messing up a Paypal scam

37 ways to mess up a PayPal scam

Night at Hellsö marinaI have a boat for sale. The sea is still one of my big passions, but I simply have too little time to use it. So I decided to let it go. I will buy a bigger one later, when and if I have more time. It’s still winter in Finland and all the small boats are on dry land covered by snow. But spring is approaching and the boating fever is spreading. It’s the right time to publish an ad on the net.

Soon I get a mail from a nice young lady. Let’s call her Mrs. Witney De Villiers, as that is what he or she called herself. (Probably a randomly picked false identity, any similarity to real existing persons is purely coincidental.) She was very keen on buying my boat and we had a nice conversation over a couple of days. I did unfortunately not sell the boat, but I got a nice story to tell instead. I will not bother you with all the details, so here’s a shortened version with all the important parts included.

– Hi, I’m in Mexico and I want to buy your boat. How long have you had it? What’s the final price? (Well, I’m in Finland and this is the point where I became more or less convinced that it is a scam.)
– I have had it for five years.
– OK, the price is fine. I want to buy it. Please take down the ad. What’s your PayPal account info so that I can make a payment? I’ll cover the PayPal charges. (Needless to say, the ad remained up.)
– Good news. I can accept wire-transfer which would be a lot cheaper for you than PayPal. (She can’t accept if this is a traditional PayPal scam.)
– Sorry, but I can’t do wire-transfers now. I only have access to PayPal because bla bla blaa …. (Yes, another scam-indicator.)
– OK, I created a PayPal account. Here’s the account info. But there’s some paperwork we need to handle before we proceed. Please fill in the buyer’s part of this attached contract and mail a scanned copy to me. I also need a picture of your photo ID. (The provided PayPal account info was false.)
– Great! I have made the payment. “Check your mail as there should be a confirmation mail from PayPal. I made an extra payment of 3650 € and I’am sure you noticed that, you’ll have to send the extra amount to the Shipping Company through Western Union right away, so that they can come ahead for the pick up and also you should send your address where they have to come for the pick up and also the necessary Western Union Payment Information.” (All the key elements in this very traditional scam becomes visible at this point. This is where you should realize what’s the name of the game, if you haven’t figured it out already. A faked mail from “PayPal” appears in my spam folder.)
– Hold your horses. We need to do the paperwork first. See my previous mail.
– “I want you to know that I have made an arrangement for you to receive the copy of my ID and my other necessary data for the boat. I want you to know that the courier representative coming over for the pick up has all he said documents in an enclosed confidential envelope with him which he will deliver to you in person.”
– Well, we really need to close the deal and have a legally binding agreement before we can arrange for transportation.
– “I understand your concern and certify that all sales is final. Your show of concern has given me a very good fact that you are indeed an honest seller hence, the reason why I am using this medium to confirm to you that all sales is final and I am satisfied with the present condition of the Boat.. so you can now proceed with the western union and get back to the paypal with the western union scan receipt so they can release all the fund into your account immediately..More so, send me a copy of the western union receipt… i look forward to read from you…” (Contract and passport files attached. Oh gosh what a poorly faked British passport!!!)
– Thanks, but you forgot to sign the contract.
– “Oh sorry, I write my name as the signature.. i hope to receive a copy of western union receipt from you today…” (That “signature” was typed, not handwritten.)
– Just want to let you know that I need the SIGNED contract before 3 PM. Otherwise I will not have time to go to the bank. And I’m traveling tomorrow so I will be unable to handle transactions. (To create urgency is a common scammer tactic. ;) )
– “Have signed on the contract.. i wait to read from you with the western union receipt..” (Printed, handwritten and scanned this time. It’s 4 AM in Mexico when this part of the conversation takes place.)
– WTF!!! The bank refused the transaction. The recipient is on some kind of international blacklist, apparently suspected for criminal activities. (Well, I wasn’t completely honest here.)
– “How about you go there and split up the money in to 2 and send on two transaction.”
– I’m certainly NOT going to send any money to a blacklisted company!
– “here is another shipping company info [another private person in US] I wait your story again” (We enter the threatening phase. A while later a mail appears in my spam folder. “PayPal” will take “LEGALACTION” and hand me over to FBI if I don’t pay in 24 h.)
– What are those clowns at PayPal up to now? They talk about some legal action against me even if I haven’t entered into any legally binding agreement to transfer money. Do you have any clue, or maybe I should contact PayPal directly and ask what they think they are doing? (Let’s see how/if they react. Contacting PayPal would reveal the scam instantly.)

