messing up a Paypal scam

37 ways to mess up a PayPal scam

Night at Hellsö marinaI have a boat for sale. The sea is still one of my big passions, but I simply have too little time to use it. So I decided to let it go. I will buy a bigger one later, when and if I have more time. It’s still winter in Finland and all the small boats are on dry land covered by snow. But spring is approaching and the boating fever is spreading. It’s the right time to publish an ad on the net.

Soon I get a mail from a nice young lady. Let’s call her Mrs. Witney De Villiers, as that is what he or she called herself. (Probably a randomly picked false identity, any similarity to real existing persons is purely coincidental.) She was very keen on buying my boat and we had a nice conversation over a couple of days. I did unfortunately not sell the boat, but I got a nice story to tell instead. I will not bother you with all the details, so here’s a shortened version with all the important parts included.

– Hi, I’m in Mexico and I want to buy your boat. How long have you had it? What’s the final price? (Well, I’m in Finland and this is the point where I became more or less convinced that it is a scam.)
– I have had it for five years.
– OK, the price is fine. I want to buy it. Please take down the ad. What’s your PayPal account info so that I can make a payment? I’ll cover the PayPal charges. (Needless to say, the ad remained up.)
– Good news. I can accept wire-transfer which would be a lot cheaper for you than PayPal. (She can’t accept if this is a traditional PayPal scam.)
– Sorry, but I can’t do wire-transfers now. I only have access to PayPal because bla bla blaa …. (Yes, another scam-indicator.)
– OK, I created a PayPal account. Here’s the account info. But there’s some paperwork we need to handle before we proceed. Please fill in the buyer’s part of this attached contract and mail a scanned copy to me. I also need a picture of your photo ID. (The provided PayPal account info was false.)
– Great! I have made the payment. “Check your mail as there should be a confirmation mail from PayPal. I made an extra payment of 3650 € and I’am sure you noticed that, you’ll have to send the extra amount to the Shipping Company through Western Union right away, so that they can come ahead for the pick up and also you should send your address where they have to come for the pick up and also the necessary Western Union Payment Information.” (All the key elements in this very traditional scam becomes visible at this point. This is where you should realize what’s the name of the game, if you haven’t figured it out already. A faked mail from “PayPal” appears in my spam folder.)
– Hold your horses. We need to do the paperwork first. See my previous mail.
– “I want you to know that I have made an arrangement for you to receive the copy of my ID and my other necessary data for the boat. I want you to know that the courier representative coming over for the pick up has all he said documents in an enclosed confidential envelope with him which he will deliver to you in person.”
– Well, we really need to close the deal and have a legally binding agreement before we can arrange for transportation.
– “I understand your concern and certify that all sales is final. Your show of concern has given me a very good fact that you are indeed an honest seller hence, the reason why I am using this medium to confirm to you that all sales is final and I am satisfied with the present condition of the Boat.. so you can now proceed with the western union and get back to the paypal with the western union scan receipt so they can release all the fund into your account immediately..More so, send me a copy of the western union receipt… i look forward to read from you…” (Contract and passport files attached. Oh gosh what a poorly faked British passport!!!)
– Thanks, but you forgot to sign the contract.
– “Oh sorry, I write my name as the signature.. i hope to receive a copy of western union receipt from you today…” (That “signature” was typed, not handwritten.)
– Just want to let you know that I need the SIGNED contract before 3 PM. Otherwise I will not have time to go to the bank. And I’m traveling tomorrow so I will be unable to handle transactions. (To create urgency is a common scammer tactic.😉 )
– “Have signed on the contract.. i wait to read from you with the western union receipt..” (Printed, handwritten and scanned this time. It’s 4 AM in Mexico when this part of the conversation takes place.)
– WTF!!! The bank refused the transaction. The recipient is on some kind of international blacklist, apparently suspected for criminal activities. (Well, I wasn’t completely honest here.)
– “How about you go there and split up the money in to 2 and send on two transaction.”
– I’m certainly NOT going to send any money to a blacklisted company!
– “here is another shipping company info [another private person in US] I wait your story again” (We enter the threatening phase. A while later a mail appears in my spam folder. “PayPal” will take “LEGALACTION” and hand me over to FBI if I don’t pay in 24 h.)
– What are those clowns at PayPal up to now? They talk about some legal action against me even if I haven’t entered into any legally binding agreement to transfer money. Do you have any clue, or maybe I should contact PayPal directly and ask what they think they are doing? (Let’s see how/if they react. Contacting PayPal would reveal the scam instantly.)

