Phishing Season Never Ends in Cyberspace

by Brenda L. Speer on September 17, 2012

On the email listserv for the Colorado Bar Association‘s Solo and Small Firm Section there have been postings lately relating to phishing scams. These postings are by colleagues asking for sanity checks or confirmation of their suspicions that an email inquiry from a potential client is a scam. So far, they’ve all been phishing scams.

I have gotten a lot of these phishing emails over the past several years and I’ve known they were phishing emails and deleted them all without responding. How did I know they were phishing emails? Some of the telltale signs:

  • Inability to spell.
  • Poor grammar.
  • Addressed to “Dear Sir” or “Mr.” (I’m a woman.).
  • Appealing to my vanity by telling me that they found me on the Internet (I have a website, so, that could be and probably is true.) and that they’re contacting me because I’m an expert on collections (I don’t do collections work and know that I am no such expert.).
  • The inquiry came from an international company. (And I had to ask myself, why would an international company contact my small firm in Colorado? Why not some big guns who do big-time work for big-time international companies?)

However, in the past few months, I’ve received two email inquiries that I suspected as phishing scams, but did not immediately hit the ‘‘delete” button. What was unique about these that I even considered them, albeit briefly?

One consideration was that on the off-chance these may be legitimate, I felt I should at least respond and ascertain whether the inquiries were legitimate or not. Also, both of these phishers went to some trouble to give their inquiries more than just a semblance of legitimacy.

Both inquiries were sent to me via my website’s secure email service.

This means these people went to my website, then to the Contact Us page, then clicked on the button to send our firm a secure message, then selected my name from the drop-down menu of recipients in our firm (OK, my name is first on the list, which is probably why I got the email.), then typed or pasted in a message, then attached ‘‘supporting documentation” and then hit ‘‘send.”

Wow! That’s a lot of effort and time baiting phishing hooks.

One email was an inquiry regarding copyright infringement and breach of a licensing agreement, which is within my practice area.

However, this was an inquiry from a Chinese company about an offending U.S. company. And again I asked myself the same question posed above: Why are they contacting my small firm? Not to mention once again I was addressed as ‘‘Mr. Speer” (That’s my dad and he’s not a lawyer nor does he work at my firm.).

This phisher went to even more trouble to make the scam appear legit. He sent me a copy of the licensing agreement, which upon inspection had an obvious obliteration and cut-and-paste over the signature block of the Chinese company. (Hmmm.)

Then, I noticed the email address of the sender was one character off from the Chinese company’s website. (By the way, the website was for a real and legitimate Chinese company headed by a person of the same name included in the email address, as the sender of the email, and as the ‘‘signer” of the licensing agreement.) When I looked at the website that matched the domain name in the email address, I found a parked page. When I looked up this same domain name owner information in the WHOIS database, I found the domain was registered to someone in Canada. When I did an Internet search on key terms involved in this phishing scam, I found it had been reported by both the Law Society of British Columbia and on the AvoidAClaim Blog. If you want more details on this scam, click here.

Then, I decided to have a bit of fun. I responded to the inquiry with these questions:

  • How did you locate and select our firm?
  • Have you used a U.S. law firm before? If so, whom?
  • Why is the domain name used with your email address (chimsghk.com) not the same as the domain name for your company website (chmsghk.com)?
  • Why does the domain name for your email address show a parked page?
  • Why does the domain name for your email address list registration information to a party in Canada?
  • Why does your signature block on the Copyright License Agreement appear to be doctored and pasted in?
  • If the breach by the other party occurred in January 2011, why have you waited more than 1.5 years to take action?
  • We need the name, title, and complete contact information (address, email, phone, fax) for the appropriate person with whom we should connect at the other party.
  • Perhaps you also could explain the attached articles ? (I attached copies of the reports I mentioned above warning of this exact phishing scam.)

To my surprise (Ha!), I did not hear back from this would-be phisher. The worm had slipped the hook.

The other email was an inquiry regarding trademark infringement, which also is within my practice area.

This inquiry was from a Texas sole proprietor. OK, not too far-fetched, but it still seemed out of place.

I looked a little further and found that the trademark at issue was indeed registered at the U.S. Trademark Office (I’m a tad less skeptical now.). The name of the owner of the trademark registration was the same as the sender of the email and the sender had an email address with the name of the trademark owner, but it was a Yahoo email account (Hmmm, another telltale sign: A freebie email account. Skeptometer resets to ‘‘BS”.).

Then I looked a little further and found the alleged website of the company was once again a parked page. (And why would the email address be a Yahoo account rather than having the same domain as the website?) Yet again, the domain was registered to the alleged trademark owner and email inquiry sender, but to an address in—you guessed it—Canada (Note: I know this is a coincidence. I don’t think scammers come only from Canada.).

Wait a minute! This phisher told me he lived in Texas and even gave me a physical address in Texas. When did he move to Canada?

Well, since all these phishing scams involve bad checks provided as a retainer, I decided to test this phisher’s mettle immediately. I responded in part:

My apologies if my response is terse, but we have received several email inquiries lately which have proven to be phishing scams. I am suspicious of your inquiry for this reason. If your inquiry is legitimate, please be advised that we can provide an initial consultation by phone to discuss your matter and the fee is $XXX.00 payable prior to the call by Visa, MasterCard, or Discover.

Again, to my lesser surprise, I didn’t hear back from this phisher either. The phishers can’t scam you with a credit card as easily or readily.

My conclusion: These phishers are relying on passing bad checks as a way to get money out of you. (They pay you a retainer with a bad check or money order; you deposit the check; they request a refund; you pay the refund, but before their check proves to be bad and you learn you’re out real money.) By telling these phishers I only accept credit cards, I’ve found the jig ends before it begins.

Phishers are learning to read the hatch and to select their flies accordingly (No, I’m not a fly-fisher, but my husband is.). So, my colleagues, continue to be wary and keep your skeptometer in working order.

Image by Stomchak.

Comments on this entry are closed.

Previous post:

Next post: