Gone Phishing: Internet Scams on Craigslist
Buying and selling over the internet has never been easier. With burgeoning to-do lists and ever more hectic pace of life, the ability to transact business online has been a virtual godsend to many people who dread lengthy trips to the shopping malls, fighting crowds of shoppers, and standing in never-ending check-out queues. But online shopping has also become a fertile breeding ground for all sorts of cyber criminals who daily defraud thousands of people by successfully masquerading as legitimate buyers and vendors.
Recently I became a victim of one such attack in what the FexEx security and fraud investigator has described as a classic case of “Phishing.” My case, she explained, was identical to the hundreds of others she deals with every week, trying to stem the ever-swelling tide of online personality theft and computer crime. I became a target, as it turned out, not of a single cunning individual but of an entire carefully planned operation that spanned countries and continents.
The whole thing started when I placed an ad on craigslist.la to sell my brand new iMac G5 computer. Unlike the more impersonal ebay, craiglist is something of a virtual community that tends to draw a kinder, gentler and hipper breed of individual. I have bought and sold things on craigslist before and always with positive results. In the flurry of emails that followed the placement of my personal ad, I discovered a florid communique from a would-be buyer in Africa. The email, written by someone who it seems learned English from reading Chaucer, informed me that it was my very good fortune to have an immediate offer to purchase my computer. The letter went on to explain that his business partner (who was based in America) would be contacting me at once to arrange payment and shipping details. He made no effort to haggle over the price but made an odd request that the item should be gift-wrapped at the buyer’s expense.
Next day I was contacted by his “partner,” from an innocuous-sounding yahoo account under the name Brenda Moore. I had no immediate local offers to buy the computer and did not want to drag the process out so after some deliberation, I agreed to sell it to these folks, with the understanding that they would pay me with a money order through Western Union while the package would be shipped to Nigeria via Federal Express.
Several other grammatically bizarre emails followed from Brenda Moore, confirming payment through western union and with a pre-printed shipping label for Federal Express. I have been skeptical until I got what looked at first glance like an official notice from Western Union that the buyer’s payment has been received and approved and waiting for me to collect it. There was one catch, however. I had to ship the item first and supply the tracking number before the payment was released. This was meant to protect both the buyer and the seller. Again, this seemed plausible enough so I did as I was told, had the computer gift-wrapped, printed out the shipping label on my computer, and dully handed the package off to the FedEx deliveryman.
Being by nature an impatient person, I immediately telephoned Western Union to let them know that I shipped the package and to find out when I could expect my money order to arrive. After shuffling me through several incomprehending operators and business departments, I eventually wound up with a service representative at BidPay that handles Western Union’s online auction payments. I proceeded to give them the transaction number only to discover that there was no such number in their computer. My name was not there either. I tried to explain what happened, still hoping naively for a clerical error. But when I mentioned that the package was heading to Nigeria, the service rep made it very clear that I was a victim of an internet scam, the very same scam that affects hundreds of ebay resellers who deal in computers and electronics.
I called FedEx in a desperate effort to intercept my package before it wound up on a ship bound for Nigeria. Luckily the driver was still in the area. I raced to find him and managed to wrest the package from his hands before it vanished into the shipping void. At this point, the only things I lost were my pride and the $11 I paid for the gift wrap.
I decided to look further into the matter and began to decipher the information hidden inside the emails I received from Brenda Moore and her associates. It’s easy enough to play the amateur sleuth these days, given all the legitimate means available online to locate individuals by their email address, IP, website, etc. In the mess of HTML gibberish that accompanied the shipping label, I was able to ascertain the name, address, and phone number of the person who owned the fedEx account that was used to ship my item. The culprit, as it turned out, was a criminal defense attorney out of Maine with a history of defending assorted conmen. Armed with this info and some other bits I was able to glean from the emails, I proceeded to contact the FedEx fraud investigation department and the local FBI.
I felt good that I was doing my citizen’s duty to expose a clique of criminals who prey on innocent cyber consumers like myself. But the feeling lasted all of a minute as I ran into red tape. The fedEx imvestigator proceeded to tell me that her hands were tied. This was a matter for the Secret Service but even they were finding it difficult to get cooperation from the government of Nigeria that was sheltering these enterprising con artists. A conversation with the FBI led me to an inter-agency fraud prevention web site where I was supposed to fill out a form letter to explain what happened to me. I filled in the blanks and dashed the form off into cyberspace, to languish with the thousands of others pending investigation. None of the information I discovered about the perpetrators seemed to have any value. The FedEx agent told me the Nigerians use stolen credit cards, fake email addresses, and a sophisticated network of web sites, auto responders, and knock-off form letters to perpetrate their scam. The best they could do for me was to warn me to be careful next time. This was small comfort for someone who hoped to see justice done.
I went back to look at the emails once more, drifting once more into the character of an armchair Sam Spade. The bad grammar was an immediate giveaway. If only I bothered to read through the emails carefully the first time around. This was a clear symptom of a cyber atttention deficit disorder. Myself, like many others out there, glance through correspondence instead of taking the time to read through it. The evidence of forgery was right on the surface. Every form letter Brenda sent me or that I got from the fake western union account was awkwardly worded. It seemed to sound like someone’s idea of form letter, vaguelly official and full of catch phrases but making little sense on the whole. “We are processing your payment,” said my confirmation email form westerunionmoneyorde@financesource.com, “and we’ll contact you after more processing.”
Ultimately I sold the computer to a very nice web desinger who paid cash, showed up in person, and took away the computer with no drama and fanfare. Brenda Moore wrote to me again with an offer to buy more electronics and make an immediate payment. Part of me wanted to keep up the charade and play the dummy to the end. Brenda still hadn’t caught on that the gig was up and was still playing her part to the hilt. I told her I had another item to sell. She offered immediate payment, no questions asked, and of course requested that I gift wrap the item. Since I still have the buyer’s address in Nigeria, I wondered if I should send something befitting the occasion, a gift they would never forget. It was just so easy to picture the con men’s smiling faces, over a beer in a remote electornics-filled shop in Nigeria, untying the golden bow and unwrapping the fancy giftwrap paper, having a laugh at the expense of the naÃ?¯ve American waiting by his computer for his non-existent Western Union check to arrive.