Next I got a long mail pointing out how honest this lady is and how keen she is to do business with nice and honest sellers like me. But she can’t unfortunately do anything about the PayPal actions as the purpose of all that is to protect both the seller and buyer. She points out that even a smaller sum would be enough to release the payment into my PayPal account (ok, we are in the bargaining phase). At this point I decided that this blog post is becoming far too long and chose to not respond at all. She didn’t get back to me either. They probably realized that they are not going to get 3650 € from me and gave up.

As you have noticed, I became wary at a pretty early stage. There were several details in this conversation that made me suspicious. 37 to be more precise:

  1. The boat is of a local brand made for the Finnish market and totally unknown pretty much everywhere else. Why did she want this particular brand and model? Boats are also different in Mexico and Finland. My boat would be a real oddity over there.
  2. The boat is far too cheap to make it feasible to ship across the Atlantic.
  3. Smaller boats are inexpensive and widely available in the US. Buying one from Europe would be madness even if shipping was free.
  4. Buyer showed very little interest in the object. A 10 years old boat is not a bulk item. Every such boat has a soul of its own. One would be mad to buy without seeing it.
  5. Only one question was asked about the price. And it was no problem to proceed even if I ignored that question. Well, price doesn’t matter if you have no intention to pay.
  6. The buyer paid a lot more interest in the payment process than in the object of the deal.
  7. The buyer was extremely keen to pay and close the deal, but not to make any official papers that would prove her ownership. It should really be the buyer who cares about the papers and the seller who cares about payment, and not the other way around.
  8. Messages in the beginning of the conversation were very generic boilerplates. They were designed to work for any kind of goods. It doesn’t sound very convincing when selling a boat and the other part insists on talking about “the merchandise”.
  9. No other method of payment worked except PayPal. Naturally, as their scamming technique is based on PayPal.
  10. I’m supposed to make a payment to a courier company, which indeed do exist. The address to receive the payment has however nothing to do with that company. Both courier companies seem to use private persons in US as their billing contacts. Strange.
  11. A common tactic throughout the conversation was to ignore questions and requests that were not part of the script. They were addressed only if they stalled the process.
  12. The buyer had no problem “sending the money” even if the provided PayPal account was false. “PayPal” also had no problem sending mails to this non-existing account holder.
  13. The scam includes sending a fake message from PayPal stating that the money is on hold until the shipping agent has been paid. This fake is obvious if you know how PayPal works or know how to check the sender’s true mail address.
  14. The whole scenario match the very common scam where the victim is lured to pay money to someone and is promised more money later. The Nigerian scams belong to the same group and use a logic that is quite similar.
  15. At one point they claim to be satisfied with the present condition of the boat. They have made no attempt to find out in what condition the boat is.
  16. This Mrs. Witney De Villiers seems to be a true cosmopolitan. She is using an address and phone number in Mexico for this deal but her passport is British. At one point she also mentioned a phone number located in the British Virgin Islands. A Google search revealed that young ladies with an identical picture are living in at least two different places in US, but are using different names.
  17. If the husband of Mrs. De Villiers is still around, then he should do some Googling too. Seems like at least two dating sites have profiles with the photo of his wife.
  18. If you look European and hold a British passport, one could assume that you know English. But I guess that means nothing, people are so sloppy with grammars nowadays …
  19. And the passport. Oh gosh! Where should I start? The name has apparently been replaced, very bluntly, I might add. The first thing that strikes the eye is that the new name is in a different font than the rest of the passport. The font isn’t even close. But they did at least get the color right. All text is black. That’s an achievement considering their overall Photoshop skills!
  20. The background behind the replaced name does not have surface structure that is coherent with the rest of the passport.
  21. They didn’t apparently know how to scale pictures in Photoshop as the passport’s photo is smaller than the place reserved for it. (The photo of “Mrs. De Villiers” can be found on the net with more than sufficient resolution to fill the whole space.)
  22. The empty space around the passport’s too small photo is very badly cloned.
  23. If replacing part of a text line, make sure the new text is vertically aligned with the old text. It looks funny otherwise. Using the same text size also helps. And yes, I mentioned the font already.
  24. The passport’s signature is readable. But wait a minute! It reads Gabriella B and not Witney De Villiers!
  25. The embedded metadata in the passport’s picture file reveals that it isn’t saved by a camera’s firmware. The file comes from Adobe Photoshop CS4 for Windows.
  26. The content of the optically readable bottom lines do not match the standard for passports.
  27. Got a contract with a typed signature instead of handwriting. The habit to handwrite signatures should be fairly well known globally.
  28. When I finally got a signed contract, the signature bears no similarity to the signature in the passport, even if both are supposed to be signed by the same person. They didn’t even try to mimic he signature in the passport.
  29. The signed contract seemed to be scanned with a Konica Minolta multifunction device. “Mrs. De Villiers” mentioned however earlier that one of the reasons why she couldn’t do wire transfers was that she was out boating. Well, she could of course be cruising with a well-equipped boat, but buying mine would be a big step down in that case.
  30.  “Mrs. De Villiers” is very keen to get the receipt of the transport agency payment herself. The faked mails from “PayPal” do however clearly state that it is PayPal who need the receipt to clear the transaction, and not the buyer.
  31. This young lady in Mexico seems to have unusual working hours or staff that works shifts to answer her mail. Replies are received promptly throughout the European working hours.
  32. When the payment is delayed they start to threaten the victim. “PayPal” claims that legal actions will be taken if the payment isn’t made, and the seller hasn’t fulfilled that part of the “agreement”. Interesting in a situation where the seller hasn’t made any legally binding commitments to relay money.
  33. When they enter the threatening phase, they try to use FBI to scare the victim. Finland is not part of the US, which the scammer may or may not know. Looking up the name of the local police, or even using Europol, could have increased the scare-factor. They do mention the “World Law Enforcement Agency”, but selecting an existing agency might have been more effective.
  34. The first threat mail arrive less than 48 h after the initial notification that “PayPal” has a pending transaction. No previous mails do however contain any information about a deadline for the payment or anything about legal consequences if no payment is made.
  35. At one point she started bargaining and suggested that I should send at least some money ASAP and the rest when I have got the money on my account. 20 minutes later I receive a mail form “PayPal” that clearly states that the full 3650 € must be paid before the funds are released. There were many more discrepancies between the messages from “Mrs. De Villiers” and “PayPal” even if both came from the same source.
  36. When the bargaining starts, she mentions that I can pay a smaller part first if I’m short on cash and need to borrow money. Well, a couple of days ago I claimed that I had tried to transfer the whole sum, so it should be clear that I have the money.
  37. Some of their boilerplates seem to have been in use for many years. Googling key phrases will reveal the scam immediately and point to discussions and warnings that are several years old.
Fake passport. Some parts blurred to protect victims of identity theft.

