Phishing Report: Dicks Sporting Goods Cooler Giveaway

Dicks Sporting Goods does not want to give you a free cooler (BUT NOC does!).

Phishing Lures: This scam's methods

In sharp contrast to the last phishing email that we looked at, this scam is highly-polished and a real threat to certain groups of users. Here’s how the phishers behind this attack try to convince their targets to take the bait.

1. Direct delivery to your primary inbox: Although the actual email address looks fishy to human eyes, most human eyes do not actually look at the email address. By using an Microsoft Outlook email address to appear legitimate, these emails are able to slide past Gmails filters, dodge the spam net, and land right in your inbox. In addition, behind the scenes, the plain text version of the email confounds security software. The result is a prime placement of tempting clickbait.
2. Professional and consistent design: This email looks professional. The image, graphics, font choices, and alignment all work together in a cohesive and appealing design. Beyond the quality of the work, the design elements all align with Dick’s corporate style. Nothing about the colors or artwork indicate illegitimacy.
3. Name and logo of a well-known company: Dick’s Sporting Goods is a well-established brand with widespread recognition. The scammers are relying on their high visibility and legitimacy in the marketplace to lull targets into complacency.
4. Believable subject: Although it might seem a bit unusual to win something in this manner, it does make sense for a sporting goods brand to engage in a little summer promotion through giveaways.
5. Time sensitive language: “Expires tonight,” “last call,” “ends in 6 hours,” “expires today,” “confirm now!” Nearly half of the text on this sparse ad is dedicated to pushing users towards an impulsive click. Quicker clicks mean less scrutiny and contemplation by the target. 
6. Simple call-to-action: All a user needs to do is click the big green button to claim their cooler…or in this case, a giant headache.

Red Flags: How to recognize this scam

Although this scam contains far fewer errors than most, there are still a few signs that a cautious user can detect that reveal this email as a scam.

1. Communication regarding an unsolicited offer: Do you remember signing up for a cooler giveaway? Most businesses do not give away products in exchange for nothing. Normally you need to sign up, buy a ticket, or make a specific purchase in order to be registered for a giveaway.
2. Spoofed email sender: This is probably the most obvious and most egregious red flag on the part of the scammer. Although the sender name “Dick’s Sporting” seems like an elementary mistake, it was likely so named in order to avoid spam filters checking anything purporting to be from “Dick’s Sporting Goods.”
3. Illegitimate mail address: Any legitimate email from Dick’s Sporting Goods should end in @dickssportinggoods.com. For those that know to check the actual sender’s email address of their incoming mail, emails from dsfsdz_ereeesrfge@huje4.zpiaf.space should definitely raise their internal alarm. Once again, although this seems like a simplistic error, the email address was likely specifically designed to bypass Google’s filters. The obvious email address and sender spoofs were necessary tradeoffs in order for the target to see the email at all. Without them, the bait would likely have been trapped in a spam folder.

What to do when you encounter the Dicks Sporting Goods phishing email.

These red flags are enough evidence for a recipient to firmly conclude that this email is not legitimate. Our staff member quickly recognized the signs of phishing email, and the phisher ended up with any empty net. 

However, many people still fall for such attacks. People at higher risk for falling for this attack include those with:

• limited exposure to phishing attempts
• no cybersecurity awareness training
• a legitimate purchase history with the spoofed company—Dick’s Sporting Goods in this case.

If you receive this email, the FTC asks users to report any fraud, and their website makes it simple to do so. DSG is also aware of these attacks and recommends that would-be victims verify the validity of any communication purporting to be associated with their brand by visiting this website with official links to all affiliated companies.

Finally, once you have reported the scam. Report the email as phishing to your email service provider.

To summarize, if you encounter such communication:

1. Never click any links.
2. Report the email to relevant parties (the spoofed business, the FTC, and the FBI)
3. Report the email as phishing to your email provider.
4. Block the sender.
5. Permanently delete the email. 

Did you bite? What to do if you fell for the Dicks’ Sporting Goods cooler giveaway phishing scam.

Uh-oh. You took the bait. You clicked. Now what?

Unfortunately, this happens every day. Time is now of the essence. By moving quickly, you can mitigate the damage caused by this fraud attempt

1. If you paid a scammer through Western Union, MoneyGram, or a debit, credit, or gift card, you should immediately contact the financial institution that facilitated the payment and let them know that it was a fraudulent charge and ask them to reverse the payment or refund your money. If you sent cash through the USPS, you can attempt to intercept your package before the scammer receives it. If they receive the cash, or if you paid in cryptocurrency, you will probably not be able to recover your money.
2. If a scammer has access to your personal information such as your social security number or identifying information, visit identitytheft.gov to report the theft and put together a plan to recover your identity.
3. If you gave a scammer your username and password, or suspect that they have remote access to your phone or computer, run antimalware software on your computer immediately and seek professional help from a cybersecurity expert. 

The FTC maintains a helpful page of advice and resources for anyone that has fallen prey to a phishing scam and provides specific instructions for what to do in your particular dilemma. In many cases, you will have a better outcome if you respond as quickly as possible to the issue. Act quickly and seek professional assistance if you feel that the issue is beyond your ability to address.

The email arrives to the target’s inbox from “Dick’s Sporting” with the title “Email Verification.”

Although the brand of the cooler keeps changing (the original scam was a Yeti cooler)—the basic phishing concept does not. The current version of the scam states that the recipient has won a “Brand New Igloo Trailmate Cooler” from Dick’s Sporting Goods.

According to the email, once you click on the “Confirm Now” button, you too will soon be happily chuffing through the sand with your portable vacation wagon in tow!



Do you actually want to win a Trailmate cooler from Dick’s Sporting Goods? NOC Technology will give you a chance!

It's about time the good guys win one for a change. Although phishers might not want to give you a cooler, NOC Technology is fighting back against the deception by actually giving away one of these awesome coolers to celebrate Cybersecurity Awareness Month!

Does all of this reading about a nice cooler have you ready to go out and buy one for tail-gaiting season?

In a world full of fake prizes and sweepstakes, we are going to actually give away an Igloo 70 Qt Trailmate cooler from Dick’s Sporting Goods!

Unlike the scammers behind these phishing emails, NOC Technology wants to actually make your life a little better. Every day, our team fights to protect our clients against cyberattacks through email scans, managed security software, policy and strategy consultation, ongoing employee training, and so much more.

This Cybersecurity Awareness Month, we hope our giveaway will remind the small business community about the ongoing threat that phishing presents to the well-being of our families and businesses.

If you want a chance to win a cooler, you have until October 31 to register here on our website! Good luck!