Beware the Mailman, the Phone Call and the Email
eSecurityPlanet columnist Linda LeBlanc recently received two letters and a check. What actually was delivered was a lesson in defending yourself against fraud.
Anyone who has spent time playing online games, visiting dating Websites or online poker rooms knows this. I routinely invent identities that allow me to accomplish whatever it is I need to do online without compromising my personal privacy. I use one persona to subscribe to various news services, another to play online games and another one to chat with young hackers about their activities and motivations.
It really wouldn't make sense to go into an IRC chat room and announce that I'm a network security analyst for one of the choicest hacking targets in the world, and expect to get any really good scoop out of the experience. On the other hand, I play 'Joe stupid hacker wannabe' pretty well, when necessary.
The reason I tell you this is to share another, more interesting, event with you. Recently, I received a certified letter in the U.S. mail addressed to one of my online aliases. This dispatch contained two letters and a check. We'll get to the check in a moment, but the two letters were very interesting to read.
Now, I think this is very cool. The only problem is that I don't play the lottery. Ever. And certainly not by alias. I'm pretty sure I didn't win anything. But let's move on to the next letter to shed more light on things.
The second letter explained that because there were fees and taxes involved in processing the winnings for this lottery, the award notification company had arranged for financial sponsors to provide the necessary funds to release my lottery winnings immediately upon the completion of the claim process. All I need to do, they tell me, is provide them with my bank routing numbers for them to arrange a wire transfer of my winnings to my account. Right. Like that's going to happen. Or, maybe they'll just wait until I deposit the check in my account, and then they'll have the routing numbers from the cancelled check.
Of course, the check itself is probably high-grade rubber, or stolen, or something else that would cause law enforcement to be interested in me for bank fraud. At the very least, I would end up getting whacked for the bounced check charges from my financial institution.
Interestingly enough, it very clearly states in the letter that I should be careful not to make this award public until after the funds have been deposited. I wonder why they wouldn't want me to go to the press about this major windfall I was planning on turning into a philanthropic foundation. Maybe I'm supposed to wait until after they've emptied my bank account and ruined my credit.
What's wrong with this picture?
The phishing people are expanding into new markets to conduct their scams. They've moved steadily into phone scams. We hear about more people getting phone calls regarding problems with their credit card accounts. They are informed of fraudulent activity associated with their card, and the ''account manager'' needs account data for verification. Believing the caller is trying to help them, they provide card numbers and expiration dates over the phone to perfect strangers. They never consider verifying the caller's identity or whether they have a legitimate need for that data.
Now, scam artists have begun to move into other arenas. Surely, people will think that if they received this letter, signed by a real person even, it must be true. Look, the letter is even signed in ink. Except, the person named in the letter doesn't exist. (Here's a thought: If the recipient of an award doesn't exist, is there any reason why the originator should?)
I've also seen cases where individuals receive faxes addressed to them and marked ''URGENT & CONFIDENTIAL''. It offers great wealth to the person who will just send their banking data to an individual representing himself as the Director of Project Implementation for the Ministry of Energy and Mineral Resources, South Africa. Doesn't that sound impressive? A quick Web search on the area code listed in the fax reveals it was transmitted via a Maritime Satellite phone. Somewhere in international waters, the South African Director of Project Implementation wants you to volunteer your financial accounting data.
Another Web search on the name and address of the lottery company in London, Ontario gave similar results. Not only does the company not exist, the street in the address does not exist. The phone number is obviously valid or how else would they arrange the ''payout''?
Fortunately, these people have not escaped the attention of law enforcement.
The Royal Canadian Mounted Police and U.S. postal regulators continue to develop leads and investigate individuals involved in these scams. It's difficult because the perpetrators running these operations use cellular telephones and stay one step ahead of investigators.
Now about that check.
It appears to be a legitimate cashiers check drawn on a well-known U.S. bank for a significant amount of money. We know the bad guys don't play with their own cash, and the check is certainly good enough to pass muster at most legitimate check cashing institutions. A bank, however, would probably spot it as a fake. If I were to deposit it into my checking account, they would still have my bank routing information.
In any event, cashing the check itself is bank fraud and punishable by federal jail time.