I have a boat for sale. The sea is still one of my big passions, but I simply have too little time to use it. So I decided to let it go. I will buy a bigger one later, when and if I have more time. It’s still winter in Finland and all the small boats are on dry land covered by snow. But spring is approaching and the boating fever is spreading. It’s the right time to publish an ad on the net.
Soon I get a mail from a nice young lady. Let’s call her Mrs. Witney De Villiers, as that is what he or she called herself. (Probably a randomly picked false identity, any similarity to real existing persons is purely coincidental.) She was very keen on buying my boat and we had a nice conversation over a couple of days. I did unfortunately not sell the boat, but I got a nice story to tell instead. I will not bother you with all the details, so here’s a shortened version with all the important parts included.
- Hi, I’m in Mexico and I want to buy your boat. How long have you had it? What’s the final price? (Well, I’m in Finland and this is the point where I became more or less convinced that it is a scam.)
– I have had it for five years.
– OK, the price is fine. I want to buy it. Please take down the ad. What’s your PayPal account info so that I can make a payment? I’ll cover the PayPal charges. (Needless to say, the ad remained up.)
– Good news. I can accept wire-transfer which would be a lot cheaper for you than PayPal. (She can’t accept if this is a traditional PayPal scam.)
– Sorry, but I can’t do wire-transfers now. I only have access to PayPal because bla bla blaa …. (Yes, another scam-indicator.)
– OK, I created a PayPal account. Here’s the account info. But there’s some paperwork we need to handle before we proceed. Please fill in the buyer’s part of this attached contract and mail a scanned copy to me. I also need a picture of your photo ID. (The provided PayPal account info was false.)
– Great! I have made the payment. “Check your mail as there should be a confirmation mail from PayPal. I made an extra payment of 3650 € and I’am sure you noticed that, you’ll have to send the extra amount to the Shipping Company through Western Union right away, so that they can come ahead for the pick up and also you should send your address where they have to come for the pick up and also the necessary Western Union Payment Information.” (All the key elements in this very traditional scam becomes visible at this point. This is where you should realize what’s the name of the game, if you haven’t figured it out already. A faked mail from “PayPal” appears in my spam folder.)
– Hold your horses. We need to do the paperwork first. See my previous mail.
– “I want you to know that I have made an arrangement for you to receive the copy of my ID and my other necessary data for the boat. I want you to know that the courier representative coming over for the pick up has all he said documents in an enclosed confidential envelope with him which he will deliver to you in person.”
– Well, we really need to close the deal and have a legally binding agreement before we can arrange for transportation.
– “I understand your concern and certify that all sales is final. Your show of concern has given me a very good fact that you are indeed an honest seller hence, the reason why I am using this medium to confirm to you that all sales is final and I am satisfied with the present condition of the Boat.. so you can now proceed with the western union and get back to the paypal with the western union scan receipt so they can release all the fund into your account immediately..More so, send me a copy of the western union receipt… i look forward to read from you…” (Contract and passport files attached. Oh gosh what a poorly faked British passport!!!)
– Thanks, but you forgot to sign the contract.
– “Oh sorry, I write my name as the signature.. i hope to receive a copy of western union receipt from you today…” (That “signature” was typed, not handwritten.)
– Just want to let you know that I need the SIGNED contract before 3 PM. Otherwise I will not have time to go to the bank. And I’m traveling tomorrow so I will be unable to handle transactions. (To create urgency is a common scammer tactic. ;) )
– “Have signed on the contract.. i wait to read from you with the western union receipt..” (Printed, handwritten and scanned this time. It’s 4 AM in Mexico when this part of the conversation takes place.)
– WTF!!! The bank refused the transaction. The recipient is on some kind of international blacklist, apparently suspected for criminal activities. (Well, I wasn’t completely honest here.)
– “How about you go there and split up the money in to 2 and send on two transaction.”
– I’m certainly NOT going to send any money to a blacklisted company!
– “here is another shipping company info [another private person in US] I wait your story again” (We enter the threatening phase. A while later a mail appears in my spam folder. “PayPal” will take “LEGALACTION” and hand me over to FBI if I don’t pay in 24 h.)
– What are those clowns at PayPal up to now? They talk about some legal action against me even if I haven’t entered into any legally binding agreement to transfer money. Do you have any clue, or maybe I should contact PayPal directly and ask what they think they are doing? (Let’s see how/if they react. Contacting PayPal would reveal the scam instantly.)
Next I got a long mail pointing out how honest this lady is and how keen she is to do business with nice and honest sellers like me. But she can’t unfortunately do anything about the PayPal actions as the purpose of all that is to protect both the seller and buyer. She points out that even a smaller sum would be enough to release the payment into my PayPal account (ok, we are in the bargaining phase). At this point I decided that this blog post is becoming far too long and chose to not respond at all. She didn’t get back to me either. They probably realized that they are not going to get 3650 € from me and gave up.
