Advance Fee Fraud – more than a problem of semantics

Every minute of the day, somewhere in the world someone is being defrauded online. The media, the ordinary people and experts use different names for the same problem. If it happens to a business, it’s called online fraud. If it targets a state it is called cybercrime. If that targets a regular Internet user it is called a scam.

We all agree that fraud is a crime. The rest is a matter of semantics …

The malicious parties committing fraud are also known by various names. If they are targeting a business, they are called hackers. If they are targeting a state they are called cybercriminals. If they are targeting an ordinary person they are called scammers. The same party targeting a bank with the exact same malicious activity as consumers, will be considered a fraudster by the bank, but will be called a scammer by the media for targeting consumers.

We have laws against fraud, online or not, and the commercial arena invests billions each year to prevent being victimized while also proactively mitigating online threats. We also have laws against cybercrime, governments are investing billions each year to protect their interests, their institutions and their integrity. When it comes to average people defrauded online, we have a system where victims are blamed for being a victim and and that is where it ends. If the victim is lucky, there might be a recognition of the abuse, but hardly any chance of justice or restitution unless you are a famous person. The laws might apply, but it appears not implemented in the same way.

We have people so specialized in the online crime arena, that the average Internet user cannot even begin to understand what they are talking about when they are talking about online crime. Not understanding the experts leaves the victims feeling inferior and even less willing to communicate with the others or even the experts. Most of the experts are talking from a commercial or governmental interest arenas. Victims of Advance Fee Fraud are not part of that arena. Ironically most of the experts do not even understand the convoluted details of Advance Fee Fraud.

We have financial systems in an online environment trying to shift responsibility for risk and loss to anyone else if possible, instead of implementing valid options to avoid and prevent online abuse and fraud. We see the same blame shifting paradigm at the providers of online services.

On the other hand, we have non-recognized, yet knowledgeable people, trying to warn others and save them from fraud by exposing online fraud. This is done in to promote consumer protection. Sadly, their good intentions are not enough most of the time. They cannot do more than to expose the cyber fraud, while proactively reporting it to those whose services are abused and attempting to escalate such cases to the appropriate authorities after a fraud incident. By then consumer protection is too late and we are trying to pick up the pieces after failed protection.

In this equation we have the law enforcement authorities established to protect their citizens from any form of abuse and usually failing because of issues having nothing to do with their mission, facing jurisdictional problems, lack of resources or verifiable information for online crimes. Then other factors intent on protecting their finite capacities comes into play, the typical ‘loss above or below’ a certain amount, statistically known  most serious and most reported threats, while other less reported online fraud slips between the cracks. In the meantime they are forced to deal with physical world infractional events that needs to be solved.

Basic online badness


Using the Internet to acquire somebody else’s money in illegitimate ways can take many forms. We encounter malware infecting the victim’s computer and encrypting it for ransom, or getting access to their content without the victim’s consent or knowledge, with the intention of reusing that content to defraud the owner of that computer, their network or friends.

In phishing we encounter a malicious link or email impersonating a real entity with the purpose of harvesting login credentials like passwords, usernames or similar authentications we use to identify ourselves to an online service, compromising our email address, our online profile on a social platform, our bank account, our credit card details or any other of our online activities.

Then we encounter Advance Fee Fraud; a lie based on the idea of offering something that doesn’t exist with the victim having to pay upfront to obtain it.

We have clear statistics for malware and phishing. Yet when it comes to Advance Fee Fraud, nothing is clear. While we may have a generally accepted definitions of it, many of the elements used in  Advance Fee Fraud are incorrectly labeled as phishing. Many of its elements are not even recognized as fraud, rather considered social engineering. It is one of the most under reported areas of online fraud and where consumers have the least protection. There is no standard accepted procedure for dealing with Advance Fee Fraud and prosecuting, nor concerted efforts to stop  it, despite growing annually for more than two decades and being an entry level crime for later serious threats.

Background for confusion


Using words without knowing their meaning can only confuse people and it’s maybe a good time to  clarify this mess. We all use common terms, but we understand different things when using them. We’ll consider the term hacker.

In the real life, hacking was initially the ability of a person to mess about with something in a way to investigate it, improve it or give it a new purpose. It was neither good nor bad. Online hacking was a progression of real life hacking, messing about with the new technology.

