Someone tried to scam me out of $18,840. They failed but I played with them so that I can share with you how a typical cyber-crime works. It starts out with an email asking me for a price quote. These emails are sent to sales agents whose job it is to sell, sell and sell some more. I got one of those emails. Of course, I recognized it as a scam but, I thought I’d have some fun with them first. And, in the process show you how the scam works.

Please note that I am duplicating the email conversations verbatim, except for my email address. Keep in mind that the telephone numbers provided by the fraudsters are unlikely to be actual numbers to the university.

I got an email Monday, February 10, 2020 to one of my business addresses. Recognizing it as fraud I decided to have some fun. So, I replied to the email from one of my holding company (ItNix) email addresses. I thought ItNix, although only a digital holding company would be perfect as it is related to technology.

Here is what I got.

Dear Sir/Ma,
How you doing? I’m Micheal Smith the Purchasing Director of The University Of Utah,The School would like a price quote submitted on HP toner Cartridges Listed below:

*HP 824A Cyan LaserJet Image Drum (CB385A)
*HP 90X Black Original LaserJet (CE390X)
*HP 657X Yellow Original LaserJet (CF472X)
*HP 502A Yellow Original LaserJet (Q6472A)

PAYMENT TERMS: NET15

Indicate all prices FOB to our Address.we require your provision of this Order with the payment Due in 15 Days and also indicate when your price quote will expire.we are so honor to be served by your company.

Acknowledge by getting in torch with a quotation.

Best Regards,

Micheal Smith
Purchasing Director
The University Of Utah
msmith@purchasingutahedu.net
http://www.utah.edu
Tel:801-382-7024
Fax:801-874-3552

Before I go on, I was in a playful mood, so rather than respond in my name, I decided to create a persona salesperson. His name is Donald Rump. Hopefully most of you will get it.

I , or rather, Donald Rump eagerly replied:

Dear Michael Smith,

Thank you for the opportunity to bid on your HP toner cartridge order.

We are happy to submit a price quote as follows:

*HP 824A Cyan LaserJet Image Drum (CB385A) – $295.00
*HP 90X Black Original LaserJet (CE390X) – $199.00
*HP 657X Yellow Original LaserJet (CF472X) – $299.00
*HP 502A Yellow Original LaserJet (Q6472A) – $149.00

We are happy to extend NET15 Terms to the University of Utah.

We hope you consider our quote. We can ship your order immediately. All we need is the quantity, the address to ship the order to and a university PO #.

I look forward to your order,

Donald Rump
ItNix
Phn: +1 408 666 4545
Fax: +1 408 666 4457
e: redacted
w: itnix.com

The telephone numbers I included in my reply are fake. I thought the Rump name and the “666” numbers would be a giveaway, but apparently not.

Here is how the scam works. The scammers pretend to be a large governmental entity looking for bids on consumable supplies, specifically expensive ones. In this case they are toner cartridges that cost between $200 and $500 each. They are hoping someone, like Donald Rump will get excited about a huge sale and respond with a quote. They really don’t care about the prices because they want you to ship them the products and they then resell them online.

Pure profit for the scammers.

The scammers rely on governmental entities using purchase orders to make purchases. In the simplest explanation, a purchase order is like a post-dated check, where the company, ItNix, ships the product expecting to be paid for the products in 15 days, in this case.

So, Donald Rump is anxiously waiting for the cha-ching order to come in.

It came, in the form of a fake purchase order and a W9 form.

The purchase order looks legitimate enough. But it is not. Donald Rump was likely super excited as he calculated his commission on an $18,840 sale. The scammers were likely salivating on getting $18 thousand dollars’ worth of merchandise for free to then sell it for cash online.

Knowing that this was a scam, I scrutinized the PO. I was surprised that this scammer took some time to make things look legitimate. In my response to their request for a quote, I did not include a business address. I overlooked that.

But the scammers apparently Googled ItNix and found an old address and conveniently included it in their fake PO. However, the Donald Rump keeps making me laugh each time I see it.

The obvious indication that this is a scam is that the warehouse that they want me to ship their toners is an apartment complex. You can see that in the Google map of the address.

I wanted to see how far I could take this, so Donald Rump responded by thanking the scammers for the “order” and to let them know that it would ship on Thursday.