Next I got a long mail pointing out how honest this lady is and how keen she is to do business with nice and honest sellers like me. But she can’t unfortunately do anything about the PayPal actions as the purpose of all that is to protect both the seller and buyer. She points out that even a smaller sum would be enough to release the payment into my PayPal account (ok, we are in the bargaining phase). At this point I decided that this blog post is becoming far too long and chose to not respond at all. She didn’t get back to me either. They probably realized that they are not going to get 3650 € from me and gave up.

As you have noticed, I became wary at a pretty early stage. There were several details in this conversation that made me suspicious. 37 to be more precise:

  1. The boat is of a local brand made for the Finnish market and totally unknown pretty much everywhere else. Why did she want this particular brand and model? Boats are also different in Mexico and Finland. My boat would be a real oddity over there.
  2. The boat is far too cheap to make it feasible to ship across the Atlantic.
  3. Smaller boats are inexpensive and widely available in the US. Buying one from Europe would be madness even if shipping was free.
  4. Buyer showed very little interest in the object. A 10 years old boat is not a bulk item. Every such boat has a soul of its own. One would be mad to buy without seeing it.
  5. Only one question was asked about the price. And it was no problem to proceed even if I ignored that question. Well, price doesn’t matter if you have no intention to pay.
  6. The buyer paid a lot more interest in the payment process than in the object of the deal.
  7. The buyer was extremely keen to pay and close the deal, but not to make any official papers that would prove her ownership. It should really be the buyer who cares about the papers and the seller who cares about payment, and not the other way around.
  8. Messages in the beginning of the conversation were very generic boilerplates. They were designed to work for any kind of goods. It doesn’t sound very convincing when selling a boat and the other part insists on talking about “the merchandise”.
  9. No other method of payment worked except PayPal. Naturally, as their scamming technique is based on PayPal.
  10. I’m supposed to make a payment to a courier company, which indeed do exist. The address to receive the payment has however nothing to do with that company. Both courier companies seem to use private persons in US as their billing contacts. Strange.
  11. A common tactic throughout the conversation was to ignore questions and requests that were not part of the script. They were addressed only if they stalled the process.
  12. The buyer had no problem “sending the money” even if the provided PayPal account was false. “PayPal” also had no problem sending mails to this non-existing account holder.
  13. The scam includes sending a fake message from PayPal stating that the money is on hold until the shipping agent has been paid. This fake is obvious if you know how PayPal works or know how to check the sender’s true mail address.
  14. The whole scenario match the very common scam where the victim is lured to pay money to someone and is promised more money later. The Nigerian scams belong to the same group and use a logic that is quite similar.
  15. At one point they claim to be satisfied with the present condition of the boat. They have made no attempt to find out in what condition the boat is.
  16. This Mrs. Witney De Villiers seems to be a true cosmopolitan. She is using an address and phone number in Mexico for this deal but her passport is British. At one point she also mentioned a phone number located in the British Virgin Islands. A Google search revealed that young ladies with an identical picture are living in at least two different places in US, but are using different names.
  17. If the husband of Mrs. De Villiers is still around, then he should do some Googling too. Seems like at least two dating sites have profiles with the photo of his wife.
  18. If you look European and hold a British passport, one could assume that you know English. But I guess that means nothing, people are so sloppy with grammars nowadays …
  19. And the passport. Oh gosh! Where should I start? The name has apparently been replaced, very bluntly, I might add. The first thing that strikes the eye is that the new name is in a different font than the rest of the passport. The font isn’t even close. But they did at least get the color right. All text is black. That’s an achievement considering their overall Photoshop skills!
  20. The background behind the replaced name does not have surface structure that is coherent with the rest of the passport.
  21. They didn’t apparently know how to scale pictures in Photoshop as the passport’s photo is smaller than the place reserved for it. (The photo of “Mrs. De Villiers” can be found on the net with more than sufficient resolution to fill the whole space.)
  22. The empty space around the passport’s too small photo is very badly cloned.
  23. If replacing part of a text line, make sure the new text is vertically aligned with the old text. It looks funny otherwise. Using the same text size also helps. And yes, I mentioned the font already.
  24. The passport’s signature is readable. But wait a minute! It reads Gabriella B and not Witney De Villiers!
  25. The embedded metadata in the passport’s picture file reveals that it isn’t saved by a camera’s firmware. The file comes from Adobe Photoshop CS4 for Windows.
  26. The content of the optically readable bottom lines do not match the standard for passports.
  27. Got a contract with a typed signature instead of handwriting. The habit to handwrite signatures should be fairly well known globally.
  28. When I finally got a signed contract, the signature bears no similarity to the signature in the passport, even if both are supposed to be signed by the same person. They didn’t even try to mimic he signature in the passport.
  29. The signed contract seemed to be scanned with a Konica Minolta multifunction device. “Mrs. De Villiers” mentioned however earlier that one of the reasons why she couldn’t do wire transfers was that she was out boating. Well, she could of course be cruising with a well-equipped boat, but buying mine would be a big step down in that case.
  30.  “Mrs. De Villiers” is very keen to get the receipt of the transport agency payment herself. The faked mails from “PayPal” do however clearly state that it is PayPal who need the receipt to clear the transaction, and not the buyer.
  31. This young lady in Mexico seems to have unusual working hours or staff that works shifts to answer her mail. Replies are received promptly throughout the European working hours.
  32. When the payment is delayed they start to threaten the victim. “PayPal” claims that legal actions will be taken if the payment isn’t made, and the seller hasn’t fulfilled that part of the “agreement”. Interesting in a situation where the seller hasn’t made any legally binding commitments to relay money.
  33. When they enter the threatening phase, they try to use FBI to scare the victim. Finland is not part of the US, which the scammer may or may not know. Looking up the name of the local police, or even using Europol, could have increased the scare-factor. They do mention the “World Law Enforcement Agency”, but selecting an existing agency might have been more effective.
  34. The first threat mail arrive less than 48 h after the initial notification that “PayPal” has a pending transaction. No previous mails do however contain any information about a deadline for the payment or anything about legal consequences if no payment is made.
  35. At one point she started bargaining and suggested that I should send at least some money ASAP and the rest when I have got the money on my account. 20 minutes later I receive a mail form “PayPal” that clearly states that the full 3650 € must be paid before the funds are released. There were many more discrepancies between the messages from “Mrs. De Villiers” and “PayPal” even if both came from the same source.
  36. When the bargaining starts, she mentions that I can pay a smaller part first if I’m short on cash and need to borrow money. Well, a couple of days ago I claimed that I had tried to transfer the whole sum, so it should be clear that I have the money.
  37. Some of their boilerplates seem to have been in use for many years. Googling key phrases will reveal the scam immediately and point to discussions and warnings that are several years old.
Fake passport. Some parts blurred to protect victims of identity theft.

