McDonalds “Fillet O’ Phishing” Survey Scam

Would you fill out an email survey, sponsored by McDonalds – if they paid you 250 dollars for completing it? I’ll go out on a limb here and say – yes you would. Just like most offers that sound overly attractive though – this offer is a scam.

This scam is not only plausible, but in appearance, it could easily pass for the real thing. Jump into this one though, and you’ll stand a good chance of losing your credit card information. So, no 250 dollars; just a real messy credit cleanup to look forward to.


Filling out the survey form really isn’t the hook – that comes later.


Clicking on the “proceed” link (this is where you supposedly get the 250 bucks), opens the following screen. All you have to do is provide your credit card details and additional personal information.


If, at this point, you don’t hear a loud warning bell resonating in your head – you’re about to become a cyber crime victim.

To add credibility (and reduce suspicion), victims of this scam are automatically redirected to the official McDonalds site – once the victim’s credit card details have been scooped by the crooks.

In August of 2010, when I first reported on this scam, which was then being “test marketed” by the cyber crooks in New Zealand and Australia, I made the following point –

The rest of us (non Australian or New Zealanders), shouldn’t be complacent because, for the moment, this scam is appearing only in that part of the world. If this scam works there, and I suspect it will work very well, there’s little doubt it will soon be on its way to your inbox.

Well, here it is in North America and according to the chat on the Net, this time out, the graphics on the survey and phishing pages are loaded directly from McDonald’s own website. You can rightfully accuse cyber crooks of being the lowest form of pond scum imaginable – but you can’t accuse them of not being technically sophisticated.

It’s the same old, same old, though – the first time I came across this scam was in 2006. This type of scam is recycled repeatedly – because it works. Reasonably intelligent people do get trapped by sophisticated scams, due, in large part, to their failure to take minimum common sense security precautions. Don’t be one of them.

Advice worth repeating:

If you have any doubts about the legitimacy of any email message, or its attachment, delete it.

Better yet, take a look at the email’s headers. Check the initial “Received from” field in the header, since this field is difficult to forge. Additionally, the mail headers indicate the mail servers involved in transmitting the email – by name and by IP address.

It may take a little practice to realize the benefits in adding this precaution to your SOP, but it’s worth the extra effort if you have any concerns.
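The header check described above, as an added Python example (not part of the original article): it lists each mail server in the Received chain by name and IP address, then compares the From: domain with the host that handed the message to the recipient's own server. The sample message, the `.example` hostnames and the function names are constructed for illustration, and the parser assumes the common `from NAME (RDNS [IP]) by SERVER` layout.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (reserved .example names, documentation IPs); not a real capture.
SAMPLE = (
    "Received: from mail.bulk-sender.example (unknown [203.0.113.45])\n"
    "\tby mx.recipient.example with ESMTP id ABC123;\n"
    "\tMon, 17 Jan 2011 09:12:44 -0500\n"
    "Received: from mcdonalds.example (mcdonalds.example [192.0.2.10])\n"
    "\tby mail.bulk-sender.example with SMTP id XYZ789;\n"
    "\tMon, 17 Jan 2011 09:12:40 -0500\n"
    'From: "Customer Survey" <survey@mcdonalds.example>\n'
    "To: user@recipient.example\n"
    "Subject: Customer Satisfaction Survey\n"
    "\n"
    "Complete our survey.\n"
)

# Common layout: from <HELO name> (<reverse-DNS name> [<IP>]) by <receiving server>
HOP_RE = re.compile(r"from (\S+) \(([^)]*)\) by (\S+)")
IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")

def received_hops(raw):
    """Parse Received lines, newest first (each server prepends its own line)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # undo header folding
        if not m:
            continue
        words, ip = m.group(2).split(), IP_RE.search(m.group(2))
        hops.append({"helo": m.group(1), "rdns": words[0] if words else None,
                     "ip": ip.group(1) if ip else None, "by": m.group(3).lower()})
    return hops

def check_sender(raw, my_domain):
    """Compare the From: domain with the host that handed the mail to my_domain."""
    sender = parseaddr(message_from_string(raw).get("From", ""))[1]
    from_domain = sender.rpartition("@")[2].lower()
    # Trust only the line stamped by our own server; lines below it arrive
    # with the message and can be written by whoever sent it.
    handoff = next((h for h in received_hops(raw)
                    if h["by"] == my_domain or h["by"].endswith("." + my_domain)), None)
    rdns = (handoff["rdns"] or "").lower() if handoff else ""
    matches = rdns == from_domain or rdns.endswith("." + from_domain)
    # A mismatch is a prompt to look closer, not proof: real senders also use
    # third-party mail services.
    return {"from_domain": from_domain, "handoff": handoff, "mismatch": not matches}

if __name__ == "__main__":
    print(check_sender(SAMPLE, "recipient.example"))
```

In the constructed sample the lower Received line claims the brand's name, while the line written by the recipient's server records an unrelated host at 203.0.113.45, so the message is flagged.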



Filed under cybercrime, Don't Get Scammed, Don't Get Hacked, email scams, Malware Reports, Phishing, Windows Tips and Tools

10 responses to “McDonalds “Fillet O’ Phishing” Survey Scam”

  1. Hi Bill,
    Having worked at McDonald’s in my youth your use of the term “test marketing” rang a bell.
    I have to hand it to these guys they are clever and getting better all the time. Pretty easy to snag some typical users I see all the time. Running XP letting the kid “share” music, and turn those updates off, they’re such a bother.
    The old days of poorly written spam messages (“please to click on link, emergency”) are long gone.
    I wonder if the new platforms will remain secure very long, I’m guessing not. Money is a powerful motivator.

    • Hi Mark,

      Crafty, creative, and believable, are the “bywords” for today’s successful cyber scams. There’s little protection for those who just don’t get the fact, that if it’s “too good to be true” – it’s not true.

      As you say “Money is a powerful motivator”. And that, unfortunately, works both ways.

      As always, a thoughtful comment.



  2. Mal

    Hey Bill,
    Apart from selling crappy food, McDonalds really are under the pump. Just last year, in Perth, thousands of people had their bank details skimmed and compromised when paying for their purchases. Now this. Really, not good for company image, although in this case, it’s not their fault.

    • Hey Mal,

      You’ve just explained one of the reasons I never use a credit, or debit card, at small operations. Mind you, I’m not all that comfortable using my debit card anywhere since, as opposed to a credit card, I take the fraud hit.

      It’s become so bad here in Canada, that credit card companies are petitioning the gov’t to allow them to charge back actual losses on a customer card, if it can be proven that the customer was negligent. So, the $50 charge back limit, is now under threat. It may take an action as severe as this, before users finally start paying attention. All to the good I think, since it may reduce costs for those of us who do pay attention.



  3. thanks for the heads up..

  4. Bill,
    Excellent article, and a great example of phishing for your readers. And talk about coincidence…I just wrote a post for tomorrow that talks about spam and phishing. Guess your vibes were travelling south today. 😉

    • Hi Paul,

      I’ll be dropping by your site in the AM, for sure. It’s always one of “must do’s”

      I’m happy at least part of me traveled south today – it’s colder than a well digger’s ….. Currently minus 31 degrees. 😦



  5. John Bent

    Hi Bill,

    I’m not aware that this has arrived in the UK yet and I don’t eat at McDonald’s, so I’m likely to treat anything like this with great suspicion.

    Not everyone looks at your blog, more’s the pity, so it occurred to me to wonder how much responsibility McDonald’s take to safeguard their customers. I looked at their head office webpage and found no reference to the problem there. After several clickthroughs, though, I came across a warning about phishing (link below). Of course I was specifically looking for this information and I seriously doubt that the average McDonald’s customer would be, so it is pretty ineffective at protecting them.

    McDonald’s is no different from the major UK banks in this respect. They all have information about phishing on their sites but it is usually tucked away out of sight (and out of mind). So the onus is firmly on the individual to be on guard, rightly in my view. Unfortunately too many people seem to regard the internet as a toy and to forget its potential for harm.

    Kind regards

    • Hi John,

      Well put – “the onus is firmly on the individual to be on guard, rightly in my view”. To be fair to McDonalds and the like, I don’t think that they have much of a responsibility to protect customers/prospective customers, against their own stupidity. As you point out, the Internet has the “potential for harm” – it’s well past the time typical Web surfers paid attention.

      As usual – a thoughtful comment.