How the Emailspiel Caught a Scammer

It all started on the morning of Monday 2 February 2015 shortly after 9am.  My operations manager received an email purporting to come from a retired lady client of ours requesting a valuation.  I’ll call the client Josie – not her real name.  A short while later an identical email came addressed to me. The email address checked out with the one we had on file but we had a bad feeling about it, the syntax seemed odd, so we replied stalling and asking if she had any plans for the cash, a new car maybe?  A reply came back requesting that we initiate a transfer ‘to secure a vital business deal’.  This rung alarm bells and we never transfer money based purely on an email request anyway, we always phone the client to check any request is really from them. So, we tried phoning Josie.  Getting no answer to our calls we left messages on her mobile answering service.  In between times we kept the email conversation going with some generic information about timescales and methods of making payment.  Then Josie called.  She knew nothing of the emails we’d been sent.  Checking with her phone company it turned out she’d been sent two emails to her smart phone that morning.  Not recognising the sender she’d deleted the first but had opened the second without realising it.  Attached to it was a virus which ripped her entire contact list from her phone and allowed the scammers to clone her AOL email account.  I’m guessing they went through her contact list, found two email addresses at our domain, checked out our website and seeing we are in financial services, put two and two together to realise Josie probably had money with us.

We advised Josie to speak to the police immediately and to change her passwords.  We also asked if she’d be happy for us to string the scammers along to see if we could get more information on them. She gave us the go ahead and the ‘emailspiel’ started.  I call it the ‘emailspiel’ – email play – because the idea behind it was inspired by the Second World War funkspiel (radio play) counterintelligence operation run by the German Abwehr to lure SOE agents into Holland.  My idea was to lure the scammers to our office where West Yorkshire CID would stand in for the Gestapo.  I also phoned Action Fraud.  After wasting the best part of an hour, they weren’t interested, assuring me there was no chance of catching them and advised me to discontinue contact.  They did however assure me that my information was valuable.  Yeah, right.

With the go-ahead from Josie our emailspiel commenced.  We emailed the scammers asking ‘Josie’ for the sort code and account number she wanted to use.  If nothing else I was determined to get the bank account frozen.  I figure that the more accounts are taken out of use the harder it is for these people to operate.  ‘Josie’ replied saying she was out of the country and wanted to use a different account to her normal one – exactly what we’d expected.  We noticed that her emailed replies were timed earlier than ours.  We figured she was in a timezone an hour or two east of GMT – central or Eastern Europe.  That was another danger sign. At this point my Ops Manager getting nervous with visions of upset Russian mafia hitmen turning up in Castleford, so I took over the correspondence.  I played along, wishing ‘Josie’ luck with her new business venture and saying I was sorry to see her go.  They were hooked.  In came an email asking how fast the funds could be transferred.  This email was interesting.  Josie’s surname has an ‘I’ in it.  The latest email however had a double-I where the single I had previously been.  Josie having changed her password, the scammers had lost their cloned AOL account.  Hoping we wouldn’t notice, they’d set up a near-identical alternative. We noticed.

I replied giving a seven to ten working days timescale for payment and again asked for her bank details.  By now it was afternoon. They replied giving bank account details at a branch in Manchester for an accountholder with an Asian name – I’ll call him Mr K. They wanted £29,080 transferring.  Straight away we contacted Action Fraud asking that they have the bank close the account.  Action Fraud said they couldn’t help.  I’d need to do it myself.  I started referring to them as ‘Inaction Fraud’.

Having a branch of the same bank here in Castleford we went in, explained the situation and asked them to contact their internal security people.  To our amazement they said that as their internal systems were so slow it would take weeks for the report to get to the right place if it ever got there at all and we’d be better off contacting the branch direct.  I was starting to understand why fraud is such a massive problem and why the scammers so often get away with it. I wrote to the bank but never had an acknowledgment of any kind, despite several chase letters. Hopefully the account was eventually frozen.

To keep the scammers warm we faked up a ‘sold’ contract note and told them the deal had been done.  They thanked us politely.  The next day they emailed my Ops Manager again ‘to confirm the process of the sales today’.  I replied saying she was in Australia on holiday for six weeks and saying it would take 10 days for the payment to clear.  Fast forward six days and on 9th February they emailed again asking for an ‘ongoing sales update’.  I sent a one-liner saying we were waiting for the product provider to pay out. 13th February. They emailed saying they’d waited 9 days.  Correct!  We kept them hanging on.