Later a portion of hackers evolved into a movement fighting for the freedom of information and for the right of knowing what states and corporate entities tries to hide from them. It was done by gaining access to computers or networks and then viewing and copying data without the intention of destroying it or maliciously harming the computer. Sharing that information publicly was the purpose of the hacking. The perception of hacking as good or bad, depended on the type of information exposed and who was exposed in it. This was a subjective view. Obviously this was a threat to any state and made illegal.

At the same time, hacking extended into finding vulnerabilities in programs and reporting those vulnerabilities to avoid the program getting under malicious control. Allowing hacking became accepted in advanced forms of protection, counting on the help of independent people testing online platforms, interfaces or programs to identify any potential vulnerability before someone will use it maliciously.

On the opposite side there are crackers, using their technical skills to gain access to a computer or network with malicious intent, from spreading viruses or malware to stealing money or information that can be sold further for stealing money.

In and between we find the script kiddies, wanna-be hackers fooling themselves that they are hackers by obtaining software created by someone else, and using it without having any idea how the software really works.

The conflict between hackers and corporations or states resulted in hackers being labeled as bad. Even parties trying to expose flaws for better security were targeted and sometimes still are, for the embarrassment they may create. Media played a major role in this conflict creating stereotypes, either good or bad, likewise societal views on who was exposed. It took some time until the roleplayers understood the difference between various types of hackers. The final decision was more or less to work with the good hackers to stop the bad hackers. Only after this point did the media paint a different picture in the public mind. Now it was about so called “white hats” being the IT sec wizards trying to do good, and the “black hats” as the bad ones trying to harm. The damage was already done in the collective mind, unable to understand all this confusion or to make any distinction between white and black, simply using the term hacker in the negative way.

The players


Let’s look at the ones defrauding victims online and named in different ways.

Far away from this entire conflict, the scammer is usually someone without any technical skills, whose only skills are deception, holding out false promises and asking to be paid in advance for it.  The promises can be prizes, money or even fictitious love and promises of a future together. The money he steals can be used in two ways. The stupid scammer lives a lavish life, wasting the money in a bling-bling lifestyle meant  to impress others. The smarter one, while also splashing out, will use some of the stolen money to invest in something he doesn’t have to refine his fraud; knowledge and help. Where can he buy that from? From the ones knowing how to abuse the online environment to their advantage, the black hats.  

The Advance Fee Fraud seen today would be near impossible without the entire infrastructure built and created with money obtained from fraud. Stolen money is being used to pay  for fake sites used in fraud, while stolen credit cards are used to register/validate profiles online. Many of these stolen credit card details are purchased with stolen money. This money is paying for bulletproof hosting (where these providers self-blind to the numerous reports they receive) where fraudsters keep their fraudulent websites alive. This stolen money is buying privacy for the fraudster while he exposes victims details online, easy to be found by anybody knowing where to look for it and allowing further abuse of those victims. The stolen money is being used to pay for SEO campaigns, sometimes allowing fraudulent presences to be better positioned in the search engines results as the real entities. In certain countries, stolen money pays for bribes needed to keep the culprits out of jail. Fraud may even fuel a large portion of a community’s economy.


The playground


An important part of our lives is spent online. Internet commerce thrives in the good and the bad. The regular innocent Internet user is the main testing ground for anyone able to gain enough information and use it to achieve proposed goals.  

On one side of the screen we have the victim, usually alone and operating a computer, mobile phone or, to use the new phrase, Internet of Things device, without knowing exactly how that device works but  having an expectation of it working properly. He does not understand the various levels that can be compromised, rather simply trust other specialists to take care of that.

On the other side of the same screen are entire crowds of malicious parties trying to steal his money, his identity or abuse the target in some way.  

The victim may have anti-virus software able to protect him from malware or phishing, but sadly there is no software able to protect him from Advance Fee Fraud.

Internet users are the main source of identities and credentials stolen to be reused for stealing more. They are the silent majority, victims of online abuse, learning from bitter experiences that complaining will do them no good and will not solve the problem. There is no one out there to protect them despite trying to protect themselves. Even so, they share their details with other entities for online services. When an online platform, corporation or a state institution database is breached, the information stolen is that of Internet consumers using those online services.

Common internet consumers have become the training ground for cyber criminals. They are the first receivers of the phishing links when they are asked to click and confirm their login details. They are the first ones receiving documents infected with malware, dragging their devices into infrastructures of infected devices called botnets, used in more advanced types of cybercrimes. They are the testing ground for all kind of lies and pretenses. If the tests are working on them, the bad actors confidently expand the targets to higher paying targets. Typo-domains so long used against consumers are now extremely problematic in Business Email Compromise (BEC) targeting businesses with great success.


