Categories
Scams

How I Worked Out I Was Being Scammed

I received a very large order. But something was a little funny. Here’s how I worked out that it was a scam.

My wife and I run a small business and like many businesses in the 21st century we have a website through which our customers can place orders.

Having a website means anyone can contact us with questions about their order or about anything, really. We get a lot of questions via our Facebook page, but occasionally someone will use the contact page on our business’ website to get in touch.

On the evening of 22nd of September 2020 I received the following message through our website’s contact page:

It was an unusual request as all of our orders are local.

My first thought was that one of our European relatives had told this person about our product and they were so exited that they were willing to have our stuff shipped to Sweden.

I was curious to find out who this was. I searched Facebook for the name “Johnson Ives” to see if anyone by that name could be linked to Sweden. I didn’t turn up any lead from this search.

Maybe I could call them so I could clear up a few questions I had.

It’s not such a big deal nowadays to make a long distance phone call, so I thought I would see if I could call the number. It didn’t have the country code. A superficial search led me to understand that the phone number didn’t make any sense as far as Swedish phone numbers go.

Neither of those points however were a definite indication that this person wasn’t coming to us with a genuine inquiry. Sometimes people mistype things. Maybe he had mis-typed the phone number when filling out the form.

I decided to reply.

The reply came back immediately:

I looked at the time in Sweden. It was the beginning of the work day, so it wasn’t improbable that someone was available to reply to my email so quickly. Of course there are many other countries where this person could have been emailing from. The time simply didn’t increase the improbability of this being sent from Sweden during a normal working day.

The words “down here” are ones I have never associated with Sweden, but this could easily be dismissed if someone is not a native English speaker.

The items this person wanted added up to just under $3000. They went on to include a list in this email. Up until this point I was still considering the possibility that this may be someone that knows us, or knows about us through Facebook.

A number of things in the email stood out to me as looking a little suspicious:

  • They were offering an explanation when I hadn’t asked for one.
  • They could easily source the product in Sweden.
  • Every single item they chose was the bulk package. Not an appropriate seminar giveaway.
  • They were trying to get me excited by making me think this would be a regular purchase.

The email went on to say:

On its face this all seems like it could be a genuine inquiry. It doesn’t seem like an unreasonable request for them to want me to use an agent they recommend.

I looked up the shipping address on Duckduckgo, Google, Google Maps and Google Streetview. I discovered that it is located between a couple of restaurants in the heart of the city of Stockholm and is the address for a labour hire company.

Again, not totally improbable.

I found the company’s website and sent them a short message to ask if they knew about an order for product that was to be delivered to their address, and if they had facilities for a seminar. I didn’t expect a reply as my message sounded like a fishing expedition, but I figured it was worth a shot. I never heard back from them.

The next email I received from this person using the name “Johnson Ives” was for a doubling of the order.

I replied with:

The reply, as before, was pretty fast:

Note that they didn’t give me any useful information.

Penpals? really? I was becoming less and less convinced that this thing was genuine.

I decided to offer free shipping to see how they would respond.

They didn’t like that.

I added a quick follow up:

While awaiting their reply I decided to look up “Mary Curtis” and “Global Cargo”.

There were a lot of similar hits but no exact hits. This is often a red flag. Scammers often use company names that are very close to real company names.

By this time I was still in evaluation mode, but was becoming convinced that it was complete bogus.

I simply hadn’t found any conclusive proof that this person was genuine.

A reply then came with a scan of an expired California drivers license. I was surprised that they sent this so quickly. People don’t just send a scan of their driver’s license over email without at least obscuring part of it.

The driver’s license had Johnson Ives on it but it also had a last name that hadn’t been used in any of the emails yet.

The drivers license had expired in 2018.

If this guy was American he sure didn’t seem like it from his grammar.

At this point I thought I would conduct a search using the terms “shipping scam”.

The first two links didn’t look relevant.

The third search result looked a lot like what was happening to me.

This is how the fake shipping company scam usually works:

A customer contacts a shop via relay operator or e-mail to order a large quantity of product; (Red flags: The email exchanges are often littered with misspellings and poor grammar, and often come from a Gmail, Yahoo or similar free e-mail account.)

The customer wants to pay for the product with a credit card and wants to ship the order a large distance, sometimes the end destination is across the country, sometimes it’s on another continent. The purchasing credit card is usually stolen. (Red flags: Scammers usually place an order for products they could easily get from a local shop, and the credit card billing address doesn’t match the shipping address.)

The customer says they want to use their preferred shipping company to transport the product. The customer asks the business to pay the delivery company directly and says they will send a check or money order the business to repay the delivery costs. (Red flag: Business owners have reported scammers request to use the shipping companies AGC Delivery International, Ox Direct Shippers or Cargo Trust Shipping Freight Co.)

