Caught a Fraudster trying to Steal Broker Identities

AgentSmith

Well-Known Member
Jan 16, 2019
Vancouver, BC
No idea where to put this in the forum.

We are advertising on Google Ads so we get lots of odd calls and emails.

I took a call, the line was not great so it was a little hard to hear the caller. I originally thought the caller was a dispatcher looking for loads. If you have ever spoken to a 5-ton domestic USA dispatcher you will know what I mean.

They said they were a shipper looking for quotes and had a load to move the next day. I looked up the company and they are a very large manufacturer in the food ingredients industry. They emailed the details of the pending shipment.

I looked up the individual who called / emailed and they do work for the company in question.

I was suspicious but still needed to do some digging and it was getting late in the day. I quoted the shipment and they liked the rate.

The next morning they said they need a few docs to get us set up as a vendor. The docs requested were:
  • Broker authorities
  • Surety Bond
  • Insurance certificate
  • W9
  • Banking details
  • References
  • SCAC code
  • Any certification like DG or CTPAT
This is not an unusual request for a new customer from a large organization.

They also called my cell as it is in my email signature pressing me to send the docs and followed up again later letting me know they will need the driver's license number as well.

I did a lot more digging and determined this individual was not genuine and was attempting to get a lot of information from us -- guessing to impersonate us for nefarious purposes.

I eventually declined the load.

I left out a lot of details because I don't want to let this individual or group know how I determined this was a fraud; it was an amateurish attempt and I don't want to help them improve.

Plus the individual in question has my cell number and I don't need them bombarding my phone or mass spamming my email in retaliation for the post.

I do know I was not their first target.

If anyone wants to know specific details I will respond only to DMs from well known members.
 
The amount of Fraud and underhanded stuff going on right now is incredible.

Full marks to you for leaving out the details that made you realize they were fake. Our once safe little group here... has grown to quite the size and not all I'm afraid are above board.

We reject new carriers at my place all the time (too new, too many violations or whatever)... I've noticed that often times the "obvious" fraudsters will say something like "Oh I'm so sorry. we're really a great company... can you please tell me why we're rejected?"

I NEVER advise why a carrier is rejected. Why would I? So that I can help them to become a better crook? My answer is always the same... "You don't meet our criteria."

Appreciate your sharing this story Agent Smith
 
It saddens me as well that we have to spend such an inordinate amount of time vetting new suppliers. In the not too distant past, it was checking potential new clients that ate up most of our day. There are still fraudulent shippers out there, but the number of criminal entities trying to scam you, one way or another, is frightening. Constant, unrelenting diligence is required every time you entertain using a new supplier. Good ones will not, or should not, be troubled if you bombard them with questions and requests for documentation or references.
 
There are sometimes emails that come in that appear to be from legitimate organizations using real names that are, in fact, phishing scams. One time, we got an email from a large corporation in the USA and the signature seemed to match up with someone that could be found on LinkedIn. The common denominator, however, was that the email addresses used in such scam emails are NEVER in the format that the company uses. In fact, it's usually something like Joe.Blow@[whatever].biz or they use the company name and then add something else. The trick to know if it's real or not is to go into the email headers. You do this as follows:
1. open the email
2. click File
3. click Properties
4. at the bottom, scroll the Internet Headers.

The headers show you the path and how you came to receive the email. In those headers, you can identify the IP address of where it came from, kind of a digital fingerprint of its origin.

Here's an example from a phishing email that tried to get people to click a link. I've highlighted the origin IP address in bold red letters:

Received: from smg3.protected.ca (205.173.252.100) by CAS1.freewire.ca
(10.10.92.13) with Microsoft SMTP Server id 14.3.498.0; Fri, 31 Jan 2025
22:30:52 -0500
Received: from va1.digdom.ca (va1.digdom.ca [64.225.54.152]) by
smg3.protected.ca (Postfix) with ESMTP id 73886260055; Fri, 31 Jan 2025
22:30:43 -0500 (EST)
Received: by va1.digdom.ca (Postfix) id 5F80190E54; Fri, 31 Jan 2025 22:30:43
-0500 (EST)
Delivered-To: rates-mtltrans.ca@va1.digdom.ca
Received: from smp1.digitaldomain.ca (smp1.digitaldomain.ca [3.96.76.145]) by
va1.digdom.ca (Postfix) with ESMTPS id 4EFC790677 for <rates@mtltrans.ca>;
Fri, 31 Jan 2025 22:30:43 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by smp1.digitaldomain.ca
(Postfix) with ESMTP id 2C69C1613AC for <rates@mtltrans.ca>; Sat, 1 Feb 2025
03:30:43 +0000 (UTC)
X-Quarantine-ID: <kNaqrdKShi3K>
X-Virus-Scanned: by SpamTitan at ca-central-1.compute.internal
X-Spam-Flag: NO
X-Spam-Score: 5.976
X-Spam-Level: *****
X-Spam-Status: No, score=5.976 tagged_above=-999 required=7.7
tests=[BAYES_00=-0.1, DMARC_NONE=0.1, HTML_FONT_LOW_CONTRAST=1,
HTML_MESSAGE=0.001, HTTP_EXCESSIVE_ESCAPES=0.001, KAM_DMARC_NONE=0.25,
KAM_DMARC_STATUS=0.01, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001,
RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,
RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SARE_RD_TO_BAD_TLD=2.5,
SCC_5_SHORT_WORD_LINES=1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
ST_KGM_MAILBX_SUB_1=1.2, T_MXG_EMAIL_FRAG=0.01]
autolearn=no autolearn_force=no
Received: from smp1.digitaldomain.ca (localhost [127.0.0.1]) by
smp1.digitaldomain.ca (Postfix) with ESMTP id 525711613A7 for
<rates@mtltrans.ca>; Sat, 1 Feb 2025 03:30:35 +0000 (UTC)
Authentication-Results: smp1.digitaldomain.ca;
dmarc=pass policy.published-domain-policy=none
policy.applied-disposition=none policy.evaluated-disposition=none
policy.policy-from=p header.from=netvision.net.il;
senderid=none;
spf=pass smtp.mailfrom=shimur4@netvision.net.il
smtp.helo=mxout4.netvision.net.il
Received-SPF: none (netvision.net.il: No applicable sender policy available) receiver=smp1.digitaldomain.ca; identity=pra; pra="shimur4@netvision.net.il"; helo=mxout4.netvision.net.il; client-ip=194.90.9.27
Received-SPF: pass
(netvision.net.il: c is authorized to use 'shimur4@netvision.net.il' in 'mfrom' identity (mechanism 'ip4:194.90.9.0/26' matched))
receiver=smp1.digitaldomain.ca;
identity=mailfrom;
envelope-from="shimur4@netvision.net.il";
helo=mxout4.netvision.net.il;
client-ip=194.90.9.27
X-ST-Greylist: delayed 901 seconds at smp1.digitaldomain.ca, Fri, 31 Jan 2025 22:30:34 EST
Received: from mxout4.netvision.net.il (mxout4.netvision.net.il [194.90.9.27])
by smp1.digitaldomain.ca (Postfix) with ESMTP id E073216139F for
<rates@mtltrans.ca>; Sat, 1 Feb 2025 03:30:34 +0000 (UTC)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="Boundary_(ID_sMVo6efmqZAPhKTu2VJB2g)"
Received: from WIN-OGPPCN056L8 ([83.147.54.94]) by mxout4.netvision.net.il
(Oracle Communications Messaging Server 8.0.2.1.20180104 64bit (built Jan 4
2018)) with ESMTPSA id <0SQZ00ELEIDUVQ20@mxout4.netvision.net.il> for
rates@mtltrans.ca; Sat, 01 Feb 2025 05:15:33 +0200 (IST)
From: System Server <shimur4@netvision.net.il>
Subject: ACTION REQUIRED: Server Security ID 1/31/2025
To: <rates@mtltrans.ca>
Date: Fri, 31 Jan 2025 22:15:32 -0500
Message-ID: <31302025011522E61A01BEB8-A4E744F2CA@netvision.net.il>
X-SMG-Information: Please contact the ISP for more information
X-SMG-ID: 73886260055.AB105
X-SMG-Scanner: Found to be clean
X-SMG-SpamCheck: not spam, SpamAssassin (cached, score=2.49, required 5,
autolearn=disabled, HTML_MESSAGE 0.00, HTTP_EXCESSIVE_ESCAPES 1.52,
SPF_SOFTFAIL 0.97, URIBL_BLOCKED 0.00)
X-SMG-SpamScore: oo
X-SMG-From: shimur4@netvision.net.il
X-SMG-Spam-Status: No
Return-Path: shimur4@netvision.net.il
X-MS-Exchange-Organization-AuthSource: CAS1.freewire.ca
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report:
DV:3.3.16631.866;OrigIP:205.173.252.100

Although it says the email address may be from Israel (.il), the IP address is actually in The Netherlands if you pop that into the website who.is:

IP Whois
NetRange: 194.0.0.0 - 194.255.255.255
CIDR: 194.0.0.0/8
NetName: RIPE-CBLK2
NetHandle: NET-194-0-0-0-1
Parent: ()
NetType: Allocated to RIPE NCC
OriginAS:
Organization: RIPE Network Coordination Centre (RIPE)
RegDate: 1993-07-21
Updated: 2025-02-10
Comment: These addresses have been further assigned to users in the RIPE NCC region. Please note that the organization and point of contact details listed below are those of the RIPE NCC not the current address holder. ** You can find user contact information for the current address holder in the RIPE database at http://www.ripe.net/whois.
Ref: https://rdap.arin.net/registry/ip/194.0.0.0

ResourceLink: https://apps.db.ripe.net/db-web-ui/query
ResourceLink: https://apps.db.ripe.net/search/query.html
ResourceLink: whois.ripe.net


OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2013-07-29
Ref: https://rdap.arin.net/registry/entity/RIPE

ReferralServer: whois.ripe.net
ReferralServer: whois://whois.ripe.net
ResourceLink: https://apps.db.ripe.net/db-web-ui/query
ResourceLink: https://apps.db.ripe.net/search/query.html

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName: Abuse Contact
OrgAbusePhone: +31205354444
OrgAbuseEmail: abuse@ripe.net
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3850-ARIN

OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: hostmaster@ripe.net
OrgTechRef: https://rdap.arin.net/registry/entity/RNO29-ARIN

You can contact the abuse email address to alert them. Ultimately, if a scammer has used their server to launch a phishing attack, their server logs will have a record of where it came from.

In short, always check the headers and if something looks pretty boilerplate with a bland or logo-free signature (or no official signature) from a well known company, then it is probably a scam.
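To make the header walk above concrete, here is an added Python example (my code, not code from the post above or from any mail product named in it) that unfolds the Received: lines quoted above and lists the relay hops oldest first, which is the order to read them in, since each server prepends its own line. SAMPLE_HEADERS is a copy of the Received:, From: and To: lines from the quoted block with continuation lines re-indented so they unfold; the function names are mine.

```python
"""Walk the Received: chain of an email header block and list the relay hops.

Added example, not code from the forum post. SAMPLE_HEADERS copies the
Received:/From:/To: lines quoted in the post; continuation lines are
indented so they unfold correctly.
"""
import ipaddress
import re

SAMPLE_HEADERS = """\
Received: from smg3.protected.ca (205.173.252.100) by CAS1.freewire.ca
 (10.10.92.13) with Microsoft SMTP Server id 14.3.498.0; Fri, 31 Jan 2025
 22:30:52 -0500
Received: from va1.digdom.ca (va1.digdom.ca [64.225.54.152]) by
 smg3.protected.ca (Postfix) with ESMTP id 73886260055; Fri, 31 Jan 2025
 22:30:43 -0500 (EST)
Received: by va1.digdom.ca (Postfix) id 5F80190E54; Fri, 31 Jan 2025 22:30:43
 -0500 (EST)
Received: from smp1.digitaldomain.ca (smp1.digitaldomain.ca [3.96.76.145]) by
 va1.digdom.ca (Postfix) with ESMTPS id 4EFC790677 for <rates@mtltrans.ca>;
 Fri, 31 Jan 2025 22:30:43 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by smp1.digitaldomain.ca
 (Postfix) with ESMTP id 2C69C1613AC for <rates@mtltrans.ca>; Sat, 1 Feb 2025
 03:30:43 +0000 (UTC)
Received: from smp1.digitaldomain.ca (localhost [127.0.0.1]) by
 smp1.digitaldomain.ca (Postfix) with ESMTP id 525711613A7 for
 <rates@mtltrans.ca>; Sat, 1 Feb 2025 03:30:35 +0000 (UTC)
Received: from mxout4.netvision.net.il (mxout4.netvision.net.il [194.90.9.27])
 by smp1.digitaldomain.ca (Postfix) with ESMTP id E073216139F for
 <rates@mtltrans.ca>; Sat, 1 Feb 2025 03:30:34 +0000 (UTC)
Received: from WIN-OGPPCN056L8 ([83.147.54.94]) by mxout4.netvision.net.il
 (Oracle Communications Messaging Server 8.0.2.1.20180104 64bit (built Jan 4
 2018)) with ESMTPSA id <0SQZ00ELEIDUVQ20@mxout4.netvision.net.il> for
 rates@mtltrans.ca; Sat, 01 Feb 2025 05:15:33 +0200 (IST)
From: System Server <shimur4@netvision.net.il>
To: <rates@mtltrans.ca>
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(raw):
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def received_values(raw):
    """Received: values in on-the-wire order (newest hop first)."""
    return [line.split(":", 1)[1].strip()
            for line in unfold(raw).splitlines()
            if line.lower().startswith("received:")]


def parse_hop(value):
    """Split one Received: value into sender name, sender IP, receiving host, timestamp."""
    if value.startswith("by "):            # local hand-off with no 'from' clause
        sender, rest = "", value[3:]
    else:
        sender, _, rest = value.partition(" by ")
    from_m = re.match(r"from\s+(\S+)", sender)
    ip_m = IPV4.search(sender)             # sender side only, so 'id 14.3.498.0' is ignored
    by_m = re.match(r"(\S+)", rest)
    date = value.rsplit(";", 1)[1].strip() if ";" in value else ""
    return {"from": from_m.group(1) if from_m else "",
            "ip": ip_m.group(1) if ip_m else "",
            "by": by_m.group(1) if by_m else "",
            "date": date}


def trace(raw):
    """Hops ordered oldest first: each relay prepends its line, so read bottom-up."""
    return [parse_hop(v) for v in reversed(received_values(raw))]


def public_hops(hops):
    """Hops whose sender IP is globally routable (drops loopback / RFC 1918 hand-offs)."""
    return [h for h in hops if h["ip"] and ipaddress.ip_address(h["ip"]).is_global]


def earliest_public_hop(hops):
    """First Internet-facing submission: the origin, if the chain is not forged."""
    p = public_hops(hops)
    return p[0] if p else None


def last_public_hop(hops):
    """External relay that handed the message to the recipient's own servers."""
    p = public_hops(hops)
    return p[-1] if p else None


if __name__ == "__main__":
    hops = trace(SAMPLE_HEADERS)
    for n, h in enumerate(hops, 1):
        print(f"{n}: {h['from'] or '(local)':28} {h['ip']:16} -> {h['by']:26} {h['date']}")
    print("origin:", earliest_public_hop(hops))
    print("entry :", last_public_hop(hops))
```

Only the Received: lines added by servers you trust are authoritative; everything below them was supplied by the sender and can be forged, so the "origin" the script reports is only as good as the chain. In this sample the earliest hop is a client calling itself WIN-OGPPCN056L8 at 83.147.54.94 submitting through mxout4.netvision.net.il over authenticated SMTP (ESMTPSA), and the last public hop, 205.173.252.100, is the same address the X-MS-Exchange-Organization-Antispam-Report line records as OrigIP.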
 
Email headers :) They tell a great story. Great resource, also don't forget to verify DKIM info to ensure the source email isn't spoofed by someone with more than a script kiddie's mindset.

99% of spoofed email addresses won't pass a DKIM or MX record check when comparing the results to message headers in the message received. That 1% that can spoof properly poses a problem, but other internal controls for vetting should catch that 1%.
 
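As an added example for the SPF/DKIM point in the reply above (my code, not code from either poster), this Python script reads the Authentication-Results and From: headers and checks whether a passing SPF or DKIM result actually belongs to the domain shown in From:, which is the alignment rule DMARC applies. SAMPLE_REAL reuses the Authentication-Results and From: lines quoted in the header post; SAMPLE_SPOOF is a constructed message using reserved example domains. It uses strict alignment (exact domain match); DMARC's relaxed mode also accepts subdomains and needs the Public Suffix List, which is left out here.

```python
"""Check whether SPF/DKIM results belong to the domain shown in From: (DMARC alignment).

Added example, not code from the thread. SAMPLE_REAL reuses header lines
quoted in the thread; SAMPLE_SPOOF is constructed with reserved example domains.
"""
import re

SAMPLE_REAL = """\
Authentication-Results: smp1.digitaldomain.ca;
 dmarc=pass policy.published-domain-policy=none
 policy.applied-disposition=none policy.evaluated-disposition=none
 policy.policy-from=p header.from=netvision.net.il;
 senderid=none;
 spf=pass smtp.mailfrom=shimur4@netvision.net.il
 smtp.helo=mxout4.netvision.net.il
From: System Server <shimur4@netvision.net.il>
Return-Path: shimur4@netvision.net.il
"""

# Constructed: the visible From: claims example.com, but SPF only vouches for
# the bounce domain example.net and there is no DKIM signature at all.
SAMPLE_SPOOF = """\
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=bounce@example.net;
 dkim=none;
 dmarc=fail header.from=example.com
From: "Accounts Payable" <ap@example.com>
Return-Path: <bounce@example.net>
"""


def unfold(raw):
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def header(raw, name):
    """First value of header `name` (case-insensitive), unfolded; '' if absent."""
    prefix = name.lower() + ":"
    for line in unfold(raw).splitlines():
        if line.lower().startswith(prefix):
            return line.split(":", 1)[1].strip()
    return ""


def domain_of(addr):
    """Domain of 'Name <user@host>' or 'user@host', lowercased; '' if there is no '@'."""
    addr = addr.strip().rstrip(">").rsplit("<", 1)[-1].strip("\"' ")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(value):
    """'authserv; spf=pass smtp.mailfrom=u@d; dkim=none' -> (authserv, {method: (result, props)})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0] if parts else ""
    results = {}
    for part in parts[1:]:
        m = re.match(r"(\w+)=(\w+)(.*)", part)
        if m:
            method, result, rest = m.groups()
            results[method] = (result, dict(re.findall(r"([\w.\-]+)=([^\s;]+)", rest)))
    return authserv_id, results


def alignment_check(raw):
    """Strict DMARC-style alignment: a pass counts only if its domain equals the From: domain."""
    from_domain = domain_of(header(raw, "From"))
    authserv_id, auth = parse_auth_results(header(raw, "Authentication-Results"))
    spf_result, spf_props = auth.get("spf", ("none", {}))
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    spf_aligned = (spf_result == "pass"
                   and domain_of(spf_props.get("smtp.mailfrom", "")) == from_domain)
    dkim_aligned = (dkim_result == "pass"
                    and dkim_props.get("header.d", "").lower() == from_domain)
    return {"authserv_id": authserv_id,
            "from_domain": from_domain,
            "spf": spf_result, "spf_aligned": spf_aligned,
            "dkim": dkim_result, "dkim_aligned": dkim_aligned,
            "from_domain_authenticated": spf_aligned or dkim_aligned}


if __name__ == "__main__":
    for label, sample in (("real", SAMPLE_REAL), ("spoof", SAMPLE_SPOOF)):
        print(label, alignment_check(sample))
```

In the real sample SPF passes and aligns: the sender genuinely controls a netvision.net.il mailbox, so a passing result tells you the From: domain is not forged, not that the message is safe. In the constructed spoof SPF passes for the bounce domain but does not align with From:, which is the pattern the reply describes as failing the check. Trust an Authentication-Results line only when its authserv-id is your own mail server; a sender can include a fake one further down the headers.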