Understanding the operations of a scam

Fraudsters at advertising websites for private item sales

Currently, in Sweden, we’re facing a big issue with scammers trying to buy items for sale on various auction websites, but when you initiate contact with the potential buyer things get nasty and you might lose money. This is nothing new, and most of the auction websites have written about this to inform their users, but they do not explain in detail how these scams actually work – their FAQs only advise people to be careful. So I know that there are a lot of questions unanswered for worried users.

Since one of these scammers tried to scam my wife, I decided to follow their scam and document the entire process, so that I could inform not only law enforcement but also our readers on how these scams actually work. When you know how the scam works, it will be much easier to spot them and avoid being scammed.

So, let me give you the background.

Our daughter got a new bike, so we decided to sell the old one on Blocket, the biggest website for personal ads (buying/selling) in Sweden.

scam_1

After a few days my wife received an SMS (which unfortunately has been deleted). The SMS came from a Polish number, and the person wrote in very good English. They said that they were interested in the bike, but wanted to have more information, and gave my wife an email address. I told her NOT to reply via SMS but to email the person, because sometimes the bad guys send SMS from premium numbers, which means that when you reply to the SMS it will cost you much more than a normal SMS.

I told my wife to be very brief in her answers, which you can see in her initial email response below:

scam_2

As you can see, the person starts to ask valid questions about the bike, which means that it’s not a bot, it’s actually someone who manually responded to this ad. I have no idea how they select their victims, but it is obviously a manual process.

We decided to take this even further, to see the next step in the scam, so we replied with the information about the bike – there was also still a chance that the person was not a scammer and really wanted the bike.

scam_3

It was after this email that everything started to get nasty. They accepted our offer, but what was so strange was that the person confirmed their Polish identity. Even if you look up the person on social media their identity seems to be Polish. So we decided to continue.

The person asked for our name, PayPal details and the total price, which we obviously sent them. They also said that they were going to cover the shipping cost for the bike, and had already involved a shipping company.

scam_4

We shared our information, and waited for them to reply. They were VERY fast in replying to all the emails; it almost seemed as though there were a lot of people with access to the same mail account, but we weren’t able to confirm this. In the email they sent just before the money transfer they also included an address in Poland. This address hasn’t been confirmed, but we are trying to find out who lives at that address which can be found in the screenshot below. Within minutes they just stated that they had completed the transfer, which you can see in the second screenshot.

scam_5
scam_6

I did get two emails from something that looked like PayPal, but when you look more closely you can see that the email is not coming from PayPal at all. This is a very clever, but common, trick that is also used in phishing attacks. When you look at the email you can see that it’s actually being sent from service@e-pay-team.com, which is hosted on Google Mail. What is so interesting about this email is that it was most likely created manually too, because it contains details such as the price we asked for the bike.

scam_7
scam_8

At this point no money had been transferred to my PayPal account – the emails were just fake. The fraudsters next tried to get me to transfer the shipping cost, in this case 1700 SEK (about $200 USD), from our account to the company “P.S.S Logistics”. The process they outlined for transferring the money was to visit a Western Union office and transfer it to this shipping company; but when you look more closely at the emails they sent, they wanted us to transfer it to a private person. There is a company called “P.S.S Logistics”, but it’s registered in South Africa. The fraudsters started to use this name, but when you transfer the money it goes to an individual named “Bamise Seon” in Nigeria.

scam_9
scam_10

At this point I wondered if the scammers were working with hacked accounts, because all of the individuals exist on various social media networks. For example, the person who keeps emailing us using the Polish name “Pawel Dylewski” can be found on Google Plus, and the individual in Nigeria can be found on Facebook. If you look closely at the screen captures I took from Facebook, you can see that there are two identities, one female and one male, and they are both connected to each other by the same name. In the screenshot below you can see that it’s written: “Send HER a friend request”, which indicates that this profile belongs to a female. You can also see that she has one friend, a person with the same name, but with a profile picture of a man and more information.

scam_11

I am currently working with PayPal, Western Union, Google and law enforcement, to share the intelligence I have collected, but I also want to share this story. We need to inform everyone who is actively selling/buying things online to keep a close eye on the details. If the deal sounds too good to be true, in most cases it is.

The scheme in bullet points:

  1. You receive an SMS from a potential buyer containing an email address for further contact.
  2. In some cases the SMS is sent from a premium number, so when you reply you will be charged for the premium service.
  3. Once the email conversation starts, the buyer wants to pay with an online payment service – for example, PayPal – offering full payment, including shipping.
  4. They send FAKE emails pretending to come from PayPal, stating that their money has been transferred to your account. But the money won’t be transferred to your account until you have completed the deal.
  5. The deal can only be completed if you transfer money for the shipping costs to a shipping company – for example, via Western Union.
  6. The shipping company does not exist, it’s actually the personal account of the scammer; which means that they want you to transfer a sum from your own pocket in the hope that they will pay the full amount (including the amount for your item) into your PayPal account.

Some useful tips when communicating with strangers over Internet:

  • Please do not use SMS to communicate, because fraudsters might use premium numbers to charge you a lot of money.
  • Please double-check any email address: for example, in this case it did not come from “paypal.com”, but “e-pay-team.com”.
  • Never transfer any money to anyone; and always make sure you have received payment BEFORE you ship the item you are selling.
  • Never pay with a credit card unless you are 100% sure that the website is legitimate; try to use secure payment methods such as PayPal.
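
The second tip can be automated. The following is an added example, not part of the original article: it parses a message's From header and flags mail whose display name or subject claims PayPal while the sender domain is something else, as with service@e-pay-team.com above. The allow-list, the sample messages and the extra Reply-To comparison are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains each brand legitimately sends mail from.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

def addr_domain(header_value):
    """Return (display_name, lowercased domain) of an address header."""
    name, addr = parseaddr(header_value or "")
    return name, addr.rpartition("@")[2].lower().rstrip(".")

def domain_allowed(domain, allowed):
    """Exact match or true subdomain; 'paypal.com.example' must not pass."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_brand_claim(raw_message):
    """Return findings for a message whose visible sender claims a brand."""
    msg = message_from_string(raw_message)
    name, domain = addr_domain(msg.get("From"))
    claimed = f"{name} {msg.get('Subject', '')}".lower()
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in claimed and not domain_allowed(domain, allowed):
            findings.append(f"claims {brand}, sent from {domain or 'unknown'}")
    _, reply_domain = addr_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To {reply_domain} differs from From {domain}")
    return findings

def make_sample(from_header, subject):
    """Build a constructed test message (not a real e-mail from the article)."""
    return f"From: {from_header}\nSubject: {subject}\n\nbody\n"

# Constructed samples; only service@e-pay-team.com is taken from the article.
FAKE = make_sample('"PayPal" <service@e-pay-team.com>', "Payment received")
REAL = make_sample('"PayPal" <service@paypal.com>', "Payment received")
LOOKALIKE = make_sample('"PayPal" <service@paypal.com.example>', "Payment received")

if __name__ == "__main__":
    for label, raw in [("fake", FAKE), ("real", REAL), ("lookalike", LOOKALIKE)]:
        print(label, check_brand_claim(raw) or "no mismatch")
```

A matching From domain is not proof that a message is genuine, because the header itself can be forged; the receiving server's SPF, DKIM and DMARC results cover that case.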

PS: We sold the bike today. To a REAL person 🙂


  1. Keith Rozario

    It’s the same ol’ scam all over again, but this time with a bit more sophistication.

    Seems to be fairly manual as well, which means lack of automation due to either lack of funds on behalf of the scammer, or maybe the internet has gotten better at eliminating automated scams.

    And I just love the fact, this all seems to emanate from Nigeria…..

  2. himagain

    It is extraordinary how many TOTALLY gullible people there are on this planet!
    Some of these scams which all seem to go by the name in security areas of “Nigerian scams”, are absolutely pathetic.
    However – some of them are so sophisticated and well designed that I have taught myself to NEVER answer a message in a hurry – but to re-read at least once when ANY specific details are requested – or even demanded!

    This article is so well presented and clear, that I will make it a referral to my friends (along with Kaspersky safety products and education).

    Thank you,

  3. Wong

    I am from Malaysia. When I try to sell an item on mudah.my (a local listing site),
    the scammer (from Nigeria) also contacted me via SMS (but if you are using WhatsApp, they will message you there). Then the other steps are similar to what you have written.

  4. HateSpammers

    Even if one were to be fooled all the way up to the email about the money being paid, there’s two things that stand out to me. One is very obvious, the other surprises me that more people don’t pick up on it.

    Anytime you see the country of Nigeria anywhere in correspondence, or through searching information given, that should be enough. If not, then the “company” emails that they send out are another good way to tell that it’s all bull.

    It’s very simple, but it’s very pronounced, to me. No company writes like they pretend the company wrote. I will not give examples in case the idiots read your site, because I don’t want to give them any pointers….but no. No company writes the way they wrote, and that more people do not pick up on that simply floors me.

  5. Adam

    Nicely written and documenting of the process. I hope many people read this from all over the world. The basic tactic used is used by so many scammers and anyone can fall victim to such a scam.

    The first several lines of his reply stating the transfer had occurred raised a big red flag for me as a lot of it just didn’t make sense or sound legitimate and made me go “What!?!”. I seriously doubt PayPal would have policies in place regarding the use of insecure methods of money transfers.

    Also does it sound fishy that someone in Poland would go through someone in Africa to travel that distance just to pick up a bike. Sounds obviously suspicious. But as others have stated, not enough people pick up on things like that and they are in too much of a hurry to make their own validations and ensure the legitimacy of transactions before shipping out the item.

    I’m glad you noticed what was going on and didn’t fall victim to it yourself as well as finding a real buyer.
