Kids are going to camp, and if it is a warm, sunny Friday (as it is in Oakville) I know countless adults will be playing hooky to take in a round of golf – or sit on the patio with a drink, or whatever it is that adults will do on a warm sunny day when they play hooky (or leave work early).
I woke up to the following e-mail this morning:
From: Fred Smith firstname.lastname@example.org
Just hoping this email reaches you well, I’m sorry for this emergency but I just have to let you know my present predicament. I made an urgent trip to Madrid, Spain. Everything was fine until I was attacked on my way back to the hotel, I wasn’t hurt but I lost my money, bank cards, mobile phone and my bag in the course of this attack. I immediately contacted my bank in order to block my cards and also made a report at the nearest police station. I’ve been to the embassy and they are helping me with my documentation so i can fly out but I’m urgently in need of some money to pay for my hotel bills and my flight ticket home, will PAY BACK as soon as i get back home.
Kindly let me know if you would be able to help me out so I can forward you the details required for a wire transfer. I will expect your response soon.
Poor Fred! To be attacked while on vacation abroad? It is terrible! Having recently been attacked on a trip abroad I feel great sympathy for the poor man. I am sure, if you knew Fred, you would too… and with good reason. Fred may not be in Spain, but he has indeed been attacked; his e-mail account has been hijacked.
This scam is a lot more dangerous than most.
- They hijack someone’s e-mail account (in this case GMail, but it could as easily be a Hotmail or corporate account).
- In this day and age most people keep a comprehensive contact list with their e-mail account, and even if you don’t, a lot of mail servers will cache the addresses of anyone you have e-mailed in the past, or received e-mail from. They send this letter to the entire list, in the BCC field. They use BCC for two reasons: A) It keeps it simple – you don’t need any sort of mail merge to send it out to hundreds of recipients, and B) nobody is going to look to see that they are the recipient of a message… but they likely will see if it is being sent to hundreds of people. It won’t set off a flag.
- Notice the spelling is all correct, and although acceptable the grammar is not formal. It is written the same way most people write.
- Because you know the sender’s e-mail (and his signature, including credentials, is correct) you are automatically A) not concerned about a scam, and B) worried about your friend/contact.
- The smart scammer knows that this is a time-sensitive attack. He will be redirecting the e-mail to another account that he has set up that will look like the correct one, but most people who send you e-mail from a GMail account do not want you replying to a Yahoo account.
- When you reply, they will be convivial and urgent, and have you wire them money or give them a credit card number, or some other method of sending them cash. They will be persistent and stressed – exactly how you would expect your friend lost and alone in a foreign country without means to be. If you suggest a method of transferring funds that would require them to prove they are who they say, then they will have a very good reason why they cannot. ‘I can’t get to a phone – I’ve been kicked out of my hotel, and you can’t just ask anyone if you can make an overseas call from their phone, or even wait for one to come in! Please just transfer the money to me!’
- Once you have sent the money they will be gone… and so will your money.
- If you reply to the e-mail to tell your friend that his e-mail has been compromised, the response ‘No you fool, it is really me, and I really was attacked!’ will be the reply… because the person checking the e-mail is the person who hacked the account!
Unlike so many attacks out there this one does not prey on greed, nor on charity. It preys on the sympathy of a friend, and most friends, given the chance, will help people they know. I recently had a conversation with someone who had been duped by this scam; an intelligent professional, someone who should have known better. Unfortunately we should all know better, but most of us don’t. It is not that we are gullible… these scammers are good. They have been working on their craft for a long time, and frankly they have learned from generations of scammers who have honed it to a fine art. These are people whose great-grandfathers sold snake oil, bridges, and promises of great things, all while expertly fingering your pocket and relieving you of your pocket watch without your knowledge.
The lengths I go to for my readers…
I replied to Fred (obviously not his real name) from an account I keep just for these purposes. It is under an assumed name, so the first indicator of a scheme would be that he seems to know who I am… even though John Fockerson (also not the right name) doesn’t really exist.
From: John Fockerson
To: email@example.com <note the different e-mail!>
Subject: RE: Urgent
Sent: 29 Jun 2012 14:05
Sorry to hear that! How can I help?
Your Dear Friend In Need,
It didn’t take more than five minutes to receive this reply:
Thanks, please I need to borrow about €950. Western union is the fastest option to wire funds to me. All you need do is go to the nearest western union agent to you and request to make a transfer to me. See details needed for western union.
Name on my ID: Fred Smith
You will need to email me the western union MTCN number as soon as you make transfer so I can receive money here, I have my passport as a means of identification. I will receive money from WU with it.
Firstly, this does not sound or feel like a response to an e-mail that was signed ‘Your Dear Friend In Need.’ Secondly, didn’t Fred say that his passport was stolen? Embassies are great for helping you when you are stranded abroad, but they do not work at the speed of light. Only Internet scammers do that.
What steps can you take to confirm your friend isn’t really in Spain?
As silly and low-tech as this may sound, the first thing you should do (if you are able) is to call them on the phone. ‘Oh, phone calls are so 20th Century!’ That may be true, but if you can hear your friend’s voice, you can confirm that their cellphone wasn’t stolen.
We don’t always have the ability to make a phone call. It is amazing how many people I have in my contact list for whom I don’t have a phone number. OK, then they probably have a Twitter account, LinkedIn, Facebook, or whatever other social media site it might be. If their Facebook (or Twitter) says ‘What a gorgeous day in Oakville… I wish I didn’t have to go into work today!’ then they are not in Spain! Send them a message on all of these letting them know what has happened – there is a good chance that they don’t even realize that their account has been compromised yet.
Incidentally, I fly with boring regularity, and not once in the last five years have I had to present a paper ticket in order to get onto the plane. In other words, airline tickets are nearly impossible to steal. Also airlines know that sometimes things do happen to people traveling abroad, and will work with you to make things right. All you need is your passport – which according to this e-mail, Fred has.
What can you do if you’ve been hacked?
Firstly, if the scammers are smart (and they are!) they have already changed your e-mail password; it is seldom going to be as simple as ‘well drat, I have to log on and change my password before they actually catch anyone.’ Firstly you likely won’t get into your account, and secondly they’ve likely already caught someone.
Most e-mail hosts have a way to report if your account has been compromised. Find it. They will work with you to regain control of your account, and those stupid questions they asked you when you set up your account – ‘Who cares what my first pet’s grandmother’s favourite TV show was?’ – will actually authenticate that you are who you say you are.
If they have caught anyone – and it is not going to be uncommon to find that someone you know did send them money – then you may have to cooperate with the authorities. Your e-mail box is now a federal crime scene.
You are going to have to urgently (as soon as they let you) send an e-mail to all of your contacts telling them what has happened, and to not send you money in Spain (or wherever else). The smart thief knows that this is a time-sensitive crime, and that it is only a matter of time before you regain control of your account. The first thing they do is set a simple flag on the outbound e-mail to configure the Reply-To: address. In other words, you are getting an e-mail from firstname.lastname@example.org, and when you hit Reply the e-mail is routed to email@example.com. They will lure your friends in, then once they have them will use a different address (to a box that they have created) to continue the conversation.
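The Reply-To redirect described above can be checked mechanically before you answer a plea for money. This added example (not part of the original post) compares the From and Reply-To headers of a raw message and also notes when your own address is missing from To/Cc, as with the BCC blast described earlier; the sample messages, the recipient john@example.net and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not real mail). The sender and reply addresses
# are the post's own placeholders; john@example.net is a made-up recipient.
HIJACKED = """\
From: Fred Smith <firstname.lastname@example.org>
Reply-To: Fred Smith <email@example.com>
To: Fred Smith <firstname.lastname@example.org>
Subject: Urgent

I made an urgent trip to Madrid, Spain.
"""

NORMAL = """\
From: Fred Smith <firstname.lastname@example.org>
To: John <john@example.net>
Subject: Lunch?

Are you free on Friday?
"""


def _addresses(msg, header):
    """Return the lower-cased addresses found in every instance of a header."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.lower() for _name, addr in pairs if addr}


def reply_to_findings(raw, my_address):
    """List reasons a message's reply path or addressing looks suspicious."""
    msg = message_from_string(raw)
    senders = _addresses(msg, "From")
    sender_domains = {s.rpartition("@")[2] for s in senders}
    findings = []
    for reply in sorted(_addresses(msg, "Reply-To") - senders):
        if reply.rpartition("@")[2] in sender_domains:
            findings.append(f"reply-to differs from sender: {reply}")
        else:
            findings.append(f"reply-to on a different domain: {reply}")
    # Not being listed in To/Cc means the copy arrived via Bcc or a list.
    visible = _addresses(msg, "To") | _addresses(msg, "Cc")
    if my_address.lower() not in visible:
        findings.append("recipient not in To/Cc (Bcc or list delivery)")
    return findings
```

Neither finding proves a hijack on its own (mailing lists and shared mailboxes trigger them too), but together with an urgent request for a wire transfer they are a reason to verify through another channel first.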
Post to every social network imaginable that your account has been compromised, and that you do NOT need anyone to send you money. You will feel stupid letting the world know you have been hacked (your dog’s name is NOT a safe password, nor is P@$$w0rd) but you will feel a lot worse knowing that because you did not do that one (or several) of your friends lost thousands of dollars ostensibly trying to help you.
REPORT IT! The US Federal Government has a site called On Guard On-Line where they teach people on-line safety, as well as track these sorts of incidents. It is a joint venture of the United States Postal Inspection Service, the Federal Communications Commission (FCC), and the Office of Justice Programs. They have set up an e-mail address where you can report these types of e-mails (firstname.lastname@example.org), as well as a link to file a complaint with the FTC (Federal Trade Commission). None of this will help your friends who have been hit, but it might prevent future attacks. Unfortunately the Government of Canada does not have any such program that I am aware of.
The Bottom Line
It sucks that the only way we can protect ourselves is to become more and more vigilant and skeptical, but that is the reality. They used to say ‘trust none of what you hear and half of what you see.’ That was in the days before the Internet. You can no longer trust ANYTHING you see, hear, or read on-line (except on this blog, of course!) and should never do anything without getting double- and triple-confirmation. It is terrible to hear, but it is true.
It is no longer a question of ‘If it is too good to be true, it probably is.’ That argument may work on scams that prey on greed, and even on our heartstrings. When it comes to a scam that preys on the loyalty of a friend, we need to go back to the cliché-drawing-board. That I will leave to someone else… I am too long-winded to pen catchy clichés.
The world is not a friendly place, and the Internet remains the Wild West. If you or your friends get duped then there is a slim-to-none chance that they will ever receive compensation or justice. The only thing you can do is prevent it, and that requires vigilance. Keep your passwords safe (Expert Advice to Keep Your Passwords Safe) and change them often… especially if you use a lot of public Internet cafés or other untrusted wireless networks… and especially if you use an iPhone (or other smartphone) to check your e-mail. At a recent demonstration in New Orleans Dana Epp showed us how easy it is to hack anything… and snatch your passwords right out from under you. Dana is one of the good guys – he is the owner of Scorpion Software, and is one of the best Penetration Testers out there. Unfortunately there are a lot of bad guys who know the same tricks that he does, and you will never see them coming.
Should you be afraid? Yes. Fear is nature’s way of telling us we have something to be concerned with, and to take the appropriate steps. Should we turn off our computers and revert to the days of non-electronic communications only? No. We simply need to do what we can to protect ourselves… whether we are on-line, or in the streets of Madrid.