The alliance between the scammers and black hats found the average Internet users can be used and abused as pawns to protect their own anonymity and safety. Romance scams victims may receive a death sentence after being deceived into smuggling drugs, online fraud victims end up in jail after being unwitting money mules and somebody trusting the internet to find a job may be arrested for reshipping stolen goods bought with stolen money and credit cards. Innocent unwitting consumers are the pawns in criminal money laundering initiatives.

The public reaction is almost predictable, blaming and shaming the victim for believing a lie, making the victim responsible for the fraud no victim was ever asking for.  Many a time companies and even the authorities partake in this.


Behind the sceneS


The victim might be alone while communicating with a scammer, but the scammer is not alone. He is a member of a fraud syndicate. The syndicate has a whole infrastructure controlling resources and elements needed for a successful scam. The victim is profiled and analyzed prior to the fraudster starting to “work” the victim. The ring leader pays for the scripts the main scammer uses, pays for the phone numbers, mobile or VoIP. He provides the names and locations of the people receiving the stolen money for money laundering. Many of the recipients are actual victims themselves as mentioned before, having no idea they are using their real identities while laundering money for the fraudsters. The ring leader decides on domain names and pays for the domain names used to perpetrate the fraud,  also paying the ones creating websites for those domains – enter the faker maker.

The faker makers is the technical person that does everything needed to keep the required websites active, from registering the domain name, setting up email accounts, hosting and creating the website to rehosting it if the site gets suspended.  This is the real story that makes the scam succeed, that hardly ever gets told.

We have two main types of domain names used in Advance Fee Fraud:

  • Email only domains having no content:
    These domains are used for the deceptive email address such a domain can provide. The domain will typically have no matching online content, or when a party goes to the domain name in their browser, it will redirects to another legitimate website (often one being spoofed). The main deception is based upon the choice of domain name that would appear in the target victim’s email box. Any further potential online redirection after this is opportunistic to further the deception in the fraud attempt by creating a false sense of association.


  • Domains used for content:
    The content may be stolen from one or more websites, may impersonate the company it was stolen from or be stolen as a crime of convenience. However the content may be totally bespoke as well, yet deliberately deceptive nonetheless. The choice of domain name is a good indicator of intent. A totally unique name for a loan company with a domain name with the word loan in it, would be an example of common loan scam usage. Tactics may be used to hide the content from the casual passer-by. The content may be hidden in folders with an empty or blank landing page. Likewise sub-domains such as login.bad-domain.tld  as opposed to the generic bad-domain.tld may be used. The victim is sent a link in communications to the malicious website, not unlike phishing.


Fake banks


The fake bank is  used in all types of online fraud. There are two types of fake banks:

  • Fake Persona Accounts
    These are ones where the victims is asked to go and verify the “existence” of money the scammer claims to have or have access to and wants to share with the victim. These are typically used for fake accounts of dead person where the victim is asked to be next of kin of this person, or also commonly for the accounts of fake characters used in romance scams asking their victims to help them with the guarantee of a payback.


  • Personalized Accounts
    Here an account is created in the victim’s name, sometimes after being asked to create an account at the fake bank. This is used for  receiving money the scammer promised to deliver and a fictitious amount is entered into a mock accounting system to create the illusion this is real money. This usage is typically seen in lottery scams, inheritance scams, loan scams or typically where the victim expects a payment during a business transaction. An excuse always exists as to why the fraudsters can’t use the victim’s own account and a new one has to be created at the fake bank.


Fake suppliers


These fake sites impersonate a wide range of suppliers, from parties claiming to sell pets, electronic goods, though drugs and fake documents like visas and passports, to high priced items like agricultural equipment, properties, gold and precious stones.  Many of the underlying items used as bait to defraud and the methods used to target consumers, allows us to guess the origin of the fraudsters with amazing accuracy.


Fake couriers


The fake sites impersonating couriers are used in all types of online fraud. It might be used in a job scam where the victim needs to receive visa and work permit, a non-delivery scam with a victim waiting for a product bought online, where the victim believes they will receive a parcel from a loved one. In all the cases involving fake couriers, the victim will receive a link to a tracking page and login details to check the parcel status. Typically this is personal victim data entered into a mock courier database. The courier is typically used to extract more money from the victim using a myriad of excuses, also leading to impersonation of the authorities,  blackmail and extortion.


