Google Analytics


To search for specific articles you can use advanced Google features. Go to and enter "" before your search terms, e.g. CSS selectors

will search for "CSS selectors" but only on my site.

Sunday, May 9, 2010

Down on your luck? We can make it worse.

The scammers are at it again. I recently received an email from ECIT GROUP LTD. The email appears to be coming from Workpolis. The From address appears to be <>.

If you receive an email via GMail, you can open the menu with "Reply" and there will be an option for Show Original. When you show the original it will display the full email header. Here is the email header for the message I received:

Received: by with SMTP id n10cs78111ibh;
        Fri, 7 May 2010 15:54:15 -0700 (PDT)
Received: by with SMTP id m11mr642898wbw.165.1273272854287;
        Fri, 07 May 2010 15:54:14 -0700 (PDT)
Return-Path: <>
Received: from ( [])
        by with ESMTP id e7si7418364wbb.9.2010.;
        Fri, 07 May 2010 15:54:14 -0700 (PDT)
Received-SPF: neutral ( is neither permitted nor denied by best guess record for domain of client-ip=;
Authentication-Results:; spf=neutral ( is neither permitted nor denied by best guess record for domain of
Received: from pbcpttnl by with local (Exim 4.60)
 (envelope-from <>)
 id 1OAWQv-0005e2-PJ
 for; Sat, 08 May 2010 00:54:13 +0200
Subject: Executive Financial Manager Position
From: <>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <>
Date: Sat, 08 May 2010 00:54:13 +0200

Most email programs will take bits from the email header and display them, hiding the rest. You'll see the Subject, To, From and Date fields. You might see the Reply-To address as well. When you click reply, you will almost definitely see the Reply-To information.

Notice how the From address and the Reply-To address are completely different. That should be your first clue something is odd. Above the To field is the route the email took to get to me. You don't need to know a lot of the details but just look at all the machine names and notice that does not appear in anything above the To field. On a quick glance it looks like the email came from I haven't checked but I would guess that is a web hosting company. Anyone can buy an account from them and set up email accounts and a website.

The idea is, the criminal creates an email account and possibly a website using a general hosting company. Anyone can do this, including you. They will pay for the account in such a way as to make it hard to find out who they really are (stolen credit card). Minutes after they create the email accounts they spam millions of people with their scam email. A few hundred people respond and give them personal information (bank information, credit card, identity, etc.). They take all that information and disappear.

People like me will report them and MAYBE someone will investigate. They will find the site was created with a stolen credit card. The criminal logged in from a stolen account. Usually I can log into a company, from there log into a second company, to a third computer, etc. Different ways of logging in and hopefully somewhere in that chain of logins someone will not be keeping record of my log in. For example, I might have installed a virus on your computer and used your computer to log into the web hosting site. So when the police get the logs from the web hosting site, it leads back to your computer. When they get a warrant for your computer they find a virus on your computer and no logs. Dead end.

The best thing you can do is (a) don't fall victim to these scams and (b) tell your friends.

General rule of thumb is that NO ONE asks for personal information via an email. This scam says:
Have a chequing account at ROYAL BANK OF CANADA (RBC)
They are telling you right up front you have to have an RBC chequing account. This immediately rings warning bells for me. Other warning bells:

  1. They promising you money. Sometimes it is millions but sometimes it is just a good income.
  2. They want personal information. Not just credit card information. When you call RBC they validate you are who you say you are. The more information I can gather about you, the better chance I have of pretending to be you.
  3. The From address and the Reply-To address are completely different.
  4. They continually claim to be reputable. We are recognized by the Better Business Bureau, we are registered with the Chamber of Commerce, etc. Maybe they even are. But why do they feel the need to convince you they are legitimate?
Bottom line, if it sounds too good to be true it probably is. If something doesn't seem right, i.e. you have an odd feeling about it, no matter how small, investigate. I'd say 10 times out of 10 that odd feeling turns out to be right on the money and they are a scam.

Remember that the scammers have been doing this for years. They are MUCH better at this then you are. If logically it seems legitimate but your gut says something is wrong, your gut is probably right. The only way for you to find out what you are missing is to be taken or find someone else who has been taken. Sometimes I walk away from a situation without solid proof it is a scam but (a) at least I wasn't taken and (b) sooner or later I find out what the scam was and realize I was right to walk away.

No comments: