June 30, 2021

Imagine waking up each morning knowing the identities of thousands of people who are about to be mugged for thousands of dollars each. You know exactly when and where each of those muggings will take place, and you’ve shared this information in advance with the authorities each day for a year with no outward indication that they are doing anything about it. How frustrated would you be?

A counterfeit check image [redacted] that was intended for a person helping this fraud gang print and mail phony checks tied to a raft of email-based scams. One fraud-fighting group is intercepting hundreds to thousands of these per day.

Such is the curse of the fraud fighter known online by the handles “Brianna Ware” and “B. Ware” for short, a longtime member of a global group of volunteers who’ve infiltrated a cybercrime gang that disseminates counterfeit checks tied to a dizzying number of online scams.

For the past year, B. Ware has maintained contact with an insider from the criminal group that’s been sending daily lists of would-be victims who are to receive counterfeit checks printed using the real bank account information of legitimate companies.

“Some days we’re seeing thousands of counterfeit checks going out,” B. Ware said.

The scams used in connection with the fraudulent checks vary widely, from fake employment and “mystery shopper” schemes to those involving people who have been told they can get paid to cover their cars in advertisements (a.k.a. the “car wrap” scam).

A form letter mailed out with a counterfeit check urges the recipient to text a phone number after the check has been deposited.

Most of the counterfeit checks being disseminated by this fraud group are in amounts ranging from $2,500 to $5,000. The crimes that the checks enable are known variously as “advanced fee” scams, in that they involve tricking people into making payments in anticipation of receiving something of greater value in return.

But in each scheme the goal is the same: Convince the recipient to deposit the check and then wire a portion of the amount somewhere else. A few days after the check is deposited, it gets invariably canceled by the organization whose bank account information was on the check. And then person who deposited the phony check is on the hook for the entire amount.

“Like the car wrap scam, where they send you a check for $5,000, and you agree to keep $1,000 for your first payment and send the rest back to them in exchange for the car wrap materials,” B. Ware said. “Usually the check includes a letter that says they want you to text a specific phone number to let them know you received the check. When you do that, they’ll start sending you instructions on how and where to send the money.”

A typical confirmation letter that accompanies a counterfeit check for a car wrap scam.

Traditionally, these groups have asked recipients to transit money via wire transfer. But these days, B. Ware said, the same crooks are now asking people to forward the money via mobile applications like CashApp and Venmo.

B. Ware and other volunteer fraud fighters believe the fake checks gang is using people looped into phony employment schemes and wooed through online romance scams to print the counterfeit checks, and that other recruits are responsible for mailing them out each day.

“More often than not, the scammers creating the shipping labels will provide those to an unwitting accomplice, or the accomplice is told to log in to an account and print the labels,” B. Ware explained.

Often the counterfeit checks and labels forwarded by B. Ware’s informant come with notes attached indicating the type of scam with which they are associated.

“Sometimes they’re mystery shopper scams, and other times it’s overpayment for an item sold on Craigslist,” B. Ware said. “We don’t know how the scammers are getting the account and routing numbers for these checks, but they are drawn on real companies and always scan fine through a bank’s systems initially. The recipients can deposit them at any bank, but we try to get the checks to the banks when we can so they have a heads up.”

SHRINKING FROM THE FIREHOSE?

Roughly a year ago, B. Ware’s group started sharing its intelligence with fraud investigators at FedEx and the U.S. Postal Service — the primary delivery mechanisms for these counterfeit checks.

Both the USPS and FedEx have an interest in investigating because the fraudsters in this case are using stolen shipping labels paid for by companies who have no idea their FedEx or USPS accounts are being used for such purposes.

“In most cases, the name of the sender will be completely unrelated to what’s being sent,” B. Ware said. “For example, you’ll see a label for a letter to go out with a counterfeit check for a car wrap scam, and the sender on the shipping label will be something like XYZ Biological Resources.”

But B. Ware says a year later, there is little sign that anyone is interested in acting on the shared intelligence.