Fake authorities


Domain names  impersonating the authorities are a major part of Advance Fee Fraud and can be found in various shapes and forms, from domains impersonating law enforcement in various countries (FBI, Interpol, Homeland Security, DEA) to the United Nations, Red Cross, Embassies and lawyers. These type of sites are used mostly in recovery scams, but also in other types of scams and are meant to confirm to the victim the “legality” of the fraudster’s financial requests, many times using coercive methods. Typically the law enforcement domains will not have online websites, rather being used for email only purposes.


There will hardly ever be a single scammer dealing with a victim, nor a single fake site used. Once a victim pays up, another request follows.


We see harvesting campaigns disguised in attempted romances,
We see email only domains used in romance scams originating from East Europe –, some having the same domain owner (registrant) as hundred of other domains, already blacklisted for spreading malware. As we can see, sometimes these may spoof well known email providers like GMail to deceive potential victims.


Cases of fake sites used for a single type of scam are the exception and not the rule. Following a complaint from a victim searching for a loan online,  we uncovered a nest of over 200 fraudulent linked domain names operated from Benin, West Africa, targeting mostly victims in Europe: After the initial nest was reported and the domain names suspended, the fraudsters moved fast to create a new nest of domains:


Mostly, what we see are fake sites used with the same victims while the fraud moves ahead. A military romance scam starting on a dating or social site will lead to a fake delivery company for example. Researching a military romance scam defrauding a victim, we identified a Nigerian fraudster whose online activity goes on since 2004, despite of all the legal ways and reports used to stop him, 314 fraudulent fake sites on our last check: This party is also using many domains registered with fake registrations claiming to be European, getting privacy protection in the new GDPR implementation, yet living in Nigeria in reality. Of late he’s been using .EU and .CA domains for his infrastructure.


In some other cases, a romance scam will lead to fake banks. Researching a scam attempt involving a fake bank, we end up with a nest of 196 fraudulent domains and websites used in online fraud orchestrated from Nigeria:

We saw web-developers from Ghana creating fraudulent domain names for Advance Fee Fraud:


We saw a domain used as a Keybase botnet controller, having the same registrant as few fake sites used in Advance Fee Fraud:


We see escrow scams operated from Eastern Europe: and Then we see escrow scams associated with rental scams:

There are cases of job scam domains (searching for money mules or agents for reshipping stolen goods) originating from East Europe and registered with stolen identities. Some of these domain names are used for spreading malware: This party has been at it since 2012, each time using another stolen identity to register hundred of new malicious domains in waves.


We saw supplier scams originating from the Cameroon:  and


Sometimes, the fraudsters creating the fake sites are also impersonating fake characters in romance scams:  


Sometimes the people involved in the registration process of domain names are actively involved in the Advance Fee Fraud.


A Nigerian reseller living in Malaysia and targeting victims in Asian was reported at He had his reseller account suspended due to continuous fraudulent activities, only to thereafter twice more obtain reseller accounts facilitating the same exact fraud, each wave of attacks requiring mitigation. This facilitator moved to another “tolerant” registrar providing blanket proxy protection. This fraud wave saw over 17,000 known victims targeted.


Another Nigerian living in Malaysia and targeting victims wordwide was exposed at His sites were mostly fake oil companies where the fake characters used in romance scams claimed to work, fake banks where the same fake characters pretended to have their bank accounts while spoofing real banks, showing their victims they have enough money to pay back the money they are asking for, and fake courier companies. He was reported for the first time in 2007. In 2014,  he managed to become an Internet domains reseller for various Registrars. As a reseller, he was abusing his reseller position, altering his scam site registration details, trying to cover his tracks.


There are cases of so called web-developers not only creating fake sites but also coordinating the frauds: The Decyber gang has been active since 2010. Last year, their portfolio included close to 500 fake sites. In the initial stage, they were impersonating banks and courier companies. Some of the fake banks created were using made up names, while others were impersonating real banks all over the world. In the more recent years, the fake sites maker portion of this group expanded their activity from various forms of Advance Fee Fraud to binary options fraud, phishing and also malware.  


Another case we researched, following complaints received from victims, shows how a Nigerian scam syndicate uses fake sites impersonating real owners of various US real estate companies while targeting US victims, while also simultaneously running romance, gold and loan scams:


The above are all only cases reported to us by victims or potential victims. Knowing how many consumer forums are actively exposing Advance Fee Fraud, we can say that the research we do is only scratching the surface. A closer look at an Advance Fee Fraud case can show how developed the fraudulent infrastructure abused is.