Fake passport. Some parts blurred to protect victims of identity theft.

Sounds hilarious, doesn’t it! The scam is so obvious when presented in this way. And forcing the scammer out of the ready-made script makes the act crack up even more. But the sad fact is that people are lured by these guys daily. A lot of this seems to be done in volume so they must be dealing with a significant number of victims every day. Their way to do business very quickly and easily may seem feasible for smaller bulk items, and may not ring the alarm bells in the same way as when dealing with bigger items. Big or small item, it’s always a good idea to take a critical look at the whole case and look for discrepancies like this. Many of the points listed above are on their own enough to spot the scam. Also make sure that they can’t orchestrate the show on their own. Think about what you need to be able to trust the other part, and be persistent about getting what you want. Reluctance to comply is a pretty strong sign that something is fishy.

The core point for anyone who runs into cases like this is however to understand how the scam works. That’s the key to recognizing it in practice. You are promised money but something must be paid before the transaction can be completed. Sounds familiar? Yes, this is basically the same scenario as in the Nigerian scams. The core of the scam is that the money you are to receive is just a promise, but the money you transfer to someone else is real. The PayPal-based scams may be somewhat more effective as many people trust PayPal. It’s not an official bank, but many people think of it as a bank. You may believe that this trusted party is holding the money and securing the transaction. In reality, all you have got is a faked mail. There is no PayPal transaction and the promised money is just numbers written in the mail.

