julian m bucknall >> Getting spam with my real name

Getting spam with my real name

published: Thu, 6-Jul-2006 | updated: Sun, 23-Jul-2006

A couple of weeks ago I had a bit of a shock: I received a spam email addressed to Julian Bucknall.

Now I'm sure, like me, you get an enormous amount of spam, and have a spam filter of some kind to block it out. Day in, day out, it peddles its fake degrees, dubious pharmaceuticals, dodgy stock, and obvious porn. It tries to hide its message from spam filters though the use of clever HTML. It disguises URL links to look normal.

But none of this spam is addressed directly to you personally, unless you count your name from before the @ sign in your email address (since when has Julianb been a real forename, eh?). So you quickly scan it, consigning it to the electronic bin.

Except last month. Suddenly I was faced with an obvious spam email that started "Dear Julian Bucknall". You can't believe how disorienting this can be. You are plunged into doubt: how did they get my real name? If they have it, which other spammers also have it?

Consider phishing. Yes, just stop a moment and consider a world of phishing attacks when they know your name. You get an email from your bank about something. These days I just look at the salutation. If it says "Dear Julian Bucknall" I assume that it's legitimate. If it says something like "Dear PayPal User," it's really a spam and it's really easy to identify as such.

But if the phishers have names that go with their millions of email addresses? Brrr.

So this email in particular was one of the "We're expanding into the US and we need a local "marketing" representative to accept checks, cash them into their account, and then forward all but 10% to this account in Latvia" type scams. And it is a scam. Perhaps even worse: it can affect your freedom, let alone scam you of money. This is how it works.

Some real checks are obtained in some fashion, generally for small amounts. Using something like acetone, the real amount is cleaned off and a much larger amount written in (say two orders of magnitude more, but less than $10,000). The check is now essentially a fake. (Or the check was a fake in the first place: it's not hard to fake a check.) They send you the check via FedEx or something similar.

You receive the check and deposit it into your bank account. Depending which bank is named on the check you will get the full amount credited immediately. You then issue a transfer of 90% of the money to Latvia, doing your duty as "marketing representative". At this stage, you think you've legitimately done your job and got a neat 10% for your work. For a $2000 check, say, you've just made $200 by going to the bank. Neat, eh?

In reality, you've passed a fraudulent check. You are the perpetrator: it is you who will be facing the police when they come to the door, and come to the door they will.

The "trick" works because, although the bank will credit you pretty much immediately, the check itself, the actual piece of paper, takes a few days to work its way through the system to the issuing bank where it is discovered as bogus. That's well enough time for the real criminals to get their part of the money (an electronic transfer is pretty much instantaneous) and for you to require a pretty good lawyer. Of course, since you passed the check, you're the one who will have to repay the total value of the check as well as appear in felony or even federal court.

Oh and since the transfer to them will necessarily include your bank account details, they could do some further damage.

So this was the email that I received (my comments in square brackets):

Hello Julian Bucknall. My name is Grzegorz Urbanski and I work for a company called FooBarInc [not the name actually used, which is a legitimate company] I found your resume on monster.com because we are searching for reliable professionals across the United States who are interested in a potentially lucrative partnership with an international firm.

FooBarInc is a leading investition [sic] company in Latvia and we are currently expanding our operations in the United States. But because of various banking and legal restrictions, we are unable to open commercial bank accounts in every state. As such, FooBarInc is recruiting partners to conduct simple banking transactions on our behalf.

The process is simple. If you were interested in becoming a US partner of FooBarInc, you would sign an agreement that would make you an official financial representative of our company, able to accept invoice payments on our behalf. Instead of asking our American clients to conduct complicated international payment transactions (which are especially complex for Finland companies {but earlier he said it was based in Latvia]), we have them work with our partners to submit payments. You would then forward the payments to us, a simple transaction for an individual.

FooBarInc pays its partners a 10% commission on every transaction. In addition, we will take care of any incremental tax liability you incur. Depending on which state you are in, and of course on how good business is, your monthly commissions could be as high as $14,000 per month.

If you are interested in working with us, or if you want more information, you can contact me directly at my personal email address [the domain name being a close spelling of FooBarInc].

I'll need your full name and mailing address so I can send you the contract and other paperwork necessary to get started.

I look forward to hearing from you soon.

Grzegorz Urbanski

Now I must hasten to add that this email was an HTML document with the real FooBarInc' logo at the top. The text was divided up into phrases of a few words on each line, in between those lines being other invisible lines of some educational text on how to set up a server, so I had to do some work to extract just the text you could see here.

Notice that monster.com was mentioned. My resume is posted there (ah ha! is that how they got my real name with email address, perhaps?) so I sent off an email to them warning them that it could be that someone was harvesting names from their site. The reply I got was, shall we, dismissive. "The email is the result of a general spam distribution, meaning the email addresses of the recipients were not obtained from a Monster database." Bollocks, say I. It's not them having my email address that's worrying me, it's the fact that they have my email & name combo. Oh well.

In the end, I received three copies of this email from different senders (but using the same legitimate company to hide behind).

So, gentle reader. Never reply to these "work at home" scams. You will be the loser in them, having to repay everything, and possibly even having to serve some time. Note that "you have won the lottery" scams can work in the same way ("to make sure that we have your banking details correctly, please cash this check and route the money to our bank account; once we've validated the details by this method, we'll transfer the $25 million you won").

In fact, any email you get that has a "get money really easily" message is going to be a scam. Don't reply (even though sometimes it's interesting to try and work out how the scam works).

And now, I really read emails that start off with "Dear Julian Bucknall". You never know.

Update: 13-Jul-2006

They never stop trying. Here's one I got this morning (my commments in square brackets).

Dear Julian Bucknall! [Nice cheery "ignore the man behind the curtain, he will fleece you" greeting]

Our company want to suggest you a part-time vacancy - Bank Checks Manager [Methinks you need a Mass Mailing Proofreader.]

Job Description:

The task of the Bank Checks Manager is to process payments between our partner's [You only have one partner? And his what, exactly?], clients and our company via USA checks system. [Uh, huh. And the reason your clients can't pay you directly with checks through the "USA checks system" is what exactly?]

* Willingness to work from home, take responsibility; [Especially when the cops arrive.]

* Honesty, responsibility and promptness in operations; [If you wait too long after cashing the check, you'll be detained before you can forward the majority to us.]

* Familiarity to working on-line, Internet and e-mail skills; [That proofreader post really ought to be filled quickly.]

* US postal address. [So FedEx can deliver the fraudulent checks. Using USPS might add mail fraud to the charges.]

Salary: 900$-2400$ per week. [Guys, big hint: here in the States, the currency symbol goes first.]

If you want to apply for this job, please go to http://open-financial-ltd.info/getjob.php?id=2 Or write to me to job@open-financial-ltd.info

Best regards, Nicos

The website is professionally done enough, but small considering the history and importance of the "company" they've posted and purport to be. I'm guessing they're really based in Latvia as it says, otherwise it's all lies.