Victims complaining to us are also reporting the cases to their local law enforcement authorities. They are contacting their banks, showing how they got defrauded. Banks usually say the victims were negligent and there is no way they can recover the money they lost.


We, and forums similar to us, are reporting frauds and the perpetrators in an easy way for anyone searching for that information to find before being too late. Victims of identity theft are warned about having their identity stolen and used for Advance Fee Fraud. The fake sites discovered are reported to the Registrars with the needed proof showing how they are used to defraud victims online. Bank accounts used in Advance Fee Fraud are reported to the banks as money laundering information.  

In most of the cases there is little or no feedback from authorities.

Defrauding innocent victims online under false pretenses is not just a scam, it has a legal name, fraud. Orchestrated crime needs to be punished. Advance Fee Fraud is slipping through the cracks in an online toxic environment, eroding trust daily.  Advance Fee Fraud is seen as the funny Nigerian Prince, not recognized as a danger at the same level as phishing or malware, yet it holds the exact same danger for consumers and later when evolved, commerce. Advance Fee Fraud requires the threat recognition it deserves. Without acknowledging it as such, there is no awareness or willingness to prevent it, attack it, estimate its effects or even evaluate its magnitude and growth. Statistics are mere assumptions based upon willing victim reports, those brave enough to face ridicule and blaming.

Currently we are seeing formal legal procedures to mitigate bank spoofs being described as phishing, when it’s not. This also disavows much similar abuse. This causes confusion for the investigator and consumers trying to understand what is happening. Advance Fee Fraud desperately needs consistent definitions and formal recognition as an abuse threat not only undermining the integrity of consumers and the internet, but also as one undermining basic human rights.

We need consistent definitions and terms of reference. Without that, we are living in different worlds, pretending to speak the same language, but unable to understand what the other is talking about.

It’s finally complete!

A few weeks ago I started putting together what’s essentially a “webcam blackmail 101” presentation.  I’m pleased to announce it’s finally complete.  A lot of information has been added since it was first mentioned.  You want to know what ages the people who come to use are?  We have it.  Their location?  That’s there.  How many scammers come from what places?  Check.  There’s even a video showing how the scammers create their fake webcams.  If you want to check it out, you can find it at


Not so much a new project as a “side” project.

So, let me explain.  As you may or may not be aware, we do a lot of work related to sextortion/webcam blackmail here.  A lot of other people are also talking right now about the same subject, but there’s a lot of misinformation out there.  Too many “experts” spouting off Chinese whispers versions of advice and getting some of the really important stuff wrong.  I felt the time was right to put out what I feel is a “definitive” guide.  It’s one based on over 6 years’ experience in dealing with these scams and over 25,000 forms containing scammer data.  This one isn’t really for the victims of the scams though, but for everyone else.  Some of the information will be similar to our steps, but again it’s for more of a general overview of the scam, how it works and so on.  It’s still a work in progress right now, as I tend to write up what’s needed all in one go and then rewrite, add to, take away from, shuffle around and generally alter my work until it barely looks like the first draft anymore.  I’m kind of 95% happy with it as it is right now, but there’s still no doubt going to be changes made to it over the next few weeks.  If you want to check it out, go to and please let me know what you think.

Last time it was “stupid”, this time it’s “greedy”.

Early this morning, I was checking my social media feeds and spotted this comment from Avast! on Facebook:

Earlier that day I’d picked up a copy of a newspaper that had an article on sextortion we’d worked with them on.  The last quote from me in that was “Don’t let shame kill you”.  Now I’m seeing this company publicly call victims of “all online scams” greedy.  They also posted it on their Twitter feed, but this time the wording was slightly different:

Not “All online scams” this time, but rather “Online scams”.  This shows someone took the time to edit the wording before posting it.  Due to this, we’ve made the decision to no longer recommend Avast!” antivirus on our site and have removed the links to their download page from both our steps and the “read this first” thread.  We’ve also removed their software from our own computers and switched to a different company.  It’s a constant struggle fighting the “victims are stupid and greedy” myth, and posts like this only make it harder.  Now we’re not denying that some people get caught up in scams due to their own greed, but many become sucked in due to naivety, desperation, even the desire to do good.  Are charity scam victims greedy?  Are “work from home” scam victims greedy?  Are romance scam victims greedy?  What about the victims of hitman scams?  Grandparent scams?  Phishing?  “Tech support” scams?  I could go on.  Dismissing all scam victims as greedy is not only lazy reporting, but puts victims at risk.  We at ScamSurvivors refuse to support anyone who makes such sweeping, harmful statements.  We should all be better than that.

