Catfish; Facebook Scam

I have a Facebook account, with my real name, real photo. I’ll connect to anyone I’ve met. From time to time I get invites from rather random people. Somehow a lot of the random people seem to be in the military.

Today’s invite was from John Carter. Here’s his Facebook profile.

So I did a little reverse image lookup and found an article from the Washington Post that begins:

Gen. John F. Campbell, the top U.S. general in Afghanistan, has taken to Facebook with a warning: Think twice before assuming profiles you see of him on the Internet are real.

It goes on to say that his team have discovered more than 700 fake profiles. General Campbell has his own Facebook page on which he explicitly states that he has no other profiles.

So what is this about? It’s the beginning of a catfish scam, an example of social engineering.

Social engineering is a technique used in many frauds. It relies on the fraudster persuading the victim into revealing confidential information or taking action that they wouldn’t have planned themselves. Often the fraudster creates an elaborate scenario to achieve this, and may create an online/social media persona to carry out the fraud. When such a persona is created the fraud is known as “catfish”.

Steps in the catfish process;

  1. Catfish Scam Artist is active in a Facebook community or online game, seeking a vulnerable target. Often they target someone who is older, lonely, isolated, not particularly knowledgeable about technology. They’re talented at picking the most gullible.
  2. Catfish builds rapport and makes friend request, the relationship may move to a deeper friendship or even a romantic or (cyber)sexual one.
  3. Catfish sets up scenario for the financial fraud to begin, they will create a legitimate sounding need for money. Perhaps for medical expenses for themselves or a close family member. Very often the first amounts needed are small but the ‘condition’ worsens and expenses rise.
  4. When challenged the Catfish will go on the defensive and provide some “evidence” to support their story, such as some form of medical report, but these “documents” are fake. (As a side note I have seen fake rental agreements, medical records, financial bonds, passports and ID documentation).

Dr Phil regularly does exposé episodes, and provides ten tips on checking potential catfish.

The fake romances can scam thousands or hundreds of thousands of dollars from their victims. In a further clip from the case above Dr Phil adds up the cost and gets a total approaching 200,000 USD. It is estimated that these fraud types are worth 82 million dollars in the US alone. That’s roughly a quarterly profit figure for Apple.

I’ve worked on cyber-security issues in a former job, I’m too suspicious to fall for this. I hope warning other people will help.

I’ve Been Blocked!

I’ve been blocked from following @AsiaExpatGuides from my @changememe twitter account.

I have other twitter accounts so I can see that their last tweet was on the 29th of May.

I think it’s because I questioned the veracity of their testimonials, in detail, and pointed out some signs that their company might be a fake. I note that the fake testimonials are back online, you can make a comparison from their page to my slideshare.

It seems the images I’ve identified as being used fraudulently have re-appeared on the site on the testimonials page. However at one point they did have the logos of various companies on their site and these have been removed – apparently I’m not the only one watching.

I consider Asia Expat Guides blocking me as a badge of pride, but I’m also wondering; is there a fraud office in Singapore?

8 Signs a Company May Not be Legit

Every so often you come across a commercial website offering a great price on a service you’re interested in. But if it’s not a big brand how do you know it’s a legitimate company?

Here are some things you can look at to make your own mind up.

1 Generic Email Address

If a company is established enough to be running a website, an office location and have collected a portfolio of satisfied clients, it’s unlikely that they would use a free, generic email address.

I started out thinking this wasn’t a big deal, maybe a new company might use gmail etc; but I spoke to some freelancers. They gave me a resounding “no”, while gmail might be the email tool you use, you want a business specific email address as soon as possible.

2 Invalid Office Address

The screenshot at right shows an office address listing that is incomplete – Boulevard Haussmann is 2.53 kilometres long, so without a building name or street number this address is incomplete. This image was taken from a site that has now been taken down because the business was a fraud.

If a company provides only a PO Box or the address is a rented office space I wouldn’t automatically think the company was not legit – but it would be a red flag. And the bigger the company was claiming to be the bigger the red flag.

This is relatively easy to check – put the address as given into Google and see whether the company comes up listed at that address from other sources (ie; not the company’s own website). Or use Google Maps, if the country the company claims to be in allows Google Street View you’ll see the building. (Try putting 1600 Amphitheatre Parkway into Google maps to see how this works).

3 Inconsistencies on the Website

These two screenshots are both taken from the same website;

Here are the links to the quotes; 300 international expats vs 1000 satisfied clients.

I’ve also seen examples where the company claims to have thousands of employees but only lists one small office – I know with remote working on the rise this is increasingly possible but it’s not likely. And if a company has done it successfully there will be articles about how famous they are for having a remote or virtual workforce.

Legitimate companies work hard to make sure the information on their website is up to date and correct. Gaping errors like this cast doubt on the credibility of the company.

4 External Inconsistencies

It’s always interesting to check when a company, or the company’s domain name, was registered. In the case of Asia Expat Guides, who claim to have been operating for four years, the domain name asiaexpatguides.com was only registered in February 2013. Given that the target audience is geographically distributed it seems unusual that they waited three years to create a website.

For many countries the company registration database is open and free for a basic search so it’s relatively easy to check that as well. The Singapore business registrar allows you to search for registration results, but you’d have to pay to see a detailed report.

Here is the result of a search on “Asia Expat Guides” from the Singapore business registrar, the first four digits of the registration number correspond to the year of registration.

So the company Asia Expat Guides Pte. Ltd. was only registered in Singapore this year.
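
As an added example (not part of the original post), here is one way to script the two date checks above in Python: compare the claimed time in business with the WHOIS creation date and with the year at the start of the registration number. The WHOIS text and registration number are constructed samples, the function names are hypothetical, and only ISO-style WHOIS dates are handled.

```python
import re
from datetime import date, datetime, timedelta

# Constructed WHOIS excerpt: the post only says "February 2013" for
# asiaexpatguides.com, so the day and the registrar here are made up.
SAMPLE_WHOIS = """\
Domain Name: ASIAEXPATGUIDES.COM
Creation Date: 2013-02-15T00:00:00Z
Registrar: EXAMPLE REGISTRAR (constructed)
"""

# Common labels registries use for the date a domain was first registered.
_CREATED = re.compile(
    r"^\s*(?:Creation Date|Created On|Created)\s*:\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def whois_creation_date(whois_text):
    """Return the creation date found in raw WHOIS text, or None."""
    m = _CREATED.search(whois_text)
    if not m:
        return None
    try:
        # Keep YYYY-MM-DD and drop any time or zone suffix.
        return datetime.strptime(m.group(1)[:10], "%Y-%m-%d").date()
    except ValueError:
        return None


def registration_year(reg_number):
    """Year from a registration number whose first four digits are the year."""
    m = re.match(r"^((?:19|20)\d{2})\d+[A-Z]?$", reg_number.strip().upper())
    return int(m.group(1)) if m else None


def age_red_flags(claimed_years, checked_on, whois_text, reg_number,
                  slack_years=1):
    """List mismatches between the claimed age and independent records."""
    flags = []
    claimed_start = checked_on - timedelta(days=round(365.25 * claimed_years))

    created = whois_creation_date(whois_text)
    if created is None:
        flags.append("domain creation date not found in WHOIS")
    else:
        gap = (created - claimed_start).days / 365.25
        if gap > slack_years:
            flags.append(f"domain registered {created:%B %Y}, "
                         f"{gap:.1f} years after the claimed start")

    reg_year = registration_year(reg_number)
    if reg_year is None:
        flags.append("registration number does not start with a year")
    elif reg_year - claimed_start.year > slack_years:
        flags.append(f"company registered in {reg_year}, "
                     f"claimed start is {claimed_start.year}")
    return flags


if __name__ == "__main__":
    # "201300000A" is a constructed number in year-first form, not the real one.
    for flag in age_red_flags(4, date(2013, 11, 24), SAMPLE_WHOIS, "201300000A"):
        print("RED FLAG:", flag)
```

A missing or unparseable date is reported as its own flag rather than silently passed, since privacy-redacted WHOIS records are common.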

5 Fake Twitter Presence

Most companies are now active on Twitter and a legitimate twitter account will have;

  • a branded avatar (not the newbie egg)
  • regular tweets
  • a following that matches the company size
  • real followers

The first three any company can solve rather quickly, the last one they cannot fake. And it turns out it’s not that difficult to figure out who are real followers – and there’s a tool out there which makes it even easier. Here are the results for AsiaExpatGuides;
Probably everyone has a follower or two that score as fake. But 82%? The only way you can build such a poor quality following is to buy followers. In this case 1300 of them.

Again a legitimate, reputable company should not be doing this.

6 Zero LinkedIn Presence

LinkedIn has become the social media platform of choice for professionals, the proportion of people using LinkedIn from any one company will vary per industry and per country – here’s a breakdown of user demographics from 2012.

So if a company only states that they are a “global finance service company” I’d expect thousands of LinkedIn search results (remember the search results will include people who no longer work at the company; my current company returns 6x the number of current employees). For a small professional services company that states it has one or two hundred employees and that hasn’t been operating that long the number might be closer to 1x existing employees. Check – but be aware that unless you’ve changed your account settings those people will be able to see that you’ve viewed their profile.

7 Fake Customer or Partner Lists

If you have doubts about a site look for customer references or lists of partner companies, and consider contacting those companies. Large companies will be doing business with thousands of other companies so sometimes it’s hard to research but I have always been happy to look into companies that use our name on their site – it’s part of protecting our company name.

In all the enquiries I have checked it has been a minority that turn out to be legitimate partners, no more than 20%.

8 Suspicious Testimonials

One way for a company to gain credibility is with customer testimonials, but what if those testimonials are fake?

I wrote about my research into the testimonials on the Asia Expats Guide site a while ago. When I first looked at their site there were many testimonials which seemed a little off; perhaps it was a student from Pakistan using very American slang, or that the photo didn’t really look like someone with the amount of experience stated in the testimonial. So I decided to dig.

I looked at LinkedIn. Not everyone uses it, but I found that among sixty testimonials not one name matched a profile and also had a photo match. So I did an image search, just using the URL of the actual image in Google’s image search, and found that most of the images used by Asia Expat Guides were lifted from other public sites. This only works where the image is very similar or identical to an image used somewhere else on the internet.

So Brent Keith’s image has a URL http://asiaexpatguides.com/wp-content/uploads/2013/03/test61-148×117.jpg, but an image search shows that he turns up on quite a different site, with the name Grant Hallstrom.

You can check the other examples of Asia Expats creating fake testimonials in my earlier blog post.

I really encourage everyone to be smart about this. It’s easy to create an online presence for a fake company, but there will be cracks in the facade, and there are easy ways to check. If you can’t find good resources supporting a company’s reputation take your money somewhere else.

Doxxing

I heard this for the first time recently, despite being online for hours of every day for the last 15 years, and despite witnessing a couple of examples of it.

So what is it? Here’s the definition the Urban Dictionary gives, you’ll note it’s from 2008

Some examples;

  • in an anonymous forum someone figures out who you are IRL (in real life) and publishes your real name.
  • your social security number ends up on a site based in the former Soviet Union – and you’re the First Lady, Michelle Obama
  • the home address of the head of the FBI was posted online (although an out-of-date address)

It sounds like a problem, and it could be in some cases, but it’s legal. Or at least it’s legal to re-publish public information.

If the information is obtained by hacking or by social engineering then a crime may have been committed, and if the information is used to infiltrate emails, commit fraud or to threaten someone that is a crime.

But publishing public information? Not a problem.

Which means we should all be smart about how much information we share online, but as the number of devices we use grows, and the amount we communicate online grows this gets harder.

Rental Scam

This scam has a few variants but the general steps are simple;

  1. The fraudster advertises an apartment for rent in a desirable area for lower than the market rate
  2. The victim responds
  3. The fraudster is unfortunately out of the country/away so asks the victim to send a deposit to secure the apartment.
  4. The victim sends the money
  5. The fraudster is never heard of again.

The advertisement could be placed in a print newspaper, an online site, or on a fake site built for the purpose. Sometimes a legitimate bank or insurer is mentioned in the advertisement or subsequent emails to reassure the victim.

In more sophisticated versions the fraudster uses a real apartment for rent and copies the information from legitimate advertisements just changing the contact information. In some cases the scam has gone as far as letting the victim move in – and be kicked out or arrested for trespassing.

It’s become a common scam yet still seems to trap people regularly. Many sites have created lists of warning signs, but one rental company, apparently tired of the scams, has created a nifty online tool for assessing rental ads: answer a series of ten questions and see a probability that the ad is a scam. They show you some simple online tricks you can use to assess the ad, and there’s also an email look up tool.

But the summary is; if it sounds too good to be true – it probably is.

Images; for rent / CC BY-NC-ND 2.0

Scam File; Asia Expats Guide still lying

I posted last week that Asia Expat Guides used fake testimonials on their website to which I got this rather interesting response.

there are 7 billion people in the world some will look alike

Which is a fair point, sometimes people do look alike. I had a very confusing conversation with a woman in a hairdresser’s once, I was convinced she was a former colleague. Turns out, we’d never met.

This is not sixty of those cases. I’m not confusing a likeness, I am saying that Asia Expat Guides has copied photos from around the internet, invented names, and created a glowing review of their own services.

This is unfair on the people whose photos were stolen, it’s unfair on people considering Asia Expat Guides’ services; it’s lying, it’s fraud.

Here’s a slideshare of some of the ones I’ve identified so far, including those Asia Expat Guides have removed. You’ll see a screenshot of the content Asia Expat Guides invented, alongside a screenshot of the image from the original site, with a link to that site.

Despite my blog post and tweets throughout last week, Asia Expat Guides continues to use photos of people, assigning random names and endorsements to them. It’s clear that permission was not given. It’s also clear that they have done this knowingly, since they’ve removed the endorsements of some of the people that I have pointed out.

But the fake testimonials remain, so I am presenting here a selection of the testimonials Asia Expat Guides publish with screenshots of the real person where I could track them down.

(If the slideshare isn’t presenting well on your screen, here’s the direct link; Scam File: Asia Expat Guides )

Scam File; Lying Testimonials Online

With more and more business being done online, websites will often add customer testimonials to their sites. A real face and a real story add credibility.

Unless those testimonials are fake.

I recently received an email from Asia Expat Guides promoting their expat services, helping people relocate into Asia. I went to their site and started checking out their testimonials. First surprise – there were a lot of them; 64 in total. Seemed to be a wide range of people from lots of countries, but something about the sameness of the testimonials raised a red flag.

I found very little online using the names and information given so I started digging into the images; here’s where it got really interesting.

Asia Expats Group lies Jeff Goldman

“Jeff” is really happy about the help he got moving to Vietnam, only he turns out to be John Franklin, of John Franklin Ministries, in Kentucky, USA.

Asia Expats Group lies Eugene Scheveka

“Eugene” has a lot of spare time now that the cleaning of his apartment is sorted out in Vietnam, so much so that he’s apparently started moonlighting as John Price, the Director of the International School Monaco. Hell of a Commute.

Asia Expats Group lies Ibrahim K

Ibrahim is finding it so much easier to get around in China and chat with his neighbours, luckily he found time for an interview, looks like the interviewer was confused though – he keeps calling him Samir Ahmed.

Asia Expats Group lies Jessica Langseth

Jessica’s worked really hard to get this job and is loving the challenges and excitement of the expat life. It was a refreshing change from her job as Rosanne Paul, Real Estate agent.

I’ve checked every image from the testimonials, sixty of which I could track to a real name, and none of them match the information Asia Expat Guides provide.

Asia Expat Guides say they’ve helped hundreds of expats; if that’s true why couldn’t they find 5 or 6 real people to write a testimonial?

They also say they’ve been in business for four years. Four years – and the website domain was only registered this year?

I smell a rat. A big one.

Images;

hand image; Tell lies /mnwatts/ BY-NC-SA 2.0
all other images taken from Asia Expat Guides 07/08/13

Patent effect

Patents have been around in various forms for hundreds of years. Their purpose was to grant the patent holder exclusive rights so that they could benefit financially from their invention, free from competition, for a limited period of time. The purpose was to encourage innovation.

In today’s digital world patents seem to have the opposite effect, innovation is happening much faster than the time-frame of a patent. Often an innovation is an improvement on an existing, patented, software programme or a combination of existing technologies or the application of a new technology to an existing process.

This has opened up the digital world in particular to a whole new industry of non-practising entities, companies who acquire patents but never manufacture anything, more commonly known as patent trolls. These companies work by filing patents as technology is developed but never inventing anything themselves, and then suing manufacturers or, more recently, users for patent infringement. The recent case of Personal Audio suing a number of high profile podcasters is a great example of how this works.

Settling such a case costs around 2 million USD and takes 18 months if you’re successful so it’s not surprising that companies tend to settle rather than go to court – and as the settlement includes a non-disclosure clause it’s rare to hear the details of the cases. But there’s one exception. Drew Curtis, founder of fark.com talks about how he beat a patent troll.

Patent trolls, or non-practising entities, turn out to be bad for the economy; estimates put the damage at between 29 billion USD per year and 83 billion USD per year, and that’s just the USA.

New Zealand has solved the problem of patent trolls for software – which is the most common subject in patent troll cases – by declaring that software is not patentable. It’s a decision welcomed by IT professionals in the country, who see it as promoting innovation. An added benefit is that it kills the opportunity for patent trolls. Other countries have also limited the patentability of software, how long before the US changes their view?

image Speaking of software patents /opensource.com/ CC BY-SA 2.0

YouTube and Fraud; they don’t care.

Right now there is a video hosted on YouTube that is part of a real estate scam.

How do I know this? Because the real estate scam uses my company’s name, and someone emailed me a complaint.

The scam works by posting an advertisement online offering an apartment in a great location at a low rental rate. If you respond you are asked to send two or three months rent/bond and promised the keys once the money is received. Of course the apartment doesn’t exist, and you will never see the keys. Or your money for that matter.

So I tried to alert YouTube to this legal problem, but because my company’s name does not appear in the video I alerted them to a scam. I sent my email in English. For some reason I got two responses in Dutch. Fine. I responded to one explaining that the video was part of a fraud, and attaching the original complaint email.

I got another answer in Dutch, telling me that YouTube has developed a number of channels where I can report an issue with a video. The option most closely matching my question is “For other potential abuse or security issues please visit our Abuse and Safety Center”

So I click on that option, which takes me to a set of country links… but only five countries. Which is weird, but the underlying information is about what spam/phishing are, rather than any tool to allow me to report an issue.

Report Spam and Phishing in US, Canada, UK, Australia and New Zealand

So I’ve tried twice to alert YouTube to a video that is part of a fraud, but it does not appear that a real person has read the emails or certainly no action has been taken. Meanwhile the video has got another two hundred views.

Of course I am taking responsibility for resolving this because there is a reputational issue for my company, but how can I get YouTube to take responsibility for what is also a reputational issue for them?

And for the 900+ viewers of the video, how many of them will lose money before YouTube wakes up and takes action?

post script one week later; video still there with 1322 views

post script one month later; video still there with 1705 views

post script June 2013; video still there with 1948 views, reporting system improved and incident reported once again.

post script September 2013; video still there with 2499 views, reporting system improved and incident reported once again. YouTube say 24 hour review. I’ve been trying this for almost a year.

Scam File; Advance Fee Fraud or The Nigerian Scam

Anyone with email must have seen the advance fee fraud emails, promising you a large win in an email lottery – if only you’d pay these fees. They’ve become known as “Nigerian scams” or sometimes “419 scams” after the part of the Nigerian penal code that covers this fraud.

The format of the scam has a long and dishonorable history, starting well before the internet with a version known as the Spanish Prisoner.

The emails are typically poorly written, and most people ignore them. But not all – and in 2009 (the most recent credible report I can find) the estimated total amount of money defrauded was 9,387,810,000. That’s the low estimate. It’s equivalent to 2.9% of Nigeria’s GNP for the same year. It’s more than Apple’s revenue in 2009 – and they had significantly higher costs of operation.

So if the emails are so bad, in some cases laughably bad, who falls for it? Only the most gullible.

In fact we’re asking this the wrong way around. It turns out that the scammers are deliberately creating emails that act as filters. The scammers are targeting those who are gullible and who have limited experience online, so they create emails that people with online experience will ignore. Even indicating the nationality “Nigerian” is done deliberately – to warn the non-gullible off. Which makes sense: if you’re a criminal on the internet lying about your name, some lottery or inheritance and producing fake documents showing the money in an account, telling the truth about your nationality has to serve some purpose.

image online fraud /Ivers McGraw CC BY-NC-ND 2.0