Recently an elderly member of my family asked for some help with an online service. Dave (name changed to protect the innocent) is in his eighties and uses his PC for email and browsing but little else.
This is a pretty normal situation for anyone working in IT or even familiar with computers, you quickly become the go-to helper for any and all computer problems.
The request was a simple one: help set up a PayPal account. But there was more below the surface of the apparently simple request.
Dave was helping a friend sell a used household generator. He had found a buyer for the generator and agreed a price. But the buyer wanted to use PayPal for the payment, claiming he'd been scammed using other methods in the past.
Here's the email that the prospective buyer sent Dave:
[Dave], I won't do what you will be requesting for the payment because have been scammed in such a way in 2 months ago but the main problem now is that I can't have a state to state transaction that will not include adequate security level, I can't send any form of cash via western union or Cashier/Certified Check or bank payment for payment to anyone even money order or Debit Card just because have been scammed in such a way in 2 months ago, could you believe the same thing happened to my Cousin in Texas last 3 weeks and is getting too much.Please do think of giving a trial to PayPal to see how it works they are well secured with their services, I assured you will be highly surprised with how everything will work out fine so you can open PayPal account it's free no charges for opening even is very easy to operate well secured.
Expecting your opinion on this. Thanks
Using an online payment system that includes dispute resolution sounds like a reasonable precaution, although a close reading of the PayPal user agreement indicates that their dispute resolution may not cover personal payments.
The language in the email snippet above is similar to that used in various online scams - but Dave doesn't spend all day reading scams on the internet so he took it at face value.
Dave's PayPal account would only be used to receive payment so when setting it up we did not attach a payment method to the account. That way if the account is ever compromised no-one can use it to drain Dave's bank account or make charges to his credit cards.
Once the account was set up Dave contacted the buyer with his PayPal details. That's when things started to look a little fishy.
Within a few minutes Dave received three emails that claimed to be from PayPal. Fortunately, for the purposes of this blog entry, Dave made print-outs of the emails he received (redacted versions of which are reproduced below):
1) Notification that $1,750.00 had been credited to his PayPal account. $1,200 for the generator and $550 for shipping and handling.
2) Notification that a temporary hold has been placed on the payment until a portion of the payment is forwarded to a shipping agent.
3) Instructions for paying the shipping agent.
Dave found this to be confusing but also suspicious and asked me for more advice.
At this point the scam is clear.
Dave is being asked to send $500 by Western Union before the payment for the generator is released to his account. Instead of receiving money he must first make a payment.
This is known as 'advance fee fraud'. The scammer will disappear with Dave's payment and instead of selling a generator he'll be $500 poorer.
There are plenty of clues in these emails to indicate that a scam is in progress, both for the technically proficient user and for the Daves among us.
Let's look at the last of the three emails - the instructions for paying the shipping agent:
From: "firstname.lastname@example.org" <email@example.com>
Subject: Payment Assurance: Please Read This And Follow Instructions *** Western Union Scan Receipt Needed For Verification ***
This message is originated from PayPal Company. The payment we received from has been made successfully and the money has been credited into you PayPal account but it will not show in your PayPal account. However, since this money is meant for a purchase or a service that involve a Shipping Company.We have to receive a confirmation that you have sent the pick up agent fee to <name of shipping company> before the money will be available in your PayPal account for spending. This is due to the large increase in the rate of the online scams recorded few year. We have changed some of our rules and regulation to make sure our clients, are safe from scam, PayPal in conjunction with The FBI and The IFCC has invented certain preventive measure to endure the safety of our customers. As part of our security measures, we regularly screen activity in the our system and discovered that the transaction ID 4WR6072127779652U is legitimate and confirmed. So we will require you to send us the Reference Number as requested and as soon as we have confirmed it,your money will be automatically transfer into your account immediately. Please understand that this is a security measure intended to help protect you and the buyer. We apologize for any inconvenience.
We also want you to understand that we have choose this customer care email address as to monitor the transaction between you and and we want you to know that we have to receive the Western Union Scan Receipt so that we can have your account credited with the fund pending. We want you to know that we have many people on our desk that we attend to and many may not understand the new safety policy that is why we have choose to use email to monitor some transaction... So we will greatly appreciate if you could get back to us here so that we can process and credit your account fully.
Be informed that this transaction is only available and can only be tracked and traced via email,so do reply back to us if you have any question about the transaction and not via phone call.
There is a laundry list of clues here telling us that the email is not
- The email addresses in the From: field do not match. Furthermore, the email attempts to explain away the suspiciously non-PayPal-looking email address, but is a little too eager to convince us.
- There is poor grammar throughout the email. While we might accept this in the earlier personal communications it is unlikely in an official form communication.
- The email has been sent to confirm that the transaction is legitimate. Most fraud detection systems warn you when fraud is occurring, they don't bother to issue reassurance when nothing is wrong.
- The payment has been made but will not show in Dave's PayPal account. A perfect way to explain away a payment that never existed.
- Any further communication must be by email because PayPal's phone support personnel won't understand the anti-fraud program. We can safely assume that's because the anti-fraud program does not actually exist.
- It is odd that PayPal, a company whose sole purpose is the transfer of funds would require a customer to use Western Union to transfer funds.
The contents of the other two emails also show some suspicious features:
- Although a shipping company is named the Western Union payment is to be sent to a private individual at a residential address.
- The PayPal images that are included to make the email appear legitimate are actually from third party image hosting sites, not from PayPal.
All of these can tip you off that the scheme is a fraud. Dave, however, used the most powerful anti-fraud tool: common sense.
He realized that the agreed price for the used generator plus the supposed shipping fee was actually more than the cost of a new generator. Why would anyone pay more for an old generator than a new one?
Remember, there are many fraudsters out there but you don't have to be an IT security guru to protect yourself. Just pay attention to what you're doing. If something seems too good to be true or just doesn't make sense then you should keep your money well away from it.Follow @SophosLabs
Elderly typing fingers image from Shutterstock.