Who do people insist on using the “S” word?

Almost every interview I do, I make a point of saying that scam victims aren’t stupid.  Naive maybe, uninformed, possibly unaware, but not stupid.  Today I see someone again refer to scam victims as stupid, and it pisses me off!  What made this one worse is that it was an “industry insider”.  We have a hard enough time as it is trying to shake perceptions that scam victims are greedy or stupid as it is, without having to fight people within our own ranks who feel it fine to throw this kind of crap around.  I’ve met scam victims face to face on many occasions, and not one of them could be described as “stupid”.  I’ve met people who ran their own companies, who were smart, well spoken and who had simply made an error of judgment.  But yes, let’s go the lazy route and joke about “stupid victims” shall we?

Ways to help spot a phishing email.

Recently I had a conversation about phishing emails on Twitter.  Today a perfect example of a phishing email to use for a tutorial popped into my inbox.  Phishing emails are ones that try to fool you into clicking on a link a scammer has control of, while thinking you’re clicking on a completley different one (your bank for example).  It could be to trick you into giving them information or to load a virus on your computer.  Let’s pick the one I have apart to see the signs that it’s a scam.  Firstly, if you receive an email with links, the safest thing to do is not click on it.  If you get an email from your bank etc. and you’re worried, then go directly to the site itself rather than click on the link.  However, some of us like digging deeper.  Some of us even go as far as to get as many details as we can so we can attempt to get the fake site shut down.  This is for the more curious of us.

The very fact I received it at an address specifically set up to collect scam emails tells me it’s fake.  However, we’ll skip over that fact and look at the email itself.  I’m using a PC to do this.  Those using touch screens won’t be able to do all these steps, but can still do some.  Here’s a screen grab of the email in question.  If you click on it, you can see a larger version.

Even from this, it’s obvious to me it’s a scam.  Take a look at the email address.

Why would “Diamond Bank Plc” send out an email from a completely different domain?  The scammer could have faked the email address to make it appear as if it had come from the bank, but didn’t in this case.  That site used in the email actually does exist, and has been around for a while.  It’s likely the scammer has hacked into the site to use as a way to send out emails.

Let’s hover over the link.  This is the single step you usually see as advice, but as you’ll see, there’s much more an inquisitive mind can do.  Hovering shows up a completely different link.

Gee, that’s not the bank’s address now, is it?  Scammers can alter the link to make it appear as if it’s genuine.  Not in this case though.  This is a nice, easy one to spot.  The site is genuine and likely another one hacked by the scammer (or hacked by someone else and the details sold to the scammer).

What next?  Well, let’s take a look at the bank’s logo.  By right clicking on it and copying its address, we get this link.

The image link is from a Google search and not the actual site.  Real emails would link directly to the actual image on their own server.  Some scammers do that of course, so while it’s something to check, don’t take it as being genuine just because the image is from the right place.  Everything we’re doing are pieces of a picture, one that’ll show the email to be a scam.

Now, here’s something cool regarding that image.  When I took its location, stripped out all the Google stuff and put it into my browser, the way the word “content” is broken up throws up an error page.  Want to see it?

Click here to see the magic. The link will open in a new tab.

See, I told you it was cool!

We haven’t even looked at the headers yet.  Let’s do that now to see what we can see.  My catcher account is a Yahoo one, so I click “More” and “View raw message”.  Other accounts may have “Show original”, “show headers” or something similar.  What you should see at this point is a lot of text, most of which will look like garbage.  We’re going to look at a few things here, and let’s start with the originating IP address.  This can be another piece of that picture if we’re lucky.  IP addresses in headers are a clue to the route the email took to get to you.

The IP address in this case is so let’s look it up.

Let’s look around for another IP address to see what that gives us.  Your location will be on the top, theirs on the bottom.  Sure enough, we find one last IP address just below the one we showed earlier.  You can ignore the one starting with 192.  That just an internal number that identifies the computer to any other devices connected to the router.

Before we get to the other IP address, did you spot that site address, and did it ring a bell?  It’s the same as the details from the previous IP address.  We’ve now got three possibly compromised websites listed.  OK, so back to the new IP address.  Where does that lead us?

