A MyBroadband researcher recently played along with an obvious advance-fee scam email and gained insight into how these con-men trick victims into parting with their hard-earned money.
Advance-fee scams, also known as 419-scams, are when a con artist get victims to pay them a fee with the promise of a large payday afterwards.
Examples of hooks used by such scams are that you have won a foreign lottery, inherited money from a long-lost relative, or that an exiled prince needs to use your bank account to funnel money from his home country.
We created a new Gmail address for this test and always used a VPN when accessing this account to ensure none of our real information was accidentally leaked to the scammer.
Soon, an email arrived announcing that a large sum of money in our name was unclaimed and that we should urgently contact them to release the funds.
We sent an email back to the listed address to ask for more information.
The scammer told us that he was an accountant responsible for handling a deceased estate of £5 million (R100 million).
He said that he had been unable to locate any family of the deceased, and this has become a problem for him.
Coincidentally the deceased person had the same surname as the one we used on our throwaway email account, and the scammer said he would be able to pay the money out to us.
All he asked was some compensation for his efforts, that way, both parties would win from the transaction.
The scammer emphasised that the whole deal should be kept confidential throughout his response, as otherwise, someone else could lay claim to the money.
After a few back-and-forth emails pretending to check that everything was above board and legal — which it certainly was not — the scammer tried phishing for our personal information.
To entice us, he provided some of his information. This included a copy of his UK driving license, which was an obvious fake.
A reverse image search on the licence led us straight to a website where anyone could make these fakes.
Our scammer did not even bother to change the license number from the default the website provides.
We quickly created a fake identity using the exact same site, using the name and other details we had provided thus far. We also matched the jurisdiction of our fake ID to the location where our VPN placed us.
For the next part of the scam, we were asked to send an email to one of the accountant’s contacts at the bank where the money was being held and create an account.
The email ended in @accountant.com. After some Google searches, it was clear that scammers commonly use this domain.
During this process, the scammer also explained how much money he had to spend thus far to get all the paperwork from the lawyer.
At this point, the “bank” requested a bunch of information to open the account into which our windfall could be transferred.
The “bank” claimed to require some of the legal documents which the “accountant” had.
We were able to verify that the scammer was the one behind both email addresses by leaving some critical pieces of information out of our replies, only to have them confirmed by the other party.
Once the scammer had walked us through this masquerade of red-tape, the “bank” required an activation fee of £1,250 to open the account.
By this point, the scammer had tried his level best to convince us that everything was aboveboard and that he had spent a lot of time and money to get the deal this far.
He laid it on thick, attempting to guilt his victim into hopefully paying the fee.
Soon after asking for the activation fee, we tried asking for some more information only to find that both the “accountant” and “bank” emails had become unavailable.
Our scammer was apparently shut down before we could tell him that he’d been had.
When it comes to avoiding online scams, there are a few basic principles to keep in mind:
- If it’s too good to be true, it usually is.
- If it’s an alarming email from your bank, SARS, mobile operator, medical aid, or similar institution that asks you to click on a link and then fill in some information — don’t. Rather type in the institution’s web address manually to see if the information in the email is on their website too.
- Don’t give up private information unless you know who you are talking to.
- Never give out your usernames and passwords.