Warning: Escrow Scam

It’s nothing new. But it’s a scam that’s working well for criminals. It’s the “Escrow” scam, and my brother was nearly conned this week. Here’s what happened, and how you can protect yourself from falling victim to the same con.

Not a New Scam

Bob Sullivan reported on MSNBC.com in 2002 about this exact fraud:

Dec. 17, 2002 – In July, MSNBC.com warned Internet users that fake escrow Web sites were the latest scam. Six months later, the scam has widened considerably, and it now appears to be among the most successful Internet cons ever. By taking advantage of Net auction winners’ inherent trust of escrow sites, the con artists are stealing as much as $40,000 at a time from big-ticket auction winners. Their total take may well reach into millions of dollars so far. And while federal authorities, including the Department of Commerce and FBI, are investigating, there seems to be no way to slow down the con artists. Read the rest of the article.

Let’s be clear. Legitimate escrow companies are great. They perform a valuable service in protecting sellers and buyers against fraud. They work so good, however, that scammers like to name-drop the legitimate escrow companies to play on unsuspecting people’s sense of trust. Sullivan says, “to an untrained eye, it can be impossible to tell the difference.”

My brother’s story

My brother saw a posting for a car on Kijiji.com that seemed like a great deal. Through the site, he contacted the seller looking for more information.

Note: I am obscuring my brother’s information, but not the con artist. His information I will post in detail. Watch out for him, and others like him.

From: post@kijiji.ca
To: alannacodiga@gmail.com
Subject: Reply to your “2000 Honda Civic” Ad on Kijiji
Date: Wed, 28 Oct 2009 18:50:19 -0700

Hello! The following is a reply to your “2000 Honda Civic” Ad on Kijiji:

From: xxxxxxxxxx@gmail.com
some pictures of the interior would be nice

The seller responded the next morning.

On 2009-10-29, at 7:39 AM, David Jeko <mybabyboy1090@live.com> wrote:

First of all i want to say that the car is in perfect condition, without faults or dents, no scratches or any kind of damage, without engine problems, no hidden defects, the car has not suffered damage.The title is clear. The interior is as new condition and was never smoked in. The price I find it very reasonable, I ask for it $2,500. The problem is that I had to leave with my family in United States as my wife has been promoted and we had to move here where she got the new job transfer for 5 years.

The car is still in Canada, at our home that we intend to keep and not sell because we will return after my wife’s 5 years contract will end.

Here I uploaded all the pictures with the car:
http://www.flickr.com/photos/44046012@N06/?saved=1

I am the only owner of this car and it has been babied since day one. It has 126000km but runs like new. I never drive hard or redline.

All the maintance is up to date, I will even throw in an oil and fuel filter (Brand new Honda spec) so you are ready for the next change. Since day one synthetic oil Mobil 1 or Royal Purple. It has High Kilometeres because I’m on the Highway everyday for work. It gets about 600km to a 40 litre tank.

Options :
CD player Leather seats Passenger airbag Driver airbag
Anti-lock brakes Air conditioning Power locks

I want to close the transaction in person, pick up only no shipping involved, that means i will come in a week-end or a specific day we agreed on and meet to close the deal in person.

I have advertised the car in several cities so please tell me in your next email in witch city are you located just to know how far are you from the car.

Wow! That sounds fantastic! My brother wants to know more.

From: xxxxxxxxxx@gmail.com
To: mybabyboy1090@live.com
Subject: Re: Reply to your “2000 Honda Civic” Ad on Kijiji
Date: Thu, 29 Oct 2009 12:56:19 -0600

I’m in Edmonton area, where is the car? Very interested, how long would it take to see it?

The seller responds:

On 2009-10-29, at 1:52 PM, David Jeko <mybabyboy1090@live.com> wrote:

Hello, the car is garaged in Edmonton and only me and my wife got the keys from the house where the car is garaged that means I must be there in person to view and test drive the car. As you know i am in United States and to move forward with the deal i wish to use escrow.com who will keep the money until you get the car under your name (I come from US to Canada, meet you and close the deal in person).I have checked out www.escrow.com with the better bussiness bureau and was relieved to see a AAA rating. I do agree that the escrow.com company seems to be the best way to mutually protect ourselves. They also give an inspection period we must agree on. That’s why i prefer to go thru a escrow.com.This is my wife idea and i can say it is the most suitable to close the deal. I will also pay the fees involved ( escrow.com fee and transfer fee). www.escrow.com is the most reputable middleman company in the world.

This payment means to me your a serious buyer, i mean ,i wont come all the way back home and you wont show up. I hope you understand my reasons and agree with me.Basically they keep the payment until we close the deal. If you are satisfied they will wire me the money if not they will refund you the payment. Is very simple and secure

Let me know if this is acceptable with you?

