In This Issue
Scam of the Week: The fake VA benefits call
Red Flag Decoder: Even your two-factor code can be phished
Marketplace Alert: The overdue tax bill you don't actually owe
Inbox Danger Zone: The USPS "package on hold" text
What to do this Week: Summary
Scam of the Week: The fake VA benefits call
Your phone rings. A polite voice on the other end says he's from the VA Benefits Office. He knows your name, the year you served, and the name of your last duty station. He says there's a problem with your monthly benefit deposit and you need to verify your Social Security number and direct deposit info before Friday or the next payment will be held.
Nothing is wrong with your benefits. The caller pulled your service details from a public obituary, a genealogy site, or a data broker file.
July is Military Consumer Month, which is why the FTC pushed out a fresh reminder last Tuesday about the specific ways scammers target servicemembers and veterans. VA and Social Security impersonators are near the top of the list. The variations are consistent: a "problem" with your benefits, a "one-time" verification, an "urgent" enrollment step, or a claim that you're owed retroactive back pay if you just confirm your account details.
The scam works because the caller sounds like they belong. They use military-adjacent language ("your DD-214," "your Chapter 33 benefits"), they know a real detail about your service, and they push a deadline that feels bureaucratic rather than aggressive.
Here is the actual VA policy. The VA never calls you unsolicited to ask for your Social Security number, your banking info, or any password. Every legitimate VA benefits update flows through your VA.gov account or through certified mail. When something is genuinely wrong, they write you a letter first, then leave the next move to you.
The rule: If someone calls claiming to be from the VA, hang up. Log in to VA.gov yourself, or call the VA at 1-800-827-1000 using that number, not one the caller gave you. And tell every veteran in your life the same thing.

RED FLAG DECODER
🚩 Even your two-factor code can be phished
You've done everything right. Long password. Two-factor authentication on. A six-digit code from your authenticator app every time you log in. That has been the gold standard for years.
It isn't enough anymore.
The FBI issued a public alert this spring about a phishing-as-a-service kit called Kali365. For a monthly fee, scammers rent a ready-made phishing platform that captures your password AND your two-factor code in real time, then uses both to log into your account within seconds. By the time the scammer is inside, your session token is theirs. Turning off two-factor after the fact doesn't help.
Here is how a Kali365-style attack unfolds. You get an email that looks like it's from Microsoft, your bank, or your workplace, warning about an "unusual sign-in." You click the link and land on a page that looks exactly like the real login. You type your password. The fake page passes it through to the real service, which prompts for your two-factor code. The fake page shows you that same prompt. You type the code. Both the password and the code get relayed to the scammer, who logs in as you. You get a "welcome" page that looks normal. Nothing feels off.
Three defenses that actually work.
One: passkeys. Passkeys use a hardware secret tied to your device and a biometric on your face or fingerprint. There is no code to intercept, because there is no code. Apple, Google, and Microsoft all support them for major accounts now. Turn them on where you can.
Two: a hardware security key (YubiKey, Google Titan, etc.). A physical key you tap or plug in. Scammers on the other side of a phishing page cannot use one.
Three: never enter a two-factor code on a page you reached from a link in an email. Always type the site's real address into your browser, or open your app.
The rule: If you got to a login page by clicking a link, do not type your password or your code there. Real-time phishing kits can capture both. Type the site's address yourself, or open the app.
MARKETPLACE SCAM ALERT
The overdue tax bill you don't actually owe
Your phone lights up with a text: "IRS Notice CP-14: Your 2025 return has a balance due of $2,847. Immediate payment required to avoid enforcement action. Pay: irs-collections-portal.net."
You just filed. You paid what you owed. Your refund arrived weeks ago. So what is this?
The FTC has flagged a fresh spike in fake "overdue tax bill" texts and calls in the weeks after tax refunds hit accounts. Scammers know the calendar. They know that people who filed on time and got a refund are the least likely to worry about a follow-up bill, which is exactly why the fake ones catch some of them off guard. Same wave hits state departments of revenue too, especially in states with July estimated-payment deadlines.
Four tells inside every one of these messages. The link is not IRS.gov (or your state's real .gov address). Real notices link to IRS.gov and only IRS.gov. The text or call demands immediate payment or threatens arrest, license suspension, or wage garnishment. The real IRS starts with paper mail and gives you weeks, not hours. The payment method is unusual (gift cards, cryptocurrency, wire transfer, Zelle). The real IRS accepts checks, direct debit, and card payments through IRS.gov only. The reference number sounds official but doesn't match any real IRS letter format. Real IRS letters use codes like CP2000, LT11, or 5071C, and the number is embedded in a mailed letter, not floated in a text.
The rule: No real tax agency, federal or state, will text or call you about an overdue balance. If you're worried a real bill exists, log in to IRS.gov yourself or your state's .gov revenue site directly.
INBOX DANGER ZONE
The USPS "package on hold" text
A text lands from a number you don't recognize. It reads:
"USPS Notice: Your package cannot be delivered due to an incomplete address. To reschedule delivery, confirm your address here within 24 hours to avoid return-to-sender: usps-redelivery-support.com. Ref: US928471203."
You did order something last week. So did most people. That's what makes this one so effective.
You tap the link. The page looks like usps.com, right down to the eagle logo. It asks for your address, your phone number, and a $1.99 "redelivery fee" for the card that lets you complete the "verification." You enter your card. The next screen says confirmation is pending.
The next morning, three unauthorized charges show up on your card. Not a $1.99 charge. Larger ones, spread across a few days, from stores you have never shopped at. The card details you entered were used the second you hit submit.
Three things give every USPS delivery text away. USPS does not text you about deliveries unless you specifically signed up for Informed Delivery text alerts. And even those texts do not contain links to reschedule anything. The real USPS uses usps.com. Every fake one uses a lookalike: usps-tracking.support, usps-redelivery-us.com, usps.package-hold.net. A real delivery problem does not require a fee. Real redeliveries at your home address are free.
The rule: Never tap a link in a USPS text about a package. If you're expecting something, open the retailer's app or usps.com yourself and search the tracking number there.
What to do this Week
Tell every veteran in your family that no one from the VA will ever call them out of the blue. If they get a call, they hang up and log into VA.gov themselves.
Turn on passkeys where you can. Apple, Google, and Microsoft all support them for major personal accounts. Two-factor codes alone are no longer enough.
If a text or call claims you owe overdue taxes, ignore it and log in to IRS.gov (or your state's real .gov revenue site) directly. Real tax bills come by mail.
Never tap a link in a USPS or FedEx delivery text. Open the retailer's app or the carrier's app yourself and search the tracking number.
Run any suspicious text, email, or pop-up through ScamRank before you act on it. Paste the message in, get a Trust Signal back in seconds. Try it at scamrank.com.
Forward this issue to a veteran or a family member who's been busy shopping online this summer. Two of this week's four scams target one of those two groups.
Until next week,
The ScamBrief Team
ScamBrief is part of the Echo Safe family | Helping families stay ahead of scams | echosafe.co