I'm not going to talk about romance scams in this post. There's enough information here already so there's no need to repeat ourselves. Let's take the last post in our 419 section right now as an example of what to look for in our first instance.
viewtopic.php?f=6&t=109321
This is what we have in that email:
With due respect ,
The bank official knows that you are not able to receive your fund.
They have decided to transfer $100,000 from your funds to your
personal account, so you can settle your bills. You will need to apply
for an ITCC document to enable the transfer to take place. This
document will cost $350. Please if you are okay with it, let us know,
so we can give you the payment information.
Mr. Allen Goodluck
Central Bank of Nigeria
Now let's post that again with the reason we can tell it's a scam:
With due respect ,
The bank official knows that you are not able to receive your fund.
They have decided to transfer $100,000 from your funds to your
personal account, so you can settle your bills. You will need to apply
for an ITCC document to enable the transfer to take place. This
document will cost $350. Please if you are okay with it, let us know,
so we can give you the payment information.
Mr. Allen Goodluck
Central Bank of Nigeria
Why is this a scam? It's asking for money up front. It's what's called an "advance fee fraud". Sometimes it's that simple. Let's look at the email headers next. These are the hidden parts of the email that you need to specifically look for. Every email provider has a slightly different way to see them. It could be "view source", "properties", "show original" or something similar. Once you have these, you can see the path the email took, which can be a great indicator of where the email really came from or what the "reply to" email address is. A scammer can fake or "spoof" an email address, but they still need a working email address to receive any replies. Here's the headers from the email:
Received: from 127.0.0.1
Return-Path: <tskfcce@gmail.com>
X-Originating-Ip: [209.85.222.49]
Reply-To: ag837519@gmail.com
From: Acting Central Bank of Nigeria <tskfcce@gmail.com>
Date: Mon, 21 Aug 2023 04:49:03 -0700
Message-ID: <CAD=3e9etT9Di_Rmf7DApjJVpPfUOxoPpG7G3LT=6Qo3wddTc0Q@mail.gmail.com>
Subject: With due respect ,
To: undisclosed-recipients:;
And with the things to look for:
Received: from 127.0.0.1
Return-Path: <tskfcce@gmail.com>
X-Originating-Ip: [209.85.222.49]
Reply-To: ag837519@gmail.com
From: Acting Central Bank of Nigeria <tskfcce@gmail.com>
Date: Mon, 21 Aug 2023 04:49:03 -0700
Message-ID: <CAD=3e9etT9Di_Rmf7DApjJVpPfUOxoPpG7G3LT=6Qo3wddTc0Q@mail.gmail.com>
Subject: With due respect ,
To: undisclosed-recipients:;
No official company will use a free email account. They'll use a legitimate account from their own website. If they try to fob you off with an excuse as to why they're using Gmail instead then it's a scam. See the "undisclosed-recipients" bit? That email was sent out to a number of people, not just you. Not difficult, right?
You'll see the bit in blue. That's what's known as an IP address. Sometimes you can trace the route an email took by following the IP addresses from top to bottom. Think of it like watching the progress of a letter or parcel you've ordered, but in reverse. You need to be careful with these though as some email providers only show the IP address up to their datacenter. Using the parcel analogy, it would be like being able to trace the item you arrived, but only up to the moment it was booked into the courier's depot and not from when it was collected from the start location. The one in this example shows 209.85.222.49 which leads to Google. Be wary of this as it can lead you to thinking a scammer is somewhere he's very much not.
What if the scammer makes their own site though? Then they wouldn't need a free email account. This time let's look at viewtopic.php?f=6&t=108962
Hello
I hope this message finds you well. I am an account Auditor at
Santander Bank Plc. I am writing to you with a confidential business
proposal that presents a unique opportunity for partnership in the
transfer of a significant inheritance fund. For more information
please contact my personal email : ameen@merit-services.com
Ameen Hammadi
This one is a little smarter, but if you check the headers again you'll find this - this time with the important bits highlighted immediately:
Return-Path: <interc.delivery@gmail.com>
Reply-To: ameenhammadi52@gmail.com
From: Ameen Hammadi <interc.delivery@gmail.com>
Date: Fri, 11 Aug 2023 04:08:29 +0100
Message-ID: <CAPCD-=LANfiFp1N-Ch5PmAMgdH-TOe_ptAeEGXOvuPjkSRzd4A@mail.gmail.com>
Subject: Beneficial
To: undisclosed-recipients:;
Hit the reply button and it'll be sent to a Gmail account. You wouldn't have known that without looking at the headers though. It goes deeper still. What if you look up the email address they gave? There are several free sites you can use to see when a website was made and how long they paid for. I won't name them as the ones we think are best seems to change from time to time. What does that tell us about the site?
71 days old
Created on 2023-06-11
Expires on 2024-06-11
Updated on 2023-06-11
Just 10 weeks old and has a one year expiration date. Even worse, the screenshot of the website in question shows you they haven't even put any content on the site:
- screenshot2.jpg (23.96 KiB) Viewed 1740 times
You guessed it, fake. It can cost less than the price of a pint of beer to run a website for a year if you only want to use it for scams.
Scammers may buy site names that at first glance look like the legitimate one, but may have a very subtle difference. They could for example use GoogIe instead of Google. Can you tell the difference between them? No? One uses an l and one uses a capital i. l and I look so alike if you're not looking for it. If you copy and paste it directly from the email into the search then it'll pick up that difference for you.
But what if they do have content on the site? That's where Google and all the other search engines out there come into play. Check everything, and I mean EVERYTHING on the site. The images and the text would have been stolen from elsewhere. Most of the time a simple search will show you where it was stolen from as well as any other fake sites using the same information.
All this will take you just a few minutes, but can prevent you from losing everything. Most importantly, if you do find out that the email you received is a scam, don't reply to them and do post the details up here. People are saved because that information is out there for them to find on sites like ours. If this information helped you, help us to help others too.
