Employment Scam

Interesting story of an old-school remote-deposit capture fraud scam, wrapped up in a fake employment scam.

Slashdot thread.

Posted on June 10, 2019 at 6:18 AM • 16 Comments

Comments

Denton Scratch • June 10, 2019 9:37 AM

Sorry, I don't get it.

Lee says "Thus began a two-day odyssey that nearly ended with my new "employers" draining the contents of my bank account." Umm, how does he figure that? The prospective employer sent him a cheque, and asked him to deposit it, and then send him a scan of the deposit receipt.

How does that enable the scammer to drain the contents of Lee's bank account?

Lee references an article by someone called Alison Doyle, on the balancecareers.com website, and says that the article explains the remote deposit capture fraud. But that article doesn't mention any fraud with the structure that Lee is describing. Googling "remote deposit capture fraud" results in descriptions of a fraud in which the *depositor* defrauds *the drafter* by double-dipping - depositing the same cheque twice.

There's a comment to Lee's article, that purports to explain the scam: the cheque is forged, against the account of some apparently-respectable business, and won't be honoured. The recipient thus doesn't get the promised funds. But this wasn't in prospect, in Lee's case; I assume he wouldn't have shelled out for a new computer and printer without first seeing the cheque clear. And anyway, how would him buying that kit have benefited the fraudster?

My guess is that the deposit receipt that the fraudster wanted Lee to scan and send contained information that the fraudster could use to take control of his account. But that isn't explained anywhere; and if it's true, then presumably that applies to all cheque deposit receipts, not just to remote deposit capture receipts.

Anyhow, if it's the receipt that is the key to the scam, then all deposit receipts should have the words "EAT ME NOW!" printed on them in large letters. Like, it's just nuts if a deposit receipt is all you need to take over a bank account.

I think Lee's probably full of it.

RealFakeNews • June 10, 2019 10:52 AM

@Denton Scratch:

I reached the same conclusion; if there is any scam here, it is related to the receipt.

I otherwise fail to see the scam.

The method of finding work/getting paid seems how most remote jobs work.

An agenda against remote-working?

QERikwYRSu5zrq87N9yzy69ZAfDjYW • June 10, 2019 1:22 PM

The scam is probably something along the lines of them saying that they accidentally sent a check for too large of an amount and then asking for you to wire them back money. That or they ask you to buy things for the job from them/an affiliate or some other form of "fee" needed before you can start working. Either way, you think the amount of money they are asking for is less than the check that they just sent you which lowers your guard because you don't see the scam.

mrfox • June 10, 2019 2:19 PM

@Denton Scratch, @RealFakeNews

The check the "employer" sent is (obviously) fraudulent, but the bank might not notice in time before the scammers in turn issue more fraudulent checks, this time against the victim's account (which is why they want the deposit slip). One of the article comments has a good detailed explanation.

Jesse Thompson • June 10, 2019 4:57 PM

@mrfox Well, the deposit slip doesn't give the full account number of the receiving account, does it? Without that full account number, nobody can try to issue fraudulent checks against your account.

Key point, don't tell strangers (or if you can help it, even friends) your bank account number. :S

MikeA • June 10, 2019 5:26 PM

Telling others about your bank account number is almost inevitable if you use a paper check, which has your account number (and the bank it is drawn on) printed for all to see. I, too, have some questions about getting a usable set of numbers off a deposit slip. It has been years since I got a slip with the full account number, or for that matter a credit-card receipt with the full account number. I could _guess_ that in this case the account number on the check from the "recruiter" would be one for which they had access to the online statements, so they could see the "destination address", but that also leaves questions.

Back to checks... IIRC Don Knuth had a problem when a recipient of one of his "bug bounty" checks posted an image of the check to some social site, and fraudsters used that info to steal from that account. This was some time ago so my memory of the details could be fuzzy, but I have to wonder if this was the motivation for founding the Bank of San Serriffe.

Ah, yes, explained at:

https://www-cs-faculty.stanford.edu/~knuth/news08.html

SpaceLifeForm • June 10, 2019 5:39 PM

Deposit Receipt may only reveal partial account number, but, other pieces of information that attacker can glean routing number from (possibly/probably) from other means like prior attacks.

Then, brute force the account number thru trial and error.

Online. Over the weekend.

Denton Scratch • June 10, 2019 6:55 PM

@mrfox:

Yeah, I read that comment. That's not the same scam. He's describing a double-dipping fraud.

I still think it's to do with the details on the scanned deposit receipt. But it's too bad that Lee didn't actually explain how he thought the scam worked. Lots of people will just crumple up a deposit receipt, and chuck it in a bin. If that scrap of paper is enough to "drain" a bank account, then that really should be the bank's responsibility, not the account holder's.

Why do USAians persist in using cheques? I received a cheque recently, drawn by the Florida Treasury Department against Wells Fargo Bank. You'd think that would be pretty sound, but it took six weeks to fully clear, and I was forced to carry the risk of the cheque being intercepted en-route from my bank to Wells Fargo (it traveled by unsecured surface mail). I rang the Florida Treasury, and asked them to make the payment by normal electronic inter-bank exchange, but they refused.