After the business has paid the delivery company, the scammer’s check or money order won’t go through, leaving the business without the thousands of dollars of delivery costs and with wasted product.

https://www.glassmagazine.com/blog/2020/warning-fake-shipping-company-scam

The emails so far had an uncanny similarity to the shipping scam. The doubling of the order amount was yet another confirmation that this person was running this very scam.

I wondered if I could get more identifying information from this person.

I knew that collecting identifying information from people in Europe without permission can get you in legal hot water.

So far the only information I had been able to glean from their emails was that they had AOL and AOL Instant Messenger email accounts and that they were using a Samsung Galaxy SM-G950F running Android 9. The sending IP address was AOL’s parent company, Yahoo’s mail server in the USA.

I wondered if I could find out what the person’s actual IP address was.

I created a new page on our website and added the following code:

<?php
 
//IP Grabber
 
//Variables
 
$protocol = $_SERVER['SERVER_PROTOCOL'];
$ip = $_SERVER['REMOTE_ADDR'];
$port = $_SERVER['REMOTE_PORT'];
$agent = $_SERVER['HTTP_USER_AGENT'];
$ref = $_SERVER['HTTP_REFERER'];
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
 
//Print IP, Hostname, Port Number, User Agent and Referer To Log.TXT
 
$fh = fopen('log.txt', 'a');
fwrite($fh, 'IP Address: '."".$ip ."\n");
fwrite($fh, 'Hostname: '."".$hostname ."\n");
fwrite($fh, 'Port Number: '."".$port ."\n");
fwrite($fh, 'User Agent: '."".$agent ."\n");
fwrite($fh, 'HTTP Referer: '."".$ref ."\n\n");
fclose($fh);
?>

What it does is it logs the IP address of anyone accessing the page and creates a log file which I can then download.

Since the code is PHP it is completely invisible to anyone viewing the page source through their browser.

I composed an email with the link, hoping they would take the bait.

He got back to me with:

I checked my web server to see if he had clicked the link.

But he hadn’t.

Damn.

I gave it one more shot hoping this would make him click the link:

He fell for it.

I checked the log file.

Bingo.

The program had logged the type of phone, and the operating system, browser, all of which I already knew from the email headers.

The IP address was the only information that I didn’t have.

Until now.

I entered the IP address into the search bar at https://whatismyipaddress.com

and…..gotcha.

Lagos, Nigeria.

Well, at this point there really wasn’t any doubt about this being a scam.

Knowing that the person was viewing my site from Lagos Nigeria was enough of a confirmation of my suspicions to not proceed with the order.

Greed Clouds Perception

You may think that it was obvious from the beginning that this was a scam. I think something that scammers take advantage of is that when their victim begins to imagine the large sum of money they will get from a transaction the mind begins to reject clues that may indicate they are wrong.

There is a critical point at the beginning, which I call the “Evaluation Period” that is critical.

It is during this time that the excitement of a potential big windfall overstimulates, or overwhelms the mark’s thought process.

Any clues that indicate they have been deceived are pushed aside in favour of the good feelings that come from imagining the big win.

An area in psychology that has been the subject of a great deal of research has to do with differences in how humans view positive and negative information as they age.

In one such study1 psychologists demonstrated that older people prefer to focus on positive events and emotions as they grow older much more than younger people. It’s known as the positivity effect.

This has been demonstrated repeatedly in lab experiments where younger and older people are shown positive and negative images and then asked to recall them. Younger people recall both positive and negative images at the same rate, whereas older people remember more of the positive images.2

Incredulity: Surely They Wouldn’t! Would they!?

Another reason people go along with a scam is that they can’t believe someone would be so heartless.

It’s hard to imagine that someone would leave you straddling a debt of thousands and thousands of dollars while they walk away with only a fraction of that. It seems inconceivable. So it’s easier to simply accept what is happening and dismiss all the little things that are off.

I am reminded of the account in “The Truth About Lies” (Andy Shea) of the man who supposedly beat the polygraph. The story of how FBI agent Robert Hanssen sold secrets to the Russians and then lied about his involvement was made into a film called “Breach” (2007).

Andy Shea relates the moment that Hanssen takes a polygraph test and is asked whether he has had any dealings with foreign nations. He answers “No” and the polygraph operator notices a slight variation from the baseline. When the operator asks him about this, Hanssen says he must have been thinking about his upcoming trip to Argentina for holidays. So the operator dismisses it and Hansson became known for the man who beat the polygraph test.

There are usually small indicators that something is off when a scam is underway. These things are always explained away, sometimes with barely plausible explanations, but because the alternative is just unthinkable, we dismiss those small indicators.

Sources:

1. L. L. Carstensen and J. A. Mikels, “At the intersection of emotion and cognition: Aging and the positivity effect” Current Directions in Psychological Science, Vol. 14 (2005)

2. Doug Shamel, “Outsmarting the Scam Artists” (2012)

Leave a Reply

Your email address will not be published. Required fields are marked *