Scams, Hacks and Frauds: Keeping you and your family safe from scams

Scamming As A Service - The Tale of a Phishing Fraud Kit Mastermind.

Cee | Host of Scams, Hacks and Frauds. Season 1 Episode 28


Welcome to Scams, Hacks and Frauds. Have you ever wondered how scammers get your information? Have you seen those ads that tell you how easy it is to get your business online? What if I told you that setting up a trap to steal information like names, passwords, and banking details is just that easy?

Ollie Holman is big in that business, except he won't sell you a website for your personal blog, or to take your small business online. No, he sells websites that mimic other websites to steal your details. We'll tell you all about his caper and what happened when he was finally caught.

We're also joined by Alex Quilici from YouMail, which is a service that takes the fight back to the scammers by upgrading your phone and voicemail to stop the scammers from even reaching you.  He'll give you some important tips and tricks to ensure that you and your family don't fall victim to these scam sites.

We publish new content every other Monday. The 10 minutes our episodes take may save your wallet and help protect your family.

If you like shows like "The Perfect Scam" or "Darknet Diaries" then this show might be for you.  

On our website you’ll find more on computer hacking, identity fraud, impersonation, consumer rights and romance scams. To find these and to access our transcripts, visit us at www.scamshacksandfrauds.com.

The transcript and spoken audio are available under the Creative Commons, Share Alike, With Attributions license. For more information on this visit creativecommons.org.  

Introduction

SPEAKER_00

Have you ever wondered how scammers get your information? In many cases, they create fake versions of websites that you use every day to capture your personal details. They call this phishing. In this episode, we'll expose how these websites have become a multi-million dollar business in their own right, and talk to Alex Quilici from anti-scam service YouMail to discuss how to keep your family safe from these scams, hacks, and frauds.

He's an undergraduate student at the University of Kent in Canterbury, studying electronic and computer engineering, a course he started in 2021. Whereas most of his fellow students are struggling to make ends meet with government loans and part-time jobs, he's become quite the entrepreneur. He's been selling websites. And he's pretty good at it. For a few hundred pounds, he'll sell you a fully functional, professionally laid out website with all the correct code and backend to allow people to log securely into the site. Thanks to selling these sites, he's earned himself £405,000 in profit over two years. Much better than the bar or retail work most of his fellow students have found.

What Ollie doesn't know is that the City of London police, who usually take the lead in fraud and cyber-related crime, are just outside of his university dorm room, ready to burst through the door. Ollie's not just selling any old type of website. Ollie's selling fake websites designed to steal your personal information. Although he might not be committing the fraud himself, he's taking money from the people who are. And the £400,000 is nothing compared to the estimated £100 million his customers have made by stealing from people just like you.

For many years, scammers have been using fake websites to catch your details. They call this phishing, spelled with a PH rather than an F. They sell these details. A full name, date of birth, social security number can cost between $20 and $100. Credit cards, depending on the limit, up to $120. A bank login starts at $200 and can go into the thousands. So it shouldn't surprise you to hear that Ollie's fake websites included banks. Just one login could pay for the website they bought from Ollie. And just like the ads you might see from those hosting companies saying how easy it is to set up a website with them, setting up a scam website is now just as easy.

Ollie's business was no fly-by-night operation. In the two years he'd been running the business before his first arrest, he sold at least 1,052 of these phishing kits. And once the kit was sold, the service didn't end there. Through encrypted apps like Telegram, he'd provide the after-sales service, troubleshooting the kits, and provide advice on how best to use them. And yes, I did say first arrest. You would have thought after the raid in October 2023 he would have had a clue and stopped what he was doing. But ever dedicated to customer service, he continued to provide that support until his second arrest, in April 2024, at his family home in West London.

In July 2025, Ollie was sentenced to seven years. With time served and current early release policies in England, he can expect to be out of prison by mid-2027, but will likely face further restrictions on his release. That said, he's still believed to be sitting on over 300,000 in crypto assets, including Bitcoin earned through his criminal enterprises, and further court hearings are still pending to try to seize those assets.

