You know on the Internet you can be anyone you want to be, right?
Anyone who has spent time playing online games, visiting dating Websites
or online poker rooms knows this. I routinely invent identities that
allow me to accomplish whatever it is I need to do online without
compromising my personal privacy. I use one persona to subscribe to
various news services, another to play online games and another one to
chat with young hackers about their activities and motivations.
It really wouldn’t make sense to go into an IRC chat room and announce
that I’m a network security analyst for one of the choicest hacking
targets in the world, and expect to get any really good scoop out of the
experience. On the other hand, I play ‘Joe stupid hacker wannabe’ pretty
well, when necessary.
The reason I tell you this is to share another, more interesting, event
with you. Recently, I received a certified letter in the U.S. mail
addressed to one of my online aliases. This dispatch contained two
letters and a check. We’ll get to the check in a moment, but the two
letters were very interesting to read.
The first regarded a lottery award claim final notification from an
address in London, Ontario, Canada. According to this letter, I was
awarded a portion of a second-tier lottery prize, based on a ticket
number (with a serial number for validation) and the winning numbers.
Most importantly, my share of this award would be a lump sum payment of
$139,221.76 U.S.
Now, I think this is very cool. The only problem is that I don’t play the
lottery. Ever. And certainly not by alias. I’m pretty sure I didn’t win
anything. But let’s move on to the next letter to shed more light on
things.
The second letter explained that because there were fees and taxes
involved in processing the winnings for this lottery, the award
notification company had arranged for financial sponsors to provide the
necessary funds to release my lottery winnings immediately upon the
completion of the claim process. All I need to do, they tell me, is
provide them with my bank routing numbers for them to arrange a wire
transfer of my winnings to my account. Right. Like that’s going to
happen. Or, maybe they’ll just wait until I deposit the check in my
account, and then they’ll have the routing numbers from the cancelled
check.
Of course, the check itself is probably high-grade rubber, or stolen, or
something else that would cause law enforcement to be interested in me
for bank fraud. At the very least, I would end up getting whacked for
the bounced check charges from my financial institution.
Interestingly enough, it very clearly states in the letter that I should
be careful not to make this award public until after the funds have been
deposited. I wonder why they wouldn’t want me to go to the press about
this major windfall I was planning on turning into a philanthropic
foundation. Maybe I’m supposed to wait until after they’ve emptied my
bank account and ruined my credit.
What’s wrong with this picture?
The phishing people are expanding into new markets to conduct their
scams. They’ve moved steadily into phone scams. We hear about more people
getting phone calls regarding problems with their credit card accounts.
They are informed of fraudulent activity associated with their card, and
the “account manager” needs account data for verification. Believing
the caller is trying to help them, they provide card numbers and
expiration dates over the phone to perfect strangers. They never consider
verifying the caller’s identity or whether they have a legitimate need
for that data.
Now, scam artists have begun to move into other arenas. Surely, people
will think that if they received this letter, signed by a real person
even, it must be true. Look, the letter is even signed in ink. Except,
the person named in the letter doesn’t exist. (Here’s a thought: If the
recipient of an award doesn’t exist, is there any reason why the
originator should?)
I’ve also seen cases where individuals receive a fax addressed to them and
marked “URGENT & CONFIDENTIAL”. It offers great wealth to the person
who will just send their banking data to an individual representing
himself as the Director of Project Implementation for the Ministry of
Energy and Mineral Resources, South Africa. Doesn’t that sound
impressive? A quick Web search on the area code listed in the fax reveals
it was transmitted via a Maritime Satellite phone. Somewhere in
international waters, the South African Director of Project
Implementation wants you to volunteer your financial accounting data.
Another Web search on the name and address of the lottery company in
London, Ontario gave similar results. Not only does the company not
exist, the street in the address does not exist. The phone number is
obviously valid, or how else would they arrange the “payout”?
Fortunately, these people have not escaped the attention of law
enforcement.
The Royal Canadian Mounted Police and U.S. postal regulators continue to
develop leads and investigate individuals involved in these scams. It’s
difficult because the perpetrators running these operations use cellular
telephones and stay one step ahead of investigators.
Now about that check.
It appears to be a legitimate cashier’s check drawn on a well-known U.S.
bank for a significant amount of money. We know the bad guys don’t play
with their own cash, and the check is certainly good enough to pass
muster at most legitimate check cashing institutions. A bank, however,
would probably spot it as a fake. If I were to deposit it into my
checking account, they would still have my bank routing information.
In any event, cashing the check itself is bank fraud and punishable by
federal jail time.