Don't open the package...


In the film, The Transporter, there are several rules for using the courier service Jason Statham offers. One is "Don't open the package."
In this utterly ridiculous spam-scam, someone is pretending to be a courier and to know what's in the package. He is using a Gmail address that Google should be required to verify his rights to, but chooses not to. The silly thing is that even if he were a courier, and even if he did open the package, he would not know the information upon which the fraud is predicated.
From: MR. Mohammed Richard kizzaemmanuel.sb@gmail.com
Reply to: dhlcompany582@gmail.com
Subject: Attention: This is very urgent.
Body: Attention: This is very urgent.
This is the 2nd time I am sending you this
notification letter regarding your
(ATM MASTER CARD) and I haven't received any positive
response from you.
This is Agent Mohammed Richard, the senior agent from DHL
Delivery Company.
I'm currently at JFK International Airport right now
with your
Package of ATM CARD worth a sum of $1.8million USD.
I have only 24 hours to be on my way to your home
address,
Please reconfirm your info to me right now to enable
me to connect
my flight to your home address without any further
delay,
NAME: ========
ADDRESS: =============
CLOSER AIRPORT: =======
OCCUPATION ===========
Direct phone number: ======
The details of this package and the value declared by
the shipper was
ATM MASTER CARD AND UNDISCLOSED ACTIVATION PIN IN
ENVELOPE.
EMAIL: officialdhlcouriercompany@gmai...
Thanks for your kindness and understanding, hope to
hear from your soon, God bless you.
Best Regards,
MR. Mohammed Richard
DHL Senior Delivery Officer.
-----------------
Yes, that is exactly as it appeared in mailboxes.
The "to" address is shown as "undisclosed-recipients".
The delivery address is in a BCC field.
The return address includes "dhl".
The separate e-mail address in the body also includes "dhl".
No company sends a card and an activation PIN in the same envelope.
But it might work. Rubbish as it is, it does create, from the outset, a sense of urgency. Some might fall for it.
As usual, Google could have, should have, taken steps to reduce the effectiveness of this scam: by performing basic KYC on the account holder, by not permitting different "sent" and "reply to" addresses, and by not allowing the creation of e-mail addresses containing recognised or recognisable brand names. It should also have in place e-mail monitoring systems to check outgoing mail for signs of phishing. This might be seen as a privacy issue, but if that's the case, Google could differentiate between verified accounts and unverified accounts, monitoring only the latter.
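The tell-tale signs listed above (a reply address that differs from the sender, a brand name inside a free-mail address, undisclosed recipients, urgency wording) can be checked mechanically. The following is an added example, not part of the original post; the function name, the brand and free-mail lists, the urgency phrases and the sample message (constructed from the headers and wording quoted above) are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed lists for illustration; a real filter would use maintained data.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
BRANDS = {"dhl", "fedex", "paypal"}
URGENCY = ("urgent", "24 hours", "right now", "without any further delay")

# Constructed sample built from the headers and wording quoted in the post.
SAMPLE = """\
From: "MR. Mohammed Richard" <kizzaemmanuel.sb@gmail.com>
Reply-To: dhlcompany582@gmail.com
To: undisclosed-recipients:;
Subject: Attention: This is very urgent.

This is Agent Mohammed Richard, the senior agent from DHL Delivery Company.
I have only 24 hours to be on my way to your home address,
Please reconfirm your info to me right now
"""

def phishing_indicators(raw):
    """Return a sorted list of indicator names found in a raw e-mail message."""
    msg = message_from_string(raw)
    found = set()
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    # Replies silently go somewhere other than the visible sender.
    if reply_addr and reply_addr != from_addr:
        found.add("reply_to_mismatch")
    # A brand name in the local part of a free-mail address.
    for addr in (from_addr, reply_addr):
        local, _, domain = addr.partition("@")
        if domain in FREEMAIL and any(b in local for b in BRANDS):
            found.add("brand_in_freemail_address")
    # Real recipients hidden in BCC leave an empty or placeholder To header.
    to = msg.get("To", "").lower()
    if not to or "undisclosed-recipients" in to:
        found.add("undisclosed_recipients")
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    # Require two or more urgency phrases to limit false positives.
    if sum(phrase in text for phrase in URGENCY) >= 2:
        found.add("urgency_language")
    return sorted(found)

if __name__ == "__main__":
    for name in phishing_indicators(SAMPLE):
        print(name)
```

No single indicator is conclusive on its own; a filter would normally score them together before quarantining a message.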