So with tens of thousands of phishing websites out there, and these sites now more convincing than ever, we thought we'd talk to an expert on how to keep your family safe from scam websites and fraudulent charges on your cards. Alex Quilici is the CEO of YouMail, a service that helps block scams and spam calls. Thanks for being with us, Alex. So with these scam kits, setting up a fake website is easier than ever, but they still have to get their site up onto our screens. What tricks do scammers have to get us to look at their site instead of the real one?

SPEAKER_01

So the biggest one is they send you text messages. So they have a link to their site and a text message, and the text message will say something like, Hey, there's a charge on your account. You know, click here if it's not you. Sense of urgency, one tap, and boom, you're on their website.

SPEAKER_00

Yeah, sense of urgency is something that does come up a lot, even sort of outside of scams as a way of sort of tricking people into buying things that otherwise maybe they wouldn't. If someone is looking at a website with a login box on a website that seems familiar, what should we be looking for to make sure that it is the right site and not one of those phishing kit sites?

SPEAKER_01

So these phishing kit sites are so hard to detect, right? If they do Amazon, it'll look like Amazon.com, but they'll have a zero instead of an O in Amazon, right? And so you look at the site, you cannot tell, right? Even experts looking, it's very easy to be tricked. So our advice is if you think you just clicked something that sent you to Amazon, actually type in Amazon.com in the browser. Like do the extra step and go there directly. If you go indirectly through, you know, a text message link, you don't know where you're gonna wind up. Same with banks, right? You have the URL on the banking card, just type it in. It's a little extra work, but it's a guarantee then that you go to the right place.

SPEAKER_00

So would you agree then it's safer just not to click on any links in any email and always type it in direct?

SPEAKER_01

I think in general, it's true. There are a few exceptions. Like if you go to a website like Amazon and you get the little email with the authentication code, right? Okay, you can click on that. If you've interacted directly, it's safe. But it's all this incoming stuff that you're reacting to that's always the problem. And you're absolutely right. You should never click on something unexpected, ever.

SPEAKER_00

You've just mentioned the code there from Amazon, and we've talked a lot about two-factor or multi-factor authentication in previous episodes. Just how important is this in stopping phishing attempts?

SPEAKER_01

It's helpful. So multi-factor authentication is great because someone can't just take over your account. You know, there are uses for it. The problem is the bad guys, the phishers, will actually ask you for a code. They'll go to a website like Amazon and pretend they're you logging in, they'll get the code, you'll go and give them whatever code you got, and then they log in. And so 2FA is a double-edged sword. It's actually the number one way people are breaking into accounts. It just requires some social engineering to get you to tell them the code that they just generated and went to your device. So it's a tough one. I mean, you want to turn it on, but you've got to be aware of some of the limitations.

SPEAKER_00

That's a very fair point there. What would you say is the number one thing someone can do right now? Takes next to no time, money, or effort that someone can do to reduce their risk of becoming a victim.

SPEAKER_01

The number one thing we always tell people is just take a breath. Don't tap immediately. Sit there for a second and go, is this real? What should I do? Just doing that alone often gives you some idea of how suspicious something really is. So if I get a text from Amazon claiming something, I just need to stop for a second and go, hmm, why would Amazon tell me that there's a 1299 iPhone and I have to press one to say it's not me? That's not how it works. So we always recommend that. Costs nothing, just a little bit of patience, and it goes a long way. There are obviously other things. You should run tools that can block texts and block calls, and you can run other things, but you definitely need to take that breath.

SPEAKER_00

Absolutely. The world might be getting faster, but slow down.

SPEAKER_01

And it's amazingly difficult for people to do, actually, right? We're all so used to let me tap-tap, get this out of the way. You look at your Gen Zers. For them to take a breath is really, really hard, but that's why it's so powerful if you can train yourself to do that.

SPEAKER_00

Absolutely. Well, thanks very much for joining us there, Alex.

SPEAKER_01

Thank you for having me on. Those are really great questions.

SPEAKER_00

If you're having problems with spam calls, you might want to check out YouMail at youmail.com. We'll have a link in the description of notes so you can see if this service might be right for you. But that's all from this episode of Scams, Hacks, and Frauds. Please share the episode with someone you care about to help keep them safe from scams, hacks, and frauds. The music is not included in this license. For more information on the Creative Commons license, please visit creativecommons.org.
