When you receive an e-mail from a deposed Nigerian king requesting help with money, you know it’s time to hit the delete button.
But when such a plea comes bearing a familiar name and e-mail address, there’s more incentive to read the message—and maybe even send off some cash. And apparently some people do, making the stranded-friend scam the hottest e-mail hoax of the summer.
In this ruse, you receive an e-mail supposedly from someone you know saying that he or she is stranded abroad (typically in England or Wales) and needs a quick cash loan to return home, typically requested in the form of a Western Union wire transfer.
The usual sob story: I was robbed at gunpoint and lost everything.
This scam actually starts weeks or months earlier, with the hacking of someone else’s e-mail account—not yours. The hacking is usually done in one of two ways, says John Kane of the National White Collar Crime Center, which runs the Internet Crime Complaint Center with the FBI.
Scammers can infect an e-mail user’s computer with malware that logs keystrokes, providing the crooks with account user names and passwords. Typically, the malware is installed invisibly when the computer user clicks on an enticing online link.
Another approach scammers use is to distribute “phishing” e-mails—such as information requests purporting to be from your e-mail provider or bank—and collect passwords and other personal data that allow the hacking. They send millions of phishing messages at a time, “so even if their response rate is a fraction of a percent, that’s a lot of potential victims,” says Kane.
Once they have a user name and password, the scammers sign on, and may change the password—with that, they take control of the account and lock the real owner out. Then they send out a stranded-friend plea to you and other people on the account’s contacts list.
This type of swindle was detailed last year by Scam Alert, but recent activity has triggered new warnings this summer from the Internet Crime Complaint Center, the FBI and others.
Even some of us at AARP have been hit. In the past few weeks, one of my colleagues, his daughter and brother-in-law all got “stranded in London” messages from different accounts. The e-mail account of another colleague was taken over by the scammers.
And I just received one, purportedly from an AARP member with whom I exchanged e-mail some time ago, thereby putting my e-mail address in her contacts list.
To see what would happen, I played along. From an alternative e-mail account with a phony name that I use to investigate spam, I offered to send “Joy” the money needed to get her home from the United Kingdom. But understanding how stressed she must be at having been “robbed at gunpoint,” I suggested dispatching the rescue loot directly to her hotel to save her a trip to the local Western Union branch.
The scammer, claiming to be Joy, responded twice. The amount I was supposed to send was upped to $1,950. I was given no hotel name but instead the name of a supposed hotel manager and a phone number. A quick Google search showed that the phone number—a listing in England—had been used in this scam before.
A few days later, the authentic Joy realized her e-mail had been hacked, and apologized for the bogus alerts.
What to do about the stranded-friend scam:
* If you receive this or any e-plea for money, don’t respond or click on any attached link. That should keep you, your money and your computer safe. But even a simple e-mail reply to the scammers brings you to their attention and could make you the target of future hassles.
* If the stranded story somehow sounds plausible, authenticate it with a phone call to the friend.
* Never use your primary account to answer unsolicited e-mails from strangers. If you do choose to respond, open a free account at such services as Hotmail, Gmail or Yahoo.
* Protect your own e-mail account by frequently changing passwords and running virus scans. You may be able to increase malware detection by adding another anti-virus product to your usual regimen; freebies include Avast and Ad-Aware.
* If your e-mail account gets taken over by hackers, your first step is to call your provider, which may have a remedy action plan. If “help me” notices from your address continue to plague your friends, you may want to open a new primary e-mail account.
Sid Kirchheimer writes about consumer and health issues.