Now there’s a place we all recognise as a hot bed of scammer activity.  Seems we’ve found the actual source of the email at last.  We’re not in an episode of CSI though, so we can’t go any further than that on the IP address route.  Time to move on to see what else we can find.  How about those links?  We’re going to look at the coding of the links.

For those with an understanding of HTML, there’s no need for me to explain.  For those without, ignore all that stuff in the square brackets.  The only things you need to look at are the links. The link you’ll be taken to if you click it is in the quotation marks, and the text you’ll see on the link to make it appear legitimate is next.  That could say anything at all, but the scammer used a web address to make it appear on first glance that’s where you’ll go if you click it.

So, what did we get out of this phishing email?  Hovering showed us it was an obvious fake, but more digging not only showed us where the scam was sent from, but gave us a list of three different compromised websites and let us see the code the scammer used.  Hovering can work in detecting an obvious fake, digging deeper can show you so much more, but not clicking on any links you receive in emails or messages will 100% guarantee you, your data and your computer remain safe.


Sooner or later all of us in the Anti-scam community will suffer from burn-out at some level. For those who do not work in the Anti-scam community think of what we do as a second job. One that you never get paid for in money but only in the satisfaction of doing the right thing. I have worked more than one 8 hour night after working my real life job during the day doing Anti-scam activities. It can be fun posting Scammer information and doing whatever I can to hurt the scammers and help victims find out that they are being scammed and get them back into the real world outside of the scam. But doing this can also wear you down at times. It is no fun hearing a victim tell you that they sent their life savings to their scammer. It is no fun getting an E-mail from a victim who says they took out a loan so they could send the money to their lover ( the Scammer) and will spend years paying that loan back.
So what keeps me going?
One is that I work with a great team here at We all work hard to keep this site up and running and helping victims. Knowing there is a great team of people I work with here makes the work I do easier. But in the end, it’s about helping the victims. It’s about helping those people who have lost everything to the scammers and need our help. Its about posting scammer information so people can find it in a Google search and be warned about the scammer. We do this for the countless victims that we have helped and can post on our website that they are out of the scam and will be ok and those who never will post on our site that we helped them.

New and improved, or just repackaged?

More and more we’re seeing so called “experts” announce some “new” scam that are in fact nothing more than old scams with a slight twist.  The latest one is an email sent out with the person’s password and a claim that their computer has been compromised and footage of them visiting porn sites have been made.  The email starts with this sentence:

I’m aware that XXXXXX is your password.

That part’s new, but it’s the only part of it that is.  The rest is identical to emails we’ve been receiving for almost a year.  You can see the thread in question at

It’s the same format, same threats, even the same method of payment.  This evolution comes about due to the scammers using hacked lists that feature email addresses and passwords.  Here’s samples, first of the ones we received way back in September of last year, then of one of these so called “new” emails.  See if you can spot the similarities:

All in all- if you want me to destroy all this compromising evidence, here is my BTC wallet address- 16NqZUQSH8VbJSzn8Hj1W7dU3geSQ7AehM (it must be without «spaces» or «=aquo;,check it). If you do not know how to use it, you can ask google or youtube for help- its very easy. I suggest, that 290 usd will finish our problem and will destroy our touchpoint in perpetuity. You have thirty hours after reading this message(I put tracking pixel in it, ill know when you read it). If you wont finish transaction, ill share the compromising with all contacts I’ve collected from you.

Now the second one:

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google) .

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72

(It is cAsE sensitive, so copy and paste it)


You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email

The amounts change, the Bitcoin address changes, but the threats pretty much stay the same.  They even both mention the “tracking pixel”, though one calls it “an unique pixel”.  This “new” email suddenly doesn’t look so new, does it?  Let’s go even further back and look at the emails that were sent out after the Ashley Madison hack back in 2015.  This thread is at if you want to check it out.  How do they compare?  Let’s take a look at a snippet of one of those emails:

 If you would like to prevent me from sharing this dirt info with all of your friends, family members, spouse, then you need to send exactly 1 bitcoin (BTC) to the following BTC address:

Bitcoin Address:
19qbfGUPRTvZ9yAtRNusbLdyg5Pbe6DSK 4

We are providing a chance to solve this case. You make a payment to the above mentioned btc address. The time ends in the next 24 hours. We will not publish your data and we will not inform your contacts.

