Monday, August 18, 2008

How To Spot a 419 Scam

419 scams come in different forms and flavours but they all have their sights on one goal only, your money. In this article we will take a look at the importance of spotting a 419 scam and what to look for in a 419 scam.

Brief Background of 419 Scams
This is a very brief description of a 419 scam and I will not even scratch the surface here. Several aspects of the 419 scam go beyond the scope of this article and I plan to discuss them in future articles. The 419 scam (Nigerian Four-One-Nine) got its name from the article of the Nigerian Criminal Code dealing with fraud. Scammers often demand upfront payments for dubious reasons like processing fees, legal expenses or bribes for certain officials, which is why the scam also became known as Advance Fee Fraud. A 419 scam starts with an unsolicited e-mail from a scammer promising a huge sum of money, but the scammer will create the impression that you need to make a couple of upfront payments before you can lay your hands on this non-existent fund. These upfront payments are normally a drop in the bucket compared to the huge sum of money you will supposedly receive in the end. This makes the scam very attractive to unwary and uninformed people who are desperate for some extra cash.

The Importance of Spotting a 419 Scam
Prevention is the most important reason behind the successful identification of 419 scams, but this is not the only reason. Registrars, hosting companies, Internet Service Providers and Law Enforcement also need to familiarise themselves with the common characteristics of 419 scams, because their support and cooperation play a huge part in the battle against 419 fraud.

Unfortunately, many registrars and hosting companies fail to take a stand against the fraudulent activities of 419 swindlers. Registrars refuse to suspend the domains of known scammers and hosting companies fail to enforce their Acceptable Use Policies (AUP). There is a reason why registrars and hosting companies are hesitant to suspend the accounts of 419 scammers... Money! These swindlers are their clients, so they are happy to host their fraudulent websites and support their spamming services. With some registrars, unfortunately, you will never win, not even if you are Sherlock Holmes. They are simply ignorant of the 419 scam problem and do not care about the lives being destroyed by these scams.

To all the unethical registrars and hosting companies out there, don't tell me you have a hard time identifying Advance Fee Fraud websites. If you own a grocery store, will you knowingly sell marijuana to your customers? Perhaps that was a stupid question. If you don't mind hosting a fraudulent website, you will probably have no problem selling marijuana to your customers. But what is the big difference here? If the cops catch you selling illegal drugs to the public, you can kiss your store goodbye, but it is a common misconception that the cops won't do a thing against a registrar who refuses to suspend the domain of a fraudulent website. The actual reason why registrars get away with murder is that complainants do not want to go through all the hassle of filing a complaint with the police, and the cops sometimes do not have a clue how to approach a case like this, even though there are laws you can use to your advantage. Yes, I am aware that your local police department won't have any jurisdiction over a webmaster in a foreign country, but even if they did, you are unlikely to get anywhere with a case like this if you don't have deep pockets, and the registrars know that.

I understand that registrars cannot go suspending domains left and right on a mere request or tip from the public; they have to conduct a thorough investigation before they can take any action. Abuse departments are swamped with fraud reports each day and on top of that I believe they get their fair share of false reports as well. Members of the public need to get their facts straight before reporting a fraudulent website to a registrar; this improves the turnaround time of abuse complaints and makes the work of the abuse departments that much easier. I'm not saying you must conduct a full-scale investigation (unless you feel the need to do so), simply take the time to gather all the evidence and present the information to the abuse department in a logical and organised manner. So many people resort to a quick e-mail like "Hey, check out this site, I think it is fraudulent." or "Hey, this guy sent me a fraudulent e-mail and this is his e-mail address, please take him out". Good, you raised awareness about possible fraud, but tell the abuse department why you think the website is fraudulent. Don't just send them an e-mail address of the suspect, send them a copy of the e-mail that was sent to you, and don't just forward the damn thing inline: forward it as an attachment or include the full header of the e-mail along with the body. The abuse department will eventually find the e-mail address of the suspect in the copy that you sent to them.

Proper identification of 419 scams by members of the public will make these scams less effective and will eventually lead to a decrease in 419 activities. So let's take a closer look at the characteristics of a 419 scam.

What To Look For In a 419 Scam

  1. The subject of the e-mail, as well as the name and e-mail address of the sender:

    By analysing the name and e-mail address of the sender in conjunction with the subject line of the scam e-mail, you can easily identify a 419 scam before opening it. Spotting a 419 scam at first glance minimises the risk of falling for the scam and saves you time (you don't have to read through all the mumbo jumbo of the scammer). This also simplifies the task of reporting 419 scams to cyber security authorities.

    Typical characteristics of subject lines, names and e-mail addresses used in 419 scams:

    • Scammers love to disguise their true identity with the names of high profile figures like State Presidents, Ministers, Ambassadors, Directors, etc.

    • Subject lines are often typed in uppercase letters only.

    • They use free e-mail services like Yahoo, GMail, Hotmail/Live, or a free ISP e-mail account. These free e-mail accounts are used in cases where one would expect an e-mail from an official e-mail address and surprisingly enough, there are still people who fall for this lame trick.

    • There is often an excessive use of formal and professional titles like Mr, Mrs, Dr, Barr, Sgt., Lt, etc.

    • Subject lines often have a false sense of urgency. See example (b) below.

    • The name of the sender is repeated in the subject line. See example (h) below.

    • Many scammers mistake the Subject for the From field and vice versa. Refer to example (q) below.

    • Generic greetings like, "My Dear", "Dear Beloved", "Greetings to you", "Dearest Brother" or "Dear Sir/Madam" are sometimes used as a subject line.

    • Many scammers are hypocrites who pretend to be devoted Christians and will use subject lines like: "GREETING IN THE NAME OF OUR LORD JESUS CHRIST", "My Dear Beloved in the Lord", "Goodness Of God Will Be Upon You", or "YOU ARE THE LORD CHOSEN ONE".

    • Subject lines contain notices about "Payments", "Lotteries", "Bank Drafts", "Compensation", "Funds" and other financial related terms.

    • The subject line often contains an instruction to contact a specific individual, department or organisation. For example "Contact my secretary", "Contact the fiduciary agent", "Contact the bank official", "Contact the ATM Department of..." or "Contact FedEx".

    • Scammers always come up with the strangest and most outrageous e-mail addresses, especially in scenarios where it is quite obvious that the e-mail account is fake. For example, a scammer pretending to be an official from the FBI will use a silly e-mail address like The FBI have their own domain and e-mail servers, so there is no valid reason for using an e-mail account from another domain, or a free e-mail service like Yahoo! or GMail.

    • It is common practice among 419 scammers to use an e-mail address that consists of a formal title, a name and surname. For example, Mr. John Doe will use an e-mail address like

    • It is very popular among 419 scammers to start their subject lines with the words: "From the Desk Of".

    • Lottery scams often have a reference number for the subject line. For example "Award Notice (Ref: LSUK/2031/8161/05)"

To illustrate the characteristics mentioned above, I included a few examples of subject lines, e-mail addresses and fake aliases used by real 419 scammers:

    a. From: Robert S. Mueller, III

    b. From: Mrs. Inessa Gutseriyev
      Subject: An Emergency! Please Act Asap!!!

    c. From: Mr Fred Johnson
      Subject: GREETINGS!!Good News

    d. From: Lt. Gen. David Lee

    e. From: FRED MOORE

    f. From: Finance Nigeria.
      Subject: From the desk of: Dr. Shamsuddeen Usman

    g. From: Lottery Board

    h. From: Mr. Vincent Cheng
      Subject: From: MR. V H C CHENG.

    i. From:

    j. From: Mrs. Alice Jones
      Subject: Dear Beloved, PLEASE GET BACK TO ME

    k. From: Jubouri Omar
      Subject: Request for Business Partnership

    l. E-mail:

    m. From: Seek Of God Ministry Church
      Subject: Rev Pastor mulla welcoming you to seek of god

    n. E-mail:

    o. From: MR. EDES ABEBE
      Subject: ARE YOU TRUST WORTHY?

    p. From: Dr. Henry Martins
      E-mail: (Spoofed)

    q. From: Warm Greetings From Nokia Company
      E-mail: (Spoofed)
      Subject: From Nokia Company

    r. From: DR. GREGORY DAVID

    s. From: (SGT) Eric Yonenson
      Subject: Dear Friend

    t.

    u. From: BARR MIKE BEN

    v. From: EURO-PW LOTTERY v6.0

    w. From: frankegwu11

    x. From: Mrs. Kate Williams
      Subject: Claim Your Bank Draft of $500,000.00

    y. From: Thomas Michael
      Subject: Reference Number 799BV90.

    z. E-mail: SARAH@YAHOO.COM
      Subject: With God all things are possible

This is not an exhaustive list of characteristics, but it is certainly a collection of the most common characteristics found in the subject lines, e-mail addresses and names used by 419 scammers.

  2. Questions you need to ask yourself before analysing a 419 scam any further:

In order to answer these questions you need to open the e-mail and read its contents. At this point you don't need to pay attention to specific details in the e-mail; you only need to determine what the e-mail is all about.

    • Is the e-mail an unsolicited and unexpected job, loan or business offer from an unknown individual?

    • Is it about a lottery or competition you never entered? (Remember: Having your e-mail address randomly drawn from a list does not count as a valid entry for a competition).

    • Have you received a huge donation from a non-profit organisation?

    • Are you appointed as the next of kin of a total stranger?

    • Do you need to help a foreigner clear a consignment box, containing millions of dollars, that was declared as something else to a diplomatic courier service?

    • Is the e-mail supposedly from an American Soldier, doing service in Iraq, who discovered millions of dollars and needs to get the money out of the country?

    • Is the e-mail an unsolicited request to take care of orphans, send Bibles to a church or offer financial assistance to sick and hungry people in Africa?

    • Are you appointed as the beneficiary of a fund whose owner is currently dying of cancer?

    • Is the e-mail about the recovery of money or assets that were never stolen from you in the first place?

    • Have you been awarded an unsolicited bank draft for your philanthropic efforts?

    • Is the e-mail about an outstanding/delayed payment for a contract with some government, but you never entered into such an agreement or you never even conducted business with them at all?

If you answered YES to ANY of these questions, you are most definitely dealing with a scam.

Now ask yourself the following questions:

    • Did you expect the e-mail?

    • Do you know the sender in person?

    • Did the sender mention your name in his/her initial e-mail?

    • Does the sender have any other personal information about you (besides your name)? If so, did the sender supply a valid, trustworthy source of where he/she obtained the information?

If you answered NO to at least 50% of these questions, you are most likely dealing with a 419 scam.

Always remember the golden rule: if it sounds too good to be true, it probably is!

  3. Analysing the contents of the e-mail:

    If the name and e-mail address of the sender, the subject line of the e-mail or the story of the sender leaves you clueless about the legitimacy of the e-mail, you will have to analyse the contents of the e-mail in greater detail.

    The following characteristics are telltale signs of a 419 scam e-mail:

    • The Reply-To e-mail address is different from the originating e-mail address. Scammers do this to ensure they receive your reply, in case their service provider shuts down their e-mail account. Some scammers will spoof the "From" e-mail address with an official e-mail address, like the e-mail address showcased in example (q) and provide a free e-mail address in the Reply-To field.

    • If the sender does not provide a Reply-To e-mail address, he/she will specify an alternative e-mail address in the body of the e-mail. In example (q) above, the scammer provided the e-mail address "" along with a telephone and fax number (+44 701 115 0131 and +44 704 576 7986 respectively). These numbers will obviously not belong to Nokia, but since they are U.K. numbers, the scammers cleverly chose to spoof the "From" address with a domain. (Note that +44 70 numbers are U.K. personal-numbering ranges that can be redirected to any phone, including one outside the U.K., so such a number is itself a warning sign rather than proof that the sender is in the U.K.)

    • Sometimes the sender does not only provide a different Reply-To address, but also a completely different alias. The scammer wants to create the impression that you are sending your replies to a completely different person, but it is actually the same scammer operating both e-mail accounts, each one under a different alias.

    • The whole e-mail, or large portions of it, is typed in capital letters.

    • The e-mail starts with a generic greeting (as already discussed). Most scammers simply shoot in the dark when they distribute their scam e-mails, so they don't know your name and will therefore not mention it in the e-mail. (Never assume an e-mail is legitimate just because the sender knew your name. I have seen several 419 scam e-mails where the scammer already knew the name, last name and even the physical address of the recipient).

    • The sender pretends to care about the well-being of your family with greetings like: "Good Day, How are you today? I presume all is well with you and your family." Believe me, 419 scammers don't give a damn about your family, they are only trying to earn your trust by pretending to care. Other 419 scammers have an apologetic attitude right from the start, for example: "Dear, Please accept my sincere apologizes if my email does not meet your business or personal ethics."

    • The recipient of the e-mail needs to reply with personal details like his/her full name, telephone and fax number(s), residential address, birth date, gender, name and address of Next of Kin, banking details, occupation, marital status and nationality. Some scammers request a scanned copy of your photo ID, international passport or your driver's licence, so they are not only after a photo of yourself, they also want your identity number or social security number.

    • Scammers often request some ridiculous information from their victims. For example your e-mail address (they already made contact with you, why would they need your e-mail address again?), the country that you live in (even if they already asked for your residential address and/or nationality) or the amount of money that you won (in the case of a lottery scam).

    • The most common telephone numbers provided by 419 scammers are from South Africa (country code +27), Republic of Benin (country code +229), Nigeria (country code +234) and Netherlands (country code +31), but I've also seen telephone numbers from Sweden (country code +46), China (country code +86), Turkey (country code +90) and Malaysia (country code +60).

    • Scammers always put a lot of emphasis on keeping the knowledge of the prize money or inheritance fund strictly confidential. There is a good reason for this, they don't want you to talk to other people about this because someone might realise that you are being conned and inform you that the e-mail is a scam.

    • 419 scammers insist on using Western Union or MoneyGram to transfer funds to them.

    • Scam e-mails contain loads of spelling errors and horrible grammar. However this is not a rule of thumb. Many 419 scammers have upped the standards and compose highly professional e-mails these days.

    • 419 scams involve huge sums of money, but the victim normally shares in only a small part of this fund. However, the alleged fund is so huge that even a small percentage of the fund can mean millions of dollars for the victim. This makes the scam very attractive to the victims, even if they only get a small cut out of the deal.

    • Many 419 scammers create the impression that they have been in contact with you in the past and that they failed to transfer some huge fund to you on a previous occasion. It is really hard to believe that people will fall for such a lame story, because if you can't recall doing business with these idiots, why would you reply in the first place. This only proves that 419 scammers are capitalising on the weakness of greedy people.

    • 419 scammers can sometimes be quite philosophical, for example they will say something like this in the introductory line of their scam e-mail: "This letter must come to you as a surprise, but I believe it is only a day that people meet and become great friends and business partners." Yeah, whatever! It is only a day that people meet and become scammer and victim.

    Characteristics of specific types of 419 scams:

    • Lottery Scams nearly always have a line that reads something like this: "...were selected through a special internet ballot system from 40,000 individuals and companies E-mail addresses." Some Lottery scammers put it like this: "...draws was [sic] carried out through random sampling in our computerized E-mail selection machine TOTAL from a database of over 1,000,000 Email addresses drawn from all the continents of the world,and the Globe divided into Zones."

    • Most Lottery Scams have a silly disclaimer like this: "NOTE:You are to keep all lottery information away from the general public especially your Winning numbers. This is important as a case of double claims will not be entertained and will amount to disqualification of your already won prize."

    • In many Next of Kin Scams you miraculously have the same last name as the deceased, however the scammer quite conveniently forgets to mention the last name of the deceased in the initial e-mail. The trick here is to get the victim to reply with his/her personal information and then use the last name of the victim on the forged death certificate and relevant documentation.

    • Although it is not a rule of thumb, most Company Representative scammers offer 10% of their "income" to their victims. For some reason they like to use 10%, but I have seen scams where they only offer 5% and other, "more generous" scammers who offer up to 30%.

    • An Inheritance Fund Scam normally involves a corrupt banking official who allegedly stumbled across an abandoned account of a deceased billionaire, or it is someone who can't access the inheritance of a family member due to various reasons. The scammer often needs your help to get the money out of his/her country.

    • Inheritance Fund Scammers often provide links to news articles to back their facts (or should I say lies). For instance a scammer will use a plane crash as a basis for his/her story and provide links on a news site like

    • In a Bank Draft Scam, the scammer refers to a previous deal that failed and now you have to contact his/her secretary because he/she left you a bank draft and hasn't been able to send it to you, because he/she is busy with other "investment" projects.

    • Some Inheritance Fund Scammers pretend to send you the money via a pre-paid Visa or Maestro ATM card.

    • The Job Offer Scam normally involves a job in a foreign country, so the victim has to apply for a visa. This is how the scammers make their money. Victims have to pay a small fee to a certain company who will arrange the visa for them. I refer to a small fee because the fee is normally a little dust particle compared to the remuneration being offered to the victim.

    • The Compensation Scam often involves scammers who pretend to work for the United Nations or the FBI. These scammers pretend to compensate victims of 419 scams. How lame can you get?

    • ATM Card Scammers pretend to be very kind by paying certain processing fees and a drug law clearance fee on your behalf. The drug law clearance fee supposedly certifies that the money issued in your name does not stem from any money laundering activities. This is only a bluff, intended to give the victim peace of mind. They can cook up any bloody certificate; you will still be an accomplice in money laundering if you assist them in moving funds through your bank account.

    • 419 scammers, using the story of the soldier in Iraq, who discovered a huge sum of money, always have some obscure plan to get the money out of the country. The most common one is transport via a diplomatic courier who has diplomatic immunity.

    • Several 419 scams about some kind of pending payment will state something like this: "...we were notified that you have waited for so long to receive this payment without success, we also confirmed that you have met all statutory requirements in respect of your pending payment."

    • Diplomatic Immunity Payment scammers often use the lame excuse that electronic fund transfers have resulted in payments being made to incorrect bank accounts, so they are shipping you the money in cold hard cash. These scams often contain a notice like this: "Note: The money is coming on 2 security proof boxes. The boxes are sealed with synthetic nylon seal and padded with machine." The scammers often claim that they declared the contents of these boxes as "Sensitive Photographic Film Material".

    • Some Inheritance Fund scammers allocate the funds in the ratio of 60% for the scammer, 30% for the victim and 10% for processing fees.
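The header tells of section 1 and the body tells of section 3 lend themselves to a mailbox triage check. The scanner below is an added example, not code from the article or from Cyber Top Cops; the free-webmail list, title list, regular expressions, thresholds and both sample messages are constructed for illustration, and a hit is a reason to look closer rather than proof of fraud.

```python
"""Heuristic 419 indicator scan, an added example (not code from the article or
from Cyber Top Cops).  It turns the header tells of section 1 and the body tells of
section 3 into checks over a parsed message; every pattern and sample is constructed."""
import re
from email import message_from_string, policy

FREE_MAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "live.com"}  # assumed list
TITLE_RE = re.compile(r"\b(mr|mrs|dr|barr|sgt|lt|gen|rev)\b", re.I)  # titles the article names
CALLING_CODES = ("27", "229", "234", "31", "46", "86", "90", "60")  # codes the article lists
PHONE_RE = re.compile(r"\+\s?(\d[\d\s\-]{7,}\d)")
GENERIC_GREETINGS = ("dear beloved", "my dear", "dear friend", "dear sir/madam",
                     "greetings to you", "dearest brother")
FINANCE_RE = re.compile(r"\b(payments?|lotter(?:y|ies)|bank drafts?|compensation|funds?)\b", re.I)
REFERENCE_RE = re.compile(r"\bref(?:erence)?\b[:.\s]*[A-Z0-9/\-]{6,}", re.I)
PERSONAL_DATA_RE = re.compile(
    r"\b(next of kin|passport|bank(?:ing)? details|driver'?s licen[cs]e)\b", re.I)

def _first_address(msg, field):
    """(display_name, addr_spec, domain) of the first address in a header, or blanks."""
    header = msg[field]
    if header is None or not header.addresses:
        return "", "", ""
    addr = header.addresses[0]
    return addr.display_name, addr.addr_spec.lower(), addr.domain.lower()

def _calling_code(number):
    """Match a +-prefixed number against the listed codes, longest code first."""
    digits = re.sub(r"\D", "", number)
    return next((c for c in sorted(CALLING_CODES, key=len, reverse=True)
                 if digits.startswith(c)), None)

def scan(raw_message):
    """Return (indicator, detail) pairs for every article characteristic that fires."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    from_name, from_addr, from_domain = _first_address(msg, "From")
    reply_name, reply_addr, reply_domain = _first_address(msg, "Reply-To")
    part = msg.get_body(preferencelist=("plain",))  # first text/plain part, or the message itself
    body = part.get_content() if part is not None else ""
    hits = []
    # Header tells (section 1, plus the Reply-To points of section 3).
    if reply_addr and reply_domain != from_domain:
        hits.append(("reply_to_mismatch", f"{from_domain} -> {reply_domain}"))
    if reply_name and from_name and reply_name.lower() != from_name.lower():
        hits.append(("reply_to_alias_differs", reply_name))
    if from_domain in FREE_MAIL_DOMAINS and TITLE_RE.search(from_name):
        hits.append(("titled_name_on_free_webmail", from_addr))
    letters = [c for c in subject if c.isalpha()]
    if len(letters) >= 8 and sum(c.isupper() for c in letters) / len(letters) > 0.8:
        hits.append(("uppercase_subject", subject))
    if subject.lower().startswith("from the desk of"):
        hits.append(("from_the_desk_of", subject))
    if REFERENCE_RE.search(subject):
        hits.append(("reference_number_in_subject", subject))
    if FINANCE_RE.search(subject):
        hits.append(("financial_term_in_subject", subject))
    if from_name and from_name.lower() in subject.lower():
        hits.append(("sender_name_repeated_in_subject", subject))
    # Body tells (section 3).
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if first_line.startswith(GENERIC_GREETINGS):
        hits.append(("generic_greeting", first_line))
    codes = {_calling_code(m.group(1)) for m in PHONE_RE.finditer(body)} - {None}
    if codes:
        hits.append(("listed_country_code_phone", ",".join(sorted(codes))))
    if "western union" in body.lower() or "moneygram" in body.lower():
        hits.append(("cash_transfer_service", "Western Union / MoneyGram"))
    if "confidential" in body.lower():
        hits.append(("confidentiality_demand", "confidential"))
    if (m := PERSONAL_DATA_RE.search(body)):
        hits.append(("personal_data_request", m.group(0)))
    return hits

# Constructed sample that stacks several of the article's tells (not a real e-mail).
SCAM_SAMPLE = """\
From: "Mr. Vincent Cheng" <vincent.cheng@yahoo.com>
Reply-To: "Barr. Mike Ben" <barr.mikeben@hotmail.com>
Subject: FROM THE DESK OF MR. VINCENT CHENG - URGENT PAYMENT NOTICE

Dear Beloved,
Good day, how are you today? I presume all is well with you and your family.
This must be kept strictly confidential. Kindly send your banking details and a
copy of your passport, then call +234 802 555 0199 and pay the fee via Western Union.
"""

# Constructed ordinary message that should raise no indicator at all.
BENIGN_SAMPLE = """\
From: "Alice Example" <alice@example.org>
Subject: Minutes from Monday's meeting

Hi Bob, here are Monday's minutes. Let me know if I missed anything.
"""
```

Running `scan(SCAM_SAMPLE)` returns twelve indicators while `scan(BENIGN_SAMPLE)` returns none; feed it the raw source of a suspect message (headers included, as the reporting advice above asks for) rather than an inline-forwarded copy.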

This is by no means a comprehensive list of 419 characteristics. Most of the specific details in this article will become outdated as time goes by. Today, many 419 scammers claim in their initial e-mail that they have paid the upfront fee on behalf of the victim. Many victims bail out when the scammer mentions an upfront payment, so the effectiveness of these scams declined over time and the scammers had to improvise. However, these fools will mention some kind of payment at some stage in the scam and vigilant people will bail out once again.

419 scammers never conform to any kind of standard, so it is hard to lay down a rigid set of rules for identifying 419 scams. 419 scams are just like any other kind of spam: there are millions of spammers out there, but a lot of these spammers use the same templates and techniques. After a while the templates and techniques become common knowledge and the spammers need to find new and innovative ways of infiltrating our mailboxes and our minds.

One thing that will keep up with the evolution of 419 scams is common sense. No one will ever be able to teach you all the tricks in the book, because there will always be at least one trick you didn't think of. Reading between the lines, being vigilant and applying a bit of scepticism towards e-mails from an unknown source, can be a very effective weapon against online fraud.

No 419 scammers were harmed during the writing of this article.

About the Author

Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, analysers of security software and raising awareness about internet fraud and malicious software.

Saturday, August 02, 2008

Cyber Top Cops Goes Spammy (or rather SHPAMEE)

You may have noticed that my last article was published more than 2 months ago. I may have been absent from the blog, but I was not taking a break. I devoted all my time and attention to a new project aimed at educating the Internet community about Internet crime. All my hard work finally paid off and I am proud to announce that the project is finally ready for launch.

Today marks the launch of a new educational initiative called the SHPAMEE project. SHPAMEE is short for Spam, Hoaxes, Phishing and Malware E-mail Examples and replaces the current Hoaxes, Spams & Scams section of our website. The main goals of the new project will remain the same as the old one, but the SHPAMEE project features several new enhancements and improvements over the old project:

  • Full headers of e-mail examples will now be published.
  • Names (aliases) and contact details of perpetrators will no longer be removed from the examples, but will be published along with the examples.
  • More emphasis will be placed on the techniques used by spammers to bypass spam filters and these techniques will be highlighted more prominently.
  • E-mail examples will be categorised and grouped more effectively, combined with an integrated search feature, something that was missing from the previous project.
  • An RSS feed will be updated each time when a new example is published. This will help users to stay up to date with the latest examples published on our site. The RSS feed will also be used as an alert service, where possible, to warn subscribers about the latest spam outbreaks (however the main purpose of this project remains education).
  • E-mail examples will be discussed in greater detail.

Why replace the old project? A lot of work was done behind the scenes to simplify our job of publishing these e-mail examples. Too much time went into the preparation of the e-mail examples, so we had to find a way to publish the examples in a more efficient way. I'm still not completely satisfied with the current publishing model and I'm constantly working on improvements, but the new system saves us a lot of time and the time saved during publishing is used to investigate and discuss the examples in greater detail. The number of examples in the database might be disappointing at first, but we plan to add new examples on a regular basis. We could cut back on the time spent on investigating each spam example, to publish more examples in a shorter time frame, but we do not want to sacrifice the quality of our comments and the background information about each spam example. After all, this is what the project is all about, publishing interesting and valuable information about these examples to educate the Internet community. We still have a huge backlog of examples to publish, quite obviously, because there is never a shortage of spam examples to investigate.

But now a little more about the reasons behind the creation of this project.

There is still a huge problem among Internet users when it comes to the identification of spam. I get loads of requests from people who want me to take a look at some dodgy e-mail to confirm whether it is legitimate or not. Most of these dodgy e-mails are 419 scams and it is shocking to see that there are so many people who are still unaware of these scams, not even to speak of their inability to identify these e-mails as fraudulent. Many people might say: "That's easy for you to say, you work with these scams everyday, so it is easy for you to spot a scam when you see one". Perhaps so, but it is not rocket science to identify a 419 or phishing scam, you just need to use common sense and a little bit of scepticism. There are always certain elements in these e-mails that do not add up and the scammers make these mistakes over and over again.

Identifying a spam e-mail before opening it is crucial, because spam is the cause of several problems like malware, fraud, distribution of illegal and harmful substances, porn, piracy, identity theft and even more spam (yes, one spam e-mail can be the igniting spark for a forest fire of spam). I mentioned earlier that we will use this project as an alert service where possible, but the main goal remains education. Why so much emphasis on education, isn't it more important to get the word out on new threats and outbreaks? Well, from my point of view I believe education plays a larger role in our defences against cyber crime.

My biggest problem with any alert service is the fact that many threats need to occur before one can take notice of them. There is always a delay between discovering a threat and alerting the public about it, and a lot can happen during this time. Another drawback of an alert service is the fact that it can only reach the people who are subscribed to the service (unless you make use of mainstream media, of course), so not everyone gets the message. Education, on the other hand, enables people to think for themselves and helps them to assess the situation on their own terms, based on their knowledge and previous experience. This means the threat is isolated more effectively and buys more time for the alert services to get the word out. So I'm not against an alert service, I simply believe that education will enable the community to adapt to new threats much quicker than a community relying on alert services alone to keep them safe. Your best weapon would therefore be a combination of education and alerts.

I guess a lot of people are wondering why we didn't publish the names and contact details of spammers and scammers along with the examples in the previous project. A spammer never distributes spam under his/her own name, so the spammer will use an alias and the originating e-mail address is often spoofed. So the details are basically useless, and our focus was never on the people behind the spam, but more on the mechanics of the spam examples. It is more about the things that spammers do than the persons distributing the spam. However, we realised that it would be an additional benefit for the community if we published these phony details along with the examples, especially with 419 scams. This means that you are not only educating people about the schemes of a 419 scammer, you are also alerting them about the aliases, e-mail addresses and telephone numbers used by these swindlers. So as you can see we are back at the ideal of combining education and alerts into a powerful weapon against cyber crime.

Through the SHPAMEE project and a series of educational articles in the weeks to come, I plan to educate the Internet community about the common flaws made by spammers. But what if the spammers start to pull up their socks and correct their mistakes? Spammers will always make mistakes and it is our goal to stay up to date with their latest tricks and gimmicks and communicate these deceptive techniques through the SHPAMEE project.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, analysers of security software and raising awareness about internet fraud and malicious software.