Three clever scams

from the September 2006 Actrix Newsletter
by Rob Zorn

It seems that scams have become an integral part of the Internet. There are many famous ones that most of us know about, such as the old 419 scam where you're asked to help some poor victim in Africa move a whole pile of money out of the country before the evil government there gets its clutches on it. It's usually the same government that killed his father, or tortured his wife or something. You provide him with some money (because his is all inconveniently tied up) and in return you'll get 20% of the 45 million, or something like that. Of course, you forward him the money, or give him access to your bank account, and he suddenly disappears. There's a warning about a variation on this scam in this month's snippets under the General section.

Then there's the old phishing scam. Something has gone wrong with your bank account, and you need to log in urgently again to fix it. "Here, quick, click this link and you'll be taken to the log in page." But you're not taken to the log in page. Instead you're taken to a copy of the banking site that is really somewhere else, and your log in details are in fact captured by these nefarious villains. Or, when you go to the site, a key logger is downloaded onto your computer that will capture all your key strokes and send them off to the scammers (but this will generally only happen if you're silly enough to be surfing with unpatched software and out-of-date virus protection).

Here are three scams that have been doing the rounds lately.

Scam No 1 - The Old Double Hoax Trick

I received an interesting variation on this one recently. It claims to come from the Commonwealth Bank in Australia. I'm not one of their customers, so that was the first clue that it was a fake. In an ironic parody of itself, the e-mail warned me that there was a hoax e-mail circulating attempting to get Commonwealth Bank customers to participate in a survey, but that this e-mail was fraudulent. I should go to the site they linked to and quickly log in to protect my account from all future hoax e-mails. You can see a copy of this e-mail here.

Now this is all very vague, and doesn't make a lot of sense, but that doesn't matter. What they're after is to quickly delude those who don't really know much about how the Internet works into making a mistake without thinking. After all, the e-mail is warning me about dangerous hoaxes. It couldn't be a dangerous hoax itself could it? Oh yes it could, and oh yes it is.

Most people in New Zealand aren't Commonwealth Bank customers, so they'd just ignore it and maybe think it was a bit odd that they'd received it. But if you were a Commonwealth Bank customer, you may not find it so strange, and that's just what the scammers are hoping. When you click the link in a phishing scam e-mail, the site may look genuine, but it won't be. Hopefully, from their perspective, you'll be too flummoxed and fearful to notice any subtle differences. 

This is how a classic phishing scam works, and if you don't know how to recognise these, you really should. Your bank (or Trade Me, or eBay, or PayPal or whoever) will never ask for your personal details in an e-mail, and they will never provide a link to a log in. They may invite you to log in to see some new announcements or features, but they will advise you to use your own bookmarked link, or to just browse to their site normally.

Scam No 2 - Laundering the Phish

The second scam offers me a job opportunity that is just too good to miss, though if I take them up on it, I may find myself not needing to worry about income for 5-7 years (while I become a guest of Her Majesty's government). This one offers me a fantastic job as an escrow operator. I can work from home for just 1-3 hours per day and earn $30,000 per year, plus bonuses. That sounds like me! All I need is to be over 21 (and I am, just), honest, responsible and prompt (I can work on these things) and have one or several bank accounts. The job just involves receiving money into my account(s) from the company's clients and then paying it into the company's accounts.

It sounds ideal, but it's not hard to see what I'm really being offered here. I think I'm really being offered the opportunity to launder money for the people that operate phishing scams. Once they have people's bank log in details they need somewhere to transfer the money to, and the difficulty they face is getting the money out of the country. They transfer the money to me. I transfer my own personal money to them, and then get to keep the money transferred. I am sure someone with a better knowledge of international banking could explain this in more detail, but the concept is fairly simple.

I am promised all sorts of career growth if I work hard at this, and they sound like a really supportive bunch of people. However, when the suits from Internal Affairs come knocking on my door suggesting that next time I'm passing the High Court I should probably pop in and explain myself, you can bet these supportive people will be nowhere to be found, as will be the case with my own personal funds that I so trustingly transferred. Worse still, I'll have to give all the money transferred to me back to their victims.

I may escape prison if I can prove I really am stupid and was duped, but somewhere along the line I'll have known full well that something dodgy was going on...

Anyway, you can see the e-mail offer I received here. The bottom line is, reputable jobs are not offered via unsolicited e-mails (spam) and if they were they'd be better written. Anything that sounds too good to be true probably is, especially on the Internet.

Scam No 3 - The Old Domain Name Scam

This one does the rounds every now and then, and has just been in the news again. It often works through the post rather than via e-mail. The idea is to send a letter that is really an invitation to register a domain, but make it resemble an invoice in the hopes that someone will just unthinkingly pay the amount.

It works like this.

I may own the domain These people look me up in the domain registry and see that the domain is not owned by anyone. So they send me the invitation, made to look like an invoice. My secretary or accounts person receives the letter, knows I own something with buzzthecat in it, doesn't read it very carefully, and thinks it is a bill for renewing my domain. So he pays the amount. In fact I have now bought a new domain that I didn't really want, and there are general surprises all around when the real invoice to renew rolls up in a few months' time.

Now if you read the letter carefully (and there's a copy here) it definitely does say that it is an invitation to register a domain, but I believe (and so does the Commerce Commission) that it is a deliberate misrepresentation all the same. It's made to resemble an invoice and the company's name (this time it's NZ Domain Registration Ltd) is made to sound like an official body. The prices are ridiculously inflated too. The cost is $225 for two years' registration, and if they're charging that they can afford to be giving away mp3 players! Actrix will give you the same two-year deal for $124.90.

You may say I'm a dreamer, but it's still my hope and expectation that these sorts of scams will decline over time. I am sure that far fewer people fall for phishing scams, for example, than used to, simply because they're commonly known about these days. But as long as there is that one in 100,000 that will still fall for it, they'll keep coming. Hopefully, if you've read this far, that one in 100,000 is not going to be you.