I'm an idiot. I just gave money to kinda-scammers, not the US government
38 points by ohwellmaybe on March 8, 2024 | 48 comments
Ok, so hear me out. And may this serve as a warning. I'm technical and usually fairly well-prepared, but still...

Mistake #1. On a Friday evening I decided to quickly settle things out for my upcoming travel to the USA in a little over a week (I'm a Dutch citizen, living in the Netherlands). Friday evening. After a very hard week and lots of travel. Very tired. Idiot. https://imgur.com/a/lmsaM48

Mistake #2. I google ESTA, and click on the first link that looks legit because it has something that looks like an official US Gov seal etc. I don't check the domain or that it's under the sponsored section. Idiot.

Mistake #3. I land on a website that looks exactly like what I expect a gov website to look like. Official badly designed form. But it's not too terrible. So I'm positively surprised. It's asking lots of questions. I don't look at the fine print. I start filling in the details. Idiot. https://imgur.com/a/b7kIoVn

Mistake #4. I fill everything in, upload my passport etc. Pay with a credit card (hey, I didn't forget to check for https!) IDIOT!

I receive an email with a confirmation. It doesn't have the $ paid. And I need an invoice to claim expenses as it's a work trip. That's when I start looking more closely and the penny drops.

I hope they just charged me 98 dollars instead of the official 21. That would be a fair price to pay for being an idiot.

But they have my passport details and all. Which is highly unsettling. I'm still wondering whether I need to go change everything immediately.

I'm mostly angry at myself for being an idiot, but also a little bit at google for allowing this shit. I guess what they are doing is not technically illegal (charging people 70 bucks for resubmitting their form). So it may be hard to pin down from a legal standpoint (assuming they don't sell your data). But still... prioritizing sponsored links when people are clearly searching for government websites seems like pure greedy evil. Meh.

P.S. THIS FRIDAY KEEPS GIVING Mistake #5. I post it here with a throwaway account ONLY TO REVEAL MY NAME in the Dropbox links (since changed to imgur). COMPLETE IDIOT! This day shall be celebrated as my personal idiocy day for many years to come. What else have I f*cked up?



Ok friends, I have an update. They emailed (and SMSed!) me back asking for more details. The questions were legit (regarding my previous citizenship etc.) But I used the opportunity to ask them to cancel my order. Within 10 minutes I got a reply back that the order was canceled (no questions asked) and indeed the reservation on my credit card is gone.

I can see similar stories here (i.e. when asked to cancel they cancel and give money back): https://www.trustpilot.com/review/www.usimmigrationsupport.c...

Just for me to sleep better tonight, I shall interpret this as a confirmation of the theory that this is not a scam-scam, but just a business set up to trick idiots like me. And once they see that you realize - they just cancel in order to avoid confrontation. Cheaper and easier.


You were lucky. You fell to a legal scammer vs an illegal one.

The trick with a legal scam like this, is to bend over backwards if anyone complains - which they did.

An illegal one and they'd milk you in every way possible.

By the way - posting about it is a great way to save yourself if it were an illegal one; because the illegal ones want you to NOT communicate about it, and use the shame of making a mistake to encourage keeping it secret.


thank you.


Google is literally getting a cut of these scams through their ad revenue. Google should be responsible for preventing scams being able to buy their way to the top of the search results.


Yes, and they are likely very good customers - because their whole business depends on being very high in search results, so they are willing to spend a lot on it. Looking as they are basically charging a markup on a service that somebody else (the government) provides, they are probably willing to share a much bigger part of their revenue with Google than a legit business would.


And Meta for all the fraud and scam ads on Instagram and Facebook.

People are getting all worked up about ridiculous antitrust stuff, while everybody is ignoring that Google and Meta are making billions of dollars of profits from outright organised criminal activity, which these frauds and scams are.


I wonder if Kagi would have been better or if it also had the bad results first.


Yes and me too! I fell for the same gov-looking web site scam when renewing a passport in a hurry, courtesy of Google paid search rankings.

Do no evil, but how about earning money from evil doers?


Yes, Google either don't care about scams, or they actively encourage them because they get a cut. Google are not the good guys here.

I regularly see scams on YouTube, e.g. an advert showing a video of Elon Musk explaining how he's going to give money away. Unambiguously a scam. I report the adverts, they are fine, according to Google. https://twitter.com/adrianmsmith/status/1727623865952514493


This happens for flight changes and cancellations as well. Search will surface numbers that purport to be the company, but are a third party that charges insane overheads to rebook or update your travel.


The market, both illegal and legal, has gotten very good at taking advantage of us during our moments of non hyper vigilance. No one can be vigilant at all times. Eventually you will be taken advantage of by someone.


It's tax season. If you Google free tax usa, the second ad is a phishing scam.

FUCK Google.


> I'm an idiot.

Psychologically speaking it is not the right attitude. Martin Seligman[1] would call it a personal, pervasive and permanent causal explanation which is worse than bad.

