Social Media Scam and Bank Fraud

How my daughter got catfished and almost took down the entire family finances.

A tale of near misses by Lauro Chavez.

The Background:

My daughter's friend, in her early 20's, tells her about a man that is approaching her through her Instagram account looking to pay her for some time spent chatting with him, simply explained as emotional based online conversation. She says there is no exchanging of photos or anything inappropriate going on, and that this is a good opportunity to make some money on the side.  

The story goes like this:

The man says he is willing to pay for the time to chat with them online and that he is not looking for anything related to the exchange of inappropriate items/information. He gives a background story of a financially secure man who has lost his family to some tragedy many years ago and now at the end of his life looking to have the fun of talking to a young lady about life again. After a few days of investigating and gut checks, my daughter and her friend finally agree that being paid for simply chatting with a man online is a pretty good deal.

On or about June 5th, 2019

My daughter allows friendship on Instagram (her profile was public at the time) and the man approaches her via direct message inside Instagram’s application. After a few hours of conversation over several days he presents her with the offer to pay her for her time and simply asks her to register on a pay site (Mint Pay) so he can deposit some money in her bank account for the time spent and any future interactions with her. My daughter, having a kind heart and because the conversation up to this point had been really mild and joyful with the guy and he seemed legitimate enough, tells the man that she would just chat with him as friends for free and payment was not really necessary. Despite my daughter’s kind offer the man continues to insist on paying her for her time. She finally agrees and follows the link he sends her. The link leads her to a landing site that appears to be a registration page asking for PII (Personally Identifiable Information) and bank account data. She fills out the form and submits it. A day goes by and on early morning of June 11th, 2019 the man contacts her asking if she has received the first of his payments. When she logs in to check her account, she notices three checks for various amounts (totaling about $1300.00 USD) ‘pending’ for deposit, but she notices something is very strange about the checks.

Meanwhile on June 11…..

My wife is doing her daily accounting routines and notices three pending checks for our daughter in our main checking account. I am summoned to investigate and notice quickly that the checks are a copy of a previously deposited check (estimated 30 days prior) that was sent to our daughter for her graduation. A gift well deserved after four years of hard study at school for her degree. What is interesting about the checks besides the fact they are clearly forged, is that they (the cybercriminal ring) have modified the checks in a manner not consistent with standards of writing and signing checks to parties from other parties here in the United States. What immediately caught my attention is that the check was made out to my daughter, but the amounts had been written over (hand-written style) and the dates had been ‘typed’ in – appearing to be as this word editor font, presented as: (06-10-19). Also, my wife’s signature was on the front of the check authorizing the amount was also copied and pasted on the back as the recipient’s signature. Having her signature on the front and back of the check made no sense and was an unauthorized action on these pieces of bank notes based on the context of how the check was intended to be used. As I reviewed the images of the check my wife was already on the phone with the bank’s fraud department.  She was able to close and disable our account before anything malicious could happen; the real hero of this story.


Brief Replay:

  1. Daughter was lured or "catfished" with the hopes of easy money and directed to a website to set up payments.
  2. The site was used to obtain enough information about her, that her bank account could be accessed.
  3. After gaining access and review of her account they came across the check record in ‘deposits’ for the amount previously deposited by us (parents).
  4. The images of the original authorized check were copied and modified into three separate new forged checks and used to send back to the daughter’s bank to deposit, possibly via phone app (image capture deposit).


Just Lucky:

This fraud scheme was very well orchestrated and I’m sure my daughter is not the first or the last victim of this criminal ring. What we do have to be thankful for is their catastrophic failure to recognize finite details of our system. A failure that I believe they will not suffer for very much longer.

  1. The modification was incorrect to our standards of check writing.
  2. The checks were made out to our daughter,
  3. The amounts were changed with hand written form
  4. The dates, unlike the amount, were typed in.
  5. My wife’s signature on the front was also copied and pasted on the reverse side in the place for the recipient (in this case my daughter).


Lessons Learned:

What I think is most interesting in this case is that it shows how the nature of greed will most certainly endow failure. I look at the details presented and while my logic defines luck as more of a precise mathematical timing, I cannot help but realize how lucky we got on this one. As a practitioner of cyber security, it’s a deep wound to have one of the kids fall victim, but the deeper the wound the harder the scar. As I hope this has helped to inform you of the types of activities that are occurring actively to United States Citizens and right under our proverbial noses. I would like to think that greed these cyber-criminals had that caused them failure in this attempt, cost them greatly and greedily under the laws of their captors.

As a father, I realized that my kids were bored with the information I had tried to teach them. Not being very interested in the ‘tech-world’, they took my teachings with a grain of salt. I realize now that I should have dedicated more time to their tech-related education.  Since this happened, my daughter has been all ears and made serious modifications to her personal cybersecurity. I’m glad she gets it now, but I’m sad it had to come to something like this in order for it to, as they say: “hit home”, in this case quite literally. The resistance to wanting to understand the repercussions that can exist in the world really made me think; I can’t have the only kids who don’t want to hear it. These types of activities are in no amount of shortage and certainly transcend borders and continents. It may be time for a more strategic approach to practical security training for the body of the people of every country, not just our own.


In the practical art of war, the best thing of all is to take the enemy's country whole and intact; to shatter and destroy it is not so good. So, too, it is better to recapture an army entire than to destroy it, to capture a regiment, a detachment or a company entire than to destroy them.

                                                                                    -Sun Tzu

About the Author

Written by Lauro Chavez

CRISC - Certified in Risk and Information Systems Control Oracle Certified Expert - Oracle Solaris 10 Security Administrator CCNP +S - Cisco Certified Network Professional + Security PCI-P - Payment Card Industry Professional OSCP - Offensive Security Certified Professional