What a coincidence: the car is in Edmonton, right near my brother! As the seller says, “Escrow.com is the most reputable middleman company in the world.” They’re a brilliant way to keep both buyer and seller safe. And it works just like he says: my brother pays escrow.com, he lets them know that he got the car as promised, escrow.com wires the money to the seller, everybody goes away happy.

Read on…

From: xxxxxxxxxxx@gmail.com
To: mybabyboy1090@live.com
Subject: Re: Reply to your “2000 Honda Civic” Ad on Kijiji
Date: Thu, 29 Oct 2009 19:15:25 -0600

What’s the vin number? I’d like to do a check on the car.

A reasonable request. However…

On 2009-10-29, at 1:52 PM, David Jeko <mybabyboy1090@live.com> wrote:

From: David Jeko <mybabyboy1090@live.com>
Date: October 30, 2009 9:14:59 AM CST
To: <xxxxxxxxxx@gmail.com>
Subject: RE: Reply to your “2000 Honda Civic” Ad on Kijiji

I will send the VIN number to escrow.com, they will check it and keep it until we meet to close the deal. They say is not safe to give any vehicle information to unautorized persons. Don’t worry the VIN will be sent to escrow.com, I will write it in the transaction form (it was also required) when I start the transaction

All you have to do is to register with escrow.com. After that, you must send me your full name, address and the email address you have registered with them and I will start the transaction. They will contact you by email with the transaction details and payment details. After the payment is secured by escrow.com I will be notified and I will come to Canada to meet you and close the deal in person. If you do not find the car as I described to you, you will notify about that escrow.com and they will give you the money back. Is very simple.

Hmmmm. No checking whether the car has a lien, has been in an accident, anything like that? What could my brother do with the VIN? Maybe find out who the seller really is… or that the VIN doesn’t match the promised car…

At this point, my brother contacted me.

Finding out more

I brushed up on my google-fu and got to work.

Lo and behold! A very similar situation was reported by user lms2009 in the forums at BankRate.com (note the similar email address: mybabyboy1092@yahoo.com. User Pendragon reported:

Well, I’m sorry to be able to confirm that this guy is in fact a scammer. (John Mosec)

He just ripped off my 17 yr old daughter for (Can) $2500 for a 2000 Honda civic (Blue). Ad on “KIJIJI.com”

He used the exact M/O as described in the starting post, the only difference was the “Escrow agent’s” name… “Michael Safa.”

He was supposed to be in California, but the money was received in Chicago. I was too late getting involved to be able to intervene she had already sent the cash to the “Agent” .

He is using different ip addresses for almost every email, with exception to the “Escrow emails which all originate from “Received: from bombay.jangomail.com ([38.192.4.42]) ”

OrgName: PSINet, Inc.
OrgID: PSI
Address: 1015 31st St NW
City: Washington
StateProv: DC
Postalblockquote: 20007
Country: US

ReferralServer: rwhois://rwhois.cogentco.com:4321/

NetRange: 38.0.0.0 – 38.255.255.255
CIDR: 38.0.0.0/8
NetName: PSINETA
NetHandle: NET-38-0-0-0-1
Parent:
NetType: Direct Allocation
NameServer: NS.PSI.NET
NameServer: NS2.PSI.NET
Comment: Reassignment information for this block can be found at
Comment: rwhois.cogentco.com 4321
RegDate: 1991-04-16
Updated: 2005-10-05

RTechHandle: PSI-NISC-ARIN
RTechName: IP Allocation
RTechPhone: +1-877-875-4311
RTechEmail: ipalloc@cogentco.com

OrgAbuseHandle: COGEN-ARIN
OrgAbuseName: Cogent Abuse
OrgAbusePhone: +1-877-875-4311
OrgAbuseEmail: abuse@cogentco.com

OrgNOCHandle: ZC108-ARIN
OrgNOCName: Cogent Communications
OrgNOCPhone: +1-877-875-4311
OrgNOCEmail: noc@cogentco.com

OrgTechHandle: IPALL-ARIN
OrgTechName: IP Allocation
OrgTechPhone: +1-877-875-4311
OrgTechEmail: ipalloc@cogentco.com

# ARIN WHOIS database, last updated 2009-02-25 19:10
# Enter ? for additional hints on searching ARIN’s WHOIS database.

OrgName: PSINet, Inc.
OrgID: PSI
Address: 1015 31st St NW
City: Washington
StateProv: DC
Postalblockquote: 20007
Country: US
Comment: rwhois.cogentco.com
RegDate:
Updated: 2008-12-12

ReferralServer: rwhois://rwhois.cogentco.com:4321/

AbuseHandle: COGEN-ARIN
AbuseName: Cogent Abuse
AbusePhone: +1-877-875-4311
AbuseEmail: abuse@cogentco.com

AdminHandle: JKN12-ARIN
AdminName: Knowles, John
AdminPhone: +1-703-657-7904
AdminEmail: jknowles@cogentco.com

NOCHandle: ZC108-ARIN
NOCName: Cogent Communications
NOCPhone: +1-877-875-4311
NOCEmail: noc@cogentco.com

TechHandle: IPALL-ARIN
TechName: IP Allocation
TechPhone: +1-877-875-4311
TechEmail: ipalloc@cogentco.com

# ARIN WHOIS database, last updated 2009-02-25 19:10
# Enter ? for additional hints on searching ARIN’s WHOIS database.

The whole forum thread is well worth reading.

