“Mugged in Madrid. Need 1,000 euros”

A ring of Gmail hackers uses Western Union for cash swindles around the world

Plaza del Callao in downtown Madrid: the Gmail scam preys on the capital’s undeserved reputation for muggings, say police.
Plaza del Callao in downtown Madrid: the Gmail scam preys on the capital’s undeserved reputation for muggings, say police.ÁLVARO GARCÍA

It all began with an email from Joseph Lelyveld, a man of 74 who was editor of The New York Times from 1994 to 2001.

We met in the 1990s in South Africa and remained vaguely in contact over the years. Four months ago I had a glass of wine with him in his New York apartment. His email arrived on the afternoon of February 8.

“I hope this reaches you in time. I was visiting Madrid and I was mugged. I lost my wallet with passport, credit cards, cash, the works. Physically I’m OK, but I need money urgently to get out of this situation. I’ll return it as soon as I get home…”

He proposed that I help him by means of the firm Western Union. I answered immediately: “Of course, Joe. Give me further instructions and I’ll help you as much as I can.” He answered that he needed 1,000 euros. I called his cellphone. Several times. Nothing. The answering service always came on — meaning, I thought, that they had taken his cellphone too.

Before sending the money order from Barcelona, where I live, I called Western Union. An operator told me the money could only be received in Spain, and that the receiver must show an ID card with a photo. I went to a nearby call center, run by a Pakistani, where they offer Western Union service, and sent Lelyveld a thousand euros. I sent him the money-order number by email and he wrote back, “a million thanks.”

A while later, another email came. He said he was flying at 10.30pm that same night to New York and needed money for the fare. I thought: “There aren’t any flights to New York at that hour.” I decided to look over the emails we had exchanged. The original, calling for help, had been sent from a Gmail address I recognized from earlier correspondence. But my answer, and all further exchanges, had gone to the same user name, but not to “gmail.com” but “ymail.com.” I had stepped in a trap.

I spoke on the phone to the chief inspector of the Technological Investigation Brigade (BIT) of the National Police in Madrid, Enrique Rodríguez. He was patient and polite, but told me simply that I had been ripped off, and there was nothing I could do about it.

Yes, I said. But I propose a plan. I remain in contact with my correspondent. I have let on I was prepared to send him another thousand euros. Why don’t we find out where he received the money the first time, then I tell him there is more on the way, and the police set up a trap and catch him, or his accomplice?

Again I am naïve. Inspector Rodríguez told me: we don’t know in which of a thousand Western Union offices the money had been received; we don’t even know if it was in Spain. But, I say, Western Union assured me that it could only be received in Spain. The inspector, who opined that it could have been received in Timbuktu, suggested I report it to his colleagues in Barcelona, whose job it would be to investigate, since the crime occurred in their territory. I went to an office in Barcelona, of the same Technological Investigation Brigade, and talked to a young officer, who was likewise helpful and polite, but likewise told me there was nothing I could do.

I decided to try and find out something on my own — for example, where the money had been received. I called Western Union; an operator told me I had to go to the call center from which I had sent it. There the Pakistani explained to me that there was a procedure. We made photocopies of my sender document, filled out a form and he sent it all by fax to Western Union. He would let me know when he had an answer.

I went to report it to the Mossos d’Esquadra, the Catalan police. “Western Union?” said a sympathetic policewoman. “Yes, they always use it for these scams.” Two other policemen at the same station told me the same.

Three days after the call for help, the real Lelyveld emerged. He was in India. Everything OK. Would be back in New York in a couple of days. We talked on the phone. He felt awful about it, and so did I when he told me that the “Madrid mugging message” had been received by hundreds of his contacts, but only I had fallen for it. It was by no means a new scam, he said, suggesting I read a recent article, Hacked!, by James Fallows in The Atlantic.

Here Fallows tells the story of what happened to his wife, whose Gmail was hacked last year. Her contacts received “Mugged in Madrid” messages. Mr Fallows has important friends, including Eric Schmidt, managing director of Google, the owner of Gmail, who told him that he, too, had received a Mugged in Madrid email.

Next day I called the Pakistani. Any news? Nothing. I went to London on work, and there talked to a friend who said “You don’t say! Gmail? Western Union? Madrid? I have a friend who just had the same thing happen to him.” I called the friend, William Reeve of the BBC. He had not been robbed as I had, but they had hacked his Gmail and sent practically the same letter (mugged in Madrid, Western Union, etc.) to all his contacts. One friend fell for it, and sent even more money than I did.

“Western Union bears a lot of responsibility in this,” said Reeve. “The hackers keep using it for their scam, because the company does nothing.” Reeve said he had looked into the matter, and found there had been a plague of emails of this type late last year. He referred me to an article in The Observer of London in October, where the writer tells of how her Gmail was hacked, and 5,000 people on her contact list had received a Mugged in Madrid message. Again, