My eldest daughter is a bit of an addict when it comes to the online game Roblox - in fact, all three of my daughters like playing the game. Recently my eldest daughter started getting spammed with in-game messages telling her to visit a URL to get free Robux. Robux is the in-game currency for buying accessories, outfits, etc., and can be purchased with real money. In this case, the URL was short and simple to type in:
My daughter opened the URL in a browser and then came to me asking what she should do next. I told her to close the URL and not visit it again, but I could tell that the lure of free currency was too much for her. She seemed disappointed that she was going to miss out on free stuff, and didn't believe me that she should stay away from the offer simply because I'd said it wasn't real.
So, I sat her down next to me and went through signing up for free Robux in an incognito window on my laptop.
We used a made-up email address on honeychurch.org (firstname.lastname@example.org was chosen by bashing on the keyboard), as I have a catch-all that redirects all unknown addresses at honeychurch.org to my mailbox.
She watched as I filled in form after form, giving over more and more personal information (a mixture of real and faked), and all without ever getting to the point where I was awarded my free Robux. More and more windows were opening, and the completion of each form led to the opening of a new one.
Then after about 5 minutes, we checked my spam folder. Lo and behold, I was already receiving spam emails addressed to the fake address:
# A Galaxy S9 for $3 - bargain!
You have been selected!
SAMSUNG Galaxy S9 for $3
10 LEFT IN STOCK
# Of course I want to win a fortune
What if we told you that you can play, enjoy and win a fortune?
Click here and you will see for yourself.
A staggering welcome bonus is waiting for you at BoVegas
Sign-up today and claim:
The cards are on your table! It's your time to play…
# I've won!
According to our system, you should have received a Apple iPod Touch one month ago.
You were chosen to get the an Apple iPod Touch with the following email address: email@example.com
We apologize so much for this package hasn't been delivered.
It seems that the shipping address was never supplied.
Just finish the final steps and we can send your package:
- Confirm you shipping address
- Pay the $1 fee.
Do this by clicking "Finish Delivery" below
# Wow, this seems legitimate
Several Countdown gift vouchers have not be claimed so far.
This includes the gift voucher allocated for firstname.lastname@example.org (allocated on today)
The allocated voucher has a value on $50 and can be used in any Countdown store accross New Zealand.
You have not confirmed your Countdown voucher yet!
Please accept the reserved gift voucher here
# Gosh, silly me
Please note that you still have an unclaimed LG K7 Smartphone.
We have repeatedly written to you regarding the delivery. We do not understand, why you have not yet confirmed your information's, so we can send it to your home address.
The price for the brand new LG K7 phone is only $1 without sim lock.
We hope that you'll confirm your information's this time
[Click here to proceed]
I made it fun, showing her just how daft it all was. I talked about how I'd given over enough information that someone could pretend to be me, and in return all I got was a mailbox full of spam - and that the spam emails were just phishing for more information, trying to get me to click on links in the hope that I have an insecure browser that will allow them to infect my PC with malware.
Hopefully the lesson sank in.