Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

House for rent! Observing an Overpayment Scam

Published: 2011-10-19
Last Updated: 2011-10-31 16:14:49 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

About a month ago, my wife posted a "House for Rent" ad on Craigslist. (real nice house in a great area btw... in case someone is moving to Jacksonville ;-) ). A couple responses came in, among them, one from a person in England. Odd, but there are actually a couple British living in the neighborhood, so she responded:

From: C M [*** names altered ***]
Subject: Rent Inquiry
Hello - 
  I'm inquiring about the rental property, I will like to get some more details about the property,
I'll like you to give me the below detail ...
[*** questions about property ***]
Certainly not a native speaker of English (the questions I omitted where normal questions someone would have about a house. Cost, when will it be available, utilities included, address...). Some where answered already in the Craigslist ad, but ok. If you deal with prospective tenants, that isn't unusual. As this point, we didn't know that we dealt with someone who isn't local.
My wife's response:
From: H
Subject: your inquire about ...

Hi C

thanks for your interest. Please see the answers to your detailed questions below. 
Please feel free to call my cell phone *** if you would like to see the property 
in person

... answers to questions removed ....
And another email from the prospective renter. Again, sort of routine questions. At this point, the renter identifies he lives in England:
From: C M

Subject: Re: your inquire about ...

Hello H -

      Thanks for your respond, firstly I would want you to know that the property 
is OK with me and I would like to rent the property. I will be staying in the 
property for 1 year after which I will extend my contract on the property if OK 
with my need. 

I work with '*** ENGINEERING LIMITED' in England as a CNC 5 axis machining centre 
setter/operator/programmer and I'm on transfer to the USA. 

I will be moving with my wife, I'd like to know how far is the place from bus station, 
police station and gas station. 

At this point I want you to know that my company will handle the first month 
and the deposit which is ($2470) after which other payment for the property will 
be handle by me in person. 

I would also want you to know that all application and lease papers will be sign 
by me in person when I arrive. 

If this is OK with you, kindly send me the following details listed below ...

'Full Name that will be on the check'
'Mailing Address where you can receive the check'
'Home Phone'
'cell phone'

Once I receive these details from you, I'll send it to my employer, so that the
payment can be issued out to you immediately. We'll be moving in on the 1st of 
November 2011. Looking forward to your reply.

Best Regards


my wife responded (PO Box address she uses for the rental business, and she did not provide a home phone number). This was WAY too easy. A person being so fast signing up for a house unseen? We must have been too cheap!

And a few days later, the check arrived:


The check was written in the name of a person that is listed as an accountant / notary public in the town of Temecula, but the number I found is now used by a different company. The bank, Temecula Valley Bank, failed in July 2009 ( and has since been acquired by First Citizens. It is not clear if the check would be honored (if it would be real). We didn't try to cash it.

It didn't take long to find out why we got such a "generous" check. First month rent + depost was only around $2,000. Instaed, we got almost $7,000!! An e-mail arrived essentially the same day the check arrived, apologizing for the overpayment, asking us to split the overpayment and send it via Western Union to two different addresses in the UK.

Luckily no damage has been done to us. I am still trying to figure out if the person named as origin of the check actually exists and got harmed. I have no reason to believe that this person, if they exist, are aware or profiting from this scan. We did report this to .

According to the FBI's Internet Crime Complaint Center (IC3), 3.6% of the complaints relate to overpayment fraud. 


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: advance fee scam
4 comment(s)
Diary Archives