Image sourced from la Guardia Civil, Gabinete de Prensa
Fraudsters use forged US dollars to convince victims of the legitimacy of their offers
Spear phishing, a new method of delivering scams, has been used to inflict losses of up to $3.5 million on Australian individuals.
Written by Saúl A. Zavarce
Travelling around Spain as a Venezuelan has many perks. The Venezuelan accent is exotic, most tourists don’t speak Spanish and the warm nature of the Spanish people is familiar.
I was a local and a foreigner all at the same time; you can imagine the excitement of meeting new people and sharing much about yourself, caring little for the potential consequences.
To find a letter from ‘Paul Lara’, a Madrilene lawyer, just a month after having returned sent anxiety right through me. It was a struggle to remember every potential late-night misadventure that had landed me in hot water.
To open it and discover I had a ‘€4.5 million inheritance’ from a recently deceased estranged Spanish relative, however, was a very amusing relief, albeit an equally dangerous development.
Scams and other forms of fraud are clearly effective crimes. Financial losses arising from scam activity totalled $93 million in 2012, a 9 per cent increase on the amount reported in 2011. One unidentified sorry victim lost $3.5 million in 2012 to this particular type of scam according to the Australian Competition and Consumer Commission (ACCC).
Little thought is given to the trail one leaves behind as a visitor in a foreign country. Credit card payments, ATM use and hotel check-ins all require you to leave some level of personal information behind. How did this scammer find out about me? Do they have access to hostel records, a credit card payment? Maybe I met them face to face?
This type of scam is commonly referred to as an “inheritance scam” or “advance fee” fraud, a variation of the Nigerian Scam. The premise is that fraudsters target their victims with semi-plausible stories about fake relatives or investments from which they are supposedly entitled to some monetary amount.
My own letter is of course tailor-made for me. It features my name as it appears on social media; the address of the lawyer is only 10 minutes from the hostel I stayed at in Madrid. The envelope makes references to Valencia, another city I recently visited, and of course how could I ignore the ‘coincidence’ of having just returned from Spain and having an ancestral connection to it?
Throughout, the cordial tone of the letter prompts me to call one of the two numbers listed or to email him, never once referencing any fees or soliciting bank details.
“Scammers go to great lengths to gain your trust, spending months and even years building a relationship with you,” says ACCC Deputy Chair, Delia Rickard.
Before you can receive any of the money from your inheritance, however, you are required to pay a fee upfront. These could be in the form of legal fees, bank fees or similar. They can range anywhere from relatively low amounts to thousands of dollars.
If the victim continues to pay, the fraudsters continue to bring up false fees; each fee is always “the very last fee”.
“These scams can also pose a risk to your personal safety as scammers are often part of international criminal networks. Scammers have lured unwitting Australian victims overseas, putting people in dangerous situations that can have tragic consequences,” says Ms Rickard.
One such case starting in 2005 saw a Queensland family lose $1.3 million to this type of scam.
In the hopes of building trust between the victim and the fraudster, victims may be provided with official-looking documents such as death certificates or power of attorney documents.
This was the case for Steven Baker, who visited Europe three times at his own expense to verify the inheritance and was taken through an elaborate charade of a Spanish bank, where he was shown a case of US dollars, his ‘inheritance’.
“The professionalism of it is just unbelievable, the paperwork, the officials, going to government departments, you would think if they were straight out scammers they wouldn’t have access to government officials and places and the paperwork with all the stamps,” Mr Baker told ABC radio.
What Mr Baker did not know was that not only was the whole thing a ruse, but the money shown to him was also forged.
A video published by the Grupo de Delitos Telemáticos (GDT) de la Guardia Civil, Spain’s cyber crime unit, reveals how the ‘money’ held within these prop safes consists of photocopied forgeries. Plain printed paper is wrapped in transparent plastic, simulating 50 million American dollars in hundred dollar bills.
That video is from “Operation Magi”, a sting operation in which six Nigerians, one Colombian and one Spaniard were arrested for their involvement in a crime syndicate conducting Nigerian scams.
The dismantled group was found in possession of 50 mobile phones, several computers and lots of high-end jewellery, all used to simulate the charade of officialdom and to facilitate their crimes.
“The group had perfectly distributed functions and hierarchy; the chiefs were responsible for capturing new victims through the Internet. Other members were responsible for carrying out the deception in Spain,” said Comandante Oscar de la Cruz of the GDT.
Professor Jonathon Clough of Monash University, a cyber crime academic, believes the extra effort to use personal information to target a victim and send letters instead of email spam could be an example of spear phishing.
Spear phishing is where, instead of spamming thousands of email addresses in the hope of some return hits, fraudsters build profiles and target individuals directly. The spear phisher thrives on familiarity: he knows your name, your email address and at least a little about you.
