Recently an elderly member of my family asked for some help with an online service. Dave (name changed to protect the innocent) is in his eighties and uses his PC for email and browsing but little else.
This is a pretty normal situation for anyone working in IT or even familiar with computers: you quickly become the go-to helper for any and all computer problems.
The request was a simple one: help set up a PayPal account. But there was more below the surface of the apparently simple request.
Dave was helping a friend sell a used household generator. He had found a buyer for the generator and agreed a price. But the buyer wanted to use PayPal for the payment, claiming he'd been scammed using other methods in the past.
Here's the email that the prospective buyer sent Dave:
[Dave], I won't do what you will be requesting for the payment because have been scammed in such a way in 2 months ago but the main problem now is that I can't have a state to state transaction that will not include adequate security level, I can't send any form of cash via western union or Cashier/Certified Check or bank payment for payment to anyone even money order or Debit Card just because have been scammed in such a way in 2 months ago, could you believe the same thing happened to my Cousin in Texas last 3 weeks and is getting too much.Please do think of giving a trial to PayPal to see how it works they are well secured with their services, I assured you will be highly surprised with how everything will work out fine so you can open PayPal account it's free no charges for opening even is very easy to operate well secured.
Expecting your opinion on this. Thanks
Using an online payment system that includes dispute resolution sounds like a reasonable precaution, although a close reading of the PayPal user agreement indicates that their dispute resolution may not cover personal payments.
The language in the email snippet above is similar to that used in various online scams - but Dave doesn't spend all day reading scams on the internet so he took it at face value.
Dave's PayPal account would only be used to receive payment so when setting it up we did not attach a payment method to the account. That way if the account is ever compromised no-one can use it to drain Dave's bank account or make charges to his credit cards.
Once the account was set up Dave contacted the buyer with his PayPal details. That's when things started to look a little fishy.
Within a few minutes Dave received three emails that claimed to be from PayPal. Fortunately, for the purposes of this blog entry, Dave made print-outs of the emails he received (redacted versions of which are reproduced below):
1) Notification that $1,750.00 had been credited to his PayPal account. $1,200 for the generator and $550 for shipping and handling.
2) Notification that a temporary hold has been placed on the payment until a portion of the payment is forwarded to a shipping agent.
3) Instructions for paying the shipping agent.
Dave found this to be confusing but also suspicious and asked me for more advice.
At this point the scam is clear.
Dave is being asked to send $500 by Western Union before the payment for the generator is released to his account. Instead of receiving money he must first make a payment.
This is known as 'advance fee fraud'. The scammer will disappear with Dave's payment and instead of selling a generator he'll be $500 poorer.
There are plenty of clues in these emails to indicate that a scam is in progress, both for the technically proficient user and for the Daves among us.
Let's look at the last of the three emails - the instructions for paying the shipping agent:
From: "service@paypal.intl"
To:
Subject: Payment Assurance: Please Read This And Follow Instructions *** Western Union Scan Receipt Needed For Verification ***
Dear
This message is originated from PayPal Company. The payment we received from has been made successfully and the money has been credited into you PayPal account but it will not show in your PayPal account. However, since this money is meant for a purchase or a service that involve a Shipping Company.We have to receive a confirmation that you have sent the pick up agent fee to
We also want you to understand that we have choose this customer care email address as to monitor the transaction between you and and we want you to know that we have to receive the Western Union Scan Receipt so that we can have your account credited with the fund pending. We want you to know that we have many people on our desk that we attend to and many may not understand the new safety policy that is why we have choose to use email to monitor some transaction... So we will greatly appreciate if you could get back to us here so that we can process and credit your account fully.
Be informed that this transaction is only available and can only be tracked and traced via email,so do reply back to us if you have any question about the transaction and not via phone call.
There is a laundry list of clues here telling us that the email is not legitimate:
The contents of the other two emails also show some suspicious features:
Although a shipping company is named the Western Union payment is to be sent to a private individual at a residential address.
The PayPal images that are included to make the email appear legitimate are actually from third party image hosting sites, not from PayPal.
All of these can tip you off that the scheme is a fraud. Dave, however, used the most powerful anti-fraud tool: common sense.
He realized that the agreed price for the used generator plus the supposed shipping fee was actually more than the cost of a new generator. Why would anyone pay more for an old generator than a new one?
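The clues visible in the emails themselves (a sender address that is not on PayPal's domain, PayPal logos served from third-party hosts, a demand for a Western Union receipt, contact restricted to email) can also be checked mechanically. This is an added example, not part of the original post; the sample message, the image host `img.example.net`, the function names and the assumption that genuine PayPal mail and images use `paypal.com` are all constructed for illustration:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: genuine PayPal mail and images use paypal.com or a subdomain.
TRUSTED = "paypal.com"

# Constructed sample modelled on the third email in the post. The image host
# img.example.net is a placeholder, not a value taken from the post.
SAMPLE = """\
From: "service@paypal.intl" <service@paypal.intl>
Subject: Payment Assurance *** Western Union Scan Receipt Needed ***
Content-Type: text/html

<html><body><img src="http://img.example.net/paypal_logo.gif">
<p>We have to receive the Western Union Scan Receipt so that we can
credit your account. Reply back to us here and not via phone call.</p>
</body></html>
"""

def under_trusted(host):
    """True only for the trusted domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED or host.endswith("." + TRUSTED)

def scam_indicators(raw):
    """Return the list of clues found in one raw, single-part email."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    findings = []
    # Sender uses the PayPal name but the address is on another domain.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if "paypal" in (name + addr).lower() and not under_trusted(domain):
        findings.append("sender-domain:" + domain)
    # Logos pulled from hosts that are not PayPal's.
    for src in re.findall(r'<img[^>]+src=["\']([^"\']+)', body, re.I):
        host = urlparse(src).hostname
        if not under_trusted(host):
            findings.append("third-party-image:" + str(host))
    # Payment demanded outside the platform, and contact limited to email.
    if "western union" in text:
        findings.append("off-platform-payment:western union")
    if "not via phone" in text:
        findings.append("email-only-contact")
    return findings
```

The suffix check in `under_trusted` compares on a dot boundary, so a look-alike host such as `paypal.com.example.net` is not treated as PayPal's.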
Remember, there are many fraudsters out there but you don't have to be an IT security guru to protect yourself. Just pay attention to what you're doing. If something seems too good to be true or just doesn't make sense then you should keep your money well away from it.
Elderly typing fingers image from Shutterstock.