Author’s note: Click or tap the images to see them full size. Note that both the sender’s email address and mine have been suppressed in the interest of maintaining privacy. Copies of the full messages (with headers) in the exchange below were sent to law enforcement, including, but not limited to, the Canadian Anti-Fraud Centre and the Internet Crime Complaint Center, for further investigation.
Cybercrime and online scams continue to proliferate the Internet. In addition to malware, ransomware, and computer viruses, scammers will also try other tactics, including phishing attempts, to try to steal people’s identities to perpetrate fraud.
As part of my work in, I regularly have to participate in mandatory cybersecurity training. I doubt these online scammers thought I was tech savvy when they decided to target me.
Here’s how I scammed them in 10 slides. Bear in mind that I had to do a little research to keep this going and to dig up the names and links I did, but this was highly entertaining.
Note, too, that, although their initial message went to my regular email address and showed up in the Junk folder, I elected to string them along using an alternate address I set up solely for this purpose.
Note that, throughout this exchange, I was sending blind copies to law enforcement agencies and the Canadian Anti-Fraud Centre, along with full message headers, key information that help identify users’ IP address.
So here is the initial email message I received October 23, 2022, congratulating me on my having been awarded a substantial windfall. USD $4.5M? This sounds interesting. And pretty simple. I’ll bite…
So, all I have to do is provide a name and phone number? Sure. That’s easy enough. From my alternate email account, and on the very same day, October 23, I cough over a few following a quick Google search. More about their significance later.
I did as requested. What’s the hold up? Did they run a search on those names? I decide to send a follow-up message on October 28, 2022.
Ah! It seems all they needed was a little prompt. A few days later, on October 30, we’re back on track!
Hang on. The initial message was from Elizabeth Robert, referencing Mrs. Margaret Alexander, and now I’m hearing from Rev. Sister Brianna Graham, Payment Manager? Who’s who here?
Ah, now it makes sense. Sort of.
It’s still unclear why is the information I sent initially seems insufficient. Maybe there was a miscommunication and the contacts I provided under previous cover didn’t get passed along. I send it again, with additional details on November 3.
To be sure, I send this post-script on November 4.
Another few days pass, and I’ve had the weekend to think over this a bit. On November 7, still having heard nothing, I bug them again, sending a blind copy directly to the United Nation Development Programme’s (UNDP) Office of Audit and Investigation and dropping the phone number of the third-party entity enlisted on the UNDP’s behalf to investigate fraud and parties impersonating its official programs.
I do research of my own accord to unearth their [non-existent] “business plan” and, on November 8, drop a few more official links.
Another few days go by. Crickets.
I want my money, dammit! I send the banking details of a fake persona generated at http://fauxid.com. I send everything* needed to steal the identity of the persona I’ve created.
* with the exception of a SWIFT code, BIC or IBAN. I withheld these, and other key details, which I’ll reveal in a moment.
Ah! That set things in motion again, and I can overlook the glaring errors because … on November 11, I receive the long-awaited confirmation that my banking details were received in good order!
Ka-CHING! I’ll have my [ill-begotten] funds soon!!
Duh! Stupid me! Immediately I realize that they can’t send my money without the necessary wire transfer code! An honest oversight on my part. I provide it, and a few other revealing tidbits about my fake persona and the contacts whose names I provided initially…
… along with this screenshot. You know, as a friendly reminder.
This exchange over the course approximately three weeks may not break up fraudulent online activity, but it may help halt it, and the time these folks wasted on me is time they might otherwise have spent trying to defraud you.
metaphortuitous.ca 