By Jenny Neyman
Hal Smalley spent his Thursday night being transported to the magical realm of Neverland while attending a preview performance of the Kenai Performers’ winter musical “Peter Pan” at the Renee C. Henderson Auditorium at Kenai Central High School. When he turned in that night, it was to his bed in his Kenai home.
But when Smalley woke up Friday morning it seemed he was still in the land of make believe. He was in London, stranded in a traveler’s nightmare with his bag containing his passport and credit cards stolen. At least, that’s what everyone in his Yahoo e-mail contacts list was told, as they received a message from Smalley informing them of his plight and asking that they e-mail him or call his hotel at the phone numbers provided for details on how to send him money, so he could buy a plane ticket and settle his hotel bill in order to get back home.
Smalley was unaware of his supposed vacation, much less the disastrous turn it had taken, until he logged into his e-mail Friday morning and saw messages from several of his contacts asking if everything was OK, if he really was in London, if he really needed help, or if he was aware that his e-mail account had apparently been hacked.
The message was apparently sent far and wide, judging from the responses he got. Smalley is a member of the Kenai Peninsula Borough Assembly and a previous member of the Kenai City Council, resulting in a lengthy contacts list.
“They didn’t say they were going send money, but there were a couple who were wondering if it was true. They hadn’t seen me for a few days. And some who had seen me at ‘Peter Pan’ were wondering, ‘My gosh, how could you get to London so quickly?’” Smalley said. “I told them I got a little bit of ‘Peter Pan’ pixie dust on me. That will do it every time.”
Smalley is the latest of several community members to fall victim to the “I’m-stranded-somewhere-foreign-and-need-money-to-get-home” e-mail scam. It’s an insidious variation on more typical e-mail hoaxes in that it looks like it could be valid. Many schemes soliciting bank account information or money transfers come from unknown e-mail accounts and are sent to blanket lists of recipients — email@example.com, firstname.lastname@example.org, email@example.com, etc. These often end up relegated to junk filters so the account holder isn’t bothered with them.
When these scam messages do make it to an inbox, if the unfamiliar sender doesn’t raise enough of a red flag, the content of the message often gives it away as a hoax. The text is usually very poorly written and purports something outlandish — a prince in Africa needs your bank account number to transfer an inheritance from some heretofore unknown supposed relative, or something along those lines.
This, however, is different. A victim’s e-mail account is hacked and the perpetrator sends messages to everyone in the contacts folder, so the message comes from a valid e-mail address belonging to someone the recipient knows. The text of the message also is fairly well-written and well-spelled. There are only a few errors in punctuation and capitalization — “Apologies for having to reach out to you like this, I made a trip this past weekend to London, UK and had my bag stolen from me with my passport and credit cards in it. The embassy is willing to help by letting me fly without my passport, I just have to pay for a ticket and settle Hotel bills.”
“The English is much better than some of the standard stuff that comes — ‘You’ve won this lottery you need to contact such and such,’” Smalley said.
He doesn’t think anyone who got the phony messages was duped to the point of sending money, but the whole thing was a frustrating hassle, and a bit of a wake-up call.
“I thought I was being real careful online, but you can only be so careful,” Smalley said.
He is careful in releasing any information online, doesn’t open e-mails if he doesn’t recognize the sender, is even more careful in opening attachments, and disregards any out-of-the-ordinary messages or requests he gets to divulge account information, much less a Social Security number, credit card number or any other personal information.
“There are people out there whose minds are just working overtime,” he said. “Hopefully no funds have been transmitted anywhere, but the sad thing is all it takes is once for it to be a successful venture.”
Smalley decided not to take any chances and simply abandoned the Yahoo account that had been compromised. He set up a new one with a new password, but lost his contacts list and all the e-mails he had been saving in the old account.
“It’s not a worm, from what I’ve been told. It’s just somebody gets into your information. They have the computer technology to search and find a way to get into your account, and send from it,” he said. “The only thing you can do is just set up a different account that hopefully will be secure and never, ever attacked again.”
The experience makes him even more cautious about posting personal or business information online, he said. But as an elected official, he’s required to share some sensitive information that he rather wouldn’t.
Spurred by the VECO corruption scandal, where Alaska legislators were bribed to curry their support, the Alaska Public Offices Commission now requires much more detailed financial disclosure statements from public officials. The Kenai City Council decided to opt out of the new reporting requirements, adhering instead to 2007 disclosure standards. The assembly, however, hasn’t opted out, so any business dealings resulting in $500 or more must be reported, and will eventually be posted online.
“Anybody you’ve ever hired for anything, their name, address and the amount of money paid. For contractors, all of their previous clients and bids that you have made would be on there, which really opens you up wide open. Even if you hired a baby sitter for more than $500 over the course of a year, their name is listed,” Smalley said. “It’s just far too intrusive. It does not need to be that way.”
Smalley said the stricter reporting as a response to the corruption scandal isn’t a good way to address the problem. It’s onerous and potentially dangerous to post sensitive information online, and an added hurdle of paperwork probably won’t be enough to stop those looking to inappropriately influence lawmakers — or lawmakers open to being influenced, Smalley said.
“The new requirements were kind of a knee-jerk reaction to what happened in Juneau. ‘Oh, yeah, if those people would have put all this stuff online, this wouldn’t have happened? Like, not,’” Smalley said. “I hope somebody will make the decision to review that. We’re not hiding anything. Nobody wants to hide anything. We want to make public what should be made public.”