If you fall for the scam and pay, the scammers will vanish like smoke in thin air. PayPal can’t help you as this has nothing with them to do. The scammers have just misused PayPal’s name. And the payment method used to collect your money is always irreversible and provides no security for the sender.

So to summarize. If you ever consider engaging in a transaction with strangers and where money is relayed through you, you should:

  • Validate the reasons for the transaction. Most proposals of this kind are scams.
  • Make sure that you really know who you are dealing with. Demand proof of identity.
  • Make sure that the money is under your own control before making any payments to others. Cash or a deposit in your own account is pretty safe. (Added: See the comments below for an issue with this.)
  • Make sure that you are not engaging in money laundering.

What really strikes me is how poorly this false buyer’s role is created. Some simple Google searches is all it takes to reveal the scam. And many discrepancies would have been so easy to fix. Are these guys really “America’s dumbest criminals”?

Maybe, maybe not. The point is probably that you need to be suspicious before you turn to Google. And once there you will find descriptions of this type of scam no matter how well the scammers have tried to eliminate discrepancies in their story. So once you get suspicious, it’s game over for the scammers anyway. The most profitable tactic for them is maybe to run the scam en masse without caring about the details, and just harvest those who won’t get suspicious until it’s too late. Or maybe they’re just stupid and can’t do any better? (Believing that anyone would fall for that fake passport would indicate the latter.)

Well, the boat is still for sale. Anyone interested?

Safe surfing,
Micke

Message from "PayPal". Note the sender's address and the scam warning. The warning is actually authentic and copied from real PayPal messages. This may be good advice against phishers, who just know the mail address but not the victims real name. All "PayPal" mails in this case had the correct name in the beginning.

Message from “PayPal”. Note the sender’s address and the scam warning. The warning is actually authentic and copied from real PayPal messages. This may be good advice against phishers, who just know the mail address but not the victims real name. All “PayPal” mails in this case had the correct name in the beginning.

More posts from this topic

Porn blog post image

4 People who can see what Porn you Watch, and 4 Tips to Stop it

In the grand scheme of things, there certainly are more important facets to online privacy than keeping one’s porn habits private (government overreach, identity theft, credit card fraud to name a few). However, adult browsing histories are one of the secrets in their online lives people want to protect the most, so it might be disconcerting to know that porn browsing is not as private as one might think. A large majority of web users are lulled into a false sense of security by incognito mode or private browsing, but this is only one of the steps needed toward becoming private online. Here are a few people who have access to this info, along  with a few easy tips that can be taken to prevent this from happening. 1. Anyone on the same hotspot No one is suggesting you should watch porn at your local coffee shop (in fact, please don’t). However, what people surf in places like the privacy of their hotel room should probably stay there. With that in mind, the following statement might be more than a little disconcerting: What you do on Wi-Fi can be usually be seen by pretty much anyone connected to that hotspot. It doesn't require great hacking skills to see what other people connected to the same network are doing. Only traffic on encrypted websites starting with https is always secure, and almost no adult sites fall under this category. 2. Foreign web service providers When traveling, it's easy to forget that what might be culturally acceptable in one country can land you in hot water with the authorities in another. Whether on public Wi-Fi or roaming on the network of a foreign internet service provider, they may be bound by law to report anyone surfing adult material. The personal freedom we enjoy to surf anything we want online is so second nature to many of us by now, we easily forget the same isn't true for others. 3. Analytics and advertisers (often one and the same) It might not bee too surprising to hear that most companies aren't exactly jumping at the chance to be associated with adult websites. For this reason, networks that serve ads to adult websites don't serve ads to "normal" websites, making porn sites mostly self-contained when it comes to using your private information for advertising purposes. Unfortunately, your adult browsing can still be connected to you. Many adult websites implement analytic services, as well as "like" and "share" buttons, that feed into major advertisers such as Google and Facebook. 4. Your employer (in the U.S. and many other countries) Now, we are DEFINITELY not suggesting you watch naughty stuff at work. I mean, they call it NSFW for a reason. However, that doesn’t change the fact that in some countries, companies have an uncomfortable amount of rights to spy on their workers. It’s natural that employers don’t want their workers doing anything illegal, but you still have a right to privacy, even on a work network. What are your options? So what can you do to prevent privacy intrusions? The first and most obvious choice is to not supply any personal information to adult websites. A lot of porn sites require registration in order to comment on videos (if that's your thing) or to view content in higher quality. Keeping a separate email address for adult websites is therefore highly recommended. The other obvious choice is to always have private browsing on, as this prevents cookie-based tracking and embarrassing browsing histories from being saved on your computer. A slightly more technical but still very easy tip is to disable JavaScript from your browser settings while surfing adult websites. A lot of websites don't function without JavaScript, but all the adult websites we tried for research purposes work just fine. JavaScript makes it much easier  to do something called device fingerprinting. This frustratingly intrusive method of snooping involves the use of scripts to identify your computer based on variables such as your screen size, operating system and number of installed fonts. It might not seem like it, but there are enough variables to make most devices in the world completely unique. But the simplest and most efficient method of controlling your privacy is to use a VPN. A VPN (virtual private network) encrypts all your traffic, meaning no one is able to intercept it and see what sites you visit or what you download. It also hides your real IP address, the unique number which can easily be used to identify you online. A top-tier VPN like Freedome also contains extra features like anti-tracking to stop advertising networks from identifying you, and malware protection to automatically block webpages that contain malicious code. The app is easy to use, and available on most platforms. Online privacy is not a difficult or expensive  goal to achieve, and by following these few steps you will be able to surf what you want without worry.