Fake passport. Some parts blurred to protect victims of identity theft.

Sounds hilarious, doesn’t it! The scam is so obvious when presented in this way. And forcing the scammer out of the ready-made script makes the act crack up even more. But the sad fact is that people are lured by these guys daily. A lot of this seems to be done in volume so they must be dealing with a significant number of victims every day. Their way to do business very quickly and easily may seem feasible for smaller bulk items, and may not ring the alarm bells in the same way as when dealing with bigger items. Big or small item, it’s always a good idea to take a critical look at the whole case and look for discrepancies like this. Many of the points listed above are on their own enough to spot the scam. Also make sure that they can’t orchestrate the show on their own. Think about what you need to be able to trust the other part, and be persistent about getting what you want. Reluctance to comply is a pretty strong sign that something is fishy.

The core point for anyone who runs into cases like this is however to understand how the scam works. That’s the key to recognizing it in practice. You are promised money but something must be paid before the transaction can be completed. Sounds familiar? Yes, this is basically the same scenario as in the Nigerian scams. The core of the scam is that the money you are to receive is just a promise, but the money you transfer to someone else is real. The PayPal-based scams may be somewhat more effective as many people trust PayPal. It’s not an official bank, but many people think of it as a bank. You may believe that this trusted party is holding the money and securing the transaction. In reality, all you have got is a faked mail. There is no PayPal transaction and the promised money is just numbers written in the mail.

If you fall for the scam and pay, the scammers will vanish like smoke in thin air. PayPal can’t help you as this has nothing with them to do. The scammers have just misused PayPal’s name. And the payment method used to collect your money is always irreversible and provides no security for the sender.

