phishing attempt)

Fake Geek Squad bills are like spring rains: they may be early or late by a few weeks, but sooner or later you get one - or several in a row. The sophistication of these phishing attempts also varies. Some go as far as billing you through a legitimate Internet billing service, especially one of those services that send bills on behalf of small or one-man blue-collar companies (e.g. electricians, plumbers, gardeners etc.) and have few checks about the legitimacy of companies paying for this billing service. In a way, these invoices are real, although you are in no way obliged to pay them. See for instance this article by Intego. Other attempts, like the one discussed below, are very crude.

I received today what at first sight looks like a bill for an IT security service I never subscribed to. The amount is relatively large (US$592.99), and this is designed to worry the recipient, who is then less likely to think clearly and recognize that this is just a simple-minded phishing attempt.

Delivered-To: xxxx.xxxx@xxxx.xxxx
Received: by 2002:a05:6a11:f5a1:b0:5ec:d89d:102 with SMTP id ic33csp453450pxc;
Thu, 8 May 2025 07:19:18 -0700 (PDT)
X-Received: by 2002:a05:6512:ba0:b0:54d:6dcb:ac8b with SMTP id 2adb3069b0e04-54fbfc538a7mr1355700e87.44.1746713958006;
Thu, 08 May 2025 07:19:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1746713957; cv=none;

[non-essential headers were deleted here]

Return-Path: <leonardozatth@gmail.com>
Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65])
by mx.google.com with SMTPS id 2adb3069b0e04-54ea94f1242sor2742883e87.24.2025.05.08.07.19.17
for <esava1953@gmail.com>
(Google Transport Security);
Thu, 08 May 2025 07:19:17 -0700 (PDT)
Received-SPF: pass (google.com: domain of leonardozatth@gmail.com designates 209.85.220.65 as permitted sender) client-ip=209.85.220.65;
Authentication-Results: mx.google.com;
dkim=pass header.i=@gmail.com header.s=20230601 header.b=IwX7H6WK;
spf=pass (google.com: domain of leonardozatth@gmail.com designates 209.85.220.65 as permitted sender) smtp.mailfrom=leonardozatth@gmail.com;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com;
dara=pass header.i=@gmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1746713957; x=1747318757; dara=google.com;
h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
:date:message-id:reply-to;

[more headers deleted here]

Subject: Remember The Notes MAY at 08-2025 from Daniel K King

Content-Type: text/plain; charset="UTF-8"

Remember The Notes MAY at 08-2025 from Michelle James

You can notice that the subject header and the text are meaningless and make no reference to the bill. This is to prevent spam filters from doing their job. The following GIF image is attached to the message. Present spam filters do not OCR-convert images to text, and therefore cannot flag the readable content of the image as spam or phishing. Without these precautions by the scammers, the message would immediately be routed to your spam folder, and you would only see it when it is time to clear out this folder.

The scammers are counting on you to ignore the subject and text of the e-mail, and to only attach importance to the bill.

You can also notice that this e-mail was sent from leonardozatth@gmail.com, i.e. from an e-mail account that takes only minutes to create and start using by anybody, anywhere in the world. It does not come from a corporate e-mail address, which you should expect from this type of bill.
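The signals described above can be checked mechanically. The following is an added example, not part of the original message or post: a Python triage function that flags a message from a free-mail domain whose plain-text body is short while an image attachment carries the real content. The free-mail list, the 200-character threshold, the addresses and the function names are assumptions chosen for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumption: short sample list

def build_sample(sender, body, image=None):
    """Build a constructed test message (not the original e-mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "xxxx.xxxx@example.org"
    m["Subject"] = "Remember The Notes MAY at 08-2025 from Daniel K King"
    domain = sender.rsplit("@", 1)[1].rstrip(">")
    m["Authentication-Results"] = (
        f"mx.example.org; dkim=pass header.i=@{domain}; "
        f"spf=pass smtp.mailfrom={domain}; dmarc=pass header.from={domain}")
    m.set_content(body)
    if image is not None:
        m.add_attachment(image, maintype="image", subtype="gif",
                         filename="bill.gif")
    return m.as_bytes()

def triage(raw):
    """Return the individual signals and an overall 'suspicious' verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    domain = msg["From"].addresses[0].domain.lower()
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg["Authentication-Results"])))
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content().strip() if part else ""
    images = [p for p in msg.walk() if p.get_content_maintype() == "image"]
    signals = {
        "freemail_sender": domain in FREEMAIL,
        # A pass authenticates the mailbox provider's domain only,
        # not the company named on the bill.
        "auth_pass": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        # Short, unrelated text plus an image: the message is in the picture.
        "image_carries_message": bool(images) and len(text) < 200,
    }
    signals["suspicious"] = (signals["freemail_sender"]
                             and signals["image_carries_message"])
    return signals

if __name__ == "__main__":
    fake_gif = b"GIF89a" + b"\x00" * 16  # constructed placeholder bytes
    print(triage(build_sample("Daniel K King <xxxx@gmail.com>",
                              "Remember The Notes MAY at 08-2025\n", fake_gif)))
```

Note that "auth_pass" is true for the phishing sample: SPF, DKIM and DMARC passing does not make the bill legitimate, which is why the verdict does not rely on it.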

[Image: Fake bill (image of PDF invoice)]

And the plain text of the bill, after OCR conversion:

Date Invoice Support

08-May-2025 85302439KRA8 +1(818)-474-0776

Dear xxxx xxxx
We appreciate your business. You paid $592.99 for your Geek Squad subscription, which has been automatically renewed for another2 years.
This is an email confirmation for the payment made through your account.
The amount of $592.99 has been processed and will be debited today. This transaction will reflect within 24 hours on your account.
We appreciate your continued partnership with us.
Unit Total
Description Quantity
Price Amount
Geek Squad Subscription (2 years renewal)
• Computer & mobile Virus removal and protection
$592.99 1 $592.99

• Software and hardware troubleshooting
If you wish to cancel or extend Unsubscribe then kindly contact our support team.
Contact Support

+1(818)-474-0776

Regards,

Geek Squad Inc.
2211 N First Street San Jose, CA 95131

System email donot reply
52e07ebr2bf8.-4ad6-80fb.e4a6b13ed95c

Naturally, I removed my contact information from the e-mail message and attachment.

The whole effort of the scammers unravels once you start googling "Geek Squad bill scam". Nothing more needs to be said about this unsophisticated, and in fact quite stupid, phishing attempt.

A further giveaway is that no company is using the US telephone number (818) 474-0776. The 818 prefix belongs to the San Fernando Valley region of Los Angeles County, California, and calling this phone number will likely lead you to the scammers through a number of call relays and redirections. Very likely, the scammers are physically located in an entirely different geographic region, quite possibly in a different country.