“It’s so much information that they really don’t want it anymore and they’re not doing anything about it,” B. Ware said of FedEx and the USPS. “It’s almost like they’re turning a blind eye. There are so many of these checks going out each day that instead of trying to drink from the firehouse, they’re just turning their heads.”

FedEx did not respond to requests for comment. The U.S. Postal Inspection Service responded with a statement saying it “does not comment publicly on its investigative procedures and operational protocols.”

ANY METHOD THAT WORKS

Ronnie Tokazowski is a threat researcher at Agari, a security firm that has closely tracked many of the groups behind these advanced fee schemes [KrebsOnSecurity interviewed Tokazowski in 2018 after he received a security industry award for his work in this area].

Tokazowski said it’s likely the group B. Ware has infiltrated is involved in a myriad other email fraud schemes, including so-called “business email compromise” (BEC) or “CEO scams,” in which the fraudsters impersonate executives at a company in the hopes of convincing someone at the firm to wire money for payment of a non-existent invoice. According to the FBI, BEC scams netted thieves nearly $2 billion in 2020 — far more than any other type of cybercrime.

In a report released in 2019 (PDF), Agari profiled a group it dubbed “Scattered Canary” that is operating principally out of West Africa and dabbles in a dizzying array of schemes, including BEC and romance scams, FEMA and SBA loans, unemployment insurance fraud, counterfeit checks and of course money laundering.

Image: Agari.

Tokazowski said he doesn’t know if the group B. Ware is watching has any affiliation with Scattered Canary. But he said his experience with Scattered Canary shows these groups tend to make money via any and all methods that reliably produce results.

“One of the things that came out of the Scattered Canary report was that the actors we saw doing BEC scams were the same actors doing the car wrap and various Craigslist scams involving fake checks,” he said. “The people doing this type of crime will have tutorials on how to run the scam, how to wire money out for unemployment fraud, how to target people on Craigslist, and so on. It’s very different from the way a Russian hacking group might go after one industry vertical or piece of software or focus on one or two types of fraud. They will follow any method they can that works.”

Tokazowski said he’s taken his share of flack from people on social media who say his focus on West African nations as the primary source of these advanced fee and BEC scams is somehow racist [KrebsOnSecurity experienced a similar response to the 2013 stories, Spy Service Exposes Nigerian ‘Yahoo Boys’, and ‘Yahoo Boys’ Have 419 Facebook Friends].

But Tokazowski maintains he has been one of the more vocal proponents of the idea that trying to fight these problems by arresting those involved is something of a Sisyphean task, and that it makes way more sense to focus on changing the economic realities in places like Nigeria, which has been a hotbed of advanced fee activity for decades.

Nigeria has the world’s second-highest unemployment rate — rising from 27.1 percent in 2019 to 33 percent in 2020, according to the National Bureau of Statistics. The nation also is among the world’s most corrupt, according to 2020 findings from Transparency International.

“Education is definitely one piece, as raising awareness is hands down the best way to get ahead of this,” Tokazowski said. “But we also need to think about ways to create more business opportunities there so that people who are doing this to put food on the table have more legitimate opportunities. Unfortunately, thanks to the level of corruption of government officials, there are a lot of cultural reasons that fighting this type of crime at the source is going to be difficult.”


46 thoughts on “We Infiltrated a Counterfeit Check Ring! Now What?

  1. Larry

    I was a non-victim of a Craigslist scam. I listed an item, got an immediate response from someone who said that it looked perfect from my photos, and sent me a check for $1,500 saying to cash it and pay the movers who would come to pick up my item in cash. The check was for twice what I asked, and was more than the new price of the item I was selling. As the check came fedEx from Indiana but was billed to a company in California I put everything together and realized it was a scam. I contacted the company whose FedEx account it was who said they had a case open with FedEx regarding 250 incidents of charges on their account that were fraudulent like mine. The check looked legitimate, the payor was an estate trust, and it was drawn on a major financial institution. I still have the check.

    Reply
    1. Art

      Larry, same exact attempt at scamming me from Craigslist. During the attempt, I managed to get a cell number that lit up the internet searches with attempted scams. The bank and FedX were not interested, seems they already had investigations going. But I never see these guys being arrested. I guess its not as exciting as working on “major” crimes.