June 13, 2016
BY 
Could the Sony and Hacking Team hacks have been detected sooner?

Hacks in the Headlines: Two Huge Breaches That Could Have Been Detected

The Sony hack of late 2014 sent shock waves through Hollywood that rippled out into the rest of the world for months. The ironic hack of the dubious surveillance software company Hacking Team last summer showed no one is immune to a data breach - not even a company that specializes in breaking into systems. After a big hack, some of the first questions asked are how the attacker got in, and whether it could have been prevented. But today we're asking a different question: whether, once the attacker was already in the network, the breach could have been detected. And stopped. Here's why: Advanced attacks like the ones that hit Sony and Hacking Team are carried out by highly skilled attackers who specifically target a certain organization. Preventive measures block the great majority of threats out there, but advanced attackers know how to get around a company's defenses. The better preventive security a company has in place, the harder it will be to get in…but the most highly skilled, highly motivated attackers will still find a way in somehow. That's where detection comes in. Thinking like an attacker If an attacker does get through a company's defensive walls, it's critical to be able detect their presence as early as possible, to limit the damage they can do. There has been no official confirmation of when Sony's actual breach first took place, but some reports say the company had been breached for a year before the attackers froze up Sony's systems and began leaking volumes of juicy info about the studio's inner workings. That's a long time for someone to be roaming around in a network, harvesting data. So how does one detect an attacker inside a network? By thinking like an attacker. And thinking like an attacker requires having a thorough knowledge of how attackers work, to be able to spot their telltale traces and distinguish them from legitimate users. Advanced or APT (Advanced Persistent Threat) attacks differ depending on the situation and the goals of the attacker, but in general their attacks tend to follow a pattern. Once they've chosen a target company and performed reconnaissance to find out more about the company and how to best compromise it, their attacks generally cover the following phases: 1. Gain a foothold. The first step is to infect a machine within the organization. This is typically done by exploiting software vulnerabilities on servers or endpoints, or by using social engineering tactics such as phishing, spear-phishing, watering holes, or man-in-the-middle attacks. 2. Achieve persistence. The initial step must also perform some action that lets the attacker access the system later at will. This means a persistent component that creates a backdoor the attacker can re-enter through later. 3. Perform network reconnaissance. Gather information about the initial compromised system and the whole network to figure out where and how to advance in the network. 4. Lateral movement. Gain access to further systems as needed, depending on what the goal of the attack is. Steps 2-4 are then repeated as needed to gain access to the target data or system. 5. Collect target data. Identify and collect files, credentials, emails, and other forms of intercepted communications. 6. Exfiltrate target data. Copy data to the attackers via network. Steps 5 and 6 can also happen in small increments over time. In some cases these steps are augmented with sabotaging data or systems. 7. Cover tracks. Evidence of what was done and how it was done is easily erased by deleting and modifying logs and file access times. This can happen throughout the attack, not just at the end. For each phase, there are various tactics, techniques and procedures attackers use to accomplish the task as covertly as possible. Combined with an awareness and visibility of what is happening throughout the network, knowledge of these tools and techniques is what will enable companies to detect attackers in their networks and stop them in their tracks. Following the signs Sony may have been breached for a year, but signs of the attack were there all along. Perhaps these signs just weren't being watched for - or perhaps they were missed. The attackers tried to cover their tracks (step 7) with two specific tools that forged logs and file access and creation times - tools that could have been detected as being suspicious. These tools were used throughout the attack, not just at the end, so detection would have happened well before all the damage was done, saving Sony and its executives much embarrassment, difficult PR, lost productivity, and untold millions of dollars. In the case of Hacking Team, the hacker known as Phineas Fisher used a network scanner called nmap, a common network scanning tool, to gather information about the organization’s internal network and figure out how to advance the attack (step 3). Nmap activity on a company internal network should be flagged as a suspicious activity. For moving inside the network, step 4, he used methods based on the built-in Windows management framework, PowerShell, and the well-known tool psexec from SysInternals. These techniques could also potentially have been picked up on from the way they were used that would differ from a legitimate user. These are just a few examples of how a knowledge of how attackers work can be used to detect and stop them. In practice, F-Secure does this with a new service we've just launched called Rapid Detection Service. The service uses a combination of human and machine intelligence to monitor what's going on inside a company network and detect suspicious behavior. Our promise is that once we've detected a breach, we'll alert the company within 30 minutes. They'll find out about it first from us, not from the headlines. One F-Secure analyst sums it up nicely: "The goal is to make it impossible for an attacker to wiggle his way from an initial breach to his eventual goal." After all, breaches do happen. The next step, then, is to be prepared.   Photo: Getty Images