The scammers now got excited as they started counting the money on the way to them. They replied:

Dear Donald,
Thank you for getting in torch. I will be expecting the Tracking Number by Thursday and also what’s the best phone number to reach you at, i tried Calling the Number listed i couldn’t reach out to you.

Best Regards,

Michael Smith
Purchasing Director
The University Of Utah
msmith@purchasingutahedu.net
http://www.utah.edu
Tel:801-382-7024
Fax:801-874-3552

Note the numerous grammatical errors, another giveaway. But, I thought to myself, the gig is up since they tried calling the fake number I gave them.

But I thought, why not, let me call them out indirectly to see what happens.

So, I sent them, rather Donald Rump sent them this email:

Hello Mr. Smith,

We have not been able to verify the PO you sent us. The University of Utah Purchasing Department has no record of the PO you sent us. Please confirm the PO.

We are unable to ship your order until the purchase order is confirmed.

Please verify the PO you sent us and update it as necessary,

Thank you for attention to this matter,
Donald Rump

I didn’t think it would go beyond this, but the scammers aren’t giving up so easily. I bet they are sitting in their underwear waiting for the tracking order for the toners that they are hoping to sell. I got this email in response to me not being able to “verify” their PO.

This is an Approval for the purchased item between your company and the purchasing Dir. Mr Michael on behalf of the school on NET15 Terms.

Kindly go ahead with the order(PO #:UU100220) and get back to me with the Invoice.

As soon as the item deliver to the shipping location your payment will be remitted on terms Agreement.

Yours Sincerely,

Benjamin Goodrich
Account Payable
The University Of Utah
bgoodrich@purchasing.utahedu.com
http://www.utah.edu

And, then “Michael Smith” conveniently followed up on his order with this.

Dear Donald,

I just want to touch base with you, regarding the order status as of today.

Please advise back as we would like to hear from you.

Thank you for your business.

Michael Smith
Purchasing Director
The University Of Utah
msmith@purchasingutahedu.net
http://www.utah.edu
Tel:801-382-7024
Fax:801-874-3552

Probably thinking that the gig was up, the scammers sent me this:

Dear Donald,
I’m Benjamin Goodrich the Account Payable Manager For the School (The University Of Utah). am reaching out to you regarding an On-going Order with the purchase order number below.

PO :UU100220
Order Date : 02/10/2020

SUPPLIERS DETAILS
Company: itnix
Name: Donald Rump
Email: nsp@itnix.us

BUYER DETAILS
Name : Michael Smith
Title :Purchasing Director
Email :msmith@purchasingutahedu.net
Dept/Org : Purchasing – Campus
Dept : ID00366

This is an Approval for the purchased item between your company and the purchasing Dir. with the Name listed above on behalf of the school on NET15 Terms.

Kindly go ahead with the order and get back to me with the Invoice.

As soon as the item deliver to the shipping location your payment will be remitted on terms Agreement.

Yours Sincerely,

Benjamin Goodrich
Account Payable
The University Of Utah
bgoodrich@purchasing.utahedu.com
http://www.utah.edu

It was time to end the charade. So at about 1:00 pm. Eastern time I sent this.

Michael Smith,

The documents you have provided, and the email transactions will be provided to officials in Minnesota for legal action as well as to the University of Utah.

Sincerely yours,
Donald Rump, obviously a play on the name Donald J. Trump

PS. In case you are still clueless, there are no toner cartridges on the way to the apartment complex you wanted them shipped to. But, if you want to wait there, I am sure Minnesota law enforcement would like to speak to you.

As of the time I am publishing this I had not heard back from the spanners. Just in case they send a response, I will be sure to update this post.

And there you have it, the scam from the initial email until it was time to shut it down.

For those wondering, I notified the University of Utah of the attempted fraud for their action.

In their response, the university stated, “The University of Utah along with other universities have been named as part of this fraud scheme that is believed to originate overseas. Phony quote requests are sent to suppliers followed by a phony PO which requests delivery to a non-University location. We have been told that some innocent victims have made shipments which are then routed to the fraudsters and some have been traced to England then Nigeria. We are working with local law enforcement and the FBI on this.”

The also asked me to share this link to a PDF document from their website advising about the fraud. Click here to read the PDF.

(As a funny anecdote, Word kept insisting on changing the name “Rump” to Trump. It must be smarter than I thought)