Here at ToolGuyd, we receive a lot of emails. Many are from readers, new visitors with questions, PR professionals, and marketing contacts, but there are also a great many spam and scam emails.
Most of those are obvious, but some are very carefully crafted.
2014 Fraud Attempt
Following is an email I received a few years ago. The name, institution, and contact information have been changed.
This one was highly suspicious from the start.
The University of Third Earth,We need quote for the below items
Victor Journeyman 540/510 edge TM series outfit w/h315fc 0384-2036 …50PCS
Complete cutting torch Model H315FC ….100PCS
Moldel CA 2460 ….100PCS
Provide us the pricing with attach quotation for the listed items with delivery cost.
Note: Our Institute Terms of Payment is by Purchase Order/NET 30 .
Looking forward to read from you.
Director Of Purchasing
University of Third Earth
Tel: Reasonable Number
Fax: Reasonable Number
E-Mail: [email protected]
The grammar was “off,” and there was a misspelling in the email address. But the impersonation was close, with the same area code, a reasonable-looking phone number, the correct address, and the right format for the name in the email (such as mummra vs. mumm.ra or mumm-ra).
With that 2014 fraud attempt, I assumed they were trying to get me to ship goods to a different location, leaving me (or a real seller) hanging when it came to payment. Or maybe they were trying to get our contact or business information, for use in scamming potential buyers.
It screamed “this is a scam,” and I forwarded it to the university’s information security department.
In that case, the edu.com email address was the big red flag. There are strict criteria about what kinds of institutions are eligible for an .edu domain. Not everyone knows this.
Once the edu.com aspect caught my attention, I checked and saw that the email originated outside the USA. I would say that the bad grammar was also a red flag, not in general, but with respect to what I would expect from a large university’s purchasing director.
This Week’s Fraud Attempt
Yesterday, I received another fishy-looking email. Again, the name and institution name have been changed.
This email was suspicious, due to the email address, but appeared to be much more expertly crafted than the previous one.
The “reply to” email address was listed as [email protected]
The University of Eternia seeking quotes for the item below on an “FOB Delivered.
Note: The below item #1. The University desires to acquire this equipment through a net 30 terms.
(#1) FLUKE 87-5 SERIES V DIGITAL MULTIMETER……..Qty 75
Pricing shall be FOB Destination with all applicable freight paid by the vendor.
Pricing shall include delivery charges.
All of the following items must be submitted with your quote:
The University is required to have a W-9 (modified) on file for every company with which it does business.
Please include with your pricing packet a completed W-9.
I checked the university’s website, and the contact’s email was listed as [email protected]
The email originated from the USA, but on the opposite end of the country.
It *could* be legitimate, or at least I was not 100% certain that it was fraudulent. I emailed the purchasing contact at their web-listed email address, informing them that if they sent the email they should be aware that ToolGuyd does not manufacture or sell tools, and that if they didn’t, someone was posing as them, and I would be forwarding it to the information security department.
Today, I followed through and sent the email to that university’s web security team.
It’s hard to know whose attention to bring this to, but universities and large organizations typically have an anti-phishing webpage with an email address you can forward suspicious emails to.
Before I hit *send,* I looked at the “whois” data.
Domain Name: ****-EDU.COM
Registry Domain ID: [redacted]
Registrar WHOIS Server: whois.enom.com
Registrar URL: http://www.enom.com
Updated Date: 2019-04-24T17:07:10Z
Creation Date: 2019-04-24T17:07:10Z
Registry Expiry Date: 2020-04-24T17:07:10Z
Registrar: eNom, LLC
Registrar IANA ID: 48
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-05-15T13:56:27Z <<<
What this means is that the ****-EDU.COM domain is less than 3 weeks old. It *must* be spam. If not spam, a scam, or the start of attempted fraud, then it’s a highly terrible and unthinkably bad practice. No organization or educational institution that has a .edu domain and email addresses will suddenly decide to use an edu.com domain.
While some of you might see edu.com as a big red flag, not everyone will. These scams keep going because people unfortunately keep falling for them.
There are some valid ****-edu.com domains or email addresses, but definitely not for the organizations whose purchasing managers were impersonated in these emails.
All of the above is meant more as an FYI for small sellers, suppliers, and retailers. If I were a sales representative and had sent in documentation as requested, there’s no telling what would have happened. The impersonators are likely looking to dupe sellers into sending unpaid merchandise, but it’s also possible they’re phishing for information to use in nefarious ways, possibly to scam buyers or potential buyers.
When in doubt, vet a buyer or potential buyer before doing business. Look at their domain name registry information, for example. For educational institutions or large commercial businesses, purchasing contact information might also be available online.
Remember, universities won’t do business under a schoolname-edu.com email address or domain.
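The checks described above (a sender domain that imitates .edu, a reply-to address that differs from the apparent sender, and a recently registered domain) can be scripted. The following Python is an added example, not part of the original post; the sample message, the "eternia" domains, the function names, the edu.<country-code> exception, and the 90-day threshold are constructed assumptions.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: "eternia" follows the article's changed names, all values are
# made up, and the WHOIS text uses the field layout of the record quoted above.
SAMPLE_EMAIL = (
    'From: "Purchasing Director" <purchasing@eternia.edu>\n'
    "Reply-To: purchasing@eternia-edu.com\n"
    "Subject: Request for Quote\n\nPlease quote the item below on net 30 terms.\n"
)
SAMPLE_WHOIS = {"eternia-edu.com": "Domain Name: ETERNIA-EDU.COM\n"
                                   "Creation Date: 2019-04-24T17:07:10Z\n"}

def sender_domains(raw_email):
    """Return {header: domain} for the From and Reply-To headers that are present."""
    msg = message_from_string(raw_email)
    found = {}
    for header in ("From", "Reply-To"):
        addr = parseaddr(msg.get(header, ""))[1]
        if "@" in addr:
            found[header] = addr.rsplit("@", 1)[1].lower().rstrip(".")
    return found

def mimics_edu(domain):
    """True when 'edu' appears as a label or hyphenated affix outside the real .edu TLD."""
    labels = domain.lower().split(".")
    if labels[-1] == "edu":
        return False  # genuinely under .edu
    if len(labels) >= 3 and labels[-2] == "edu" and len(labels[-1]) == 2:
        return False  # assumption: edu.<cc> is a national education zone
    return any(lab == "edu" or lab.endswith("-edu") or lab.startswith("edu-")
               for lab in labels[:-1])

def domain_age_days(whois_text, as_of):
    """Days between the WHOIS 'Creation Date' and as_of, or None if the field is absent."""
    m = re.search(r"^\s*Creation Date:\s*(\S+)", whois_text, re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    created = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (as_of - created).days

def assess(raw_email, whois_by_domain, as_of, min_age_days=90):
    """Collect red flags; min_age_days is an illustrative threshold, not a standard."""
    domains = sender_domains(raw_email)
    flags = []
    if len(set(domains.values())) > 1:
        flags.append("reply-to-differs-from-sender")
    for header, domain in domains.items():
        if mimics_edu(domain):
            flags.append(f"{header}:{domain}:imitates-edu")
        age = domain_age_days(whois_by_domain.get(domain, ""), as_of)
        if age is not None and age < min_age_days:
            flags.append(f"{header}:{domain}:registered-{age}-days-ago")
    return flags
```

Calling `assess(SAMPLE_EMAIL, SAMPLE_WHOIS, as_of)` with `as_of` set to the WHOIS lookup time returns the list of flags; an empty list only means none of these three checks fired, not that the sender is verified.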
Reminder to Buyers
But, this is a good time to remind buyers of a prior post: Scam or Not? Tips for Assessing Unfamiliar Online Tool Stores.
A reader emailed me a few days ago, asking if the super-low prices on an unfamiliar tool website were too good to be true.
Following the screening process suggestions in my post, I was immediately convinced that the site was a scam. The online retailer in question doesn’t have their phone number or address listed, there weren’t any working social media links, and according to its Whois information, the domain name was registered less than one month ago.
I can only recall ONE example of an “is it too good to be true?” online retailer that turned out to be legitimate, and that’s for a store launched by an eBay seller who buys fountain pens overseas and ships them to the USA for less than you can buy them for here.
Yesterday’s email, which I’m convinced was an attempt at fraud, was expertly crafted. In that case, the only red flag was the -edu.com email address. How many sellers are aware of that? How many sales associates?
It’s only a matter of time before scammy online retailers become more sophisticated and convincing as well. Be careful!
I have worked financial crimes and fraud for a living at a bank for 16 years now. There is literally no shortage of ways criminals operate to defraud people. With the advent now of purely electronic communications and people not making a phone call, gotta be cautious.
A fool and his money soon shall part.
I’m laid back and chill but the penalties for these crimes need to be severe (when they can be prosecuted). I’ve read horror stories about people getting into serious trouble by falling for a scam. We’ve all been duped at one time or another and it’s so easy to make things look legit these days.
White collar crime penalties and prison sentences will never be more severe. Ever.
Why? Well I’m sure you can understand how white collar criminals and politics and race play a part.
Definitely easy-ER to get duped for sure. Emails like this though with pathetic grammar and contact demands are an obvious sign.
End of the day, an ‘ANYthing.com’ is a .com and not an .edu, .gov, etc. – no matter what precedes the .com. An obviously flawed and very weak scam using an obvious tell.
Exactly right. This was a .com domain, not a .edu domain. Of course, the Top Level Domain (TLD) used in an email does not imply any trust. Fraud can and does come from any TLD.
Well, not even phone calls are clear either, with spoofed numbers and the ability to register a VoIP number in a different region, etc.
My mother in law was scammed out of $5k dollars via online
Come on. How?
With SMTP traffic, looking at the “from” email field is not always a dead giveaway. If ever in doubt, review the email header information and check out the server trail.
The from field can easily be spoofed. The only reason not to spoof the “from” field, is if they’re looking for you to respond to their email. If it’s just a link or an attachment they’re trying to drop, the “from” field means nothing.
Lots of crafty phishes out there these days. Keep a vigilant eye, consider paying for an email filtering service, turn off Microsoft Office macros, and consider not being logged in with an administrative user at all times.
Many email clients are much better at highlighting this, with “this sender might not be who they say they are” warnings and such.
When someone tried to impersonate us to get tool samples, they tried spoofing too, and it was red-flagged in the email shared with me.
I get spam, scam, and fraud emails all the time. Usually, they’re easy to identify and ignore. The latest one, however, was really sophisticated in comparison. Combined with the low frequency of -edu.com fraud attempts I’ve seen, I thought it was an important scam that readers should be aware of.
I worked for a franchise that was the target of scam emails. They would spoof our addresses, sometimes creating entirely new ones, and email offers that sounded very legit. Customers would jump at the “great deal for loyal customers” and hand over credit card info. The scam emails were never flagged despite coming from another country. The IT department was even working with Google to try and get them flagged, but couldn’t get anywhere. It severely damaged our reputation.
I work for a university that many of you have hear of. We get some absurd spam/phishing emails. Normally we get multiples a week. Most look awful and are obvious. Some are really good though. Always have to be careful these days.
This type of thing didn’t happen before computers and the internet came about and made it so easy to obtain our identity and information. Technology has given people the opportunity to become gutless chickenshit cyber criminals who never even have to meet you or know what you look like to steal from you or steal your identity. The problem lies inherently with the gift and the curse of what technology is and what it has done for us and what it has done against us. And 99% of the assholes who perpetrate these crimes never see the justice they deserve which is why people are so inclined to do it. It’s too easy and there’s very little fear of the consequences.
It’s not new at all. It is, however, easier to do on a grand scale, and quite a bit harder to prosecute. See https://www.theatlantic.com/technology/archive/2018/05/98-years-of-mail-fraud/559661/ .
Interestingly, because of the low cost per invite but the high cost of replying, it’s often actually in scammers’ interest to be obvious scammers. Microsoft led the way on this research: https://www.microsoft.com/en-us/research/publication/why-do-nigerian-scammers-say-they-are-from-nigeria/ . Groups like 419 Eater (https://en.wikipedia.org/wiki/419eater.com) capitalize on this by wasting the scammers’ time. Check out https://www.ted.com/talks/james_veitch_this_is_what_happens_when_you_reply_to_spam_email?language=en for an entertaining talk on exactly how they go about doing that.
There have always been con artists, swindlers, and thieves who prey on others for profit.
I have hear of many universities, I bet yours is in fact one of them lol In all seriousness though, I do try to do as little online as possible because of this commonality.
I work in IT and I would like to point out an error regarding “its SSL certificate has a 3-month duration”. The new trend is to make certificate durations shorter in order to improve security.
The purpose of a certificate is not to validate that the business is real or fake; it is used to give you the assurance that your interaction with the other party is secure. If I own the domain “thisisascam.com” I can request an HTTPS certificate and it is completely legit. It is the user’s responsibility to decide if they want to do business with “thisisascam.com”.
Thank you, I appreciate it!
I don’t disagree with you. Perhaps mistakenly, I considered the SSL certificate a sort of “sprinkles on the frosting” type of signal. E-commerce sites that I am familiar with typically have proper certificates, or at least certificates that fit within expectations, and of the scammy retailers I’ve seen, many have free 3-month Cloudflare certificates, and others have ones that don’t seem *right* in other ways.
I’ve assumed that the nature of the SSLs was to help eliminate any potential paper or bank trails should scammed customers seek retribution.
Grammar. It’s a dead giveaway. When I read that email example, I see no sophistication at all. I see them all the time posing as my email or bank or eBay, PayPal, the list is endless and always easy to spot because of grammar. Remember never to use links unrequested in an email. Random requests to “update” information are nonsense. But, if you feel you must check to be sure, exit from the email and take the normal pathway to your trusted sites. Be smart, your bank is never going to suddenly ask you for your SSN.
I delete garbage emails daily and don’t think twice. Why would you follow up with what might be the actual institution? Who cares. It’s spam, garbage, move on. People must be stupid, no common sense or never had anyone smart enough to teach them growing up. So much more to do and worry about. Email is about 30 years going now. Delete crap emails and go about your day. I educate my child on this. Adults who have to be educated on this don’t have the capacity to exist. Oh by the way your Nigerian uncle died and left you a million dollars. You can claim if you send me a single Bitcoin to this wallet address: jkbskbjkb852558ksggsk
I wouldn’t. But small businesses or suppliers might.
I get a lot of emails of this nature, including many legitimate-seeming ones from businesses, industry (such as car assembly plants), academic institutions, and even military personnel (such as aircraft techs).
The more polite emails receive a polite “I’m sorry, we do not sell tools,” reply from me. US military always receive a reply or point in the right direction.
When doing purchasing research, I will sometimes contact smaller companies, usually regarding specialized equipment. Some get back to me, others ignore my questions and emails, presumably because I’m too small of a customer.
A small business seller or supplier might be open to large contracts or institutional purchases and relationships and might miss something like a -edu.com email address flag.
The fact is, scams like this one continue because people do fall for it.
Actually, most organizations have an “abuse” email to forward the email to. Reporting it may not help you, but it might keep someone less sophisticated from getting suckered.
You can usually email “[email protected]/hotmail/outlook/yahoo/whatever.com”
For Amazon it is [email protected]
Many of the emails either originate from, or include, an email address from Gmail, Hotmail or Outlook, and they will shut down those accounts.
When I reported the previous incident to the info security dept. of the university they were impersonating, they indicated they were trying to get a registrar to shut down the offending domain.
They told me that they had been trying “for months.”
The problem is that with something like a ****-edu.com email address, there’s nothing gmail/hotmail/etc can do. If it’s routed through a business gmail account, maybe.
When someone contacts me through the contact form, my server routes the incoming mail, and so I only see the reply-to address.
We’ve got three people trying to do this to our business now. One of them wants us to ship a $6000 bathtub to Poland, using their shipping company (with a gmail.com email address), and wants to pay over the phone with a credit card. The other two aren’t quite as insane, but close.
So…yeah. I’m the one that emailed Stuart about whether or not a tool website was too good to be true. Unfortunately I emailed him after the fact and had spent $200 on what I was hoping was a smoking deal on much-needed tools. My only saving grace is that I paid via PayPal and the payee was actually verified. Which means that it’s covered under the PayPal guarantee. I had called the phone number on the website along with emailing them and obviously got no response at which point I contacted PayPal and opened a case. I now have to wait 10 days for them to respond before they will issue me a refund …I know, I know, I’m an idiot…. buyer beware…. too good to be true and all the other sayings that I should have heeded before buying anything. Anyways thanks Stuart for taking the time to look up that website and warning me.
Phew, I’m just glad you didn’t use a credit card!
When in doubt, play it safe.
There is very strong pull with these websites, and people find the deals hard to believe but sometimes even harder to resist.
Sometimes a retailer will have low pricing on specific things, but if it’s not a reasonable promo, then it’s something like liquidated or closeout tools. When a website has EVERYTHING on sale for a fraction of their retail value, it’s usually too good to be true.
I DID take chances once, which is how I ended up with a 26″ Beta tool cabinet for $20 from Amazon. =)
Working for a public school, we get these things all of the time. The most recent ones were all written from an email address that looked exactly like our superintendent’s or principal’s, except with a .com at the end. So, [email protected] . All of the emails were marked “urgent” and had some serious school emergency listed in them that we had to send some information or click onto links that looked like systems we use to “correct”. I never took the bait, but I know others in the district did.