So to summarize. If you ever consider engaging in a transaction with strangers and where money is relayed through you, you should:

  • Validate the reasons for the transaction. Most proposals of this kind are scams.
  • Make sure that you really know who you are dealing with. Demand proof of identity.
  • Make sure that the money is under your own control before making any payments to others. Cash or a deposit in your own account is pretty safe. (Added: See the comments below for an issue with this.)
  • Make sure that you are not engaging in money laundering.

What really strikes me is how poorly this false buyer’s role is created. Some simple Google searches is all it takes to reveal the scam. And many discrepancies would have been so easy to fix. Are these guys really “America’s dumbest criminals”?

Maybe, maybe not. The point is probably that you need to be suspicious before you turn to Google. And once there you will find descriptions of this type of scam no matter how well the scammers have tried to eliminate discrepancies in their story. So once you get suspicious, it’s game over for the scammers anyway. The most profitable tactic for them is maybe to run the scam en masse without caring about the details, and just harvest those who won’t get suspicious until it’s too late. Or maybe they’re just stupid and can’t do any better? (Believing that anyone would fall for that fake passport would indicate the latter.)

Well, the boat is still for sale. Anyone interested?

Safe surfing,
Micke

Message from "PayPal". Note the sender's address and the scam warning. The warning is actually authentic and copied from real PayPal messages. This may be good advice against phishers, who just know the mail address but not the victims real name. All "PayPal" mails in this case had the correct name in the beginning.

Message from “PayPal”. Note the sender’s address and the scam warning. The warning is actually authentic and copied from real PayPal messages. This may be good advice against phishers, who just know the mail address but not the victims real name. All “PayPal” mails in this case had the correct name in the beginning.

More posts from this topic

8402394000_861ef1b969_z

Mikko Hypponen to Talk Privacy at the Mobile World Congress

This year’s Mobile World Congress (MWC) is coming up next week. The annual Barcelona-based tech expo features the latest news in mobile technologies. One of the biggest issues of the past year has enticed our own digital freedom fighter Mikko Hypponen to participate in the event. Hypponen, a well-known advocate of digital freedom, has been defending the Internet and its users from digital threats for almost 25 years. He’s appearing at this year’s MWC on Monday, March 2 for a conference session called “Ensuring User-Centred Privacy in a Connected World”. The panel will discuss and debate different ways to ensure privacy doesn’t become a thing of the past. While Hypponen sees today’s technologies as having immeasurable benefits for us all, he’s become an outspoken critic of what he sees as what’s “going wrong in the online world”. He’s spoken prominently about a range of these issues in the past year, and been interviewed on topics as diverse as new malware and cybersecurity threats, mass surveillance and digital privacy, and the potential abuses of emerging technologies (such as the Internet of Things). The session will feature Hypponen and five other panelists. But, since the event is open to public discussion on Twitter under the #MWC15PRIV hashtag, you can contribute to the conversation. Here’s three talking points to help you get started: Security in a mobile world A recent story broken by The Intercept describes how the American and British governments hacked Gemalto, the largest SIM card manufacturer in the world. In doing so, they obtained the encryption keys that secure mobile phone calls across the globe. You can read a recent blog post about it here if you’re interested in more information about how this event might shape the discussion. Keeping safe online It recently came to light that an adware program called “Superfish” contains a security flaw that allows hackers to impersonate shopping, banking, or other websites. These “man-in-the-middle” attacks can be quite serious and trick people into sharing personal data with criminals. The incident highlights the importance of making sure people can trust their devices. And the fact that Superfish comes pre-installed on notebooks from the world’s largest PC manufacturer makes it worth discussing sooner rather than later. Privacy and the Internet of Things Samsung recently warned people to be aware when discussing personal information in front of their Smart TVs. You can get the details from this blog post, but basically the Smart TVs voice activation technology can apparently listen to what people are saying and even share the information with third parties. As more devices become “smart”, will we have to become smarter about what we say and do around them? The session is scheduled to run from 16:00 – 17:30 (CET), so don’t miss this chance to join the fight for digital freedom at the MWC. [Image by Hubert Burda Media | Flickr]

Feb 27, 2015
BY 
money drain

Yes, leaking data can cost you money!

