"Hi. Just writing to let you know my trip to Manila, Philippines with my family has been a mess…I need you to loan me some money. I'll refund it to you as soon as I arrive home."
That is the kind of fake e-mail thousands of Americans get every year. It appears to come from a friend, but is actually from a con man half a world away. Most people delete them.
When a "Nightline" producer received one of these emails, she decided to hit reply. That took us on a journey half way around the world and inside one of the most common online scams around. It's called "the stranded traveler" scam and it costs victims who fall for it million of dollars every year.
The FBI's Internet Crime Complaint Center, based in West Virginia, has about 150,000 "stranded traveler" complaints on file. The phony emails often use the subject line, "I'm writing with tears in my eyes." Special Agent Charles Pavelites showed us how the identical email has been received from Madrid, Spain, London, England and, yes, Manila in the Phillippines. "They're all basically the same story, they were out of the country, they've been robbed and they need assistance now," Pavelites said. "This is a prefab…it's a form letter for a criminal." "
The email our producer received asked for nearly $2,000 and it looked like it had been sent from an acquaintance named Susan Zador. But when we checked in with the real Susan, we found out she was not in the Philippines and her email account had been hacked.
Zador's son Andy said every contact in his mother's email address book, hundreds of people, received the same alarming message.
"It's pretty disheartening to think that people are that money-hungry that they'll just send it out to whoever they think they can get the most money from," he said.
Zador's friend Mary Blackwell said she sent $300 and then learned it was a scam.
"I went through the roof. I was so upset," she said. "Not because I sent the money or anything like that, but it was because my heart was broken for Susan."
The person pretending to be Susan Zador claimed over email that he was traveling with somebody named Richard Kamenitzer and to wire the money to Richard in Manila. When "Nightline" tracked down the real Kamenitzer, a professor in Virginia, he said he had no idea who Susan Zador was, but that his email had also been hacked the same day as hers. Kamenitzer said he received several emails from worried friends. The hackers blocked Kamenitzer's access to his own address book, so he had no easy way to alert his friends to the scam.
"I had had 4,036 contacts in my address book none of which were available to me," he said. "Everything was lost."
In "Nightline's" case, instead of sending the nearly $2,000 that our new pen pal had requested, we only sent $20. Within hours, the con artist wrote back and complained.
"You should have told me you never had any money," he said. Then he had a creative suggestion. "I think you can also have the money wired with the use of your credit card."
"Nightline" followed the email trail to the Philippines, where a Western Union agent said a suspected scammer has come into his shop to cash in.
"The first time I met this guy, he claimed...$4,000 in two transactions," the agent said. "When he claimed it, he showed his... ID, which was his driver's license."
In "Nightline's" interactions with the con artist, we noticed that when we ignored the scammer's pleas, his emails became increasingly desperate. "Talk to me dear … Act as urgent please! ... Please I beg you in the name of God," one email said.
Wire services don't disclose where your money is picked up and law enforcement almost never pursues these cases so chances are victims will not get their money back.
If victims do send money, the con artists put them on their "sucker list" and hit them with other scams. Sure enough, our "Nightline" producer began receiving new emails phishing for her back account number. This time, we hit "delete."
So how do criminals get your email password so they can get into your email account and attempt to scam your contacts? We asked Cyber security guru Dan Clements, who told us there are four key ways:
1. Trojan programs: If you click on an attachment in an unknown email, it can trigger your computer to download a "Trojan" program that then allows cyber criminals to see every key stroke you make –including your email password.
2. Password breaker program: Often called a "brute force program," this is software bad guys use to try every combination of numbers and letters until they hit on your password.
3. Email addresses used as logons: You know how many websites have you set up an account using your email address as your User ID? If you then use the same password for that account that you use for email, criminals have what they need: your email address and your password.
4. Insider theft: It's less common, but there have been instances where employees at internet companies stole customers' email addresses and passwords from internal servers.
How can you protect yourself?
Don't click on attachments in emails from strangers. Create complex passwords that are random combinations of letters, numbers and symbols and use a different password for each account you create. If a website gives you a choice of using your email address as your User ID or some other ID, choose the alternate.