> Very tired.

Much better. Still personal and pervasive, but not permanent. It assumes the possibility of a change.

> I don't check the domain or that it's under the sponsored section.

Even better. Still personal, but very specific.

> This day shall be celebrated as my personal idiocy day for many years to come.

Humor is good, but I think you need to just stop and relax and ask yourself the most important question: why does all this happen in such a succession? What can you do to avoid piling up mistakes like that in future?

I experienced something like that, and for me it was an urge to act immediately that made me pile one mistake on top of another. I think it is the fight or flight response. I've learned to detect such mental states and to slow myself. The fight or flight response is driven by hormones, so if I manage to show my mind that I'm safe and keep this mind state for 10 minutes, then my body cleans up adrenalin with friends from my blood, and I return to a normal mental state, I can think straight, do not make more mistakes than is normal for me, and so on.

To make myself feel safe I normally try to imagine the worst outcome and accept it like it had happened already. The body tends to overreact to bad events like they are life-threatening, but they aren't. So accepting the worst (which is not death or even nearly as bad) allows me to spend 10 min drinking tea or talking to a friend, and then I'm me again, not some panic-stricken idiot.

I wonder how people manage this when their profession requires fast reaction times, when they have no 10 min to deal with a sudden attack of hormones. Some heuristics and rules of thumb ingrained by learning, I presume.

[1] https://en.wikipedia.org/wiki/Learned_optimism


Mistake #0 not using an adblocker which removes "Sponsored" results.


YES! Which one would you recommend?



Thank you, just installed and it's awesome.


Non-google search engine? Kagi is popular around here, but something like Brave Search would work too.


ublock origin

When you search for it, make sure you have the full name "uBlock origin". Not ublock.org, not any other block origin. Specifically ublock origin.

Chrome extension here: https://chromewebstore.google.com/detail/ublock-origin/cjpal...

This is Github if you'd prefer to audit and install local: https://github.com/gorhill/uBlock


uBlock Origin. Make sure it's origin, not base uBlock.


This is similar to scams you face when registering for a small business in some (all?) US states. Official-looking compliance documents physically mailed, and emailed. The gist is the same: They shadow official forms, with a large markup. There is always fine print explaining that they are not associated with the state etc, but their business model is to fool their targets into thinking they are a state agency.

There's a similar scam for UAV registration.


This is a common "scam", there's an equivalent for many countries. I say "scam" because the service these companies claim to provide is an easier, guided process to apply for things than the official process. And, sometimes, for some people, maybe that's true.

If you're an EU citizen travelling to the US, that's kinda playing on easy mode, and the value add here is clearly so low that the $70 feels like a scam. If you're a citizen of another country with more complex application procedures, it could be trickier (although unlikely to warrant $70). If you're a less technically literate user and they have an easier to understand process, maybe it's worth it? I don't want to make that judgement call.

It is highly unlikely that your passport details are going to be sold on. It's somewhat likely that your email address will be sold on to advertisers. It's fairly likely that you'll get upselling emails for other services they provide, although you should be able to GDPR them. The aim is the $70, not to steal your identity. The business model is to be technically-not-a-scam, legal, and therefore not something that advertisers realistically can de-list. It sucks, but thankfully you're only out $70, and you'll probably be able to expense it, just don't give your work too many details about what it is.


The same sort of "scam" has helped me immensely in getting visas from countries like Russia and India, where the official process seems like it's geared toward supporting a cottage industry for third party agencies. For India in particular, doing it through the official web page required things like fitting a 100 character street address into a 40 character text box (or you get an error and it's back to square 1), trial and error to figure out what they think a valid date format is, etc. There was even a whole side quest around an alleged alcohol consumption license from Maharashtra State that featured prominently on government websites but no Indian person I knew had ever heard of.

So yeah, I think you're spot on, and this is just spending a little extra money to make the process easier, but it's just not super useful in this case.


These types of companies have been very common before government agencies were on the internet. When I traveled to the US for the first time in the 90s, I had a choice - apply for visa myself, and deal with all the bureaucracy and lines and stuff (nothing was online back then), or pay additionally to the company that just takes my papers and after a while returns my passport with visa stamped and all that. I chose the latter and never regretted it. Yes, they took money for something that I could have gotten for free, but it'd cost me time and effort and annoyance. Now though, a lot of these processes are much more convenient online, so the same companies have to resort to tricks to still make the same living they used to make before.


> If you're an EU citizen travelling to the US, that's kinda playing on easy mode

Whatever country you are traveling from, the procedures are the same. The only variation is if you need a visa or not.

What changes from one country to another are the rules the US will apply to decide if they'll allow your entry or not. But that's not something you do.

Services like those sell two things, the legitimate one is knowledge of the rules. But for US entry, the rules are some 5 or so steps you can easily get on their immigration pages. If your country has an embassy, the steps will be even translated to your language. The other one is bribes, that I don't believe would apply to the OP's case. So yeah, it's nothing more than a scam.


