Internet Skeptic Blog

Posted by: Bob Bayn on Jun 8, 2016

"Help! Send Money!" Scam Analyzed

We've all heard of, and probably seen, a "Help! Send Money" email scam. Here is how a recent one plays out:

From: Hector Heathcliffe [mailto:HectorH@aol.com]
Sent: Tuesday, June 7, 2016 4:04 PM
To: Skeptical Employee <Skeptical.Employee@usu.edu>
Subject: Favor
 
I need you to do me a favor. Please reply when you get this.

Thanks,
Hector

You know Hector, you've even exchanged email messages. So you reply:

From: Skeptical Employee <Skeptical.Employee@usu.edu>
Sent: Tuesday, June 7, 2016 4:04 PM
To: HectorH@outlook.com
Subject: RE: Favor

Hello Hector!  What can I do to help you?

Did you notice the little hint about the mischief? Hector sent the message from his AOL account, but you just replied to an Outlook address! That's right, email message can have a different "Reply-to:" address that often doesn't show up until you reply and see it on the To: line. Anyhow, the spammer responds back from that HectorH account that he really owns:

From: Hector Heathcliffe <HectorH@outlook.com>
Sent: Tuesday, June 7, 2016 5:34 PM
To: Skeptical Employee
Subject: Re: Favor

Glad you replied back. I need you to do me a favor, I am currently out of town and need to send some money to my cousin in  Manila, Philippines for an upcoming surgery. The accepted form of payment is through western union, and I have tried sending from here but it failed. Please i need you to help me make the western union transfer from your end, i will have the money returned back to you when i get home by next week.
 
Please let me know if you can have this taken care of so I can send you the required details.
 
Regards,
Hector

Well, this is an interesting story. You didn't know that Hector had a cousin in the Philippines! But you still have to reply one more time to get the info you need for the Western Union transfer. Are you going to do that? Maybe you would if you wanted to play detective and report your findings to Western Union's fraud unit. It might be a good idea for them to be on the lookout for someone else who will follow those same fund transfer instructions. It could be another mutual friend of yours and Hector's.

Meanwhile, maybe the real Hector is alerted to the mischief and changes his password. But the spammer is probably already done with his AOL account. The messages are "out there" and any replies and subsequent communication will be to the Outlook account that is safely under the control of the spammer. The spammer can deploy his mischief to anyone who responds to the original email, hours or days later. Someone needs to report that spammer address to abuse@outlook.com (which we did).

Why do we even have this example? We owe thanks to an Internet Skeptic who forwarded the exchange to phish@usu.edu.  You can be an Internet Skeptic, too. Just forward suspicious or malicious email messages (preferably as an attachment) to phish@usu.edu for evaluation of the mischief and subsequent reporting, blocking and alerting other recipients.