We have repeatedly countered the arguments that people don’t have anything to hide, and can comfortable ignore the privacy threats on the Internet. That’s a very unwise attitude and here’s some more examples why. We have also talked a lot about on-line scams and how to avoid them. A key challenge for any scammer is to be trustworthy in the eyes of the victim. And this is where your data enters the picture. I have written a story about how a scammer can be more convincing if he knows your travel plans. Let’s cover a more business-oriented case this time. A controller at a firm in Omaha, Nebraska received mails from the CEO asking him to make a series of money transfers to China, and he transferred a total of $17.2 millions. Yes, you guessed it. The sender was not the CEO and a scammer made a nice profit. The obvious lesson we learn in both these cases is naturally that mail isn’t trustworthy. Mail itself does not provide any kind of sender authentication. The sender address is easily faked. Authentication of the other part must rely on the mail contents, a cryptographic signature or information that only the perceived sender can know. And this leads us to the less obvious lesson we can learn here. It looks like the Ohama-scammer had information about the victim. He knew who can handle money transfers. He also knew that the CEO had some business in China, which made the transfers sound legit. He probably also knew that this person doesn’t meet the CEO face to face daily as that would have ruined the scam. Part of this info is publicly available, like the name of the CEO. We don’t know how he got hold of the rest, but it is obvious that it helped the scammer. So here we have an excellent example of how criminals can utilize tiny grains of info to scam huge piles of money. But what should this Ohama-company have done differently? The controller should have called the CEO to verify the transactions. The company should analyze what info the scammer had, and go through their security policies. And that is pretty much what private persons should do too. Learn to think critically when someone approaches you by mail and verify the sender if in doubt. Also guard all your data to make this kind of targeted attack as hard as possible. This company responded by firing the controller. That's not an option for you if you fall for a scam and let go of your own money. Safe surfing, Micke   PS. Was it right to fire the controller? Hard to say. Part of the responsibility naturally lies on the one who was gullible enough to trust an e-mail. But it also depends on if the company had proper rules in place for validating transfer requests. Did he break any concrete rules when sending the money? If he didn't, then the company is responsible too.   Photo by Images Money

Feb 10, 2015
BY 
DoS

What is a DoS attack really?

Ordinary people here in Finland have been confronted with yet another cybersecurity acronym lately, DoS. And this does not mean that retro-minded people are converting back to the pre-Windows operating system MS-DOS that we used in the eighties. Today DoS stands for Denial of Service. This case started on New Year’s Eve when customers of the OP-Pohjola bank experienced problems withdrawing cash from ATMs and accessing the on-line bank. The problems have now continued with varying severity for almost a week. What happens behind the scene is that someone is controlling a large number of computers. All these computers are instructed to bombard the target system with network traffic. This creates an overload situation that prevents ordinary customers from accessing the system. It’s like a massive cyber traffic jam. The involved computers are probably ordinary home computes infected with malware. Modern malware is versatile and can be used for varying purposes, like stealing your credit card number or participating in DoS-attacks like this. But what does this mean for me, the ordinary computer user? First, you are not at risk even if a system you use is the victim of a DoS-attack. The attack cannot harm your computer even if you try to access the system during the attack. Your data in the target system is usually safe too. The attack prevents people from accessing the system but the attackers don’t get access to data in the system. So inability to use the system is really the only harm for you. Well, that’s almost true. What if your computer is infected and participates in the attack? That would use your computer resources and slow down your Internet connection, not to speak about all the other dangers of having malware on your system. Keeping the device clean is a combination of common sense when surfing and opening attachments, and having a decent protection program installed. So you can participate in fighting DoS-attacks by caring for your own cyber security. But why? Who’s behind attacks like this and what’s the motive? Kids having fun and criminals extorting companies for money are probably the most common motives right now. Sometimes DoS-victims also accuse their competitors for the attack. But cases like this does always raise interesting questions about how vulnerable our cyber society is. There has been a lot of talk about cyber war. Cyber espionage is already reality, but cyber war is still sci-fi. This kind of DoS-attack does however give us a glimpse of what future cyber war might look like. We haven’t really seen any nations trying to knock out another county’s networks. But when it happens, it will probably look like this in greater scale. Computer-based services will be unavailable and even radio, TV, electricity and other critical services could be affected. So a short attack on a single bank is more like an annoyance for the customers. But a prolonged attack would already create sever problems, both for the target company and its customers. Not to talk about nation-wide attacks. Cyber war might be sci-fi today, but it is a future threat that need to be taken seriously.   Safe surfing, Micke   Image by Andreas Kaltenbrunner.  

Jan 5, 2015
BY