“You may receive an email from a friend, ‘my trip to wherever has gone horribly wrong, I am trapped overseas, my wallet has been stolen, can you send me some money,’ and it goes out to family and friends of that person. That is a plausible story,” says Professor Clough.
Sergio Alva, an IT Security Consultant, says that amateur spear phishers could use a technique known as Google Hacking to find private information on the internet from past behaviour.
“It is possible through this to find the titles of YouTube accounts, Facebook profiles, Hotmails and even forum usernames.
“A lot of people have their email on Facebook and social networks. Maybe you have a forum that you comment on, or a group, and as soon as you put your email, name or telephone on them, people can find you there. All that information is there, you just need to look for it.
“Sometimes it’s not that deep, sometimes it is really deep, but it’s still there. And if you know how to do it, you can get everything. Photos, passwords, emails, timetables,” says Mr Alva.
Performing an involved Google search of myself, it was possible to discover a lot more about me than I would have preferred.
By using just my name and location I was able to find my address in the Australian White Pages.
I was able to find my online moniker linked to my name via my YouTube account. Through searching that moniker I was able to stumble upon a video game forum I frequented as an adolescent.
On that forum I openly refer to my nationality as Venezuelan and mention that I moved to Australia at a young age.
By searching just my surname, it is possible to see Zavarce is a name from Basque nobility; my ancestral connection to Spain makes a Spanish relative all the more plausible.
The modus operandi of ‘Paul Lara’ and the crime syndicate he is likely a part of seems quite clear:
- By searching my name in Google and other social media, it is possible to discover I am a Venezuelan of Spanish descent (if they weren’t already aware from meeting me).
- Through this method it is possible to find my home address.
- By writing an ‘official letter’ and making an envelope with all the correct Spanish post office logos, the fraudster attempts to earn my trust by presenting me with a semi-plausible story of an inheritance.
- I am to then call or email him via the methods provided, with emails likely reaching specific servers, and phone calls going to one of the main prepaid cell phones they have for this kind of activity.

In the search for how Paul Lara would then proceed, I contacted Paul Lara via an email address I made specifically for this task.
In the reply, Paul Lara stresses the utter secrecy that this transaction must take while simultaneously attempting to reassure me of the legality of the transaction:
“At this point, it becomes imperative to let you know that my integrity and carrier as a Lawyer(sic) are at stake here, so please be informed that this transaction should be top secret and is going to be carried out under legitimate arrangement that will not breach either the law of your Country(sic) or mine, hence it is risk free.
“I have to tender an application to the Bank presenting you as the next of Kin(sic) to my late client Mrs. Rita Zavarce, So(sic) the bank will contact you within (24 to 48hrs) twenty four to fourth(sic) eight hours from now and whatever related documents the Bank(sic) ask for I shall provide them, You(sic) have to send me your telephone numbers so that we can Speak(sic) verbally.
“Get back to me once the bank contacted you and fill(sic) free to call me any time.”
I of course never got back to him with my number to receive that phone call from “the Bank”, and in fact his emails and attempts to contact me are classic incarnations of this form of scam, grammatical errors included.
According to Scam Watch, a website set up by the ACCC to aid consumers regarding scams, the following is typical:
- You receive a letter, message or email out of the blue from a scammer posing as a lawyer or banker and offering you a large inheritance from a distant relative or wealthy individual.
- The offer looks convincing and may use official-looking letterhead and/or logos. It may contain spelling and grammatical errors.
- You may be introduced to a second or even third scammer – such as a banker, lawyer and tax agent – to help facilitate the legal and financial aspects of the transaction.
Scam Watch even has a template letter with some similarities to the letter I received.
Had I continued with the dialogue, at some point Mr Lara would tell me of a roadblock fee I must pay in order to receive my inheritance from the late Ms Rita Zavarce, and as long as I kept paying, Paul would keep inventing new fees for me to pay.
If that had happened, the likelihood that the ACCC, Australian Federal Police or the Spanish Civil Guard would find, prosecute and return my money is nil.
“There is always the general point that policing is a tiny part of this. You just can’t police this number of transactions,” says Professor Clough.
“There is an interesting parallel, in the offline world we all know that if we’re burgled it may not get solved or if our car is stolen it might not get solved, but we insure our cars, insure our homes and insure our valuables, we lock our cars and lock our homes and take steps to mitigate that.
“Part of that is making sure people are a bit more careful online and have changed their passwords and are taking the steps that they would in the offline environment. Policing is always going to be dealing really with the most severe examples and will always be behind in the sense that it’s hugely resource intensive.”
Given I don’t have millions of dollars to lose, it is unlikely my case would progress very far.
Fraud is an ancient crime; the only thing new is that criminals are using new stories and methods. So lock your houses, insure your cars, change your passwords, don’t use unfamiliar PCs to do internet banking and always, always, always fear legal correspondence from foreign countries.