May 31, 2016
BY 
Sports Cartoon

3 Easy Steps to Stream your Favorite Sports Events, Wherever you are

It’s going to be a busy month for sports lovers from all corners of the world. Hockey fans are currently being treated to both the NHL playoffs and the IIHF world cup, and the coming month will see things like the Champions League final, the US Masters, the NBA playoffs, and to top it all off, the European Championships in football. This presents a problem for many of us. Particularly during the summer, we travel a lot and just might be unable to find a TV screen showing our favorite events. So does this mean we have to miss Kevin Durant sink yet another 3-pointer or be content with next-day highlights of the CL final between Real and Atletico? Thankfully not! The internet allows us to stream games online and watch your favorite matches anywhere, whether at home or under a beach umbrella. Unfortunately, your excitement can often be hindered by messages like “Sorry, this content is unavailable in your country.” This is known as geo-blocking, where the services check your IP address (the unique address of your device) and only allow access if it is located in a specific country. The obvious solution then is to change your IP address to a country where you can access the service. And the easiest and quickest way to do this is with a VPN. How Freedome VPN works The way VPNs work is very simple. Instead of connecting to the internet directly, a VPN first directs your traffic into a secure and private tunnel. The rest of the web won’t see where your traffic enters the tunnel, making your real location and IP address hidden. A VPN like Freedome also lets you choose where the other end of that tunnel is, and THIS determines where any website will think you are. Pretending to be virtually in another country is that simple! How to use Freedome VPN to stream sports Follow these simple instructions to watch your favorite sports live everywhere! Download and install Freedome VPN In the Freedome app, tap the location at the bottom of the screen, and choose your home country where the stream you want to see is available Navigate to the website of the streaming service or search for a legal live stream of the sports event online If on a mobile device, remember to turn “location” off, as some websites use this as an additional method of pinpointing your location It’s as simple as that! More about Freedome VPN Freedome is a hybrid VPN, available for both mobile and desktop platforms. In addition to letting users access content restricted to other countries, it protects your anonymity from websites you visit, and prevents even your internet service provider from snooping on your online activities. There are even a few features lacking in other VPN products, such as automatic blocking of intrusive tracking by advertisers, and protection from malicious websites. Get Freedome from our website to enjoy unrestricted access to the internet while protecting your privacy on the side!

May 16, 2016
BY