There is a horrific scam going around that uses just about every trick in the book – and effectively at that – to get you to send the scammers some money. It uses social engineering, urgency, Facebook hacking, and email hacking, and looks so genuine that we have no doubt that many have fallen for it. It comes from your friend’s actual account, and starts out by saying “This message may be coming to you as a surprise..” It then goes on to say that “we were mugged” and that the muggers stole “all our cash, credit cards and cellphone but thank God we still have our lives”, and then begs “I need you to help me out with a loan to settle our bills here…” It sounds so real – and after all it comes right from your friend’s account – how can you refuse? But refuse you must, because it is a scam.
Here is the full text of the message that we are in posession of – read more about it below the text of the scam:
This message may be coming to you as a surprise but I need your help. Few days back my family and I made an unannounced vacation trip to London,UK. Everything was going fine until last night when we were mugged on our way back to the hotel. They Stole all our cash,credit cards and cellphone but thank God we still have our lives and passport. Another shocking is that the hotel manager has been unhelpful to us for reasons i don’t know. I’m writing you from a local library cybercafe..I’ve reported to the police and after writing down some statements that’s the last i had from them.i contacted the consulate and all i keep hearing is they will get back to me. i need your help ..i need you to help me out with a loan to settle our bills here so we can get back home . I’ll refund the money as soon as we get back. All i need is $1,850 USD..Let me know if you can get me the money then I will let you know how to get it to me.
The version we have in hand says that our friends were on a trip in England, but we have seen versions that claim trips to other countries. Here is the thing – our friends are British, and living in the States, and so that they would be on vacation in the UK is entirely plausible.
How did the scammers know how to customize this message so that it would seem legitimate to our friends’ group of friends (all of whom received this message, as the scammers had hacked both their Facebook and email accounts).
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
Well, that’s the key – the scammers had hacked their Facebook and email accounts. In which there was enough information to allow the scammers to customize the scam until it sounded like it really could have come from them – it was entirely believable. And the “reply-to” email address – the email address being monitored by the scammers, is customized (again) to be identical to the real email address of the hacked account, save for one small change. Meaning that these scammers are creating custom messages and associated scammer-monitored email addresses for each account they have hacked!
Diabiolical.
[Ed. note: This is the same methodology that the scammers are using to sell people’s houses out from under them. Scammers are getting much more sophisticated, folks.]
As it happens, the way that we knew right off the bat that it was a scam (besides that this is what we do for a living) is that this particular friend happens to have a graduate degree from Oxford University, and is exceedingly well-written, and they would never write a note that is so poorly constructed.
But without that insight, and without our background? We could easily have fallen for this.
Don’t you!
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
“How did the scammers know how to customize this message so that it would seem legitimate to our friends’ group of friends?”
A scammer can collect a name, e-mail address and matching signature text from messages posted to a public (or semi-private) mailing list archive. The scammer constructs a spoof e-mail using a forged From: header and a Reply-To: header that directs responses to the scammer’s address. The body of the message contains the plea for money and the matching sig. The forged e-mail is then sent to a large number of e-mail addresses harvested from the same mailing list (which, the scammer hopes, will include friends and acquaintances of the pretended sender).
Using that technique, it is NOT necessary for the scammer to break into the pretended sender’s e-mail or Facebook account. Likewise, the scammer does not need to steal the pretended sender’s address book.
This comment is posted on behalf of a reader Gregory Gross, who is having problems with the captcha (anyone else?):
It looked fishy from the get-go, and in each case I called up the local phone of the supposed sender. Each had already been notified. Both the fishy and legit’ INBOX was being monitored by the hacker until the owner changed his/her password. I sent notice to the hacker of getting a fix on [him] just as a jab, and the exchange went cold.