Understanding the operations of a scam
Currently, in Sweden, we’re facing a big issue with scammers trying to buy items for sale on various auction websites, but when you initiate contact with the potential buyer things get nasty and you might lose money. This is nothing new, and most of the auction websites have written about this to inform their users, but they do not explain in detail how these scams actually work – their FAQs only advise people to be careful. So I know that there are a lot of questions unanswered for worried users.
Since one of these scammers tried to scam my wife, I decided to follow their scam and document the entire process, so that I could inform not only law enforcement but also our readers on how these scams actually work. When you know how the scam works, it will be much easier to spot them and avoid being scammed.
So, let me give you the background.
Our daughter got a new bike, so we decided to sell the old one on Blocket, the biggest website for personal ads (buying/selling) in Sweden.
After a few days my wife received an SMS (which unfortunately has been deleted). The SMS came from a Polish number, and the person wrote in very good English. They said that they were interested in the bike, but wanted to have more information, and gave my wife an email address. I told her NOT to reply via SMS but to email the person, because sometimes the bad guys send SMS from premium numbers, which means that when you reply to the SMS it will cost you much more than a normal SMS.
I told my wife to be very brief in her answers, which you can see in her initial email response below:
As you can see, the person starts to ask valid questions about the bike, which means that it’s not a bot, it’s actually someone who manually responded to this ad. I have no idea how they select their victims, but it is obviously a manual process.
We decided to take this even further, to see the next step in the scam, so we replied with the information about the bike – there was also still be a chance that the person was not a scammer and really wanted the bike.
It was after this email that everything started to get nasty. They accepted our offer, but what was so strange was that the person confirmed their Polish identity. Even if you look up the person on social media their identity seems to be Polish. So we decided to continue.
The person asked for our name, PayPal details and the total price, which we obviously sent them. They also said that they were going to cover the shipping cost for the bike, and had already involved a shipping company.
We shared our information, and waited for them to reply. They were VERY fast in replying to all the emails; it almost seemed as though there were a lot of people with access to the same mail account, but we weren’t able to confirm this. In the email they sent just before the money transfer they also included an address in Poland. This address hasn’t been confirmed, but we are trying to find out who lives at that address which can be found in the screenshot below. Within minutes they just stated that they had completed the transfer, which you can see in the second screenshot.
I did get two emails from something that looked like PayPal, but when you look more closely you can see that the email is not coming from PayPal at all. This is a very clever, but common, trick that is also used in phishing attacks. When you look at the email you can see that it’s actually being sent from firstname.lastname@example.org which is hosted on Google Mail. What is so interesting with this email is that it’s most likely created manually too, because it contains details such as the price we asked for the bike.
At this point no money had been transferred to my PayPal account – the emails were just fake. The fraudsters next tried to get me to transfer the shipping cost, in this case 1700 SEK (about $200 USD), from our account to the company “P.S.S Logistics”. The process they outlined for transferring the money was to visit a Western Union office, and transfer it to this shipping company; but when you look more closely at the emails they sent, they wanted us to transfer it to a private person. There is a company called “P.S.S Logistics”, but its registered in South Africa, the fraudsters started to use this name, but when you transfer the money it goes to an individual named “Bamise Seon” in Nigeria.
At this point I wondered if the scammers were working with hacked accounts, because all of the individuals exist on various social media networks. For example, the person who keeps email using the Polish name “Pawel Dylewski” can be found on Google Plus. And the individual in Nigeria can be found on Facebook. If you look closely on the screen captures I took from Facebook, you can see that there are two identities, one female and one male, and they are both connected to each other by the same name. In the screenshot below you can see that it’s written: “Send HER a friend request”, which indicates that this profile belongs to a female. You can also see that she has one friend, a person with the same name, but with a profile picture of a man and more information.
I am currently working with PayPal, Western Union, Google and law enforcement, to share the intelligence I have collected, but I also want to share this story. We need to inform everyone who is actively selling/buying things online to keep a close eye on the details. If the deal sounds too good to be true, in most cases it is.
The scheme in bullet points:
- You receive an SMS from a potential buyer containing an email for further contact?
- In some cases the SMS is sent from a premium number, so when you reply you will be charged for the premium service.
- Once the email conversation starts, the buyer wants to pay with an online payment service – for example, PayPal – offering full payment, including shipping.
- They send FAKE emails pretending to come from PayPal, stating that their money has been transferred to your account. But the money won’t be transferred to your account until you have completed the deal.
- The deal can only be completed if you transfer money for the shipping costs to a shipping company – for example, via Western Union.
- The shipping company does not exist, it’s actually the personal account of the scammer; which means that they want you to transfer a sum from your own pocket in the hope that they will pay the full amount (including the amount for your item) into your PayPal account.
Some useful tips when communicating with strangers over Internet:
- Please do not use SMS to communicate, because fraudsters might use premium numbers to charge you a lot of money.
- Please double-check any email address: for example, in this case it did not come from “paypal.com”, but “e-pay-team.com”.
- Never transfer any money to anyone; and always make sure you have received payment BEFORE you ship the item you are selling.
- Never pay with a credit card unless you are 100% sure that the website is legitimate; try to use secure payment methods such as PayPal.
PS: We sold the bike today. To a REAL person