Smalley isn’t the only one from the central Kenai Peninsula to be supposedly stranded abroad lately. Bill Holt, a member of the Kenai Peninsula Borough Board of Education and head of maintenance for the Tsalteshi Trails Association, had a similar case of woe befall him in early September.
It was nearly identical to Smalley’s situation. Holt’s Google e-mail account was hacked and a message sent out to his contacts saying he was stranded in London without his passport and credit cards and was in need of help.
As head groomer at Tsalteshi, Holt sends out trails reports to a large list of skiers, letting them know about snow conditions on the trails, and has another lengthy list of contacts among the school district and others associated with the board of education.
A technician in the Information Services Department at KPBSD contacted Holt to let him know his e-mail had been hacked after seeing about 55 phony e-mails going from Holt’s Gmail account to people with district e-mail accounts, Holt said. He also started getting calls at 4:30 a.m. the day the messages went out wanting to know what was going on.
“I didn’t figure out a way to capitalize on this thing. I should have told everybody I wanted the money in unmarked bills left in an envelope at Kaladi Brothers,” he said.
With a few months’ hindsight Holt can joke about the experience. At the time, though, it was definitely not amusing.
“It was a real bummer. I lost a lot of sleep over it,” Holt said. “Part of the frustration was dealing with the Google people. I like to communicate with people by talking with them. I don’t want to feel like I’m grasping at thin air, I want feedback to help solve the problem. But you cannot just call Google up and figure out what the heck to do. You can’t get a live human to talk to.”
Google sent Holt a message to the e-mail account he had provided as an alternate contact — an ACS account — when he set up the Gmail account, saying his Gmail account had been compromised by someone in Nigeria and was being taken offline. Holt couldn’t even get in to change his password.
He said he spent about 20 hours trying to get his account sorted out and activated again, because he didn’t want to lose all his contacts, saved messages and attachments. After about two weeks he got access again and changed his password, but a few days later he realized that he wasn’t getting replies to any of the e-mails he was sending out. After hours more investigation he found a preference setting that was set up to route any replies to any e-mails he’d sent out to an e-mail account out of Nigeria.
“It got really complicated, so basically I had to start everything over again on my Gmail. I changed my password and reinstated my account but all my contact lists and everything was gone,” he said. “(The contacts list and saved e-mails) have got to live somewhere in some Googley cyberspace place, but I just don’t have the energy to deal with it anymore.”
Holt was able to piece together many of his contacts from an e-mail program on his computer and his new Gmail account seems to be operating fine now, but the experience has left him worried about identity theft and questioning the safety of the Internet.
“I was trying to think if maybe I sent anything that had my Visa number or Social Security number on it. All the FAFSA reports I worked on for my kid’s college. We’ve given out all this financial information that you do online. It’s all supposed to be secure, but there may be a way they can weasel their way in there. Now I wonder if there’s some dark mole that lives in my computer that is getting ready to get me again.”
In talking with the school district’s technician, Holt said it sounds like hackers can spy on people setting up a username and password for online stores or similar sites. Many people use their e-mail address as a username. Once they have that, they can use computer scripts to guess passwords, especially “easy” ones that are common words, such as those found in the dictionary. Sometimes people use the same password for several online uses. Holt used to do that, he said.
“They get somebody using the same password from something else and then they can cross-reference that with your e-mail account and all of a sudden a little bell goes off and they get in,” Holt said. “It’s not like some guy is sitting in a room smoking cigars, drinking bad coffee and looking at it, trying to match things up. They’ve got the technology to just keep trying it until they get one that works.”
Holt now uses different passwords for his various online logins, and is more cognizant of the dangers of online activity.
“A month ago some guy wanted to share some fortune with me that he couldn’t get without some help from me. And it was horribly written, I don’t know if they get anybody who falls for those. But this London one was different. The electronic age definitely has some pitfalls that I didn’t see coming,” he said.
Tips for avoiding e-mail hacking
1. Use a password that can’t easily be guessed. If it’s in the dictionary, even if you add a few numbers or additional characters to it, it isn’t secure. Neither are common keyboard patterns. The longer, the better.
2. Don’t use a password on more than one site. Create unique, difficult to guess passwords for every site requiring one. Store the passwords in a safe place, or there are secure software programs that generate random passwords and store them for you.
3. Change passwords often.
4. Don’t use an e-mail username in other places, especially on trivial or unsecured websites.
The following e-mail text is the general form the scam takes, often telling contacts the sender is stranded in London or some other foreign city:
“Apologies for having to reach out to you like this, I made a trip this past weekend to London, UK and had my bag stolen from me with my passport and credit cards in it.
The embassy is willing to help by letting me fly without my passport, I just have to pay for a ticket and settle Hotel bills. Unfortunately for me, I can’t have access to funds without my credit card, I’ve made contact with my bank but they need more time to come up with a new one.
I was thinking of asking you to lend me some quick funds that I can give back as soon as I get in. I really need to be on the next available flight.
I can forward you details on how you can get the funds to me. You can reach me via email or May field hotel’s desk phone, the numbers are, +XXXXXXXXXXXX or +XXXXXXXXXXXX.
i await your response … “