PHUKET: Last February I wrote about a reader who placed an ad in the Gazette, and was strung along by a scammer. The scammer had a long, contrived story that ended with a demand that the person who placed the ad actually send money to the scammer, with threats from PayPal, Western Union and the FBI.
About a month ago, another reader placed an ad in the Gazette and was approached by a different scammer. This second reader graciously allowed me to step in, to see if I could figure out how this guy was operating, and perhaps put an end to it.
Here’s what happened.
The scammer used a Gmail account (paulweasley 01 @ gmail.com) to send a message asking for details about the boat our reader was trying to sell. The reader immediately smelled a rat, contacted me, and I wrote back to the scammer explaining that the reader was out of the country, but perhaps I could help.
The scammer and I went back and forth about the boat and the sales price, and then he said that he would have a shipper coming from the UK to pick the boat up. “I will be paying the PayPal charges from my account and I will be paying directly into your PayPal account without any delay, and I hope you have a PayPal account.”
It just so happens that I have a PayPal account, several of them, so I sent the scammer a dormant PayPal account, listing the shipping pickup address as that of the Kathu Police station. He shot right back: “I have just completed the Payment and am sure you have received the confirmation from PayPal regarding the Payment. You can check your PayPal e-mail for confirmation of payment. A total of US$25,982 was sent, US$24,728 for the item and the extra US$1,200 for my shipper’s charges,which you will be sending to the address below via western union (sic),” and he gave me a bogus name with a legitimate address in Devon, UK.
Of course, he hadn’t sent anything to anybody, much less PayPal, and a quick check of the account verified that he was spewing smoke. So far, everything had been done via Gmail, so there was no way to trace the guy.
Then I got a message from “Service-Intl.PayPal.Com (firstname.lastname@example.org) saying that, using the PayPal Service Option Secure Payment system, the money would be sent to my PayPal account as soon as I sent the US$1,200 to Western Union in Devon.
I checked the web site consultant.com and it’s pretty lame, a database of help wanted ads, with very few ads. So I ran “@consultant.com” through Google and bingo! The email address is being used in scams all over the world. Finally, I checked the email header – the technical stuff at the beginning of the message that you never see – and found that the email itself originated in Lagos, Nigeria.
Checking an email header is a rather arcane pastime, but it’s pretty easy to do. In Gmail, click the down arrow next to the message header and choose “Show Original”. The part at the beginning, before the message itself, is the header. You can do the same thing in Outlook with a free add-in called PocketKnife Peek. When you have the header, go to the IPTracker web site, paste in the header, and it will tell you where the message came from. (There are ways to trick the header, but they’re pretty difficult, and most scammers aren’t up to the challenge.)
In the end, the scammers sent me three email messages all claiming to be from PayPal (one invoking the name of the FBI), all of which originated in Lagos, Nigeria.
So I now had a couple of email addresses, a physical address in Devon, and an IP address in Nigeria. Even if the physical address was completely bogus, it would be trivial for Western Union to track money being sent to this specific person at that address, and bring in the police if the mule showed up to collect.
That’s what I thought. Here’s what I found.
I checked the Western Union web site. They have acres of information about scams. But they don’t have an email address listed: you have to call them (as if I could read out an email header over the phone). It looks to me like Western Union doesn’t really care. Or they’re so overwhelmed with scams they can’t keep up.
So I went to the PayPal web site, and it was like a breath of fresh air. Lots of warnings, with the PayPal notification email address prominently available. I sent PayPal a copy of the message from Nigeria, header and all. I got a nice reply, “Thanks for forwarding that suspicious-looking email. You’re right – it was a phishing attempt, and we’re working on stopping the fraud. By reporting the problem, you’ve made a difference!”
I wrote back to them, to explain it wasn’t a phishing attempt, it was a scam attempt, and enclosed a copy of a different message. In reply, I got the exact same message I received the first time. In all, I mailed PayPal three times, and I doubt that a human being ever read any of the messages.
So I tracked down the Internet Service Provider that “owns” the IP address the scammer was using: MTN Nigeria. The people there were helpful, but the message is disheartening: “all of our 3G network subscribers now sit behind a small number of IP addresses. This is done via a technology called Network Address Translation (NAT). In essence it means that one million subscribers may appear to the outside world as one subscriber, since they are all using the same IP address.”
And without a court order, MTN Nigeria couldn’t trace down the source of the messages. They did, however, forward my complaint to the local police. I won’t hold my breath.
It isn’t just the Phuket Gazette. This is a variant on the Nigerian “419” scam that’s hit Craigslist and just about every online advertiser worldwide. It’s so big that some people claim 419 scams are the second largest industry in Nigeria. No joke. Billions of dollars.
Last week I received a message from another reader who’s been approached by someone who claims to be interested in buying their condo. The buyer is in the UK, and is willing to buy the condo in Phuket sight unseen. The scammer directed our reader to go to a specific site on www.amropro.com and fill out a banking form, so ABN-AMRO could transfer the money to them. If you go to amropro.com, you’ll see a site that looks like an ABN-AMRO Premier Services location.
But appearances can be deceiving, eh? A quick check on the Network Solutions lookup page verified that the site amropro.com is registered to a Mr Omoh Asekome in… wait for it… Lagos, Nigeria, with domain servers hihostnow.com.ng, also in Nigeria.
I’ve notified ABN-AMRO, although it’s unlikely they’ll be able to take the site down, unless they have a branch office in Nigeria. I’ve also contacted the scammer, who now says he’s interested in buying my townhouse in Patong.
Let’s see what happens.
Seth Bareiss holds computer sessions on every-other Wednesday afternoon, from 1 to 3pm. If you have a Windows problem that needs to be solved, drop by one of Seth’s free afternoon sessions, or come to one of our free Sunday morning roundtables at Sandwich Shoppe Chalong. Details in the Events Calendar. Sponsored by the Phuket Gazette and Khun Woody’s Sandwich Shoppes.
Live Wire is Phuket Gazette columnist Woody Leonhard’s weekly snapshot of all things internet in Phuket. Shoot him mail at Woody@KhunWoody.com, follow him on Twitter @PhuketLiveWire, or “like” his page at
— Woody Leonhard
Join the conversation and have your say on Thailand news published on The Thaiger.
Thaiger Talk is our new Thaiger Community where you can join the discussion on everything happening in Thailand right now.
Please note that articles are not posted to the forum instantly and can take up to 20 min before being visible. Click for more information and the Thaiger Talk Guidelines.