Payment Processing Fraud
Scammer Group Activities

 .NExT Web Security FraudAid
Geographical Locations | U.S. Citizens | Methodology | Mixed Draft | Employment Offers | Employment Applications | Mailing Lists | Form Letters | Main Diagram | Home | Close Window

Geographical locations for group members involved in this scam:

Nigerian scammers: West Africa, South Africa, Kuwait, Western Europe (mainly England, The Netherlands, and Spain), Canada, Japan, US (mainly in Texas, California, Georgia, Virginia, and Florida).

Eastern European scammers: Mainly Romania, Latvia, the Ukraine, Lithuania, Hungary, and Moscow. NOTE: Nigerian and Eastern European scammers can be found working together on any one Payment Processing Scam.

Methodology of the scam (from the viewpoint of a scam group leader and in no particular order):

Note: Knowing involvement of US citizens:

There are US citizens who have been successfully recruited as knowing participants in these scam groups. These individuals may be identified as those who have never attempted to deposit or cash a counterfeit draft. Recruitment attempts are an on-going part of the scam and most frequently arise when a scam target calls the scammer’s bluff or through social engineering (see Methodology of the scam below). While lower echelon group members loudly protest when accused of being a scammer, higher echelon group members will attempt to recruit. However, recruited members must adhere to the rules and regulations governing the group, and group members who do not follow the rules may be dealt with very roughly and are at risk of physical violence.

  1. Obtain account information and draft stock in the following methods using identity thieves, hackers, and malware purchased from crackers:

    • Theft of checks from mailboxes.

    • Buying cashier’s checks at various US banks for minimum amounts.

    • Social engineering of employees at financial institutions, government disbursement agencies (local and federal), Traveler’s check providers, and money order providers to obtain blank draft stock.

    • Social engineering of company employees to obtain passwords to financial records.

    • Sending information-gathering malware (malicious spy ware and virus spy ware) to company computers and personal home computers via email, web sites with embedded malware, or direct attack to reap passwords to financial information.

  2. Create drafts using the following methods:

    • Using remote logon to personal and corporate computers to order electronic checks from online bank accounts.

    • Using stolen credit card information to purchase money orders. NOTE: The two methods above are used both by scam group members and by counterfeiters who sell drafts to scam group groups.

    • Using reaped account information to open unauthorized accounts at online services such as QChex.

    • Using online services such as QChex to open non-existent accounts. In this situation, routing numbers, account numbers, and account names are fabricated or combined from other counterfeit checks in the scammer's supply. The contact number for the financial institution is for a throwaway cell phone (untraceable prepaid cell phone). A depositor or banker who calls the number to verify the check is actually speaking with a scammer who states that the check is good.

  3. Sell personal information obtained from victims to ID buyers and sellers.

  4. Sell account information and blank draft stock obtained from victims to counterfeiters.

  5. Purchase counterfeit drafts from the supplier.

  6. Set up fraudulent web sites that offer employment and Internet stores that show non-existent products for sale.

  7. Set up Classified Ads in local newspapers and online Classified Ads web sites selling non-existent products.

  8. Set up eBay accounts selling non-existent products.

    NOTE: Both of the above are frequently created using the personal information of the Payment Processing Scam Victim.

  9. Set up Classified Ads in local newspapers and online on Classified Ads web sites that offer payment processing and reshipper jobs for a foreign company.

  10. Scan employment/job search web sites for resumes (the most popular are Craigslist, Monster, HotJobs, and CareerBuilders). Scan work-at-home web sites for work wanted ads.

  11. Post employment offers on employment/job search web sites.

  12. Buy email address listsl and send out payment processing, collection, and reshipper job recruitment emails using form letters.

  13. Answer the replies using form letters tailored to the victim’s reply.

  14. Acquire personal information from the victim both by asking the victim to complete an employment application and by embedding malware into the HTML code of the email correspondence to the victim.

