Deconstructing a “419” Benefactor Fraud Email

In this post we will deconstruct a typical 419 fraud. The example below is a real email message that was flagged by our system as fraud. After the jump we’ll explain what’s typical about it so you’ll know how to spot similar scams.

Subject: CONTACT FINANCIAL BANK BENIN

From: “Alhaji Bello Banjo,” <patrick_paul@att.net>

To: undisclosed recipients: ;

Body:

BP 2700, Cotonou, , Benin
Primary SIC: National Commercial Banks, Primary NAICS: Commercial Banking
Description: Finance: Banking

website. www.Financial-bank.com
EMAIL ADDRESS:( financialbank45@hosanna.net )

Attn:

We have been trying to get in contact with you, since couples of months,because your INHERITANCE FUND WHICH IS (US$7,000,000.00) is ready to transfer to you as our late customer ENGINEER MIKE UGO. instructed us when he was alive,so please you are advise to email us with your contact home address and your banking details to confirm that you are the rightful owner of this fund before we proceed further transfer.

Sincerly

Alhaji Bello Banjo,

As 419 scams go, this one is pretty average. If you are willing to believe that you have a mysterious benefactor that died and left you a ton of money you’ll have to rely on other clues to figure out that this is a scam. Fortunately there are several.

We’ll start with the ones in the subject:

  • The subject is all caps. By itself this doesn’t really prove anything but for some reason 419 scammers like to capitalize their subjects. Maybe they think yelling makes them more believable.
  • The subject indicates you need to contact somebody. 419 subjects often contain the phrase “PLEASE REVERT IMMEDIATELY” or “URGENT CONTACT”. This one doesn’t indicate any urgency but it does start you thinking about replying before you even read the message.
  • The subject contains “money words”, in this case “FINANCIAL” and “BANK”. Another favorite 419 subject word is “BENEFACTOR”. This is probably intended to get your greed response going and apparently works or they wouldn’t keep doing it.
  • The subject mentions a country in Africa, in this case “BENIN”. Apparently, if you’re going to have a mysterious benefactor, they will most likely be from Africa. We’re not sure why. (BTW, Benin’s eastern border is Nigeria’s western border. Why are we not surprised?)

Next we’ll look at the From and To fields:

  • The “pretty” part of the “From” (this is the part that contains a name or description as opposed to an email address) is “Alhaji Bello Banjo,”, presumably because that sounds like somebody who would be writing to let you know you have money coming. The misplaced comma after “Banjo” indicates a failure to use the mail merge software correctly and is just sloppy (a lot of these guys are sloppy; more on this later).
  • The address in the “From” field is <patrick_paul@att.net>. You would think somebody in authority at a major bank would use an address with their own name in it and the domain would have something to do with the name of the bank. This is a “spoofed” address but you’re not supposed to notice that.
  • The “To” comes through as “undisclosed recipients” because it was sent to a bunch of people and all of the recipients are blind carbon copied (Bcc). This might show up as an address, possibly even yours, in an email client so by itself it’s not very helpful.

So far we’ve been looking at the parts you might be able to see without even opening the message. Now we’ll look at the body, starting with the official looking headers:

  • The body starts with a few lines containing financial industry terms like “Primary SIC” and “NAICS”. Presumably a bank would put stuff like this in an official email (probably not, but it makes it look more “banky”).
  • Next there’s the website link heading “website.” (un-capitalized and with a period instead of a colon; you’d think they’d proofread this crap).
  • The website link itself links to “www.Financial-bank.com”. The website looks decent. It could be a real bank. Of course anybody can link to a bank’s website.
  • The email address heading is “EMAIL ADDRESS”. This time all caps with a colon and parentheses. So much for consistency.
  • The name portion of the address is “financialbank45”. It has a number in it kind of like when you try to get your name at hotmail.com and have to settle for “yourname45”.
  • The domain of the email address is “hosanna.net”. So we’re supposed to believe that this bank can’t afford its own domain.
  • And another thing about the email address: why is the “From” address not the same as the address in the message? That’s mighty suspicious.
  • Finally, the salutation is “Attn:”. This bank knows you’re the heir of this particular mysterious benefactor but they can’t address you by name. Or maybe it’s easier not to use names since this was sent to a zillion other people too.

Now for the actual text of the message:

  • Let’s start with this sample of bad English: “We have been trying to get in contact with you, since couples of months”. As long as we’re suspending our disbelief we might as well accept that there’s nobody at this bank that speaks English. Oh wait, the bank’s website is in both English and French. Maybe they hired somebody to translate it…
  • The punctuation throughout is terrible. Oh, and we forgot to mention that all of the text is bold. This might be a relative of the all caps “Subject”, i.e., Bold = Authoritative?
  • And just to make sure you see it, “INHERITANCE FUND WHICH IS (US$7,000,000.00)” is not only bold it’s all caps as well. This is the part where your pupils would turn into dollar signs if you were a cartoon.
  • Next we get the name of your benefactor: “ENGINEER MIKE UGO”. Also all caps. The interesting thing here is it’s “Engineer” Mike Ugo. Not just Mike Ugo. (Whoever that is, your long lost uncle maybe?) Mysterious benefactors are frequently engineers. We guess this is because engineers are always rich. Wait. What?
  • Here’s the meat: “please you are advise to email us with your contact home address and your banking details to confirm that you are the rightful owner of this fund before we proceed further transfer.” Give us your name, address and bank account details so we can empty your bank account, er, send you a bunch of money.
  • Sincerely Alhaji Bello Banjo, (Maybe the comma after Banjo is some sort of African punctuation that we don’t understand.)

Not all 419 emails will have all of these earmarks but they will usually have at least a few of them. The next time you get an email informing you that a long lost uncle that you never heard of has left you a lot of money in Africa you should check it for these traits before handing over your bank account info.
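The earmarks above can be checked mechanically. The following is an added example, not code from the original post or from any real spam filter; the function name `find_earmarks`, the word lists and the regular expressions are assumptions chosen to mirror the traits walked through in this post, and the sample is the quoted message, abridged.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers and abridged body of the message quoted in this post.
SAMPLE = '''Subject: CONTACT FINANCIAL BANK BENIN
From: "Alhaji Bello Banjo," <patrick_paul@att.net>
To: undisclosed recipients: ;

website. www.Financial-bank.com
EMAIL ADDRESS:( financialbank45@hosanna.net )
Attn:

your INHERITANCE FUND WHICH IS (US$7,000,000.00) is ready to transfer to you.
please you are advise to email us with your contact home address and your
banking details to confirm that you are the rightful owner of this fund.
'''

MONEY_WORDS = {"FINANCIAL", "BANK", "BENEFACTOR"}   # subject words named in the post
CONTACT_WORDS = {"CONTACT", "REVERT", "URGENT"}     # from the post's subject examples
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")    # captures the domain
SITE_RE = re.compile(r"www\.([\w-]+(?:\.[\w-]+)+)", re.I)  # captures the site domain

def find_earmarks(raw):
    """Return the earmarks described in the post that appear in a raw message."""
    msg = message_from_string(raw)
    subject, body = msg.get("Subject", ""), msg.get_payload()
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    subject_words = set(re.findall(r"[A-Z]+", subject.upper()))
    body_domains = {d.lower() for d in ADDR_RE.findall(body)}
    site = SITE_RE.search(body)
    checks = [
        ("all-caps subject", subject.isupper()),
        ("contact/urgency word in subject", bool(subject_words & CONTACT_WORDS)),
        ("money word in subject", bool(subject_words & MONEY_WORDS)),
        ("stray comma in From display name", display.strip().endswith(",")),
        ("bulk Bcc recipients", "undisclosed" in msg.get("To", "").lower()),
        ("body reply address not on From domain",
         bool(body_domains) and sender_domain not in body_domains),
        ("reply address not on linked website's domain",
         bool(site and body_domains) and site.group(1).lower() not in body_domains),
        ("salutation without a name", bool(re.search(r"^Attn:\s*$", body, re.M))),
        ("asks for banking details", bool(re.search(r"bank(ing)? details", body, re.I))),
    ]
    return [name for name, hit in checks if hit]

if __name__ == "__main__":
    print("\n".join(find_earmarks(SAMPLE)))
```

As the post notes, no single earmark proves anything, so the list is best treated as a count to weigh rather than a verdict.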
