There’s a new scam making the rounds, and it has some unusual features. It’s commonly called the Laryngitis Scam, and it bypasses a lot of the useful tips I gave in the previous article about detecting the difference between real and scam emails. It’s worth learning about, because there’s no reason why you couldn’t be the next target.
The scam
Picture if you will… my client Janine has finished a long day and is looking forward to an evening of crochet in front of Downton Abbey when her phone makes that little tinkle noise that heralds an email. She opens it up, and there’s a message from Kym, the treasurer of the local tennis club. (All names and pastimes have been changed to protect the innocent. For example, Janine has never played a game of tennis in her life, and much prefers frisbee golf.) The message reads:
From: kymwilkins1957@outlook.com
To: j9smith@gmail.com
Subject: Hope you can helpHi Janine,
Sorry to email you out of the blue. I was hoping you could help me with something.
Don’t try to call. I’ve got a nasty case of laryngitis and it hurts to speak. I hope email is OK.
Thanks,
Kym, Deep Bay Tennis Club
Janine is one of my most on-the-ball customers, and she knows what a scam email looks like. But she examines this one, and it ticks all the boxes for a legitimate message:
- calling her by her actual name, not “Friend” or “Sir/Madam”
- coming from someone she knows
- email address looks right – it’s not the scammers’ usual x09j09709@dodgymail.ru sort of thing
She figures it must be real. She replies, and the story unfolds. Kym’s niece is in hospital with cancer, and Kym wants to get her an Apple gift card, but she doesn’t know how to do it. She hopes Janine can help. Janine isn’t much more clued-up about technical things than Kym is, but she figures she can work it out. She helps Kym buy the $500 card online, and Kym says thanks and signs off. All by email, with not a word being spoken in person.
And just like that, Janine has been diddled out of five hundred dollars by someone with an almost perfect scam. And no, it’s not Kym; Kym is completely unaware of any of it.
So how does it work?
I always say that, when it comes to computers, paranoia is a virtue. You can never be too careful! And Janine was careful, but not quite careful enough. In particular, she looked at the From address and saw that it was kymwilkins1957@outlook.com, which is almost right. If she’d checked in her address book, she’d have seen that Kym’s proper address is kymwilkins1957@gmail.com. But why would she? That’s a level of paranoia that even I consider a bit Over The Top! And second, when she tried to pay for the gift card by PayPal, the security system there stopped the transaction on the grounds that it was clearly a scam, but — and this is really maddening — it didn’t tell her why! So she assumed it was a bug in PayPal, and went ahead and used her credit card instead. For some reason the credit provider didn’t detect that the transaction was unusual, and allowed it to proceed. This will come in handy later.
Here’s how it started. A month ago, before all this happened, Kym is at her computer, doing a bit of paperwork for the tennis club. She realises it’s nearly time for annual membership dues to be paid, so she whips up a quick email to all the members, explaining what the new prices are (everything’s more expensive nowadays) and reminding them that they can pay by credit card. She grabs the member list out of her Excel spreadsheet, pastes it into the CC section of her email program, and hits Send.
Regrettably, one of the people who receives that email has a virus on their computer, or some sort of tracking software. We don’t know who. What that means is: the email from Kym with the names and email addresses of all the recipients in it falls into the hands of some nasty people somewhere in the world, and from then on the game is afoot!
The scammers craft their scam carefully. From the text of the stolen email, they know Kym’s name, her writing style (short and to-the-point, or verbose and woffly, or whatever) and a rough guess as to her age and interests. From the CC line they have a bunch of email addresses, most with first name and surname added in by the mail software. After creating a fake email account on Gmail to match Kym’s Hotmail address, they get to work. To each of the people in the list, they send the scam email. The mention of laryngitis is to side-step the possibility of being caught out, and it tends to work.
The aftermath
So what is the result? Out of thirty scam emails sent out that day, fourteen go unanswered: maybe the recipient doesn’t read emails all that often, or maybe they smelt a rat and deleted it. Seven are replied to with various levels of rudeness by people who recognise the scam and are not afraid to express their disgust. And of the remaining nine, five go so far as to fall for the whole spiel. For their hard work, the scammers make $2500, which may be 131,614.85 rubles or 2,371,444.50 won or $1,623.20 in US dollars, depending on where they’re based. Actually, the exchange rate isn’t quite as precise; gift cards are a shady form of currency and the numbers rarely reach their best potential. But it’s enough to keep them in borscht or noodles or deep dish pizza for a while.
Back home, Janine fairly swiftly realises she’s been had. She gets in touch with the real Kym, who does not have laryngitis of course, and finds out that several other club members have called her already. She’s just about to send out an email to everyone to warn them, which is a good idea. Kym suggests that Janine should call an expert to have a look at her phone and laptop and see if anything can be done, and that’s where I come in: I advise her to call the bank and get them to lock her bank account for now, and she says she’s already done that and they’ve asked her to get both devices looked over by an expert.
So I come by, and I check everything. This is a social engineering scam, not a technical one, so there’s nothing to find on any of her devices because all the scamming is done inside people’s heads. I show her the telltale fact about the almost-correct email address, and I fill out a form certifying her devices as safe, but that’s all I can do.
I couldn’t get Janine’s money back, but fortunately her bank had more options. I didn’t find this out until months later when I happened to be visiting Kym to fix her printer (what can I say — it’s a small Valley) and I heard that the bank had taken responsibility for not warning her about the unusual transaction, so they refunded her the $500 even though it was long gone. Good for them! But not every bank is that good to their customers, and I’ve had customers who have lost a lot more to other scams.
How to avoid this scam
So what can you do about this sort of thing? First of all, be aware that gift cards are a convenient way to transfer money across international borders, so don’t trust them! Janine knows now that any mention of gift cards is a good reason to hang up the phone or delete the email, so she won’t be caught that way again. And second, any time anything suspicious happens, do as Janine did and call your bank immediately. They will lock your accounts, which can be inconvenient, but getting them unlocked is just a matter of getting someone like me to give your computers and phones a clean bill of health, which I do using paperwork I developed in conjunction with the excellent staff at my local Bendigo Bank.
Meanwhile, if you’re sending out emails, don’t use the CC section at all: put your own address in the To section and use BCC, which stands for Blind Carbon Copy. That will send individual emails to each listed recipient without including all the other addresses. That will be enough to prevent your email being used as the basis of this particular scam, at least until the bad guys invent a new trick.
I hope this is educational and maybe even entertaining, but I also hope it gets across an important point: the scammers are getting smarter, and it’s not just the people you expect who get caught out. Janine knew the warning signs, she did everything right, and she still got scammed. She’s not the only one! It’s something we all have to be aware of, and it helps to know what to do if you get caught. Coming up next in this series: what to do when the scammers get you!