  15. Set up Reshipper Victim to receive and forward counterfeit drafts.

  16. Set up Payment Processing Victim to receive funds and forward them to scam group members.

  17. Set up Buyer victim to send payment to Payment Processing Victim.

  18. Scammers located in Japan: set up temporary bank accounts to receive bank-to-bank wires.

  19. Coordinate with and maintain relations with associated scam groups and suppliers: Romanian / Nigerian, hackers and crackers, ID thieves and reapers, counterfeiters.

  20. Develop and create winning employment ads and product ads.

  21. Find web designer and create convincing web site material. NOTE: A popular method of creating web site material is to mirror legitimate web sites and copy.

  22. Keep scam group members in line and teach them successful scam methods such as how to disguise their IP address, how to send out bulk email so it won’t end up in Junk folders, how to post successful Classified Ads, how to design successful product sales ads on eBay, how to tailor form letters to the victim, and how to schedule and coordinate the sending of counterfeit drafts and wired funds to the victim.

  23. Locate web designer willing to create fraudulent web sites or web designers who are unaware the content is fraudulent. Develop convincing web site content. NOTE: One popular method of developing web site content is to mirror a legitimate web site. Some scammers do this by creating 200 or more mirrors of the same legitimate site. On many sites, endorsement logos such as VeriSign, Better Business Bureau, and universally recognized merchant logos, are copied onto the fraudulent site but are missing the appropriate links.

  24. Track scam group member participation in obtaining funds from targets and assign shares of the take based on that participation.

  25. Pay suppliers and send funds to illegal activity groups supported by scam operations.

Mixed draft information:   Top of Page

This has become a popular method of delaying the routing of checks through local and national clearinghouse banks. The reasoning behind the imposed delay is that, as a matter of policy, banks give their depositors a provisional loan against drafts that are in routing. A provisional loan reads as “available funds” on the depositor’s account. The depositor withdraws the funds and wires them per the scammer’s instructions. It may take a month or more before the draft returns as a counterfeit item.

Mixed draft information is used on both QChex-type drafts and drafts created from scratch by counterfeiters.

Employment offers:   Top of Page

Scammers pay to post their fraudulent employment ads knowing the ads will be taken at face value. It is impossible for the owners of online and offline Classified Ads and employment web sites to police postings due to knowledge and cost limitations.

Mailing lists:   Top of Page

Depending on the income level of the scammer, purchased street and e-mail mailing lists may be very out-dated or very selective allowing for specific targeting. Apart from using email culling software, valid email addresses are obtained when email recipients open emails tagged with a receipt and/or respond to phishing and scam emails.

Form letters:   Top of Page

Scam form letters are being created and revised all the time. Form letters that are being market-tested will carry tracking codes (number/letter combinations) at the bottom of the email or surface mail that identify the form letter in order to record the number of responses to different formats. Form letters are created at top and mid-level management based on feedback from both scam group members and victims. Individual scam group members will sometimes try their own hand at revising a basic form letter, but for the most part they are used as furnished.

Although members are instructed to change the names and contact information, it is not rare to see a form letter sent by a sloppy scammer in which the names at the top do not match the names at the bottom.

Ongoing correspondence is also structured. Top and mid-level management teaches members how to generally respond, best responses to specific victim reactions and questions, and response timing. One can see the same phrases repeated time after time, regardless of physical location of different scammer groups.

Employment applications:   Top of Page

Many employment applications have been pirated from legitimate web sites and companies then altered for this scam. The alterations are most noticeable by a change in typestyle where a company name has been inserted, inappropriate spacing, letterhead graphics that sparkle (pixel artifacts) around the edges, and inappropriate employment conditions. Employment applications that appear on fraudulent websites are on pages that do not carry a security certificate (https//) and frequently ask very personal questions that are not in keeping with employment qualification requirements.

© 2006 - 2010 FraudAid / NExT Web Security. All rights reserved.