Anatomy of a Scam

So one of my acquaintances who has mail at verizon.net via AOL got hacked, and I wanted to go through it to show people all the red flags they should be seeing when they get an email like this.

An advance note for the tech savvy: what follows is not any cool pwnage of a scammer. I don’t get them to do anything. This post is meant to be educational for people who might otherwise get caught by such scams, and mildly amusing for people who enjoy weaksauce interactions with a scammer.

First off, before anything else, this is not the kind of email this person would ever send me. We’re not close friends: we’ve done theater together. Also, the email said

I need a little favor from you.

This was the first red flag.

The “From” and “Reply To” are different!

So I looked at who sent it and I saw the first actual red flag. The mail purported to be coming from an email address at verizon.net, but the reply-to address was the same email address at gmail.com. People don’t usually send mail from one email account and expect you to reply to another. Sometimes they do, when they’re juggling different role accounts (like I do: I have my personal email, my work email, and email for various organizations/groups I work with, but I usually have those email addresses set up to forward to my real email, not set up with my real email as the reply-to). I wanted to see if these jokers had actually compromised Melissa’s verizon.net email, or if they’d just set up a GMail account and were spoofing her verizon.net address.

I replied, but I replied specifically to the verizon.net address, asking if she had sent this email. I soon got a reply… from the GMail account.

Fun with time zones

This gave me the second bit of evidence that this email is bogus: note when their response says I sent my message. They sent their message to me at 9:12 AM, I sent my response at 15:15 (3:15 PM, for those people who don’t use 24-hour clocks, sometimes called military time), and they responded to me at 9:19 AM. How is that possible? Easy: I didn’t send my response at 3:15 PM in my time zone. I sent my response at 9:15 AM. The iPhone they’re using to send these messages is in a time zone six hours ahead of mine. This could be a great deal of Western Europe, but—and I hate leaning into this stereotype—it also happens to be the correct time zone for Nigeria.
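
Both checks above can be run against a message's raw headers. The following is an added example, not part of the original post: the sample message, its mailbox name, its date and the UTC offsets are constructed, and it reads the sender's zone from the Date header rather than from the quoted-reply timestamp described above.

```python
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the mailbox name, date and UTC offsets are made up.
SAMPLE = """\
From: Melissa <m.example@verizon.net>
Reply-To: Melissa <m.example@gmail.com>
To: packy@example.org
Date: Tue, 14 Jan 2025 15:12:00 +0100
Subject: Favor

I need a little favor from you.
"""

def split_address(header_value):
    """Return (local_part, domain), lower-cased, from an address header."""
    _, addr = parseaddr(header_value or "")
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()

def reply_to_flags(msg):
    """Flag replies that would go somewhere other than the From address."""
    if msg["Reply-To"] is None:
        return []
    f_local, f_dom = split_address(msg["From"])
    r_local, r_dom = split_address(msg["Reply-To"])
    flags = []
    if r_dom != f_dom:
        flags.append("reply-to-domain-differs")
        if r_local == f_local:
            # Same name at another provider: the look-alike mailbox seen here.
            flags.append("same-name-different-provider")
    elif r_local != f_local:
        flags.append("reply-to-mailbox-differs")
    return flags

def sender_hours_ahead(msg, my_utc_offset_hours):
    """Hours the sending client's clock is ahead of mine, or None if unknown."""
    if msg["Date"] is None:
        return None
    sent = parsedate_to_datetime(msg["Date"])
    if sent.utcoffset() is None:  # "-0000" means the client hid its zone
        return None
    return sent.utcoffset() / timedelta(hours=1) - my_utc_offset_hours

if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    print(reply_to_flags(msg))
    print(sender_hours_ahead(msg, -5))  # recipient assumed at UTC-5
```

The Date header is written by the sending client and can be set to anything, so treat the offset as a hint that supports the Reply-To finding, not as proof of location.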

But there’s more than just the time zone that makes this stand out as a scam.

I really want to buy a gift card, but I’m not able to, can you send me money over email?

Note how the person is currently out of town and they’re asking for me to buy something for them that’s equivalent to cash. It’s for a friend’s daughter (the first time I saw this scam from a friend, it was for “her niece”). They’ll pay me as soon as they get back.

Now, I just happened to be out shopping while I read this, so I decided to have a little fun with the scammers by replying to them more. I told them I’d gladly help, and I’d give her the information over the phone because we “wouldn’t want scammers lifting the card number from the email”.

Of course, my little jab went completely unnoticed. But I did notice one thing: they had a cover story ready for why they couldn’t accept a phone call. I find it odd, considering every email says that it’s being sent by the AOL app for iOS, but, hey, it’s an excuse.

So I started to play dumb. At this point in my shopping trip I was at the register, and the gift cards were right there, so I picked up the one Google Play gift card they had (gee, are they in demand for some reason now?) and took a picture of the front of the card—the side that’s useless to them.

“Like this?”

I could tell they were starting to drool.

Thank you so much. Kindly remove the card from its pack and gently scratch the back of the card to reveal the pin numbers, then take a bold snapshot of the back showing the pin and have them sent to me via my email. So I can forward them to her with some Birthday Wishes.

Once again thanks.

Melissa

I needed to play dumb some more.

Where are the pin numbers? I don’t see where I’m supposed to scratch!

They tried walking me through the process.

Kindly remove the card from its pack and gently scratch the silver tape at the back of the card to reveal the pin numbers, then take a bold snapshot of the back showing the pin and have them sent to me via my email. So I can forward them to her with some Birthday Wishes.

At this point, I started wondering what a “bold snapshot” was. Did they mean a clear snapshot? I wondered if I should start looking for a filter I could apply that would “bolden” a photo. I finally decided to lean in on the airhead: I googled an image of the back of a Google Play gift card. Like this, I asked?

Not useful in any way

No, no, they said, scratch the silver tape. Finally, I got them to send me a picture of what they wanted.

No doubt these numbers have already been picked clean of every penny.

Kindly check the attachment in this email and do the same as seen.

At that point, I kinda ran out of ideas for what to do, so I stopped responding. But then tonight at 6:39 PM (my time, not theirs), they sent a follow-up email with the subject line ANY LUCK?

Hi Packy, how has your day been ? were you able to scratch off the Silver tape at the back of the card. Kindly let me know. Looking forward to hearing from you.

Melissa

I’m pondering how to respond. Part of me wants to make up a story about having used a belt sander to remove the silver tape and accidentally sanding the numbers off. Part of me wants to just send them the image of the back of a card I got off Google Image search, whose numbers are definitely already used up. Maybe I’ll do both. 🧐