Lessons Learned

  1. Google is your good, good friend.
  2. Always check the raw email headers, to check that the actual sending email address matches the reported “From” field. lms2009 sent this information to the message board:

    Return-Path: <mrsivam@jangomail.com>
    Received: from mailserv4.its.unb.ca ([131.202.1.27] verified)
    by email.unb.ca (CommuniGate Pro SMTP 5.2.10)
    with ESMTP id 178962708 for MY EMAIL; Wed, 21 Jan 2009 19:33:44 -0400
    Received: from mx1.nbpei-ecn.ca (mx1.nbpei-ecn.ca [198.164.163.194])
    by mailserv4.its.unb.ca (8.13.6.20060614/8.13.6) with ESMTP id n0LNXfgm011492
    for xxxxxxxx@xxxxxxxxx.xxx; Wed, 21 Jan 2009 19:33:44 -0400
    Received: from mx1.nbpei-ecn.ca (localhost.localdomain [127.0.0.1])
    by localhost (Postfix) with SMTP id BAB9614C398
    for xxxxxxxx@xxxxxxxxx.xx; Wed, 21 Jan 2009 19:33:41 -0400 (AST)
    Received: from bombay.jangomail.com (bombay.jangomail.com [38.192.4.42])
    by mx1.nbpei-ecn.ca (Postfix) with ESMTP id 238E014C35D
    for xxxxxxxx@xxxxxxxxx.xx; Wed, 21 Jan 2009 19:33:41 -0400 (AST)
    Accreditor: Habeas
    X-Habeas-Report: Please report use of this mark in spam to http://www.habeas.com/report/
    Message-ID: <2096502282020761@jngomktg.net>
    Subject: Transaction 445321 – Started
    Sender: “Escrow.com Transactions” <transactions@escrow.com>
    From: “Escrow.com Transactions” <transactions@escrow.com>

    Translation: lms2009, Pendragon’s daughter, and if he had gone through with it, my brother would have, received an email that looked like it came from escrow.com. But it actually didn’t. It came from bombay.jangomail.com.

  3. Check the company’s website.

    Now if you’re looking at a scam website, it doesn’t much help, does it. But if the instructions on website don’t match the instructions given by the seller, you know to be very, very careful. That’s where lms2009 was able to clue in that he was being defrauded.

    After I was signed up on as a user on Escrow.com I received an email from the seller saying he started the transaction, followed by two emails from “transactions@escrow.com”. The first email I received gave me a transaction number “445321”, stated what the merchandise and price were, length of inspection period, etc. The second email I received stated the payment details, which said that I should send cash via Money Gram to escrow representative “Michael Kettler” and I was given the same mailing address as what is given on the Escrow.com website. It also asked me to fax a copy of my receipt to the following phone number “1-206-350-8738”. The seller then contacted me and gave me a list of Money Gram locations in my current city of residence and told me he had to select this payment method since it was between the US and Canada and the transaction was less that $5,000. I should also note here that the two emails from “transactions@escrow.com” seemed really legitimate, containing the right escrow.com symbol and address, it seemed very real.

    How I found out it was a scam: I had already read through the payment methods that Escrow.com uses and Money Gram was not one of them. I emailed the support address they give on the website and asked about the Money Gram method and I was sent a reply that this was not one of their methods of payment and was told not to wire the money. I had also read an email that was sent to me by “transactionsecurity@escrow.com” when there was a change made to my user account which gave security tips and one of them stated that Escrow.com would never give payment instructions via email. I was pretty confused for two reasons: the address that I was supposed to send the money to was the right Escrow.com address and I was being sent emails from an @escrow.com email address giving me false payment details. So, next I called the company since they give a phone number on their website for users who are suspicious or feel as if someone is going to scam their money. I called this number and told the man who answered the phone the transaction number I was given and he told me not to wire the money and that it was a fraudulent number. I said thank you and was disconnected before I had a chance to say anything else so I called him back and asked if he wanted any details about the emails I received and I was told that they were already working on it.

  4. DO NOT send money via Money Gram, Western Union, or any other sort of direct person-to-person money transfer. Legitimate escrow companies do not work this way.

Be careful out there. And don’t forget to Google.