As you have noticed, I became wary at a pretty early stage. There were several details in this conversation that made me suspicious. 37 to be more precise:
Sounds hilarious, doesn’t it! The scam is so obvious when presented in this way. And forcing the scammer out of the ready-made script makes the act crack up even more. But the sad fact is that people are lured by these guys daily. A lot of this seems to be done in volume so they must be dealing with a significant number of victims every day. Their way to do business very quickly and easily may seem feasible for smaller bulk items, and may not ring the alarm bells in the same way as when dealing with bigger items. Big or small item, it’s always a good idea to take a critical look at the whole case and look for discrepancies like this. Many of the points listed above are on their own enough to spot the scam. Also make sure that they can’t orchestrate the show on their own. Think about what you need to be able to trust the other part, and be persistent about getting what you want. Reluctance to comply is a pretty strong sign that something is fishy.
The core point for anyone who runs into cases like this is however to understand how the scam works. That’s the key to recognizing it in practice. You are promised money but something must be paid before the transaction can be completed. Sounds familiar? Yes, this is basically the same scenario as in the Nigerian scams. The core of the scam is that the money you are to receive is just a promise, but the money you transfer to someone else is real. The PayPal-based scams may be somewhat more effective as many people trust PayPal. It’s not an official bank, but many people think of it as a bank. You may believe that this trusted party is holding the money and securing the transaction. In reality, all you have got is a faked mail. There is no PayPal transaction and the promised money is just numbers written in the mail.
If you fall for the scam and pay, the scammers will vanish like smoke in thin air. PayPal can’t help you as this has nothing with them to do. The scammers have just misused PayPal’s name. And the payment method used to collect your money is always irreversible and provides no security for the sender.
So to summarize. If you ever consider engaging in a transaction with strangers and where money is relayed through you, you should:
What really strikes me is how poorly this false buyer’s role is created. Some simple Google searches is all it takes to reveal the scam. And many discrepancies would have been so easy to fix. Are these guys really “America’s dumbest criminals”?
Maybe, maybe not. The point is probably that you need to be suspicious before you turn to Google. And once there you will find descriptions of this type of scam no matter how well the scammers have tried to eliminate discrepancies in their story. So once you get suspicious, it’s game over for the scammers anyway. The most profitable tactic for them is maybe to run the scam en masse without caring about the details, and just harvest those who won’t get suspicious until it’s too late. Or maybe they’re just stupid and can’t do any better? (Believing that anyone would fall for that fake passport would indicate the latter.)
Well, the boat is still for sale. Anyone interested?
If you like sailing and tall ships, I can recommend this podcast about Pam Bitterman’s book Sailing to the far horizon. It’s a great story about the last years of the community-operated ship Sofia, covering both a lot of happy sailing and the ship’s sad end in the early eighties. But this is not about hippies on a ship, it’s about how we record and remember our lives. In the podcast Pam tells us how the book was made possible by her parents saving her letters home. Perhaps they had a hunch that this story will be written down one day. Going on to state that e-mails and phone calls wouldn’t have been saved that way. That’s a very interesting point that should make us think. At least it made me think about what we will remember about our lives in, say, twenty years? We collect more info about what we are doing than ever before. We shoot digital pictures all the time and post status updates on Facebook. We are telling the world where we are, what we are doing and what we feel. Maybe in a way that is shallower than letters home, but we sample our lives at a very granular rate. The real question is however how persistent this data is? If we later realize we have experienced something unique enough to write a book about, have our digital life left enough traces to support us? Pam wrote the book about Sofia some twenty years later. A twenty year old paper is still young, but that’s an eternity in the digital world. Will you still be on the same social media service? Do you still have the same account or have you lost it. Does the service even exist? And what about your e-mails, have you saved them? How are your digital photos archived? You may even have cleaned up yourself to fit everything into a cheaper cloud account. Here’s something to keep in mind about retaining your digital life. Realize the value of your personal records. You may fail to see the value in single Facebook posts, but they may still form a valuable wholeness. If you save it you can choose to use it or not in the future. If you lose it you have no choice. Make sure you don’t lose access to your mail, social media and cloud storage accounts. That would force you to start fresh, which usually means data loss. Always register a secondary mail address in the services. That will help you recover if you forget the password. Use a password manager to avoid losing the password in the first place. Redundancy is your friend. Do not store important data in a single location. The ideal strategy is to store your files both on a local computer and in a cloud account. It provides redundancy and also stores data in several geographically separated locations. This is easy with younited because you can set it to automatically back up selected folders. Mail accounts have limited capacity and you can’t keep stuff forever. Don’t delete your correspondence. Check your mail client instead for a function that archives your mail to local storage. Check your social media service for a way to download a copy of your stuff. In Facebook you can currently find this function under Settings / General. It’s good to do this regularly, and you should at least do it if you plan to close your account and go elsewhere. Migrate your data when switching to a new computer or another cloud service. It might be tricky and take some time, but it is worth it. Do not see it as a great opportunity to start fresh and get rid of "old junk". If you are somewhat serious about digital photography, you should get familiar with DAM. That means Digital Asset Management. This book is a good start. Pam did not have a book in mind when she crossed the Pacific. But she was lucky and her parents helped her retain the memories. You will not be that lucky. Don’t expect your friends on Facebook to archive posts for you, you have to do it yourself. You may not think you’ll ever need the stuff, just like Pam couldn’t see the book coming when onboard Sofia. But you never know what plans the future has for you. When you least expect it, you might find yourself in a developing adventure. Make yourself a favor and don’t lose any digital memories. Safe surfing, Micke