      Reply
      1. JamminJ

        Even when there are arrests made… How would people hear about them? Do you rely on the news to cover the arrests? It’s not that law enforcement doesn’t care, it’s that the news doesn’t care.
        Even Krebs, a very niche site devoted to reporting the comeuppance of these ne’er do wells… Still can only report the major crime ring busts.

        Reply
  2. Mahhn

    Your report makes me wonder if these malicious actors in Nigeria are the same organization as the corrupt government personal and possibly the main financial strength there.

    Reply
  3. P Mahone

    “But BWare says a year later, there is little sign that anyone is interested in acting on the shared intelligence.“

    Hello! I’m right here! BWare, let us in the financial sector know how we can collaborate!

    Reply
    1. B. Ware

      P Mahone,
      Contacting Ronnie Tokazowski might be a good place to start.

      😉
      B. Ware

      Reply
  4. W Sass

    Many banks ‘pay’ this out to cover the loss. Same as ‘Credit Cards’. Do they use this as a Tax write off and figure it’s easier to go that way rather than track down the perps.

    You have got to wonder what the totals are in losses these past 10 years with this. Is anyone listening?
    A Pawn Broker, a Car Lot, even Cardsharks will do what it takes to recover their losses.

    But the Banks….what gives?

    Reply
    1. Dillon

      “…rather than track down the perps.”

      Last line of 7th paragraph in article: “And then person who deposited the phony check is on the hook for the entire amount.”

      Banks only like to chase down legitimate customers after bad stuff happens. It’s easier for banks to make an honest person to pay back the $1,000 than for banks to spend $10,000 to track down the real perp that stole $1,000.

      Reply
      1. Kathy B

        Reality Check Time… I work for a small financial institution and we see these fake checks at least once a month. Staff has gotten pretty good at catching them, but the real frustration is when our customer lies and states that the check is for “contract work” or that they know the individual that gave them the check personally or (this one I thought was really imaginative) that they sold an antique doll on online!
        Next Reality… our bond doesn’t cover our loss if the individual is judged to be an “innocent” party and the Police are not interested in proving otherwise. If we don’t catch the check when it comes in the door, we are going to take the loss (part of our cost of doing business!)
        Last Reality, by the time a check is returned to us through the Fed, their local “victim” has already purchased the gift cards or Western Union to some grocery store and the funds have disappeared. Tracking down these people would take federal involvement which just isn’t happening. So the next time you have to pay a fee at one of those fat, rich financials you will know why.

        Reply
  5. Rick Cahoon

    Changing the economic underpinnings of places like Nigeria is also a fools errand if you think it will take less than a generation or three to have an impact. Look at Mexico, while not so much in the digital realm, the cartels have an endless supply of young people who step up to replace the carnage of their fallen neighbor. Nigeria is no different.

    Reply
    1. JamminJ

      Supply side economics would indeed be futile. But demand side, perhaps not.

      Also, interrupting the primary channels could work well against most scams.
      Eliminating the ability to spoof phone numbers or even redirect international calls to appear local… That would really disrupt operations.

      Reply
  6. SHEKIRA R BRAYLEY

    I just received one of these checks through FedEx but the person was using Jason Momoa’s Name and it came from Florida just outside of Miami the check is for $4,350 I’m so scared to cash it because I never had this happen to me…I still have the check and the FedEx Envelope that it came

    Reply
    1. Sherika Dortch

      Do not cash it!! It’s a scam to steal your money out your account, I have the same check. They sent it to me to put a logo on my truck but never did and they contacted me every day to see if I cashed the check, I told them no and they got mad! I told them I also took it to the police and they really got mad!

