Wednesday, February 11, 2026

OSF - 2.40 - scams - naive AI?

In a posting about recent activities on Moltbook, someone made the observation that AI agents are pretty naive.

The observation was in regard to the ability of agents to successfully perform various tasks, but my professionally paranoid mind immediately went in another direction.

As we use them more, and particularly as we use them on the Internet, AI agents are going to get scammed.  Since I'm writing up a bunch of material on scams right now, this is kind of top of mind for me.

OK, probably most AI agents don't have any money, so, I can hear you say, how can they get scammed?  Well, they do have access to something of value: they have a lot of information about *you*.  In order to make them more useful to you, you've given them a lot of information about you.  You've probably given them access to a lot of your online accounts.  (Possibly you've given them access to your bank accounts and credit cards, in order that they may make purchases for you?)

And this, of course, is only one way in which AI agents could be scammed.

Somebody could claim to *be* you, and give them new orders.  Botnets on steroids?

I suspect somebody needs to think about this ...


Tuesday, February 10, 2026

OSF - 3.10 - spam - red flags advance fee

OK, most of these will have something to do with variations on advance fee frauds.


First of all, we've got this one.  You may not recognize it as advance fee fraud, because, in this initial message, it just says that you have won the lottery.  However, lottery winnings, particularly for a lottery that you have never entered, have become a very common come-on for advance fee fraud.

This is, of course, very fancy and official looking.  After all, nobody could go online and get the logo for FIFA in order to create a fake, could they?  It's even got a barcode, so it *must* be official!  (There are lots of sites on the Internet that will help you create all kinds of barcodes.)  In terms of lotteries that you have never entered, it says that it is your *email* address that has won.  That sounds reasonable, right?  Well, it has become an indicator that this is, in fact, an advance fee fraud.  That particular rationale has been used in a lot of examples of this type of fraud.

You will notice that it does not, initially, mention any kind of fee.  But you'll also notice that there are all kinds of oddities in regard to releasing the funds to you.  For one thing, it says to keep this confidential.  That is common in order to discourage people from discussing this message with others, and possibly being warned that it *is* a fraud.  Also, the money is to be released to a bank in South Africa.  This then allows the scammers to claim all kinds of bank transfer fees, and you'll have no way to verify that, because it isn't likely that you live in South Africa.

They seem to want a lot of information about you.  Even if you only replied with that data, and refused to pay any fees, they could likely collect and use, or sell, that information for subsequent phishing scams.

Then there is the fact that, even though this is supposed to be associated with FIFA, the contact email is a GMail account, which anyone can create.  Then there is the verification of the winning number, which is to be via the PowerBall lottery in the United States.  (They probably pick a combination of numbers that *has* been drawn in the PowerBall lottery.  Which would have nothing to do with a FIFA lottery.)

Oh, and the FIFA lottery?  You don't win money in the FIFA lottery.  You win the chance to pay FIFA a lot of money in order to buy tickets for one of the FIFA games ...



This is a message I received, recently, that was the opening of the gift card variation on advance fee fraud.  I replied to it, wondering what it was about, and got this in reply:


I did a bit of digging on this one, and this person is, actually, Senior Pastor at the church noted above.  But the message is undoubtedly not from him.  I have received messages in a similar vein, from unknown people, people that I do know, and even relatives.  In this case, their email address and account have been obtained, probably through a phishing attack, and then are used for this type of scam.  As with the grandparent scam, the rush and urgency will require, at some point, that you send the gift card numbers, probably in another email, and then, as previously noted, the value is used and gone.



In this list, notice that several mention cash or benefits.  Once again, supposedly you have come into some kind of windfall, and you only have to claim it!  (*After* you pay the fees, of course.)

But also notice that at least four of the messages are addressed to "Josefina."  One of the things that I am very used to is people incorrectly giving *my* email address as *their* email address.  So I have lots of email messages addressed to Ralph, Rufus, Roger, Ruth and others instead of my actual name.  And I'm used to spammers trying to *guess* at what my name might be.  But how do you get "Josefina" out of my name, or email addresses?  So I started to suspect that this is actually deliberate.  The scammers, trying to trick the greedy, and deliberately addressing a name that is very uncommon.  Social engineering comes into play again, since they assume that some people will feel that they can get in on cash that is rightfully Josefina's!  (And, figuring that they are pulling a fast one, will not be as aware of the fact that they are the ones getting taken ...)


And this is probably something along the same line.  The greedy will possibly assume that they can get away with someone else's Bitcoin purchase, by intercepting the email invoice that has gone astray.  And they are less likely to be watching for the indications that this is, in fact, a fraud.


At one point they were doing a lot in this regard with casino winnings.



Another very common variation in the advance fee space is in regard to inheritances.  Someone has died, and you are part of the estate.  Sometimes somebody has died, and you actually *aren't* part of the estate, but an unscrupulous barrister is willing to split the takings with you.  Beware of all enterprises involving the purchase of new identities.


Monday, February 9, 2026

OSF - 3.05 - spam - red flags 1

So, here are some indications that the email, or text, that you have received may have some issues that you might be concerned about.


Actually, here's one to be concerned about, regardless of whether it's a text or a call.  Supposedly I have received a call (which I didn't pick up) from 604-555-1212.  If you watch a lot of TV or movies, you will recognize the 555 exchange.  It is, in fact, a reserved exchange, regardless of the area code it is under.  There are some numbers in it that are used purely by the telephone companies, for internal purposes.  There are no legitimate numbers that will call you from the 555 exchange, and that is why TV and movie phone numbers always use that exchange: nobody does, and nobody will.  (555-1212 was, at one time, and in some areas, used as a directory information number.)


This comes under the heading of, "if it seems too good to be true, it probably is."  All (well, *almost* all) of these messages are offering you something for free.  You have won a free prize, and all you have to do is confirm your account (which lets them steal your account) or pay the shipping fee, or the handling fee, or both fees, one after the other, and then possibly an additional fee after that ...  Sometimes this is a version of advance fee fraud, and they will be after you for multiple fees.  Sometimes they are after your account, and you may think that your account is of no value: after all, it's not a *bank* account.  But email accounts, social media accounts, and other "free" accounts can have a lot of value, even beyond the nuisance value of having to get a new email account and contact everyone.  For example, these days, a great many other accounts are tied to your email account, and you could lose all of them, as well.

This type of attack is a kind of subset of the larger class known as phishing attacks.  These are messages that attempt to obtain information from you, that can be used in other attacks.  Very often the information is about you: personal information, but not necessarily *too* personal.  For example, what were your parents' names at birth?  Since many systems suggest that you use your mother's maiden name as a security question, this is information that can be used to break into your accounts.


This particular spam came via text, but it points up a warning that applies to texts, email, and even Websites.  The message says to make a claim at https://bit.ly/ICBCcove .  There are a couple of points to make.  The first is the https.  Some people may have been told, or believe, that this provides for some level of security.  It doesn't provide any security against scams or frauds.  The second issue is with regard to the site bit.ly.  This site is a URL redirector.  It is usually used simply to shorten URLs, but it can also be used to specify a particular name.  So, just because it *says* ICBC, it doesn't really mean that ICBC has anything to do with it.  Since it is a redirector, all it really means is that you have no idea where this link is sending you.  Always be somewhat suspicious of these types of links.


This is a fairly common type of spam, and scam.  These particular people are trying to steal your email account, and, as noted above, there are a variety of uses and values that they can obtain from it.  The red flags here start with who this email is from.  On the top line, towards the right, you will notice that the email is from someone at AOL.  I really can't see why someone in authority to remove your account, at Microsoft (*not* Micro Soft), needs to use an AOL account for email.  Also, as I pointed out, Microsoft is unlikely to spell or format their own name incorrectly.  The 48 hour time limit is yet another use of social engineering to panic people and get them to make decisions in haste, and without considering these factors.  (The "Dear Customer" salutation is also a bit of a flag.  If you actually *are* a customer, presumably they know who you are.)  The mention of the account not being updated on their servers is another oddity: *you* don't need to update *their* servers.

This particular message came to an Outlook (Microsoft) account that I have and do use.  Outlook is particularly bad at spam filtering, and (rather oddly) particularly at identifying and filtering this kind of messaging attacking their customers' Outlook email accounts, which are often tied to other Microsoft services.  As noted, I do receive legitimate email on this account, but much of the time I find that at least three quarters of the messages I receive via Outlook are attacks on the Outlook account itself.  (Just something to consider when you are choosing email services.)
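
The red flags walked through in these posts (a brand name on a free webmail sender, a misspelled brand, "Dear Customer", the 48 hour limit, the request for confidentiality, a bit.ly link) can be checked mechanically.  This is an added example, not part of the original posts: a small Python checker run over three constructed messages.  The brand, domain and shortener lists are assumptions for illustration, and an empty result does not mean a message is safe.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed lists for illustration only; they are not from the original posts.
FREE_WEBMAIL = {"gmail.com", "aol.com", "yahoo.com", "hotmail.com", "outlook.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}
BRANDS = {"microsoft": {"microsoft.com"}, "fifa": {"fifa.com"}}
MISSPELLINGS = {"micro soft": "microsoft"}

GENERIC_SALUTATION = re.compile(r"^\s*dear\s+(customer|user|winner|friend)\b", re.I | re.M)
URGENCY = re.compile(r"\b\d+\s*hours?\b|\bimmediately\b|\burgent(ly)?\b", re.I)
CONFIDENTIAL = re.compile(r"\bconfidential\b", re.I)
# The scheme is deliberately ignored: https says nothing about who runs the site.
URL_HOST = re.compile(r"https?://([^/\s:?#]+)", re.I)


def body_text(msg):
    """Join every text/plain part of the message into one string."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def red_flags(raw_message):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # What the sender *claims* to be: display name plus subject, normalised.
    claimed = " ".join((display + " " + msg.get("Subject", "")).lower().split())
    body = body_text(msg)
    flags = []

    for wrong, right in MISSPELLINGS.items():
        if wrong in claimed:
            flags.append("brand-misspelled")
            claimed = claimed.replace(wrong, right)

    for brand, domains in BRANDS.items():
        if not re.search(rf"\b{re.escape(brand)}\b", claimed):
            continue
        if any(domain == d or domain.endswith("." + d) for d in domains):
            continue
        flags.append("free-webmail-for-brand" if domain in FREE_WEBMAIL
                     else "sender-domain-mismatch")

    if GENERIC_SALUTATION.search(body):
        flags.append("generic-salutation")
    if URGENCY.search(body):
        flags.append("urgency")
    if CONFIDENTIAL.search(body):
        flags.append("confidentiality-request")
    if {host.lower() for host in URL_HOST.findall(body)} & SHORTENERS:
        flags.append("shortened-link")
    return flags


# Constructed sample messages (not real mail).
MICROSOFT_SAMPLE = """\
From: "Micro Soft Account Team" <constructed-sample@aol.com>
To: reader@example.org
Subject: Your account will be removed

Dear Customer,

Your account has not been updated on our servers. Confirm it within 48 hours
at https://bit.ly/CONSTRUCTED or it will be removed.
"""

LOTTERY_SAMPLE = """\
From: "FIFA Lottery Board" <constructed-claims@gmail.com>
To: reader@example.org
Subject: Your email address has won

Dear Winner,

Your email address was selected. Keep this award confidential until your claim
is processed, and send your full name, address and bank details to the agent.
"""

CLEAN_SAMPLE = """\
From: "Pat Example" <pat@example.org>
To: reader@example.org
Subject: Lunch on Friday?

Hi,

Are you free for lunch on Friday? The menu is at https://example.org/menu
"""

if __name__ == "__main__":
    for name, sample in [("microsoft", MICROSOFT_SAMPLE),
                         ("lottery", LOTTERY_SAMPLE),
                         ("clean", CLEAN_SAMPLE)]:
        print(name, red_flags(sample))
```
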

More to come ...


OSF - 2.35 - scams - discord attacks

Once again, as I did before when I talked about how organized these groups and attacks can be, I have to be very careful when discussing discord attacks.

This can be very easily seen as political, primarily because it actually *is* political, although not necessarily in the ways people think about political issues.  A number of the examples that I am going to use are related to nation-state actors, and you may think that in the first place I am attacking certain countries that may be identified with this type of activity, or that, not being a nation state yourself, this doesn't apply to you and you don't need to worry about it.  These ideas are not correct.

As I have said, for almost forty years, I have been researching, and working in, information security.  And I get to talk to people in related communities, like the intelligence community.  Those are the spies.  And the counterspies.  And we talk about things like disinformation.

Now there's misinformation, which is just when you make a mistake, and you believe something that's wrong.  That's bad enough.  But disinformation is when somebody deliberately tells you a lie, designed so that you will believe it.  This has been happening for as long as people have been fighting, and that goes back an awfully long way.  As a matter of fact, possibly we can go right back to Cain and Abel.  God comes to Cain and says, where is your brother?  And Cain tries to tell a lie, without even telling a lie.  He just says, am I my brother's keeper?  But God, of course, sees through this and it doesn't work.

Now, when you are dealing with human beings, and not God, it works a little better.  So, someone tells you a lie.  And they tell the lie that they know you are going to believe.  Because it's a lie about someone you don't like.  And the person who tells you this lie, knows that you are going to believe it, because you are willing to believe the worst about the person that you don't like.  So, you believe that lie.  And you repeat that lie.  You tell that lie to other people, because, of course, you want to cause trouble for the person that you don't like.  Or, at the very least, you want to warn other people about the person that you don't like.

So, you have now become a liar.  Oh, maybe you will object that you don't know that it's a lie, but you're repeating a lie anyway.  So, in fact, you are a liar.  And you know what else you are?  You are now a weapon.  You are the weapon of the person who told you the lie in the first place.  That's what disinformation does.  It weaponizes lies, and it weaponizes people.  And if you believe, and repeat those lies, you become the weapon.  You become evil, or at least a part of evil.  You are working for evil.

You didn't mean to, of course, but that's the way things ended up.

Now, one of my other fields is emergency management.  We deal with disasters.  And one of the things that we know about disasters, is the disasters bring out both the best, and the worst, in people.  There are going to be people who try to help during a disaster.  And then there are those who are going to try and take advantage of the situation.

But the pandemic has been different.  For me, personally, the pandemic has been very disappointing.  The pandemic seems to have given everyone permission to be their very worst.  To misbehave, although misbehavior is far too weak a term for what we have seen during the pandemic.  The pandemic has given everyone permission to be racist.  To consider anyone who believes in a different political party or stance to be evil.  To allow people to engage in violence on the streets because they don't like another person's skin color, or facial characteristics, or the political symbol that they put on the back of their car, or they don't like the fact that somebody has an "I got vaccinated" sticker on their shirt, or they don't like the fact that somebody has a vaccines kill bumper sticker on the back of their car.  And everybody just seems to think that because you don't agree with me, I have the right to beat you up or run into your car, or post lies about you.  Oh yes, we're dealing with the lies here.

We'll come back to the lies in a bit here.

As I've said I've been very disappointed during the course of the pandemic by the way that people have been misbehaving.  And I expressed this to a friend and she said, well, it's because they're all grieving.

Now, of course, one of the other things that I am is a grieving widower.  And I have been studying grief.  And I have been studying the ways that people behave when they are grieving.  And in discussing this with a friend, she said, that's because they are grieving.  And suddenly, because of what she said, everything came into focus.  Yes, people have been grieving.

Grief is about loss.  And, during the pandemic, everybody has lost something.  Maybe it wasn't a close friend or family member who died.  Maybe you lost a job.  Maybe you just lost an opportunity.  Maybe you just lost the ability to go down to the pub anytime you wanted for a beer.  But everybody has lost something.

Those who are grieving experience a range of emotions.  But one of the most common is anger.  We are angry about our loss.  But, as human beings, we are not particularly good at identifying why we are feeling anger, or indeed any good at identifying any strong emotion that we are feeling and what it actually is.  Our brain tries to find a reason for the strong emotion that we are feeling.  The reason that it generates doesn't have to be correct.  It doesn't even have to make sense.  It's just a presentation that our brain makes to us about why we are feeling some strong emotion.  So, very often, we feel that we are angry at God.  Or at the universe.  (Or even the person who died, which makes no sense at all.)  Or at that person who has skin of a different color.  Or at that person who holds a different political view.  It's their fault.  Whatever it is.

Thus, we have a whole bunch of people who feel very, very strongly that those people over there are responsible for my pain.  They are angry.  Whether they have any valid reasons or not, they are angry.  And they are taking it out on those people over there.  Maybe they won't actually perpetrate physical violence against them.  But they are certainly willing to believe anything bad about them.  And to repeat any lie that they hear about them, as long as it paints them in a bad light.

There's another thing about grief: desperately intense loneliness.  If you are grieving, you are not just grieving the loss of relationship with one particular person.  You seem to be grieving the loss of relationship in general.  And, therefore, it's almost a cliche that when mom dies, dad, all too soon, falls for some inappropriate female, and forms an inappropriate attachment.

And so what have we seen during the pandemic?  We have seen all kinds of people, joining all kinds of groups, groups espousing all kinds of weird conspiracy theories, just so that they can belong.  To anything.  With anyone.

And so we come back to the lies.  Because of the anger, people are willing to tell lies.  They're willing to believe lies.  Because of the loneliness, they're willing to join with other people who believe lies.

And how does all this fit together?

Well, like I told you, some of my friends are spies.  And they have been noticing that, during the pandemic, various foreign governments have stepped up their disinformation campaigns to try and make trouble for those of us who live in democracies.  Because, right now, with everybody angry, and everybody joining with cults and conspiracy theories, everybody is willing to spread lies.  There are all kinds of people who are willing to become weapons of disinformation campaigns.  It's become so prevalent that the intelligence community has a name for it: they call it discord attacks.  People who are our enemies are sowing lies knowing that a large number of us will believe the lies, and spread the lies, and even amplify the lies.  Thus making disinformation campaigns very much more successful recently than they ever have been in the past.

Now, as I have said, a lot of the information and research in this particular area involves nation state actors.  And, you may be thinking that I am saying that certain nation states are attacking our nation state with particular sets of lies.  And you may be thinking that that is unfair.

The thing is, I am not saying this only about other countries attacking us.  Telling lies, in terms of nation states, is basically known as propaganda.  It is a part of what is known as "soft power."  Soft power is an attempt to influence other countries, without actually threatening or attacking them.  Sometimes soft power can be a positive thing.  For example, most countries are involved with foreign aid: sending money and/or aid to other countries.  Obviously, this is an attempt to influence the other countries.  It is an attempt to influence them by doing something positive for them, but there is another term for that: it is often called bribery.  Regardless, it is an attempt to influence other countries, on a nation-state basis, and everybody does it.  It's part of soft power.

Well, discord attacks are soft power as well.  Sometimes it's outright propaganda, but the discord attacks are a little bit less obvious.  Discord attacks are mounted, in terms of propaganda, against different groups in the country that you are trying to influence.  These will be groups that do not agree with each other.  So, what a discord attack will do is to create and submit lies, disinformation if you will, aimed at being targeted in a negative way, against one group, but really, in fact, targeted at the opposite group, by being a lie that the opposing group will want to consume.  It is something that they will want to believe, because it says something bad about the other side.

As I say, so far I have been talking and using illustrations about nation state level discord attacks.  The thing is, it's not just nation states that do these things.  In recent years, this has become extremely common in propagandizing, and attempting to influence either committed groups, or the general public, even within small communities.  People are using discord attacks very frequently, and unfortunately very effectively, particularly within social media.  Some of these discord attacks are aimed at political groups, and, since politics touches pretty much every human activity, I guess you could say that all of this is politics, or political activity.  But this is not necessarily just about right-wing parties versus left-wing parties.  Sometimes it is targeted at small groups within a town, and even within an individual organization.  Anytime there is a division, it seems that people are selling lies to one side, in order to get them inflamed against the other side.

And selling is very often an operative word here.  Particularly in regard to social media, some people are just in it for the money.  Online advertising is still a very significant source of revenue for social media platforms and pretty much anybody else who has a presence on the Internet.  The social media platforms, all of them, push for engagement: the attempt to get the social media user to stay on their platform, read their postings, and spend time reacting to their postings, or forwarding those postings on to other people.  Unfortunately, it does seem to be the case that, for a variety of psychological reasons, the most effective way to keep people engaged on social media is to promote hatred.  To get one group of people upset at another group of people.  And it doesn't seem to matter what the groups are.  As long as somebody is stirring up trouble, and spreading malicious gossip, social media users consume it, and spend more time on the platforms.  That makes the owners of the social media platforms happy, and it enriches the bank accounts of the people who create and spread lies about various issues and groups.

And this is really the entire point that I am trying to make about this kind of attack.  When you read something that upsets you, please do not simply automatically share it with all of your friends.  Find out whether it has any basis in fact, first.  If you are spreading malicious gossip that has been created falsely, purely for the purposes of stirring up trouble, and possibly partly for the purpose of enriching somebody who makes up lies for a living, then you are promoting discord attacks yourself.  You are helping to spread the lies.  You are lying.  You are also helping to enrich the people who create this deceitful disinformation, and do it just because it makes them money.


OSF - 2.25 - scams - advance fee

In calling it advance fee fraud I'm trying to use the most neutral term here.  It's also the most descriptive.  These scams (and there are a great many variations on this scam) rely upon getting people to pay you money, in advance, with the promise that they will receive an enormous return, at a later date.

No, this isn't an investor scam, but it does tend to turn on the same theme and idea.

But this scam also has a number of other names.  Most people would know it as the Nigerian scam.  It is also known as the 419 scam, which is a reference to the section of the Nigerian criminal code that makes this type of scam illegal.

They sent me to teach in Nigeria.  (Twice.  I think they were trying to kill me.)  Do not joke about the Nigerian scam, if you are in Nigeria.  They don't have any sense of humour about it.  After all, how would you feel, say, as an American, if people started talking about an American prince or other leader and rich person, who promised people lots of money, or possibly that they would provide them with favorable new regulations and relief from taxation or tariffs, as long as they sent him a bit of money now, say, investing in his corrupt and fraudulent cryptocurrency scheme, and referring to it as "the American scam?"  You probably wouldn't like it either.

Fortunately, I was an invited speaker to the First International Conference on Advance Fee Fraud, which was arranged by the Nigerian government.  When I informed the classes in Nigeria about this, then they were okay with it, and we could have a reasonable discussion of the fraud.  But they don't like it being called the Nigerian scam, for obvious reasons.

So, I will use an even older name for it: The Spanish Prisoner Scam.  For all I know there are even older versions of it, dating back to the Peloponnesian war, or even the Trojan war.  But I'll stick with the Spanish Prisoner scam.

So, in that version, you would probably receive a letter telling you this story, that a knight, eager for riches and glory, had left his vast estates, and headed out to the Holy Land for the Crusades.  He did, indeed, cover himself with glory, and obtain great riches, in the ensuing crusade.  However, on the way home, somehow he ended up in Spain, and was taken prisoner.  (Spain, at this time, was frequently under Moorish control, and the Moors couldn't be expected to have much sympathy with someone on the Christian side of the Crusades.)  He is being held for ransom.  If you will send the money to pay his ransom, you will be richly rewarded, many times over, when he gets home to his vast estates, and great wealth, and the enormous additional wealth that he has piled up from his activities during the crusade.

See?  You pay a fee, for something, now (the ransom), and you will be richly rewarded later, many times over and above the fee that you are paying for the ransom.  This is the basis of the advance fee fraud.

During the 20th century, a lot of people were receiving letters from Nigerian princes, or people who were head of the Nigerian oil development department, or various other entities, probably based on the fact that nobody was really terribly familiar with the country of Nigeria anyway.  That's how it came to be called the Nigerian scam in recent years.

With the classic advance fee fraud, involving somebody in a foreign country, generally speaking there is a request to help pay the financial transfer fees.  This may be fairly small, perhaps as small as $1,000.  However, after paying that initial fee, then there will be some other difficulty: possibly some additional financial banking fee that needs to be paid before the transfer can be completed.  This time the fee is possibly $2,000.  And then there is another fee, and another, generally increasing every time.  Over time, of course, you end up paying tens or even hundreds of thousands of dollars.  And the reason that people end up paying this amount of money is, once again, social engineering.  Once you have invested a certain amount of money, confirmation bias and other psychological factors tend to kick in, and you become prey to the "sunk cost fallacy."  You have already paid a certain amount of money, you have invested in this process or scheme or project, and so therefore, it stands to reason that you need to continue paying, in order to get your massive reward at the end.  It becomes harder and harder to convince people who are involved in this that the massive reward at the end does not, in fact, exist.

I actually received a printed letter version of the scam in the distant past, and I wish I had held onto it over the years. It was fancy, with embossed and gilded letterhead.  Email scammers don't have to go to the same lengths these days, although some do.


This illustration is a kind of variation on the theme: you have won a huge prize, and just have to pay an administrative fee to get it released.  These guys obviously feel that having graphics and logos (and even a barcode!  It *must* be official!) and looking impressive will distract people from the flaws in this letter.  (Again, we'll go into these ones in detail when we get to the "spotting spam" topics.)

There are an enormous number of variations on this.  There may be a rich prince from a foreign country.  There may be somebody who is the head of some development corporation, with access to large amounts of cash.  There may be the wife of some political figure, usually now a widow.  Generally speaking there is some kind of a sob story associated with it.  Very often the people involved are trying to move their vast fortune out of the country in which they currently reside, and are asking for your help in paying financial transaction fees in order to do so.  Or, sometimes, they simply want to use your bank account in order to transfer their great wealth into your bank account, and then you will pay them the bulk of their fortune, once they get out of the country, retaining a large percentage of it as a payment for your help in this matter.  The stories are endless, and, most recently, have turned on vast fortunes that the holder wishes to donate to charity, but is being prevented from doing so by the evil government in their country, and this is why they need to get their fortune out of the country and need your bank account in order to do it.

As I say, the stories are endless.  But they all have the one central theme: somebody needs you to pay money now, and you will be paid back, and richly rewarded, at some future date.


I have recently found a minor variation on this theme.  Once again, as with the grandparents scam, and various others, this involved gift cards.  Somebody will contact you, and ask if you do business with Amazon, or if you can help them out with some matter, and, once you have replied to the initial message, (and there is some additional social engineering involved here: when you have replied to the message, you have a tendency to believe that you are part of the ongoing transaction, and you have a greater propensity to go along with their further requests), then in a subsequent message they will say that they are trying to reward some people in a charity, or an organization, and they are asking your help, because they would like to get gift cards, but are not currently in town, and so would you go and buy gift cards for them, and keep some of the cards for yourself, and they will of course pay the entire bill.  Later.

So, sometimes advance fee frauds are relying upon people's greed.  Or, sometimes they are relying on people's wish to help in a difficult situation. Or, sometimes they are based on people's wish to aid in a charitable endeavor. Like I say, the variations on the scam seem to be endless.

Because of the promise of a reward at the end of the process, there is a regrettable propensity, on the part of law enforcement personnel and agencies, to consider that "you can't cheat an honest man," and that victims of advance fee scams are at fault in the matter.  In some cases, there may be some validity in this.  But this does not take into account the skill in social engineering that goes into a great many of these frauds.  As I say, many times the appeal will not necessarily be solely to the reward that the person will receive.  Oftentimes the story will concentrate on the sufferings of the person who is in distress, and wants to transfer money.  Or, sometimes the version of the advance fee fraud will emphasize a charitable endeavor that is to be established once the funds are transferred.  One of the extremely common versions of this scam that I have seen, for many years, in my spam collection email accounts, talks about transferring money to your bank account, so that you can then retransfer this money to people who are either an established charity, or are setting up some kind of charitable institution.  In this case, of course, you may not necessarily be asked to pay upfront fees, but, of course, in giving access to your bank account as a repository for these funds, your bank account may be drained.
In another version of this bank account sub-variant of the scam, an actual deposit may be made to your account, and you then transfer out the bulk of that money to another account, and only then, with the machinations and clearances involved in bank transfers, does it become apparent that the original deposit to your account was, in fact, faulty, and no money has been deposited to your account, and you can't get the money back that you transferred out of your account, because you did that transfer legitimately, and the bank can't get your money back because the account you transferred the money to has now been closed down, and so you owe the bank the amount of that transfer.  (See discussions of how these scams are organized.)

(There are also details of variants in the section on spotting spam:


OSF - 2.20 - scams - organized

Now, at this point, I want to fulfill my promise to talk about how criminal enterprises, in terms of online scams and frauds, operate.

First of all, all the stuff in all the movies and TV shows that you have seen about rum runners during the Twenties and the Great Depression, and all the movies that you have seen about drug traffickers in the more modern age, will not be particularly helpful.  This is not about Vinny and his gang walking into a shop, and saying to the owner, "Nice bridal salon you got 'ere gov'n'r.  Be a pi'y if somebody stampeded an herd of cattle through it."

Criminal gangs of all sorts tend to have contacts with each other.  And, of course, some of them will specialize in certain areas, and can sell this expertise to other criminal gangs, who may need that particular service, while operating in a related sort of business.  So, it is entirely possible, and even probable, that gangs who are in the business of drug trafficking, human trafficking, and other illicit activities of that type may be using the services of specialists in online crime.  For one thing, human traffickers will probably turn to scammers and spammers in order to identify targets that they will want to kidnap, or to advertise false recruiting services.

However, in terms of protecting yourself, it is probably more useful to know that the tasks involved in committing a fraud, and then stealing from someone, laundering the proceeds, or extracting a value from a credit card or a gift card involve a number of different specialties, with different specialized specialists performing different functions in the overall theft.

In the case of the theft of credit card information, your credit card is probably not simply going to be duplicated.  Once you realize that false charges are being made on your credit card, you will probably simply call the bank and cancel that credit card, and be reissued a new one.  Therefore, the credit card will only have value for a short time.  Instead, the organization, which may not be completely under one body, but may be an amalgamation of a number of different groups, each specializing in a different task, may have some people who specialize in social engineering, and therefore handle the fraudulent calls made to you, and other people who take the credit card information, and, fairly quickly, make purchases of resellable items, and have them shipped to people to hold for resale.  The people holding the goods, the people to whom the goods are shipped, and therefore the people who are identifiable in the fraudulent transactions, are, in all likelihood, not criminals at all.  They are, themselves, victims of fraud, recruited by yet other specialists, who have convinced them that they are a part of a legitimate home-based business, receiving merchandise, which has been purchased off the Internet, and then reselling and reshipping the merchandise to people who want to buy it.  The management of these holding and reshipping parties is yet another criminal specialty.

Similar things may happen with regard to gift cards.  If the gift cards are from shops, once again, holding parties, and reshippers, may be dispatched, with the gift card numbers, to purchase resellable items from those shops.  Other types of gift cards will have different means of extracting the value from the card, and laundering the financial benefits.

(These are not the only processes, functions, or specialties that are used in the commission of online frauds.  But these things happen behind the scenes, and knowing about them doesn't help you very much in taking precautions or protecting you against fraud.  The most important point to take away from this is that you are not only up against the person on the phone with you, but a number of others, whom they may not even know.)

As I said, the old movies about rum runners, and the newer movies about drug smugglers, are not very helpful in regard to understanding these systems.  However, there is one movie that I can recommend: "The Beekeeper."  Yes, for most of the run of the movie, it's your standard shoot-'em-up.  But, right at the beginning of the movie, there is a five-minute segment that really does explain how some of these online fraud organizations work.  The scene has the leader of one such group conducting a training session for the actual call takers, and goes, step by step, through one particular way of getting someone to install malware onto their computer, and allowing the organization to get access to bank accounts.  (Here are two versions of video clips from that scene in the movie.)

There are a couple of points that I need to make, but need to be very careful about making.  The first is in regard to theft from bank accounts, and banks.  I am quite sure that just about everybody who works in any banking and financial institution that you will ever encounter are nice people.  However, The Bank, as an entity, is not run by those people. The Bank, as an entity, is run by the owners of the bank, and by policies and procedures.  The people that you will meet, at the front lines, are subject to those policies and procedures.  And The Bank, as an entity, and the people who own The Bank, hire lawyers, and pay other lawyers on retainer, to stay up nights, writing those policies in order to ensure that, if it is a matter of The Bank losing money, or you losing money, The Bank is not going to be the one who loses money.  While the people that you deal with on a daily basis at the bank may very well be very nice people, when it comes to you losing money The Bank, as an entity, very profoundly, does not care.  When The Bank talks about security, it is *their* security that they are talking about.  Yes, I know, The Bank, even as an entity, will make all kinds of statements about keeping your money safe.  And, The Bank, even as an entity, is trying to do that.  But, as I say, if it is a matter of you losing money, or The Bank losing money, The Bank is not going to lose money.

This comes into play in some very interesting ways.  I frequently tell people, in my seminars on online fraud, to prefer using credit cards to debit cards.  Many people don't even know what the difference is between a credit card and a debit card.  And the differences in charges to the merchants have ensured that merchants are making every effort that they can to encourage people to use debit cards, rather than credit cards.  I am on the boards of enough charitable organizations to know the differences in fees charged when somebody pays their annual dues with a credit card, versus when they pay their annual fees with a debit card, and to understand why merchants do this.  The thing is that credit cards, in Canada at least, provide you with an extra layer of protection.  If somebody makes a fraudulent charge on your credit card, the law in Canada ensures that your liability for that fraudulent loss is limited.  If somebody makes a fraudulent withdrawal using your debit card, that money is gone.  You will not get it back.

The other point that I have to make with regard to the organization of online fraud, is with regard to nation state actors.  Yes, we have had the idea that hackers, and we tend to believe that the online fraud is committed by hackers, are loners, living in a basement somewhere.  With the organization of online frauds and scams, that tends to not be the case any longer.  These are businesses, even if illegal and illegitimate, and tend not to be conducted by loners, but by groups.  Some of the groups may be quite small.  But some of the groups may be quite large.  And, in some cases, there are various nations which have come to terms with this, and even employ these groups that are involved in frauds and scams.

And this is where I have to be careful, because every time I talk about this, somebody thinks that I am making political statements, and blaming certain countries.  I am not trying to be political about this.  Yes, I do identify certain countries, because that is where the facts point.

The facts are that, because of the organized nature of online frauds, and the variety of specialties that are in use, and the extra layers of protection that communicating across jurisdictional boundaries provides to the groups who are operating in this criminal area, groups of criminals involved in the various specialties of online fraud exist around the world, and in pretty much every country.  But there are certain countries where the governmental authorities have seen benefits in making connections with these groups.

How do I know this?  Well, I work in information security.  A lot of the technologies that we use are either used by, or of great interest to, people who are working in the intelligence communities.  No, nobody has ever been foolish enough to give me any kind of security clearance.  After all, I'm a teacher.  It would probably be a bad idea to give me actual classified information.  But, I have an awful lot of colleagues, who are working in the intelligence communities, and I've even taught some of them.  Let's face it, a lot of my friends are spies.  No, they are not going to give me classified information.  However, we do discuss related issues, and, while they are not going to give away any secrets to me, you can pick up an awful lot by listening, and, when you make observations about these kinds of things, in that kind of world, sometimes your friends are good enough to let you know when you are right (or, when you are wrong).

Like I said, this is organized.  But the functions may be organized in a variety of ways.  We know that there are camps in places like Bangladesh, Cambodia, and Myanmar, where people who have been recruited and trafficked, are, basically, kidnapped, and held in boiler room type situations, where they are given scripts, and forced to make fraudulent calls.  This is one type of group that can exist in a variety of places.  But sometimes the government takes a more direct hand.



Of these two buildings, one is in Moscow, and one is in St. Petersburg.  Both of them are office buildings and home to a variety of companies.  Both of them are home to a variety of specialized types of businesses.  Businesses involving hacking and online fraud.  The Russian government is happy to contract services from these organizations, and the businesses registered in these buildings.  The Russians may use the hacking services to attempt to gain access to secured information systems for espionage purposes, or they may be using hacking services to probe into infrastructure control systems, in order to see if such services can be disrupted.  And, of course, some of the businesses in these buildings are also specialists in certain functions with regard to online fraud.


This picture is of a type of concentration camp in China, in the Uyghur area.  This particular camp is believed to be a center for forcing the conscripted workers to perform hacking and online fraud functions.

China has an interesting, and somewhat schizophrenic, relationship with hackers.  More than two decades ago, we started to realize that China saw hackers in two different ways.  There were the black guests, as the Chinese called them, who were the standard types of hackers that we always considered to be the case in the West: loners, not connected with anyone in particular, and not particularly important.  But there were also the red guests, as they were referred to, who had connections in Chinese business, academia, and even the government and military.  These people would be used by the Chinese government in various espionage operations, and the connections, and uses of these specialists, have only increased over the years.  Therefore, the people who say that dealing with Chinese technology companies is fraught with peril do have significant evidence for their position.

I should say that acting as a hacker, or a fraud operator, in connection with the Chinese government does have its own difficulties.  Recently, a series of operations, that were conducted primarily in Myanmar, had had connections to official Chinese government operations over the years.  However, even more recently, these operations had been conducting attacks against Chinese citizens, and the Chinese authorities finally got fed up with it.  A number of the leaders of this organization were arrested, and the Chinese conducted a number of show trials in bringing these people to justice.

North Korea has been involved in online scams of various types, but has specialized in the theft of cryptocurrency.  At this point, a significant proportion of the country's gross domestic product results from that activity.


OSF - 2.15 - scams - robot press 1

The next scam that I would like to address is also one that tends to come by phone, although there are variations on this scam that will come by email, and sometimes even text.

It is difficult to isolate a particular identity for this scam.  The call may purport to come from your bank, your credit card company, or a business with which you may (or may not), have an existing relationship.  The call may purport to come from the government, particularly a taxation department, or even from law enforcement.  The identifying factor that I tend to use is that, for some reason, the call always starts out with a robotic voice.  You are being called by a robot, a machine.

As I say, the call may purport to come from a variety of sources.  Very often the initial message will say that a charge has been made to your credit card, or a payment is being made from your bank, or an invoice for a business has been charged to your credit card, or you are delinquent in your taxes, or you are *so* delinquent in your taxes that law enforcement is ready to arrest you, and take you to jail.  The call, as I say, usually starts out with some kind of machine based, or recorded message.  The gist of the message is that you owe money to somebody, or have agreed to pay money to somebody, and you are then, most often, presented with two options: press one to accept the charge, or press two to dispute the charge.

Sometimes the message only presents you with an option to press one to dispute the charge.  It really doesn't matter.  The reality is, of course, that you have not agreed to purchase anything, and no charge has been made to your credit card, and you are not delinquent in your taxes.  It doesn't matter whether you press one to accept the charge, or two to dispute the charge: whatever you do you are going to be connected to some kind of a call center, where somebody is going to start to work the scam on you.

Probably in most cases you will want to dispute the charge.  The person that you are connected to for the duration of the phone call will probably be very polite, very helpful, apologize for the error, and try very, very hard to get your credit card or banking information so that they can rectify this problem.  Of course, they are not going to rectify the problem; they are going to try and steal your money, either from your bank account, or by making charges to your credit card.

There is, of course, some social engineering going on here too.  Probably the reason that the call is initiated by machine partly has to do with the cost of having a machine place the call, which is almost nothing, versus the cost of having an actual person making the call.  But there is an additional factor with regard to the machine making the call, and that is that the robotic or recorded voice makes the call seem more legitimate and official.  We do have a tendency to associate, these days, the use of technology with large corporations.  If the call is being made by a computer, then it must be an expensive computer that is owned by a large company.  That, of course, is complete nonsense these days: computers capable of making these calls can be bought or built very cheaply.  And, in any case, as previously noted, most of these scams are highly organized, and the person that you are talking to, eventually, if you press either one or two, is probably in a call center somewhere, with a number of other people who are doing similar calls.

There are some additional social engineering factors at work.  Most people don't keep track of all the purchases that they may make.  Many of the companies whose services you have supposedly purchased are companies which you may, in fact, already use.  It may be a fee for the use of PayPal, or your Amazon Prime account, or the Norton or McAfee security software, which tend to be the ones that most people use, because they tend to be the ones that are packaged most frequently with new computers.  So it is highly likely that you may deal with these services, and are not completely familiar with the anniversary date for your annual payment, and may instinctively want to continue the service, and are therefore possibly predisposed to ensure that you do pay.
Sometimes there are text or email versions of this scam.  This one is supposedly an invoice for Norton security software, but has a number of red flags, which we'll cover once we get to the "spotting spam" part of the series.

Even if the purchase is not one that you would want to make, you may not know whether or not you have made this purchase.  Therefore you may wish to get more information about the purported purchase.  And, of course, when you talk to someone on the phone, in order to give you more information about the purchase, and purely for the purposes of ensuring the security of your account, they will be asking you a lot of questions about your account, such as your account number, your name, your address, the security PIN that you use for this account, and so on and so forth.  All of which, of course, they fully record, and sell on to the people who are going to use your credit card, or bank account, to make purchases and steal your money.

There is yet more social engineering involved: as I say, if you dispute the charge, they will be polite, helpful, apologetic, and really eager to help rectify the problem.  And, of course, in order to rectify the problem, they will want to have all kinds of banking information and the information about your credit card.  For the purposes of stealing from you.


Sunday, February 8, 2026

OSF - 2.04 - scams - four seconds

I'm going to start off with some telephone scams.  And, I suppose I should explain my four second rule.

If you call me, on the telephone, either landline or cell, and I answer and say hello, you've got four seconds to start saying something.  If you don't, I'm going to hang up.

No, this isn't arbitrary.  Four seconds seems to be the minimum time that it takes a typical telephone redirection switch to transfer the call that it has dialed, and that you have answered, to an operator or agent.  (Presumably, it needs that much time to determine that the line has picked up and the call has been "answered," which is fairly easy, and that someone has said "hello," which is less easy.  For a computer.  See the series on AI.)  If I'm calling a company, and my call is being redirected that way, of course I'm expecting it.  But, if I'm at home, and the phone rings, and I pick it up, and there's four seconds of silence, it indicates that somebody is using a robot to call me.  So, most of the time I just hang up.  I don't want to talk to the robot.

Possibly the robot calling is part of a spam or scam.  However, possibly the robot may be calling because it's part of some kind of telemarketing scheme.  I don't want to talk to a telemarketer anyway.  But, even if it's a legitimate business, if they're robot dialing me, I probably don't want to talk to them.  I figure that if it's really important, eventually some person will call me.  Or they'll send me an email, or something else.  But anybody who is robot dialing me, and I don't know anything about it, I'm just going to hang up.

You have four seconds to respond.


OSF - 2.10 - scams - pay attention!

Yes, I know.  Some of you are getting bored with this, and thinking that this is awfully simplistic, and you don't need to be told these simple things about keeping yourself safe.

Yes, I know.  This is more a reminder than presenting you with anything startling and new.  Please, pay attention.  Please, please, please.

When I first started giving these presentations, here in town, in fact, in the very first seminar that I presented on this topic, somebody showed up who I already knew.  In fact, I had worked with and helped him out with one of his own projects.  And, when I had finished the presentation, he was kind enough to give me some feedback on the presentation, and tell me that he wasn't impressed.  He was an intelligent person, who had run his own business, and he did not need to be told that scammers use social engineering, and try to instill a sense of urgency in you, and that it was never a good idea to buy a bunch of gift cards, and read the numbers to somebody over the phone.  He did admit that, possibly, there were others in the audience who were less intelligent than he was, and who didn't know these things, and so he did admit that I probably did have to speak to the lowest common denominator.  But he wasn't impressed.

About five months later, I got a call from him.  (In the middle of a family dinner, as it happened.)  He, rather frantically, told me that someone had called up, and using various social engineering tricks, had instilled in him a sense of urgency, and had convinced him to go and buy a bunch of gift cards and read the numbers over the phone.  He now wanted to know how to get his money back.

As I have previously pointed out, this is impossible.

More importantly, yes, security very often sounds simple.  Security very often consists more of reminding people, than informing them of anything new and startling.  Please be advised.  Pay attention to this stuff, anyway.  Your friends and neighbors are being scammed, hoodwinked, defrauded, and stolen from.  And probably all of them thought that this stuff was boring and simple, too.

As I noted, you may think that social engineering is just a fancy way of saying "lying."  In regard to scams, that is probably true.  But social engineering is actually a complicated field, which has legitimate uses in all kinds of areas.  I'm a teacher, and we use it in education.  (I worked with another instructor who had a habit of cycling through a series of changes in tone of voice, tempo of presentation, and emotional presentation, that had nothing to do with the topics he was actually presenting.  He just used it to keep students from falling asleep.)  Social engineering is based on areas of psychology, and there is a legitimate billion dollar industry based on its use.  It's called advertising.  (No, I'm not going to argue with you if you want to say that advertising isn't a legitimate business.  But it's not illegal.)  Huge amounts of money go into studies of how to get people to react the way you want them to.  Think of politicians you don't like.  How do you think they get people to support them?

In the case of scammers on the phone, some of them are really good at it, and may be specialists.  However, it is more likely that the person you are talking to on the phone has been given a script that has been prepared by a specialist in social engineering, and the script has been designed to get the majority of people to fall for it.  Like I said, a bit later we are going to talk about the organizations behind these scams.  They use social engineering to make money.  They've made a lot of money because they are very good at it.

Be prepared.


OSF - 2.05 - scams - grandparent scams and social engineering

Now, as I say, I am old.  I am a grandparent, and, in fact, a great-grandparent.  So, I am going to start with the grandparents scam.  No, it is not just because I am a grandfather, and a great-grandfather, but also because talking about the grandparents scam allows me to point out some of the important techniques that scammers will use against you.

This one pretty much always comes by phone.  The phone rings, and I pick it up, and a female voice, sometimes rather shakily, as if the person was in distress, asks, "Grandpa?"  So, of course, being a caring grandfather, I respond, "Sophie?"  And the voice on the other end says "Yes!  Grandpa, I'm in trouble!"

Now, of course, this person is not Sophie.  This person might not even be female.  I have a video of someone, conducting a scam, using a bank of phones in a railway station (which shows you how old the video is), and, using multiple phones, and changing his voice so that he changes gender, job title, and level of authority, is conducting a scam on someone, and using himself, with a different voice, to verify his identity to the person over the phone.  But let's get back to our grandparents scammer.

The scammer on the phone, who I have mentally identified as my granddaughter Sophie, is not my granddaughter.  The person on the phone is using social engineering techniques.  (You can, if you wish, think that "social engineering" is just a fancy way of saying "lying," but there are a great many techniques, some of them quite sophisticated, and, even when you know about them, they generally do work.)  One of the techniques is using me to give the scammer information, which the scammer is then going to use against me.  The scammer has only had to say one word, grandpa, and then I have given the scammer the name of my granddaughter.

This is not the only social engineering technique.  These people are specialists, and are using a series of techniques called cold reading, allowing them to "read" information about you, without you being aware of giving that information away.  These techniques are used by entertainers presenting themselves as mentalists and mind readers.

So, by now flustered and distressed myself, I say what about Mavis?  (Making the situation even worse: I have given away another piece of information to the scammer.)  So the scammer goes on to say that, yes, the two of them are together, and they are both in distress.  At this point, the story may vary.  They may be in jail, for a crime that they didn't commit, of course, but, given that it is a Friday night, if somebody doesn't bail them out they are going to be in jail over the weekend, until they can appear before a judge.  As I say, it may be that they are not in jail, but have been in an accident with another driver, it may be that the other driver is intending to call the police and get them thrown in jail unless the damage to the car is paid for immediately.  It may be that they are in hospital, and need funding for medical care.  As I say, there are various types of stories, but the stories all have some common themes.  For one thing, there is a sense of urgency.  The money, and the decision to send the money, must be made right away, it is urgent.  They are in a distressing situation, which is not their fault, but, unless the situation is dealt with right away, they will be in difficulty, and possibly for an extended period of time.  Their need is urgent, but the situation is not their fault, and can be rectified, and the money recovered, at a later date, but they need immediate funding, right now.

This is the grandparent scam.  This is relying on the fact that grandparents do love their grandchildren, and are willing to do pretty much anything for them.  It is also somewhat relying on the fact that the grandparents probably do not have daily contact with the grandchildren.  They probably don't know precisely where their grandchildren are, at any given point in time.  The grandparents believe that they know their grandchildren's voices, but that may be more of a belief than a reality.  When I discuss the grandparents scam, pretty much every time, somebody brings up the fact that artificial intelligence is now capable of generating a pretty good facsimile of any person's voice.  That is true, and there are definitely systems which, given three seconds of recorded audio of someone's voice, can generate an almost flawless version of the person's voice.  But, generally speaking, and partly relying on the fact that voice identification over the phone is somewhat limited by the fact that some of the sounds and intonations of the voice are eliminated by telephone transmission, it is basically the fact that you believe that the person is your grandchild, which makes you identify the person as your grandchild.  Deepfake voice generation is not really necessary, and scammers generally take the easiest route.

So, social engineering is at play here, big time.  There is the fact that you have provided the information which allows the scammer to claim to be your grandchild.  You have provided the name, right at the beginning of the conversation.  The scammer retails a story which identifies a distressing situation.  You do not wish your grandchild to be in distress, and so you are primed to help.  This story that the scammer has relayed also instills a sense of urgency: the money must be sent now, or things will get very much worse, and, in addition, the scammer's story indicates that the distress will be of short duration: if you send the money now, the situation will be remedied shortly, and you will receive your money back.  The urgency also shortcuts authentication steps that you might normally take.  All of this is standard fare for the grandparent scam, and for a few other scams as well.

The money is to be sent right away.  It is probably after hours, particularly for a bank, and so sending some kind of wire transfer is not available as an option.  Generally speaking, the way that you are to get the money to the agency on the other end of the line which requires it, is through gift cards.  Sometimes they may also suggest cryptocurrency, but that is still not terribly common, and, of course, one of the major points about the scam is the sense of urgency, and so gift cards seem to present the most viable, and certainly most common, option.

Now, particularly when the situation involves the police, and may require bail money, you should know that the police don't take gift cards.  There are no bail money gift cards available in the store.  The gift cards may be specified to you, as to a particular type, but, generally speaking, the scammers don't particularly care.  They will instruct you to go to the store, get a bunch of gift cards totaling a few thousand dollars, and then come back, call them back, or sometimes even stay on the line and go to the store, and then read the numbers from the gift cards over the phone.

A little bit later I'm going to go into some detail on the organizations behind these scammers, and particularly, the ability to extract money from gift cards of various types.  At this point, the only thing that you really need to know is that the scammers are organized, and that, as soon as you read the numbers over the phone, the scammer on the other end, even while still talking to you, is reselling those numbers to another specialist in organized crime, whose specialty is extracting the value from the cards.  So, as soon as you read the numbers of those gift cards, over the phone, that value is gone.  It cannot be recovered.  As I say, the scammers are organized, and they have specialized specialists, and that value has been extracted almost as soon as the last digit leaves your mouth.  There is no point in trying to get that value back.  It's gone.

Now, fortunately for the story that I started off with at the beginning of this piece, there is absolutely no one in my family whose name is Sophie.  There is absolutely no one in my family whose name is Mavis.  When my actual granddaughter calls me, and says "Grandpa," and I respond "Sophie?", she knows what is going on, and will immediately respond, in a somewhat exasperated voice, "No, Grandpa, it's me!"  They know that I am a security specialist, and they know what is going on here.

What is going on here is that I am giving misinformation to the scammer.  Now, you can do it that way, or you can have a kind of family code word, or password, to identify yourself in a truly distressing situation when you do actually need monetary help.  But, forewarned is forearmed.  Being aware of the nature of the scam, and then discussing it with your family, you can come up with some kind of plan to prevent yourself from being taken advantage of, while still allowing you to help your family if there truly is a need to do so.


Online scams, frauds, and other attacks (OSF series postings)

Saturday, February 7, 2026

Grok

The latest Grok ad on the social-media-platform-formerly-known-as-Twitter implies that, had Galileo pulled out a cell phone and called up the Grok app, he would not have been put on trial for heresy.

Mind you, had Galileo whipped out a smartphone and called up the Grok app, he probably would have been burned at the stake for witchcraft.


(Wait.  Does this mean that X is admitting that Grok is based on 16th century technology?)

OSF - 2.01 - scams - scammers vs spammers


Even though they are possibly intertwined, and sometimes very tightly, I suppose that I should start out making a distinction between scammers and spammers.

And, in order to do that, I suppose that the Green Card Lottery Spam is fairly instructive.

Scammers are out to get you.  They want to attack you, and they want to steal things from you.  Scammers are confidence men, and fraudsters, and crooks.  Their intention is to steal from you.  They are bad guys.

Now, a lot of spammers are out to get you anyway.  But, and this was the case with the green card lottery spam, a lot of people just think that spam is the same as advertising.  It's just advertising that's really, really cheap.  At least in the mind of the spammer.  Well, the minds of *some* spammers.  As I say, scammers and spammers tend to be really tightly intertwined, in a lot of cases.

But, there are people who try to make the case that spam is just a form of advertising.  It's just advertising you don't pay for.  Now, of course, if the person who is doing the spamming is running a legitimate business, then they have legitimate business expenses, and legitimate income, and they will have a budget for advertising.  And they will advertise in regular advertising channels.  But, of course, there are always those who are trying to do it on the cheap.  But if they're trying to do it on the cheap, then, very likely, the products that they are trying to sell you are also cheap.

Now, the guy who originated the Green Card Lottery Spam, the originator of the whole field of spam, was actually a lawyer.  The green card is a certain type of visa or residency permit in the United States.  If you have a green card, you are allowed to stay in the United States, and (and this is most important) you are allowed to work and make money while you are doing so.  So in those dim and distant carefree days, before anybody cared what ICE was or did, lots of people wanted to come to the United States and get a green card.  Green cards were available for certain types of jobs, or people coming from certain countries and jurisdictions, and other people could apply for them.  But there was a certain allocation, a certain number of green cards, that would be issued in any given year, and, when various formal applications didn't make up the numbers, then there would be a sort of a windfall allocation of green cards.  These allocations were usually issued to immigration offices in different locations around the United States.  And, if you had an application in at one of those offices, you won the lottery.  You, basically, automatically got issued a green card.

Because of this, people started to think that there was some kind of way that you could game the system.  There was some way that you could predict where the green cards would be issued.  Which immigration offices would get an allocation of green cards at the end of the year.  And, of course, some immigration lawyers, who were less than scrupulous about the actual truth of the situation, would encourage their clients, and particularly potential clients, to believe that they knew how the system worked, and would be able to submit your immigration application to the offices where the lottery allocations would end up.  I have never actually heard that anyone did, really, have such inside information.  And if they did have such inside information, it was more in the way of corruption, than extensive knowledge.  So this myth of the green card lottery was always based pretty much on fraud.

However, lots, and lots, and lots of immigration lawyers did spread the word, and encourage the myth, and solicit clients and customers on the basis that they had an inside track on the green card lottery.  So, the guy who did the green card lottery spam was one of these low-level con artists.  Whether he was actually outright lying to his clients, or just implying that he knew more about the system than it was possible to know, it was basically a fraud.

In any case, he decided to advertise his services, having some kind of an access to a system that allowed him to send email to people on the internet, such as it was, and he did.

This does all mean that there's a bit of a gray area.  Some people think that you need, and sometimes even deserve, to conduct business any way you can.  And that sending out a lot of messages, at no particular cost or effort to you, is a legitimate way to advertise to people who need, or might possibly want, your products or services.  But it's still doing it on the cheap.  And, if you really had a decent product, would you really need to use spamming to advertise your product, or service?

So, there is the possibility, that people who are sending you spam are not, necessarily, or inherently, actually crooks.  There might be some legitimate products that are out there being advertised in this cheap way, because the person who has made the product, or is providing the service, just simply doesn't have the money.  So, let's say, that there is a possibility, however small, that people who are sending spam are not actually fraudsters.

The thing is that spam is now a business.  And, those who engage in sending spam, on a large scale, with organized utilities to assist it, well, they are crooks.  For a number of years, and actually for a couple of decades, spam was annoying, and increasingly annoying, but it wasn't exactly a business.  And then one day somebody realized how they could use malware, and specifically computer viruses, in order to send spam, and, indeed, to set up a business selling spamming services to anyone who wanted to send out spam.  And, most of the time, that meant that people, both those who were creating the spambotnets, and those who were using them, were all crooks.  They were all scammers, and attackers, and fraudsters.  So, these days, the possibility that you will encounter somewhat innocent spam, with no criminal intent, is getting pretty small.

But we'll look at that in some more detail when we start talking about how do I identify spam.  First of all, let's talk about some specific scams, where people are trying to attack you and steal your money, in a variety of ways.