Yet another high-profile vulnerability in the headlines, Shellshock. This one could be a big issue. The crap could really hit the fan big time if someone creates a worm that infects servers, and that is possible. But the situation seems to be brighter for us ordinary users. The affected component is the Unix/Linux command shell Bash, which is only used by nerdy admins. It is present in Macs as well, but they seem to be unaffected. Linux-based Android does not use Bash and Windows is a totally different world. So we ordinary users can relax and forget about this one. We are not affected. Right? WRONG! Where is your cloud content stored? What kind of software is used to protect your login and password, credit card number, your mail correspondence, your social media updates and all other personal info you store in web-based systems? Exactly. A significant part of that may be on systems that are vulnerable to Shellshock, and that makes you vulnerable. The best protection against vulnerabilities on your own devices is to make sure the automatic update services are enabled and working. That is like outsourcing the worries to professionals, they will create and distribute fixes when vulnerabilities are found. But what about the servers? You have no way to affect how they are managed, and you don’t even know if the services you use are affected. Is there anything you can do? Yes, but only indirectly. This issue is an excellent reminder of some very basic security principles. We have repeated them over and over, but they deserve to be repeated once again now. You can’t control how your web service providers manage their servers, but you can choose which providers you trust. Prefer services that are managed professionally. Remember that you always can, and should, demand more from services you pay for. Never reuse your password on different services. This will not prevent intrusions, but it will limit the damage when someone breaks into the system. You may still be hurt by a Shellshock-based intrusion even if you do this, but the risk should be small and the damage limited. Anyway, you know you have done your part, and its bad luck if an incident hurts you despite that. Safe surfing, Micke PS. The best way to evaluate a service provider’s security practices is to see how they deal with security incidents. It tells a lot about their attitude, which is crucial in all security work. An incident is bad, but a swift, accurate and open response is very good. Addition on September 30th. Contrary to what's stated above, Mac computers seem to be affected and Apple has released a patch. It's of course important to keep your device patched, but this does not really affect the main point of this article. Your cloud content is valuable and part of that may be on vulnerable servers.
On Tuesday Apple announced its latest iPhone models and a new piece of wearable technology some have been anxiously waiting for -- Apple Watch. TechRadar describes the latest innovation from Cupertino as "An iOS 8-friendly watch that plays nice with your iPhone." And if it works like your iPhone, you can expect that it will free of all mobile malware threats, unless you decide to "jailbreak" it. The latest F-Secure Labs Threat Report clears up one big misconception about iOS malware: It does exist, barely. In the first half of 2014, 295 new families and variants or mobile malware were discovered – 294 on Android and one on iOS. iPhone users can face phishing scams and Wi-Fi hijacking, which is why we created our Freedome VPN, but the threat of getting a bad app on your iOS device is almost non-existent. "Unlike Android, malware on iOS have so far only been effective against jailbroken devices, making the jailbreak tools created by various hacker outfits (and which usually work by exploiting undocumented bugs in the platform) of interest to security researchers," the report explains. The iOS threat that was found earlier this year, Unflod Baby Panda, was designed to listen to outgoing SSL connections in order to steal the device’s Apple ID and password details. Apple ID and passwords have been in the news recently as they may have played a role in a series of hacks of celebrity iCloud accounts that led to the posting of dozens of private photos. Our Mikko Hypponen explained in our latest Threat Report Webinar that many users have been using these accounts for years, mostly to purchase items in the iTunes store, without realizing how much data they were actually protecting. But Unflod Baby Panda is very unlikely to have played any role in the celebrity hacks, as "jailbreaking" a device is still very rare. Few users know about the hack that gives up the protection of the "closed garden" approach of the iOS app store, which has been incredibly successful in keeping malware off the platform, especially compared to the more open Android landscape. The official Play store has seen some infiltration by bad apps, adware and spamware -- as has the iOS app store to a far lesser degree -- but the majority of Android threats come from third-party marketplaces, which is why F-Secure Labs recommends you avoid them. The vast majority of iPhone owners have never had to worry about malware -- and if the Apple Watch employs the some tight restrictions on apps, the device will likely be free of security concerns. However, having a watch with the power of a smartphone attached to your body nearly twenty-four hours a day promises to introduce privacy questions few have ever considered.