      Reply
  7. Stephanie

    I to have received fake checks. There still sitting in my desk in the envelope it came in with the instruction email. I have also talked to a lot of fake people trying the Love Scam. But once they ask to either send them money thru either paypal, or western union, or they ask for your personal information then they are blocked. Too many scammers out there. Cant trust anyone

    Reply
  8. Cheryl

    My brother had a similar experience received a check via FedEx from a Trust drawn off a well known bank and the girl was from Columbia. The check is for $10,000.
    I told him it was possible the check was counterfeit, and thankfully never cashed it and never heard back from the girl after the 90 days that the check is automatically voided. He still has check, envelope, etc.
    So who does he report this to?

    Reply
    1. Janice hartless

      I have a man in turkey I’ve been talking to for 10 months 6 days now not a word because I want give him my account number and routing number he says its for the company he’s working for I told him no never gonna happen

      Reply
  9. Cam

    I work for a big US based company. Counterfeits of our checks are being used in a similar scheme. They are ok looking checks. Typical versacheck crap. Shouldn’t be fooling tellers and check cashiers but they do. I interview people every week who received these checks and most of them claim they have no idea why. I assume some are too embarrassed to admit they fell for it but some genuinely never got any kind of communication before the check showed up. Not sure exactly what is going on.

    Reply
  10. The Sunshine State

    The Nigerian scammers are also very prevalent on Facebook, creating fake accounts with photos of hot women and then contacting people by IM with their phony scams

    Reply
  11. Brandy D Shepherd

    I received check for a car wrap was contacted everyday until I told them the bank kept the check to turn over to police. They was not happy at all. Told me that they could press charges on me for stealing their money. I told them to prove that I was stealing from them. They went as far as to send me a new check. Told me to go to a different bank…..

    Reply
  12. Andrew Rossetti

    We see dozens of these a month at the financial institution where I work. I’m always amazed at how gullible people are, but proud of my co-workers for being as diligent as they are in protecting our customers as best they can.

    Reply
  13. Joy Peterson

    Let me be the first to say thank you to BWare and to say that I share your frustration. Financial institutions lose hundreds of thousands of dollars to fraud every year. We are required to scan our database for “terrorists”, report suspicious activity to the Feds, track cash transactions, etc. All of this monitoring and reporting and yet nothing ever seems to happen to anyone for anything. It is discouraging and disillusioning about the way things work versus the way we are told things work. Frequently the people that are the targets of these scams are people who can least afford to lose money as a result of getting sucked in. No matter how much evidence you gather and no matter how much money is involved, the “authorities” will tell you it’s below their thresh hold or they have no authority in the country involved. In other words, roll over and accept it as the cost of doing business. In reality, the reason no one cares is that the cost of these scams is absorbed by the people at the bottom including the individual that was targeted and the bank. UPS and FedEx don’t care because they didn’t lose money. Even the bank who had their checks counterfeited doesn’t care because they didn’t lose money. Until the structure is changed so those at the top are bearing at least some of the cost, they will continue to allow it to filter down to those of us at the consumer-facing level.

    Reply
    1. Kenny J

      Well said Joy. No liabilities means no responsibility. Sad but true. This is why cyber crimes are on the rise. No one wants to share the accountability on the chain of spam crime. 😉

      Reply
    2. Emma

      You might be interested in this article- it’s part of an enormous series and there’s a lot that I haven’t read, but it’s a fascinating insight into how those systems fail so continuously.

      https://www.icij.org/investigations/fincen-files/global-banks-defy-u-s-crackdowns-by-serving-oligarchs-criminals-and-terrorists/

      I think this was a particularly illuminating quote:
      “FinCEN, which has roughly 270 employees, collects and sifts through more than two million new suspicious activity reports each year from banks and other financial firms.”
      I always suspected SARs go into a black hole.

      Reply
  14. Carl Kreider

    I have a car listed for sale on a couple of web sites and am getting offers from scammers. One had a Phoenix phone number and sent a check from New Jersey drawn on an Ohio bank. I was to cash the check and send money somewhere to pay the car carrier who was to pick up the car. Similar to the experiences detailed here.

