US-CERT Recognizing and Avoiding Email Scams
A 419 advance fee fraud begins with an email that looks like this:
Date: Wednesday, August 24, 2008 5:55 PM -0700
From: "Mr. Henry Bassey Udoma" <henrybassey_udoma@example.com.ar>
To: mrtarget@example.com
Subject: From: Henry (Regarding Dr. H. Paul Jacobi)
From: Henry (Regarding Dr. H. Paul Jacobi)
Hello,
I am sending you this private email to make a passionate appeal to you for assistance. Kindly accept my
apology for contacting you this way and forgive me if this is not acceptable to you. My name is Henry
Bassey Udoma; I am an auditor at one of the Nigerian Banks. On Tuesday, 19 January, 2006, one Dr. H. Paul
Jacobi a foreigner, made a numbered time (Fixed) Deposit, valued at £10,550,000.00 (Ten Million, Five
Hundred and Fifty Thousand Pounds) for twelve calendar months in my Bank Branch.
Upon Maturity, we sent a routine notification to his forwarding address but got no reply. After a month, we
sent a reminder and finally we discovered from his company that Dr. Paul A. Jacobi was aboard the Egypt
Air Flight 990, which crashed into the Atlantic Ocean on October 31, 2006. After further investigation, it was
discovered that he died without making a WILL and all attempts to trace his next of kin proved abortive….
These schemes work by getting the victim to take the initial bait, then slowly convincing him or
her of the legitimacy of the plot through a series of forged documents, carefully crafted
communications, and even visits by the victim to the country of origin for meetings with bogus
“officials” in phony “government offices.” At key junctures in the scam, the perpetrators will ask
the victim to advance them money to pay bogus fees or bribes. Additionally, they may extract
what amounts to an extortion payment by threatening to cut the victim out of the plot. Once the
perpetrators believe they’ve gotten all they could from the victim, they cut off communication
and vanish.
In short, if you discover an email in your inbox proposing a complicated arrangement to secure
and split funds in a foreign land, you can safely assume someone is trying to ensnare you in a 419
scam.
Social Engin
eering/Phishing Email
Social engineering is a strategy for o
btaining information people wouldn’t normally divulge, or
prompting an action people normally wouldn’t perform, by preying on their natural curiosity
and/or willingness to trust. Perpetrators of scams and other malicious individuals combine social
engineering with email in a number of ways.
Phishing Email
Phishing emails are crafted to look as if they’ve been sent from a legitimate organization. These
emails attempt to fool you into visiting a bogus web site to either download malware (viruses and
other software intended to compromise your computer) or reveal sensitive personal information.
The perpetrators of phishing scams carefully craft the bogus web site to look like the real thing.
4