Happily, the payment eventually cleared.

Paul • June 10, 2019 6:58 PM

@Denton Scratch,

Some banks use "last deposit amount" as verification of identity and proof of account ownership.

Sitaram • June 11, 2019 2:02 AM

question for anyone: is this a "can only happen in the banking system used in the US" thing? I'm a bit confused...

Peter A. • June 11, 2019 3:35 AM

@Sitaram: yes it is.

I have no idea why Americans broke their system in such a bad way. They need to keep SSNs secret, their account numbers secret etc. while having to use them all the time.

In Europe, knowing someone else's account number allows one thing: wire him/her some money. The system, as every system, has some room for fraud or pranks, but not as absurd as the American one.

Over here, some banks offer accounts with unlimited free outgoing wires (usually covered by a larger-than-usual per-month fee). Some others charge for incoming wires (especially business accounts). This allowed for massive social media actions against unpopular institutions, urging to send them multiple wires for 0.01 of local currency at no transactional cost to attackers but incurring some loss at the target. Another thing is that banks in my country are no longer obliged to verify the recipient name or address - all that counts is the account number. This has led to several high-profile frauds by sending big companies' accountants "change of account" letters, on (easily forged) official letterhead of their contractors. If the company accountant fell for the scam, the next pay for a hefty contract went to the fraudsters... It wouldn't have happened in the now long gone "manual banking" days. The same thing also caused a spread of viruses that replace the target account in the online banking browser request (while showing the correct one on the screen) resulting in individuals or businesses sending their money to fraudsters. Once you've authorized such a wire there's little time to stop it. Most often it will go out the same day or the next working day at most; sometimes nearly instantly, depending on which system both banks use; or really instantly between accounts of the same bank. So fraudsters would open accounts with many banks (or recruit mules to do so), rewrite the target account to the one of theirs (or mule's) at the same bank and withdraw cash at an ATM as quickly as possible.

This is the cost of processing speed. Time is money, now in inverse proportion.

Petre Peter • June 11, 2019 7:15 AM

Sorry, I too didn't understand how the scam drains the account.
The unemployed can also be easy targets for data harvesting.

parabarbarian • June 11, 2019 9:16 AM

I can think of several ways this could work (Well, not me but people with more criminal talent than I'll ever have). The most obvious is that the preferred vendor is an account controlled by the scammers either directly or by some compromise. As soon as the credit card transaction for the equipment clears, the money disappears into some "haven". The equipment is promised but never shipped. The buyer complains and is refunded as the law allows. In the meantime, the fly-by-night vendor vanishes and the credit card company is out the money. In case the more doltish haven't figured it out yet, the target in that scenario is the credit card company.

In the above scenario, scanning the check and the receipt is just to help keep the fraud off the bank's radar for a little longer than a physical or direct deposit would. This makes it more likely to get past any escrow period limit imposed by the government.

wumpus • June 11, 2019 1:50 PM

Seems an impressively involved way to scam someone, probably using techniques developed in typical Nigerian prince (Spanish prisoner) fraud. There are better ways that don't require standard confidence moves of implying something for nothing, or letting the mark think he's pulling a fast one on the con man.

One job I had involved being hired by a temp agency for a specific (large multinational). I think I only talked to people with Indian accents (possibly one with a Mexican accent for the interview, but at the time I thought it could have been Indian as well).

As part of the [US] hiring process, you typically provide banking details to allow direct deposit. When I realized I would be handing this out before actually showing up anywhere for work (all interviews were over the phone), I moved everything in my checking account to savings account (which they wouldn't have access to) before handing over that information.

When it was clear that it was a legitimate job, I moved the money back so I could pay my bills.

Even so, the first check came on paper and thus the bank put a hold on it. Not something you want coming off of unemployment...

Thunderbird • June 11, 2019 3:03 PM

I assume the actual scam would have been the old "wire us the overage" deal, but they never got that far. The scammer wanted to see the deposit slip to create verisimilitude and if they happened to get the account number that would be a bonus. It was a long article for the amount of actual information, I thought the interesting point was the fake employment interviews.

It isn't really surprising, since H.R. "people" treat prospective employees so poorly that you aren't likely to notice the norms aren't being followed. I understand if you're not offered a job it is unusual to even get an email back.

Sitaram • June 11, 2019 10:51 PM

@Peter A.

Thanks. India is the same as you said, too [1].

The conditions enabling the frauds you describe in your third paragraph, exist here also. Wire transfers are near instant, even across banks, with the recipient getting an SMS confirmation within a few minutes.

However, in India it is very rare for someone, especially someone who is operating a business, to close an account. There is generally no charge for dormant accounts, so even if you start operating some other account, there's no reason to *close* an existing one. As such, I suspect any letter -- even on a perfectly forged letterhead -- claiming so will be looked askance, and generate at least a phone call.

At least that is what I think will happen; I should ask around I guess, just out of curiosity.

[1] modulo the damnable "aadhaar" system where, I am somewhat reliably led to believe, if someone can spoof your fingerprints they can take up to 10,000 rupees out of your account per day. Admittedly a higher bar than merely knowing a couple of numbers though :)