    Reply
  15. Bob Loblaw

    Ok quick story: I was 12 years old and my 17 year old cousin came home one night and was showing me these speakers he bought from a dude selling them out of the back of a van. My cousin said ‘Can you believe it? I paid $30 bucks for these – Look (he points to the speaker box which said “Retail Value $249.99”) I paid $30 bucks for $250 speakers!’. I said ‘Um, they can just print any amount on the box. I don’t think those are actually worth 250’. He proceeded to tell me that would be false advertising yadda yadda yadda. The point is I was 12 and had enough street smarts to know he had been scammed…

    I just can’t believe people are so freakin stupid they fall for this sh!t… ‘We’ll send you $5k, you send us $4K back.’

    I am seriously running out of empathy for these ‘victims’.

    Reply
    1. JamminJ

      The propensity to fall for scams actually Increases with age.
      That’s why the elderly fall for these all the time. It’s so reliable to target seniors, that it’s baked into the business model and scripts of these scammers.

      Reply
      1. De Mail

        I am suspicious it increases with age. I bet we see this more with the elderly because they are not aware of these types of scams combined with the technology factors behind them. Since they did not grow up in the computer age most are not tech savvy and have not been made aware of these scams before. As the younger generation ages I think most folks will be wiser to it. Of course there will always be ones who lose their wits when desperation takes over.

        Reply
      2. Alex P

        I run a small IT service company and get a lot of calls for help, usually after the fact, with various scams. While people of all ages get scammed, the vast majority in my experience are older folks. I suspect that the scammers find the elderly through public records and target them as potentially easier marks.

        Reply
  16. PattiM

    Hah! As a Research Scientist for the USAF, I got exactly the same reply (from the USAF) about a current, popular rocket-builder who is illegally dumping toxic chemicals, like benzene, in plain sight. Basically, the USAF said, “We don’t care.”

    This is how you really know that our civilization is sliding ever more rapidly into collapse – when sh*t is so bad that even obvious fraud/illegality is openly ignored. (See, for example, Tainter [1998]; Tainter/Patzek [2015]; Chenoweth [2018]; etc.)

    Reply
    1. Dillon

      Have you tried taking your concern to the USAF Inspector General?

      Reply
  17. Nica

    Organized crime has an army of dutiful and desparate minions that collect information which is funneled to the masterminds at the imte. From Bottle pickers, to junkies and many others, they are given funds, or often cheap drugs/hookers/illicit materials that may be looked for in exchange for scouring for personal/business and banking information of any kind. Bottle pickers are a particularly good ruse, as it appears they are going through recycling/trash for bottles only. Pickpockets, smash and grabbers and Break+enters also funnel their information up the criminal underworld. Often via Drug dealers, and other well-networked individuals who sell information to those orchestrating these scams.

    Reply
    1. JamminJ

      Nah, the vast majority of information that scammers use… is either public, open-source, or obtained through data brokers who aggregate and sell information.
      People give up personal information willingly. They sign up for free stuff. Everyone likes free stuff, and are willing to give away their personal information for even the Chance of getting something.
      Then there is social media. People put everything out there into the world. It doesn’t take much effort to vacuum it up and package it.
      Even businesses use social media (linkedin) with tons of information to conduct scams. Scraping the API is easy.

      It’s almost never from dumpster diving in reality. With CCTV cameras and locked dumpsters, there is a lot of risk of getting caught, for a very small chance of getting what? A bit of info that was already out there on the internet.

      Reply
  18. Ed Weiss

    Probably not a good idea using a punny pseudonym if you want stuffy bank people taking you seriously, B. Ware.

    Reply
  19. Big D

    I’ve never gotten any of these (check rcv’d – send some back via W U),
    but if I did, I’d ask “hey, why not just send $$ to me thru W U to begin with ?”

    Reply
  20. lucinda

    i got one and was afraid so I went to Amscot and they verified exactly what I thought, a scam

    Reply
  21. hrafn hrafnsson

    Stop letting banks write off losses
    for scams and the lets see what
    happens.

