12/19/2006

Making money on the Internet

The "payment officer" scam is a huge success lately. At least I think it is because everyone is doing it. A couple months ago I was getting one of this once in a while, now I get a couple everyday.

In case you've missed it, the scam work like this:
You're offered a job as payment officer (or any other name), your duty is to receive payment from customers and send the money to your boss at headquarters. You get to keep a percentage of every transaction (usually 10%). So far so good, it really sounds like a sweet deal, maybe too sweet. But "entertain no fear my friend" (as nigerians always say), the reason why the company is doing it is because of 9/11, patriot act, laundering controls, etc that makes too complicated for our customers to pay from USA to foreign countries (exactly what you're supossed to do).
How this "job" really works? You get bad checks, forged or stolen. The bank usually let you get the money before the check goes all the way round. By the time the check bounces, you've already sent the money to your boss and the bank wants it back. The reason why the bank gives you the money in advance is because you're good for it, they don't care about the check (as far as I know this system applies only to the USA). The scammers knows is and that's why they'll push you to send the money as soon as possible, they know that the time frame is limited before the whole thing blows up.

The inside of the "company" it's a band with access to the real stuff and freelance "bosses" recruiting marks over the net. Once your boss gets you on the hook, you're presented to the company as a prospect. If they like what they see (your name, address, ID, job position, etc) they'll contact you as "customers" and start the transactions.

Now there's an extra twist to this scam. Instead of a check they make a transfer straight into your account. I'm still wondering about this, because it means that somehow they have control over an account with enough money or credit to do it. I suspect that nigerians scammers are into the phishing business too. If they get hold of a user/password combination for a bank account, they wait for the opportunity to make a transfer to a payment officer's account. If they time the operation properly, the payment officer will send the money before the victim of the phishing finds out. From that point, it's someone's else problem.

It's hard to believe how easy it is, but it is.

I took many of this jobs. My idea was to make them send the checks to someone who cares and can do something about it, law enforcers I mean. But I'm still trying to find one who does. In the meantime, I made them send the checks to dead ends where they got lost. I don't want to give much details about it in case they read this blog. The good thing is that each check that they send to me is a check that won't hurt someone else. So far, only this year, I catched almost half a million dollars. And this is only those I could get some kind of confirmation.
Some of the checks were sent through regular mail and I had no way to confirm them, maybe they were not sent at all. Others were sent by courier, Fedex or UPS, and I verified that using the tracking number. For some, I also received a copy of the original waybill. This is great because it gave me information about how it was sent, from where, how it was paid, etc. The bad news is that they're all dead ends. Paid in cash at the counter (no real name or return address) or charged to a hijacked account (real name and return address but it's just another victim).

Transfers are hard to handle for me. A couple times I sent bogus account numbers, some worked (no complains from my boss) some didn't (a lot of complains). I can't tell what happened. It's obvious that if you do a transfer from the bank's web page and the destination number is wrong, the system should warn you about it. But why some seemed to work? Maybe they didn't, the "company" called my bluff and decided to cut my "boss" out of the loop. The chances of typing a good number randomly are incredible low.

It's a real problem because transfers is becoming the most popular way to scam. One reason could be that it's a lot more easy for the mark. Most people is reluctant to get checks from strangers, but the transfer is money already in your account. You have to do nothing, sign nothing. It really feels like you're not taking responsibility for it, it's just in there waiting for you. The other reason could be that phishing is working and they have control over many bank accounts. Forged and stolen checks require hard work and are limited, accounts taken by phishing require less work and are coming fresh daily. If I'm right and there's a connection, it's a scary scenario.

And probably is. The transfer scam is being used in connection with the advanced fee frauds. If you don't pay the fees for your lottery prize, your inheritance papers or your contract certificates, they will offer you to deal with a financier who's willing to pay for it. But, because the financier is inside the lottery/court/government, he can pay by himself. The payment has to be done from you personally. So the money is sent to you first, then you have to resend it to wherever it is that it has to be sent. And how it's going to be sent to you? A bank transfer.

As you can see, it's always about creating a missing link in the money chain. They may have access to the money but if they use it directly or send it to their own accounts, the chain goes to them. When you send the money to them through Western Union or Moneygram (to a fake name somewhere in Africa where they can get it without an ID), the chain is broken and you're the last link.

The bank on top of the phishing ranking (at least in my mail accounts) is the Bank of America. I don't think is something about the security level of their online system, it has to be something about the way money can be transferred from their accounts. I've sent them a message with details about it. I think that they should try to catch some of this jobs and make the scammers do the transfers to controlled accounts. The scammers have control over some of their customers accounts and there's no way to find out which ones. Besides, the mark is going to be one of their customers too. If they do it, the hijacked accounts can be secured as soon as they're identified, the customer informed about the situation. I'd like to know that my bank is doing things like this to protect me, the publicity will improve the image of the bank and bring awareness to the general public about the phishing problem. The cost is minimal, I can do it on my free time. A lot more can be done from an organized group working full time. But, so far, no answer.

Law enforcers are not interested, neither is your bank. You have to take care of yourself kids. I won't be here watching your backs forever :oP