This may be true in the case of getting an ESTA from the US, but that's a very specific non-visa case. In general rules vary wildly depending on the source and destination countries. I'm in the UK, my colleagues here in the UK who are Indian citizens for example, have a much harder time getting entrance to the US.

> So yeah, it's nothing more than a scam.

I want to be really clear here because it makes a difference. I completely agree that this site is bad behaviour, and I think it shouldn't be allowed to operate, however I don't think it's a scam (i.e. illegal), and I'm not certain how one would craft a law that makes this illegal while keeping morally justifiable businesses.

Calling everything we don't like a scam makes it easy to miss things that are useful to someone that just doesn't have the same requirements as us. As an example, there was a time when I thought payday loans were scams: why would anyone get that, it's just a terrible financial decision. Well, cash flow is A Thing, it's worth something, and people earning much less than me are more exposed to cash flow issues.


thank you. yes. that's what I was thinking too.


A family member got tricked by a similar scam. They asked for a refund and ultimately got one after lightly threatening a credit card chargeback. High chargebacks cause card issuers to close merchant accounts, so they are a genuine threat.


If you are secure you'll get the chargeback, why not go directly for it? Report the transaction to the operator as a scam.

You shouldn't be nice to people doing this.


CC companies like you to try and resolve it with the merchant first, if possible. Obviously if it's overt fraud (e.g. charge without your consent) then it's not the case, but if the merchant can prove you authorized the transaction (even if you regretted it later), and you claim it's unauthorized then you will be committing fraud. It's probably not something you can be prosecuted for, but the CC company wouldn't like you trying to defraud them too much. OTOH, if you contacted the merchant and tried to cancel and they didn't respond or refused, then the CC company would likely be on your side. So the merchant that is trying to look like legit business would rather cancel when asked. It's not about being nice, but about following the rules. The rules are in your favor, but if you are the one breaking them (e.g. by pretending the transaction is not authorized while it was) then it may turn against you.


On a related note, I know someone who tried installing an authenticator app for 2FA. They searched on the Apple App Store for such an app, they may even have searched for "Google Authenticator" although I'm not actually sure, and chose the first one. Although there are free quality apps for TOTP authentication, the first result required a rather expensive yearly subscription. Again, it isn't technically a scam, because as far as I can tell they provide a real service, but it is also clearly designed to trick unsuspecting users into paying way more for something than they should.


Don't beat yourself up mate.

Lessons about security should be learned, but Google is complicit in this fraud.

Most people don't expect hijacked search ads with malicious advertising. I've personally witnessed well over 200 intrusions stem from malvertising. Just be happy this didn't lead to your org being ransomware'd.

As said in the comments, use uBlock Origin, and most importantly, move away from Google. Try DuckDuckGo as the default.

Better yet, install Librewolf (built in AdBlock plus DuckDuckGo set to default)


I was just looking into TSA Precheck and stupidly clicked the first link that came up in google. It clearly went to a spam "Resort Destination" site and quickly noped out of there and reported the Ad.

I'm stupid for blindly clicking, but Google should definitely vet these clearly misleading ads.

https://imgur.com/a/U06W29f


The same scam exists for DMV renewals. The first link is always a sponsored ad scammer link who charges extra to just forward your information to the real DMV. I almost fell for it. If government consumer protection agencies had any gumption they'd sue Google over it.


I've had to renew my ESTA last year and theirs (the official) is probably the clearest government website I came across. Lots to read but every possible detail or outlier seems to be clearly handled. Was also processed quickly. Just saying, good luck to OP.


Ridiculous that Google isn't being held partially responsible for cases such as this. Allowing these ads is negligent behaviour.


Hey maybe (Definitely.), you aren't an idiot and the UX of these products is sub-par/unacceptably bad. Just my 2c.


Also, please let me know the site. I'll report them for abuse/fraud and get the ad removed for Google


Honestly it does feel like it’s getting harder to keep up with scammers even for technical people. The volume of attempts across all channels is just overwhelming

Feels like a state change recently but I’m not ready to speculate as to why


I'm confused, in the end, did your documents get processed?


Not yet, I think they would be. (Update: I emailed and cancelled the order, so I think they won't be)


I'm sorry to hear


[stub for offtopicness]


I'll delete this comment shortly, but posting here because there's no other way to let you know -

Because you posted with a throwaway account, you should know that your dropbox link is revealing your full name when people open the image.


I assume you'll want to fix the real-name issue other commenters are pointing out, so I've temporarily buried this thread. If you fix the issue and email hn@ycombinator.com, we can restore it.

Edit: restored!


Just a heads up, looks like you made a throwaway account but your name is visible on the Dropbox link. Might want to remove those and use a different host if you care.


I can see your full name on Dropbox dude