You can get bitcoins at an exchange like,,,,,, or a Bitcoin ATM machine

If you pay within 24 hours of receipt then we will delete your record. No payment? Then you will see what happen after this period. Once this period has expired, we can’t do anything more for you. Our website is launching soon. We will surprise your family, friends and colleague with it. We will give you this one last chance.

You may be wondering why should you and what will prevent other people from doing the same, in short you now know to change your privacy settings in Facebook so no one can view your friends/family list. So go ahead and update that now (I have a copy if you dont pay).

Suspiciously familiar isn’t it?  Now tell me again about these new scam emails that are doing the rounds…

What do a sexortion scammer’s threats look like? Here’s an example.

Do not try to cut the cam or stand up otherwise I think you’ll see me act in the minutes that follow.

Listen I remind you that your video is 55% on the site

So to avoid any sort of problem I just give you 2s to restart this cam or I swear I’ll start publishing your video.


Would you like me to send this to the inhabitants of all your present city and to the media like the FIGARO?

Believe me I’m more than determined to rot your life Make your life a shame, a disgrace, a hell, a real disaster, a hell on earth and also I remind you that I’m heartless I have no pity for rot a life and if you have doubts, try and you’ll see

I’m more than determined to rot your life to make it a waste, a garbage can, a shame, a disgrace, a real disaster, a hell on earth and also I remind you that I am heartless I have no pity for rot a life as well as yours.

So tell me, Would you like this video of you to be shared on all these online video sites such as:
CTV Television Network
Canal +
LCP AN / Public Senate
RMC Discovery
Number 23
Antenna 2
The Parliamentary Channel
Europe 2 TV
RMC Discovery
Canal +
Sport Stars Trace

You would like, that this video of you is shared on all these sites I listen to you ??????????

You would like this video of you to be shared on all these sites
I’m listening to you???????????

You want to have a limited freedom because I would not hesitate also to make you famous also in all the NGOs that fight against these kinds of practices of sexual exhibition in lines present in your locality like these person on the pictures I listen to you.

so if all of this seems like you’re having fun, then go, try to play hard, hold my head or even try to play the fugitives and you’ll see if I lose a single moment sharing this video from You with your knowledge and place of work XXXXXX I guess that’s what you want ??

I will send to your contacts the link of your video on youtube and I will create profiles in your name with an image of you extracted from the video and I will also send this image by fax to the tradesmen of your district. I am able to make all that you know?

Believe me I’m not kidding because I would not hesitate a second published this video of you all over the web by placing it on all the major online video sharing sites of the world

I am the devil who is just there to rot you, so you can never escape from me wherever you go, if you try to play hard and run away you will regret it all your life.

In spite of that I would put everything in my power so that the media and the newspapers make noise on you and your video and I will make of you and your video an encyclopedia because your video to harden me enough to rot your life.

Would you like it to be within the reach of all the inhabitants and also to all the inhabitants of your current city: XXXXXX?

According to article 227-23 of the French Penal Code which incriminates any representation (drawings, virtual images, etc.)
You are accused of insulting the public morals of a state, of perverse acts and of pedophilia.

you know very well that this act that you have just made is illegal according to the article 25 of the law 765465 of the 7 OCTOBER, You will be locked up of 5 years of prisons and followed of a fine of 75.000 €.

Would you like this video of you to be published worldwide?

0k Well, if you have this idea to go to the police or gendarmerie run quickly and do it, mas know one thing there you will only make the situation worse and you will pushed me to the end, I swear that people do not will be able to prevent me from diffused, shared, published this video of you in all the world and put it with the port of all your

It’s not just sex that needs to be done safely.

I’ve just read an article on someone playing with romance scammers, and feel the need to point some things out.  It’s safe to say I know a thing or two on the subject, having baited my first romance scammer back in 2006.  Back then it was a different beast, as almost no one was dealing with romance scammers, so we had to learn as we went along.  We made mistakes, but learned from them and became better and safer baiters for it.  The one big thing we learned was never to use our own identity to bait scammers.  Everything from our date of birth to our pet’s name would be made up.  Locations were fictitious and photos would be taken from mug shots and the like.  Even when I do interviews, I use a fake name even if I have to show my actual face.

Now imagine my surprise when I read a story today that had someone using their real details to bait scammers.  Name, photos and location.  Seriously?  This is stuff we realised a dozen years ago was a bad idea, yet people still do it and the media praise them for doing so.  Me, I’m sticking to keeping everything fake and keeping myself safe thank you very much.