IT Excuse Generator

Add to Google

September 03, 2003

New Scam Targets Small Business

In the late to mid 1990s social engineering exploded and started to be learned by the masses. Thousands of teens from all over the world, and every economic background, ran rampant on AOL trying to scam AOL members and AOL Community Leaders (the hosts that supervised the chats) into handing over their passwords. They quickly learned that they could easily scam other members out of their credit card numbers too. The Nigerian Bank con-artists that previously targeted their victims by US mail and fax started to shift their efforts online. Then even two-bit conmen realized they could go after many more marks using e-mail rather than resorting to one on one scams in supermarket parking lots.

Now the old crop of AOL snerts that learned social engineering in the 1990s have grown into adults but, sadly, most haven't given up their old habits. In fact it seems most of them have finely crafted their pitches and are trying new scams in an effort to steal credit identities.

This afternoon I could have easily became a victim. Unlike recent email scams, this wasn't by email but rather by US Mail and telephone.

It actually started yesterday when I received a collection letter that claimed to be sent by Dun & Bradstreet and was for an unpaid insurance policy with a company I've never dealt with. At first I thought it had to be some sort of mistake. I was sure all my policies were paid current and it was definitely impossible for something to have been sent to collection without some type of prior notice from the company itself. It was also for an odd amount; $2,301.00. Not too much that most small businesses receiving such a letter would think its way too high to be remotely believable and not too little where it could be completely ignored.

After carefully reviewing the letter I found a few discrepancies and oddities. First, this letter had a stamp instead of being metered or by permit. Corporations rarely use stamps. The logo and return address appeared to have been printed on a laser printer, not by a printing press. Its postmark was also different from its return address, which interestingly google and yahoo maps couldn't find. While the letter itself was typed and somewhat professional looking, I noticed that it wasn't a mass produced type letter. It appeared to have been produced specifically for me, also printed on a laser printer, and was hand signed. I found this especially odd because Dun & Bradstreet is a huge collections company. I thought to myself that they must be highly automated and couldn't be personally printing and signing letters like this in mass, especially for such a small collection amount.

In essence the letter only advised that a specific collections officer was assigned to my case and he'd be calling within the next few days to collect some information and try to arrange for repayment. A telephone number or email address for me to contact him first (or anyone else at D&B) was glaringly absent. I had no choice but to wait for the call.

My wait was not long as he called today, late in the afternoon. He had an easily recognizable New Jersey accident and seemed to be reading from a rehearsed script. It attempted to scare the target into believing that this would affect the company's credit, as well as the target's personal credit, if payment wasn't arranged with him today.

I explained that I had not signed any policies with this insurance company and that I even double checked with my independent agent to make sure that I've never dealt with this company. He apparently turned the page on his script and then went into a story on how they often make these mistakes. He then went on to say if would provide them with some information about myself and the company they could double check their records and fix this today. Having felt that this was certainly a social engineering attempt I started to fed him false information just to find out everything he wanted to know.

The most damaging information requested was my parent's and even grandparents names, my Social Security number, the name and positions of all the company's officers, and the company's tax ID. The strangest information requested was my eye and hair color. I guess which could be used on a false ID.

After collecting all the information he apologized again for the mistake and sounded like he was beginning to ending the conversation. I decided to jump in and try to get him to admit to what he was doing. I quickly thought of telling him that I used to do carding and spam (both not true!) and that I knew all along right from the letter that it was a con. He laughed and said, "I've been doing this for 5 weeks. Everyone is scared and believes it." I tried to find out if he was doing this on his own or if hes working for someone else and he was too cryptic with his response to make sense of it. I asked if I could do this scam with him and tried to get his number so I could call him about it when I got home but he just said, "no" and hung up.

After thinking about the conversation I feel his script was very masterly thought out and was well rehearsed. He was super convincing and everything sounded innocent enough in the way it was asked that I can believe everyone contacted does fall for it.

I took the letter to the post office and filled out their mail fraud form. I hope to repeat the entire conversation to an inspector directly but who knows if they'll ever follow up or not. Everyone knows how the post office works.

This just proves that everyone must be guarded and skeptical of anyone asking for personal information. Listen to your gut and that little voice in your head. If something is too good to be true, it is. If a company you're already doing business with contacts you because they need your information again don't believe it.

Posted in My Business by usrbingeek at 2003-09-03 16:04 ET (GMT-5) | 1 Comments | Permalink


If I were you, I'd also contact the State Attorney General:

Good luck with the situation.

Posted by: joy at September 4, 2003 10:50 PM

This web site is provided "as is" with no representations or warranties, and confer no rights. We are not liable for omissions or typographical errors contained in the content. Use at your sole risk.
The opinions expressed here do not necessarily represent any other entity or party we may have a connection or affiliation with.
usrbingeek, usr bin geek,, #!/usr/bin/geek are trademarks of usrbingeek LLC. All other trademarks and tradenames are property of their respective owners.