    Reply
  22. Positive Pay

    MANY KNEW IT WAS A SCAM I worked at a bank for years and people came in frequently to cash these bogus checks as they were drawn on my bank. Many of these people knew it was a scam, but if the bank cashed the check outright, they were going to keep it all. Then the loss is to the bank and not to them. They didn’t attmept to deposit them in their own account and risk having to cover the loss. The fake checks drawn on real accounts were using a ‘positive pay’ service larger companies use, so they could not be verified and cashed in a branch. They were basically a deposit only item so the business can control which checks get honored by sending a file to the bank before the check goes through clearing process telling check #/$ amount to prevent this very type of fraud and others. Think of it as preauthorized deposit-only checks. When the person trying to cash these finds out they have to deposit them somewhere, they suddenly want to open a bank account at this very bank suddenly. I would eventually have to get rid of them, but sometimes I do not know the whole story until I ask many questions. As a salesperson, it is strange my job is is as much preventing a sale as completing one. Often, they lived no where near any branch of this bank and logically no one at the time would bank far from home/work. This is not so much the case anymore digitally of course, but the point is…MANY KNEW IT WAS A SCAM but if they got $200 (funds availablilty required by law) then they would take it. Then of course, they don’t pay it back and end up on CHEX Systems and cannot open a bank account anywhere and that is why check cashing stores exist. There are victims though, I have dealt with that too and my heart aches for some of them, but I have said enough for today.

    Reply
  23. Honeymon

    Lucky usa criminals in europe u cant even deposit small money like 50eur in bank account without going trhough the id check .proccess.
    We all know people in usa can make a lot money with all kind of frauds still carding and all kind of things europe criminals are starving lol
    Guess what usa is landof milk and honey lol

    Reply
  24. Zeric

    Many of the large scam rings are located in countries that are either corrupt or whose legal system looks the other way as long as the victim is from a different country. So if the victim is in country A, and the scammer is in country B, and country B doesn’t cooperate with the authorities in country A…. then it will just keep on happening. There is very little financial institutions or the legal system in country A can do about it. Possibly political sanctions, but that is not likely to happen for this type of issue. People need to educate themselves and not expect others to protect them as it’s pretty much impossible. As soon as one scam or crime ring is shut down, two more pop up. If one is unsure about some business offer or something sounds too good to be true, research it, talk it over with others, tread carefully and slowly. If the person is a scammer, they will be pushy and in a rush to get you to make a quick ill informed decision, that is another red flag. The harder ones to spot are the long cons, like sweetheart scams, but even the there are red flags that show up fairly fast if you are thinking rationally. The reason the sweetheart scams are often successful is that some people are making decisions from almost an exclusively emotional place having turned off any sense of logic or reason. Middle aged and older people who are lonely are especially vulnerable to this as they have few opportunities for love, so when one shows up they try to hang on to it.

    Reply
  25. Martlark

    Checks? It is almost impossible to use checks in Australia. I received one once for a legitimate sale it took me almost a month to find a bank that would allow me to deposit it. Only direct account transfers are used these days. The US financial system is so backwards!

    Reply
    1. Leigh

      Was about to write the same thing.
      I run a reasonably large company, and its been 10 years since I have signed a check.
      I’ve received one check in the last 5 years from a hospital refund.
      USA, Advanced in some area, but oh so backwards in many others.

      Reply
  26. KoSReader600000

    To JamminJ

    “Ben from Pleasant Green did a great video that outlines these scams using fake checks.”- Jamming

    Interesting video on the front money payroll check scam. I wonder if the scammer from Nigeria had someone on his side to confirm his scam was working. This would be Jenny or Jen. This Jenny could have been a phantom persona who used some of Ben’s techniques to insure front money scam chain was working. Payroll accounting requires a lot backend work such as W-2 , W-3 account setup and so on, but not the gifting scam. Some information is missing. As mentioned by other posters if the US Treasurer issued a letter to banks on these front money check scams the banks should play along and cash the checks and with hold the funds as not to alert the fraudsters. If I missed something please correct me.

    Reply
  27. jamals

    I am agree with sjtubrazy cyber lawyer, “Digital data is becoming treasure like important more and more, business data is treasure alike. Leaders of businesses should find out methods to secure their data and defend against rising cyber attacks like ransomware.”

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *