...that I was about to be scammed. Really stupidly if I look back, but the impression that you have on the spot is different. Here's what happened:
Some weeks ago I had put up an ad on ebay about a device that I wanted to sell. Nothing had happened until today, when the ebay guys have sent me a note that I will have either to take the ad out, or repost it. So I took their advice, and no sooner had I reposted it (the just-in-case / doesn't hurt approach) than I got an email for somebody! Yay! The person wanted the device for its last price, made no comments, and when I said that the process will take a while, the person insisted that I send her (it was a she) just the stuff that I have with me. And ASAP, and she was giving me a generous 60 euro for the shipping to the UK! I said, hm, nothing bad so far. So at her request, I sent her the bank details of my account (harmless) and waited. What happened next was a bit more interesting: the person's bank, apparently, sent me 2 emails to tell me that they would release the agreed sum only when I send to the bank the shipping order code for the device. And that was supposed to be done in 5-6 hours!
Apart from the fact that "hey, that's some nerve there: I have the device, I send it ASAP, and I still risk of losing both the device and never getting the money" , I realized the email address was kind of strange - the domain, instead of ending with .com, ended with .net, and instead of containing the bank name, had a conspicuous "officeemail" in the body. So that triggered a little alarm... So I looked at the emails again, and noticed:
I would indeed have fallen for the CEO saying thanks in the end, it's true and I admit it. But the other details caught my eye. The truth is, still, that mostly connaiseurs would know about these things, but not a normal person who's new to this game. And I was also lucky - these possibly Nigerian guys were sloppy. They left out so many glitches, that the more time I spend looking at the actual emails, the more other glitches I find.
So the question is what would have happened had the bad guys not been so sloppy? If you eliminate the typos, and the CEO, and the picture banner that wouldn't load just right -- basically, the things that were about form and details, then what would be left?
So, if I were to start a list of what to look for and what to do when you are in such a situation, I would put there:
Some weeks ago I had put up an ad on ebay about a device that I wanted to sell. Nothing had happened until today, when the ebay guys have sent me a note that I will have either to take the ad out, or repost it. So I took their advice, and no sooner had I reposted it (the just-in-case / doesn't hurt approach) than I got an email for somebody! Yay! The person wanted the device for its last price, made no comments, and when I said that the process will take a while, the person insisted that I send her (it was a she) just the stuff that I have with me. And ASAP, and she was giving me a generous 60 euro for the shipping to the UK! I said, hm, nothing bad so far. So at her request, I sent her the bank details of my account (harmless) and waited. What happened next was a bit more interesting: the person's bank, apparently, sent me 2 emails to tell me that they would release the agreed sum only when I send to the bank the shipping order code for the device. And that was supposed to be done in 5-6 hours!
Apart from the fact that "hey, that's some nerve there: I have the device, I send it ASAP, and I still risk of losing both the device and never getting the money" , I realized the email address was kind of strange - the domain, instead of ending with .com, ended with .net, and instead of containing the bank name, had a conspicuous "officeemail" in the body. So that triggered a little alarm... So I looked at the emails again, and noticed:
- lots of spelling mistakes / typos
- the name of the bank (Scotiabank) was written sometimes in one word, sometimes in two
- lots of capital letters
- the CEO was thanking me for the service, but his name didn't correspond with the name of Scotiabank that Google gave me
- how in the world could a bank verify the shipment number that I give them without knowing what service provider I used?
- how in the world could a bank care so much about the process and need the code, in the first place?
- the picture banner contained references to the 175th anniversary of the bank, but ... that was in 2007!
I would indeed have fallen for the CEO saying thanks in the end, it's true and I admit it. But the other details caught my eye. The truth is, still, that mostly connaiseurs would know about these things, but not a normal person who's new to this game. And I was also lucky - these possibly Nigerian guys were sloppy. They left out so many glitches, that the more time I spend looking at the actual emails, the more other glitches I find.
So the question is what would have happened had the bad guys not been so sloppy? If you eliminate the typos, and the CEO, and the picture banner that wouldn't load just right -- basically, the things that were about form and details, then what would be left?
- the connection between a bank transfer and a shipment order (since when bank transfers can stop depending on another person than the one who sends the money?)
- the impossibility to verify the correctness of the shipment number that I would have supplied
- the email address that looked strange, unfit for a bank.
So, if I were to start a list of what to look for and what to do when you are in such a situation, I would put there:
- the "this feels spooky" approach, also knows as intuition. If you 'feel' there's something fishy, don't do what they tell you until some time passes and you get some proofs that the action will be authentic. Problem: when your intuition says "go for it!".
- the "better if he makes the effort first" approach, in cases like ebay. You risk less if you get the other pay or send you the object first, but if you are malicious, well, doesn't work. Problem with this approach: even if both parties are honest, there can be a deadlock when one waits for the other to make the first step.
- the "check out for the hologram" approach. This works well with (bank)notes, but less well with emails. But if you have an email, then you can look for signs of authenticity like references, signatures that are not plain text or pictures, links. Problem with this approach: you can spoof references, you can spoof links easily, and even a lawful signature can have a bug that renders it fake for no real reason. But you need to look for something concrete other than "because this person says so".
- the "check out for legitimate contact data" approach. It's more difficult to spoof domains that are already taken, but true, not impossible.
- the "common sense in the real world" approach, or what guarantees can they give me that I won't end up with nothing. This is seldom easy, and technology-wise, not yet attainable...
I would surely add using reliable payment services. As far as I know there are scamproof payment methods. People who use ebay also use paypal as payment service. And paypal assures you can get your money back if you respect their deadlines for reporting scams.
RăspundețiȘtergereAlso inform yourself about web things you decide to use. If you don't know it, be extremely cautious when spending your credit or sharing your personal info. For example today I just received an e-mail from "Windows Live team" demanding me to replay with name, account, password, birthday and location. Of course this is easy to recognize as scam but it's an example.
The solution is to put in your mind a self-triggering alarm that will go red each time you're asked to give money or data even when the source seems reliable.
well, you guys've said pretty much everything there is to say.
RăspundețiȘtergeremy suggestion is: check everything 10 times before you click the ok button!
and when the email refers to accounts, passwords and other security stuff, check it 100 times!
and another tip would be to read carefully all the user and account info for the sites you are using. there should be written what they are allowed to require from you. in case there is no such info, hold back on using the site, or contact them as soon as you receive such an email as yours. a call or an email is definetly cheaper as giving your whole data to a scam group!
actually there is also another one: pick a sentence that you find a bit odd and look if Google recognizes it. There can be lots of surprises! Ho Ho Ho!
RăspundețiȘtergere