Threat Intelligence Directory
Fraud

Overpayment / Fake Check Scam

Attack Trigger

Unexpected windfall — victim receives more money than expected and is asked to refund the surplus

What Attackers Want

$500–$20,000 wired before the counterfeit check reversal is discovered

How This Attack Works

A scammer overpays for a sale, freelance job, rental, or prize, sending a check that initially clears. They then urgently request the victim wire back the overpaid amount before the bank discovers the check is counterfeit and reverses the deposit. By the time the check bounces (often 7–10 business days later), the wired "refund" is gone and the victim is liable for the full amount.

Red Flags to Watch For

  • Payment received is significantly more than the agreed amount
  • Payer immediately asks you to wire back the difference to a third party
  • Check is a cashier's check or money order — these can still be fake
  • Urgency: "I need the refund today before my flight"
  • Payer is a stranger you met online through a marketplace, rental, or job listing
  • Bank initially shows funds as available — this does not mean the check has cleared

Known Malicious Domains

These domains have been associated with this attack. Never click links going to these addresses.

  • payment-processing-agent.comMALICIOUS
  • check-clearing-services.netMALICIOUS
  • overpayment-refund-portal.comMALICIOUS

Glance automatically blocks emails from domains on this list. Domain list is not exhaustive — attackers register new domains continuously.

How Glance Stops This

  • Domain similarity analysis catches lookalike sender addresses at millisecond speed
  • SPF / DKIM / DMARC validation flags authentication failures before you ever see the email
  • VirusTotal + Google Safe Browsing checks every link in real time
  • Urgency language detection scores the email higher for manual review
  • Known malicious domain blocklist updated continuously from live scan data

Don't wait to get hit.

Glance scans every incoming email against 12 detection layers — including the exact tactics described above — before it reaches your inbox.

Protect My Inbox — Free

Similar Threats

Fraud

Fake Crypto Investment Opportunity

Medium
Fraud

SIM Swap Attack

Medium
Fraud

Elder Financial Exploitation

Medium
View all threat profiles