16th February.  A terse email arrived complaining that no funds had been deposited yet.  I replied saying the provider had paid us owing to the anti-money laundering regulations preventing them paying it to a third-party account.  I offered to deliver the cash to the Manchester contact or, alternatively, they could collect it from us.  They came back asking us to pay the funds over to Mr K by bank transfer but I replied pleading the anti-money laundering regulations and suggesting they send their friend to pick up the cash.  Back they came again asking that just £5000 be transferred – not the £29,080 they’d originally requested – and telling me to keep £500 for my trouble.  Nice try!  We stonewalled citing the anti-money laundering regulations and again asked them to ‘pick up the cash’ but to give me a couple of days’ notice. 

They bit.  On Tuesday 17th February they confirmed Mr K would pick up the cash.  They asked where we could “hook up”.  I suggested an M62 service station.  I wanted to keep it away from the office in case of any rough stuff, plus I figured that a service station would be easy for the police to seal off.  Visions of scammers legging it cross-country over snow covered Pennine hills…

While all this was going on, I was talking to the local CID – or trying to.  My calls were going unreturned and nobody appeared to be taking it seriously.  I needed to play for time while the cops got organised.  Or at least got interested.  It wasn’t looking good for organising something on the motorway.  My next ploy involved inventing a new staff member ‘David Hardy’ who told the scammers that “Mr Liversidge has had to fly out to Brussels on urgent business”, putting off the collection to the following Monday. 

Back came a stroppy email complaining about the delay.  ‘David’ replied saying they’d need to pick the funds up from the office.  We offered a 4pm appointment for Friday 20th February.   They took the bait and emailed a scanned driver’s license to satisfy our demands for ID evidence.  The collection was to be made by a Ugandan lady I’ll call Mrs N.  She was to from our office at 4pm Friday 20th February 2015.  The meeting was on.  The only problem was, that with less than 24 hours to go, I still had no real interest from the police.

Thursday evening 19th February.  I finished my regular BBC spot and called into the main Killingbeck police station in East Leeds.  Explaining the situation, the CID got interested at last.  I drove back to Castleford to meet two detective constables and to give a witness statement.  That was as much as they could do.  They were off the next day.  I’d need to go through it all again with two different officers the next day.  Great.

Friday 20th February.  A detective called.  This guy at least was on the ball.  I told them to keep the uniforms away from the office in case it was being watched.  We agreed that they’d come in around 3pm to be in place before Mrs N arrived.  Plain clothes officers would be in the street.  We sat drinking coffee and chatting, me and the two detectives, waiting for 4pm to arrive.  The game plan was that once Mrs N rang our doorbell the cops would hide in the back room in earshot while I engaged her in conversation to see what her story was.  My PA, Toni, was to go in the back room with them just in case it got rough. 

There was a lot of joking around.  I could tell from their faces that they though it would be a no-show.  Then one said “What if they do turn up and they’re carrying a sawn-off?”  It had occurred to me that things might get heavy.  Supposedly one woman would be coming alone but who was to say there wouldn’t be somebody with her?  By my desk I had an old gas-lift leg from a broken office swivel chair.  Fifteen inches long, steel, an inch and a half in diameter and weighing a full kilo.  At the first sign of any kind of weapon I had every intention of connecting it with the offender’s head.  They wouldn’t have got up again.

At 4pm my phone rang.  Mrs N was in the street and looking for our office.  Toni and the cops scrambled into the back room.  On our cameras I could see she was alone.  I buzzed her in and asked her to sit in my office.  I asked how she knew Josie.  Through her brother supposedly.  He and Josie were going into the art business.  They were in New York buying stock.  Except that I knew the real Josie was at home in Huddersfield.

The cops had heard enough.  In they came and made the arrest.  A plain clothes female officer was let in from the street and we gave her the back room to search Mrs N.  She was very cool and claimed to be an innocent dupe who’d been set up by her brother.  Maybe she was. Whatever the reason, she wasn’t prosecuted.  Her brother is still wanted as is Mr K.  We did all we could but it was an uphill struggle from start to finish.  There seems to be little will in law enforcement to defeat fraud and so long as the will is lacking, the fraud pandemic will continue.

Neil F Liversidge