Example of fake winning notification email:
FROM:THE DESK OF THE VICE PRESIDENT.
PROMOTIONS/PRIZE AWARD DEPT.
BATCH NO: PTP/8573421009//7765
REF. NO: PTP/79065-07855//7765
WINNING NOTIFICATION / FINAL
This is to inform you of the release of EUROMILLONES SPANISH
SWEEPSTAKES LOTTERY/INTERNATIONAL PROGRAM held
on the 24TH of NOVEMBER, 2004. Due to the mix up of
number,the results were released on the 26th of
NOVEMBER 2004. Your email attached to ticket number
20/39/45/75/ with serial number 6954398765 drew the
lucky numbers of 30-56-73-46-23 which consequently won
the lottery in the 1st category.
You have therefore been approved for a lump sum payout
Of (1,000,000.00) One million euros only in cash.
Due to mix up of some numbers and names, we ask that
You keep your winning information confidential until
your claims has been processed and your money remitted
to you. This is part of our security protocol to avoid
double claiming and unwarranted abuse of this program
by some participants.
All participants were selected through a computer
ballot system drawn from only Microsoft users from
over 20,000.00 companies and 3,000,000 individual
email addresses and names from all over the world. To
begin your lottery claim, please contact our agent
below that have been appointed for the processing of
your claim with the email address below, to begin the
processing of your claim:
CONTACT NAME: MARTINS ALBERTO
AGENT:ONXY FINANCE AND SECURITY S.A
CITY/ COUNTRY: MADRID,SPAIN
FREE SERVICE NUMBER: 0034 618-157-904
Note that all winning must be claimed not later than
24th of December 2004. After this date all unclaimed
funds will be included in the next stake. Please note
in order to avoid unnecessary delays and Complications
please remember to quote your reference number and
batch numbers in all correspondence. Furthermore,
should there be any change of address do inform our
agent as soon as possible.
Congratulations once more from our members of staff
and thank you for being part of our promotional
Note: Anybody under the age of 18 is automatically
This email was sent from Spain: 12.red-83-38-214.pooles.rima-tde.net [184.108.40.206] on Wed, 08 Dec 2004 12:43:35 +0100
inetnum: 220.127.116.11 - 18.104.22.168
descr: TELEFONICA DE ESPANA
descr: Provider Local Registry
status: ASSIGNED PA
remarks: For ABUSE/SPAM/INTRUSION issues
remarks: PLEASE CONTACT THROUGH LINK
remarks: or send mail to email@example.com
remarks: any mail to firstname.lastname@example.org will be ignored
Example of response from fake security company:
Thank you for your response, Please find application form attached, endeavor to fill-in the apprioprate info and return it as soon as possible by fax.
Alternatively you can also send it via email attachement if you find it difficult to get through our fax.
Also endeavor to notifiy us by email as soon as the fax is sent to our office to avoid any delay.
Await your prompt response and acknowledgement.
The "claim application form", a Microsoft Word document named "Claim Application Form Doc.B2.doc" that accompanied this email lists "ARAB & CO." as the company and "ARAB" as the author, the same as in the "CITY TRUST LOTTERY". It was last saved by someone logged in as "Quaisar". Another Word document emailed to the same person was called "CERT. OF DEPOSIT 2.doc", with a company name of "Cibernet" and an author "x". It was last saved by a user logged in as "Naeem".
Are these deliberate acts to lay a false trail, or does this scam maybe involve Moroccans or other Arabs living in Spain? We don't know yet.
Here were the message headers:
Received: from netscape.net (mow-d26.webmail.aol.com [22.214.171.124])
by air-in04.mx.aol.com (v103.7) with ESMTP id MAILININ43-589a41c2d8c821;
Fri, 17 Dec 2004 08:02:00 -0500
Date: Fri, 17 Dec 2004 08:02:00 -0500
To: emailaddress ("FIRSTNAME LASTNAME")
Subject: Re:CLAIM FORM ATTACHED
X-Mailer: Atlas Mailer 2.0
Content-Type: multipart/mixed; boundary=-------418341da2046b89c418341da2046b89c
This indicated the email was sent from 126.96.36.199 in Spain:
inetnum: 188.8.131.52 - 184.108.40.206
descr: Infraestructura Red y Servicios IP
descr: Comunitel Global S.A.
status: ASSIGNED PA
changed: email@example.com 20000531
descr: Comunitel Global PA Block
changed: firstname.lastname@example.org 20041007
person: Monica Vales
address: COMUNITEL GLOBAL S.A.
address: Consorcio de la Zona Franca
address: Area Portuaria de Bouzas
address: 36208 VIGO (PONTEVEDRA)
phone: +34 986 21 40 44
fax-no: +34 986 21 40 41
changed: email@example.com 19990215
person: Tomas Lestayo Martinez
address: Avenida de Manoteras, nº 44
address: 4ª planta, módulo D
address: 08039 ESPAÑA
phone: +34 91 2963321
fax-no: +34 91 2963310
changed: firstname.lastname@example.org 20020416