A popular tactic of criminals is the "fake order" scam. The way it works is that you get a message, usually in email or text, that appears to be a routine confirmation for an order. Of course, you never ordered whatever product or service it's confirming.

The message looks common enough, and it says that money will be charged to your credit card or withdrawn from your bank account for the product or service. Then it casually offers instructions on how you can cancel the order if you want to.

Operators are standing by...to steal your information

Where they get you is when you try to cancel the fake order. That's how the scam works.

In order to cancel the fake order, you'll either have to click a link or call them on the telephone. Either way, the ultimate goal of the scammers is to get you to give them some personal information. They'll claim it's for the purposes of canceling the fake order. They'll want your name, address, phone number, and very likely your credit card or banking information. If you protest, they'll insist they only need that information to confirm your identity.

Don't be fooled. They want that information so they can actually charge your credit card, steal money from your bank account, or use your identity to open other accounts.

But wait, there's more

Often there's another part to the scam. The scammers may ask you to download a file, usually a Microsoft Word or Excel file, enter your information into the file, and send that file back to them to cancel the order.

This file will almost certainly include malware. When you open the file, you'll see a notification at the top of the screen asking you to Enable Content.

The Message Bar

If you're on the phone with the scammer they will insist that enabling the embedded active content is perfectly safe, and entirely necessary, to complete the cancellation. It's neither of those things. In fact, it's a malicious macro designed to steal or damage your personal data, install ransomware on your machine, gain access to your machine, or use your device to attack other people.

Important: Never enable content on an Office file unless you're sure you know exactly where it came from and exactly what it does.

If you've been persuaded to download one of these files, just close the file and delete it. 

If you've already enabled the active content, you'll want to run a full antimalware scan of your computer. 

How can you spot these scams?

Fortunately, these scams are often easy to spot. Let's take a good look at the clues in this example that pretends to be a subscription confirmation to Norton LifeLock.

An example of a scam email pretending to be from Norton.

1. The sender address

The sender's email address is often the first clue that the message is a fake. In this example they haven't even tried to make it look real. If Norton were sending you a real confirmation message it wouldn't come from a dodgy-looking Gmail address. It would come from one of their real domains, perhaps @nortonlifelock.com.

Tip: Some scammers will try to get tricky by using a domain that LOOKS like it could be legitimate, such as @n0rtonlifel0ck.com. The letter "o" has been changed to the number 0, but at a glance you might not notice.

Always check the sender's email address and confirm that it makes sense for the message you've received. 

2. To whom it may concern

If they don't know your name, they can't withdraw any funds from your bank account. A legitimate company would insert your name into a confirmation message. It's easy for them to do with modern billing systems.

3. The logo

Scammers often insert the logo of the organization they're trying to impersonate into the message to make it seem more legitimate. In this case they've used a pretty poor imitation of Norton's logo. They spelled "Norton" correctly and seem to have a yellow color that is pretty close to Norton's, but otherwise it's clearly not Norton's real logo.

Tip: Notice the weird spacing in the "N O R T O N" logo? That's intentional to try and hide from filters that might be looking for the word "Norton" and it's another clue that this message is bogus. 

If you get a message with a suspicious-looking logo and you want to see if it's real or not, open your web browser to a new tab and do an internet search for the organization the message claims to be from. You should quickly find examples of their actual logo you can compare it to. 

4. The date format...and other quirks

This message uses an odd date format: "Jan/05/2022". That's another clue that this probably isn't a real confirmation message from a professional company.

Aside from the date, the entire message is awkwardly worded and formatted. Why is "Subscription" used as a proper noun, and why is it a different color? Phrases like "...in your bank account statement" or "auto-paid" don't seem like how a professional company would write a customer message. That doesn't mean real messages never have errors, but this much poor writing is suspicious.

5. The phone number

Notice the odd spacing in the phone number? Just like with the logo that's a trick to try and get around any filters that might be looking for their phone number.

Weird spacing like that is one of the big clues that this message is likely to be fake.

Bonus: The fake urgency

Scammers usually try to create some false urgency in order to get you to react quickly and emotionally before you've had time to think about it, or to ask a trusted advisor for their opinion. Notice in this example that it claims that "$499.99" will be withdrawn from your bank account TODAY. Then, curiously, says you need to contact them "within 48 hours", or "right away."

They know you probably won't be fooled if you stop to think about it, so they want you to react before you've stopped to think about it.

What should you do?

Stop. Think. Breathe. Look closely for clues like the ones we just talked about.

If you're still not sure if the message is real or fake, ask a friend or family member whose advice you trust.

If you still want to confirm if the message is real, open your web browser to a new tab and do an internet search for the organization the message claims to be from. Go to their official website and contact them at their published phone number.

If you have an account with them, open your web browser to a new tab and use your own saved favorite or internet search to sign into your account. Then you should be able to see if this mysterious order actually appears in their system.

Important: Never call the phone number, or click any links, in the email message. 

Once you're comfortable that the message is fake, report it as spam in your email client or just delete it.

Learn more

Protect yourself from online scams and attacks

Protect yourself from tech support scams

Microsoft security help and learning

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Thank you for your feedback!