Facebook and 419s

This is a 419 (a so-called Nigerian scam letter) received via Facebook. Well, it doesn't look very Nigerian, and it includes a phone number that appears to be in Hong Kong (no, I haven't tried it out). But the letter, though perhaps more literate than some of the African scams I've seen, is standard Advance Fee Fraud, with a little extra oomph in terms of emotional blackmail. 

As Homer Simpson might have said: "Don't arrest me. I have a wife and children. Arrest them…" Sorry, chum, if you expect to send me this sort of guff, I don't feel obliged to protect you against anyone's rightful powers of arrest.

Dear Sir,

I am Xinfa Liu, a Business Relationship Manager for the Guangdong Development Bank in China{Record and files department}.I am contacting you with regards the estate of late Andrew Harvey and an investment placed in our bank 8 years ago.

It is important you keep the contents of this mail confidential and respect the integrity of the information you come by as a result of this mail. I contact you independently and no one is informed of this communication. In 2003,Mr Harvey; came to our bank to engage in business discussions with our private banking division. He informed us that he had a financial portfolio of 8.5 million United States dollars, which he wished to have us invest on his behalf.

Based on my advice, we invested the money around various opportunities and made attractive margins for our first months of operation, the accrued profit and interest stood at this point at over 11 million United States Dollars. In mid 2006, he instructed that the principal sum (8.5M) be liquidated because he needed to make an urgent investment requiring cash payments in Hong Kong. We got in touch with a specialist bank in Hong Kong the Chong Hing Bank who agreed to receive this money for a fee and make cash available to the Mr Harvey. However Chong Hing Bank got in touch with us last year that this money has not been claimed and the money was returned to Guangdong bank in China. On further enquiries we found out that Mr Harvey has passed away, which means he died intestate. He has no next of kin and this is the reason I am contacting you,because you bear the same surname.

What I propose is that since I have exclusive access to his file, you will be made the beneficiary of these funds. My bank will contact you informing you that money has been willed to you. On verification, which will be the details I make available to my bank, my bank will make payments to you. You do not have to have known him. I know this might be a bit heavy for you but please trust me on this. For all your troubles I propose that we split the money in half. In the banking circle this happens every time. The other option is that the money will revert back to the state.

Nobody is getting hurt; this is a lifetime opportunity for us. I hold the KEY to these funds, and as a Chinese National we see so much cash and funds being re-assigned daily. I would want us to keep communication for now strictly by the above contact details. Please, again, note I am a family man; I have a wife and child. I send you this mail not without a measure of fear as to the consequences, but I know within me that nothing ventured is nothing gained and that success and riches never come easy or on a platter of gold. This is the one truth I have learned from my private banking clients. Do not betray my confidence. If we can be of one accord, we should act swiftly on this.

Please get back to me immediately via the above contact details.

I await your response.

So, I wondered, what options does Facebook give you for dealing with stuff like this? Well, you can report it as spam, of course, but while most spam is in some sense fraudulent, that seems inadequate. It turns out, though, that there's another report button next to the senders ID link. Unfortunately, it only gives you two radio button options and a checkbox.

The radio buttons offer you two choices:

  • Credible threat of violence
  • Sexually explicit

The check box simply allows you to ask for the sender to be blocked.

I know there are stories (which I don't have grounds to doubt) of 419 victims being kidnapped, killed or injured when they get too close to the scammers in some sense. But I'm not sure that's what Facebook means by that button. And while I'm not an advocate of sexual harrassment or exploitation, I find it a little odd that there's no option for out-and-out fraud. I know that Facebook has various countermeasures for dealing with the even more various types of fraud that Facebook users are subjected to. Does it really believe that those measures are so effective, no fraudulent message can ever get through?

David Harvey CITP FBCS CISSP
ESET Senior Research Fellow

Author David Harley, ESET

  • Vic

    Got a good laugh out of his removing his surname in the first paragraph for privacy reasons but having not problems revealing it on the second. :)

    • David Harley

      @Vic, that was actually me thinking about preserving a little of my own privacy, and then not following through. :)

  • Patrick

    What gave me a laugh was that under job description they state: Head of Files etc.
    On a more serious note, I do not think they do. But then again what Facebook believes is irrelevant, what the users, share- and stakeholders of facebook believe is much more important.

    Storing information online is always a risky business. Even if a system is as secure as possible there stil is the human factor which plays a role. Easy passwords or not enough knowledge about the way a certain service stores and shares data are very common security issues. And i guess it is pretty hard for you IT security professionals to stay ahead of the "dark side" with the scams they come up with.

  • James Mark

    I received the exact same mail from Xinfa, with my last name inserted of course… wonder how many others have..?
    Also, I find it funny how their writing skills break down as the correspondence proceeds… AND, they never seem to address replies personally other then "Hi", or on occassion Mr. (last name), but never a given name… you quickly realize that you are not dealing with the one who wrote the letter.
    Another blatant case of 'Too Good to be True'.
    The simple things in life are worth so much more !

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

1 article related to:
Hot Topic
13 Feb 2011
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.