PHISH NETS

YOUR MONEY

Our Top Story last week was about the abusive use of the global top level domain called “best.”  Malicious emails ending in DOT-best continued to pour into our inboxes all last week. And so we wanted to use this week’s Your Money column to bring more attention to this continued abuse and warn readers NEVER to click on any email that comes from a “.best” or leading to a “.best” domain.

The first two examples want you to think they are news reports from USA Today or CNN or both!  What they both have in common is the claim to be sensational “breaking news.” Of course, this is just a social engineering trick to manipulate your clicking behavior.

Other malicious emails claimed to be about flight simulators, messages from God, and a message from the Mayo Clinic about shrinking “tummy fat” by drinking a special brew.  All nonsense and subterfuge. In addition to the screenshots of the emails below, here are seven other “best” domains that are malicious clickbait….

Keto Sweets <recipes @ roselle[.]best> 

STRIKEPEN <survival @ mysecust[.]best>

Seduction Ingredient <datingtips @ regremo[.]best>

Ervin Figueroa <selfdefense @ scarniti[.]best>

Steve Ball <success @ newalie[.]best>

Hair-Loss Prevention <hairloss @ hoeative[.]best>

Reverse Your Diabetes <reversediabetes @ ditester[.]best>

Deception is simply too easy on the Internet and criminals take full advantage of that fact. It doesn’t matter whether we refer to email, text, a social media post, advertisement, a website, or voice message, deception is rampant and easy to perpetrate.  Here are three different examples of Internet fraud. We’ll begin with the most egregious… a letter that arrived at a United States business through their old-fashioned fax machine from the Canadian Law Office of Manfred Whiteman, LLP. The fax, though difficult to read, clearly asks the recipient to contact Attorney Whiteman with regard to an unclaimed life insurance policy valued at more than ten million dollars.  Apparently, Attorney Whiteman is looking for a partner to carry out a fraudulent claim to an insurance policy owned by a recently deceased client. Barrister Whiteman says that “you” share the same last name as the deceased person, though he doesn’t tell you what that last name is.

What makes this scam remarkably shocking is that Attorney Manfred Whiteman appears to be a complete fraud.  Manfred Whiteman has a very detailed website, complete with an estate blog and learning center to detail his background and expertise in Estate and Trustees Law.  His logo shows that his law practice was established in 1978. But the entire website was stolen from a real Canadian Attorney named Edward Olkovich.  Barrister Olkovich has even posted an article on his website warning people that someone is impersonating him.   Let’s look at the facts as we’ve uncovered them about Canadian Barrister Manfred Whiteman:

1. We used two Canadian websites to look up Attorney Manfred Whiteman and both websites showed no record at all for Manfred Whiteman:
   “Find a Lawyer” with the Candadian Bar Association
   Search field at the Law Society of Ontario
2. Manfred Whiteman’s website, was registered 35 days ago on August 23, 2019, using a private proxy service and is being hosted on a server in Germany.
3. A Google search for Barrister Manfred Whiteman turns up nothing beyond his website.  Neither does a search for him on LinkedIn.com.
4. Manfred Whiteman’s website lists his office address as 621 Victoria St W #116B, Whitby, ON L1N 0E4, Canada.  Google maps doesn’t show any office building or any verifiable structure at this address.

We sent the following email to three email addresses listed for Barrister Manfred Whiteman on Sunday, September 29:  
Mr Whiteman,

I am a reporter of online fraud and threats, and publish my findings through a blog called TheDailyScam.com.  Recently I was contacted by a business that had received a fax from someone identified as you, and representing your law firm.  The fax states that you (or someone claiming to be you) is looking for a partnership with the fax recipient so that you both can claim and share in an insurance claim for one of your recently deceased clients by the name of Robert Matthews.

I would like to speak to you about this fax and your services in general.  For example, your website logo says that you’ve been practicing Estates and Trusts Law since 1978.  Yet I am unable to find your name on either of the following websites which provide search services for Barristers/Attorneys in Ontario, Canada:

1. Canadian Bar Association
2. Law Society of Ontario

I am also having difficulty finding anything about your law firm or your professional career, other than your website. These concerns, along with the fact that your website was registered only about a month ago and is being hosted in Germany raises doubts about your legitimacy as a Canadian Barrister.

Would you be willing to provide me with some means to verify that you are indeed a Barrister, registered with the Canadian Bar Association?  If you prefer to have a recorded Skype conversation or recorded call over the phone, I would be happy to do so.

Thank you for your consideration to my request.

Best wishes,
Doug Fodeman

We received the following response from Mr. Whiteman on September 30:

Dear Doug Fodeman.

I thoroughly appreciate your concern regarding this impersonation and character assassination; i am not within the circle of location, as i believe that whom ever that is behind this dark act must be brought to book. Please do anything within your means and save my name, once i return from my summer holiday i will personal give you a phone call. Kindly drop your info.

Best regards,

Manfred Whiteman |Principal Attorney (Advocate)

Our second example of deception concerns a very simple, and interesting email that appears to have come from a French teacher’s email account at a public school in New Milford, Connecticut.  The subject line reads “A Donation to You.”

Besides the obvious question why someone would want to make a donation to you, why is this fraudulent?  The answer lies in the “reply-to” address. The overwhelming majority of emails are set up so that a reply goes back to the email address from which the email was sent.  However, 419 Scammers almost always send an email from one address and set up the reply to automatically go to a different address than the one used to send the email. The reply-to address used in this email is different than the sender’s address and goes to a Gmail account held by “cfranpat” –not a name that is connected in any obvious way to the name of the sender’s email.

For our last example of deception we’ll turn once again to job scams.  Below is an email received by one of our readers. Someone named “Keith Wood” claiming to be the Hiring Manager for CNOOC Oil Base Group Limited, China’s largest producer of offshore oil and gas, contacted her about a job. 

It took no time at all to see that CNOOC has a few domains such as CNOOCltd.com and, as mentioned in the email, CNOOC.com.cn.  However Mr. Wood sent his email from the generic domain info[.]com.  Furthermore, he asks that you contact him via a Gmail address.  Why isn’t he using any of the real company’s domains to send or receive email?  The answer, by now, is obvious. “Mr. Wood” is not real and neither is his email!

As we said, deception is rampant and reading with a critical eye, giving attention to details is critically important in today’s digital age.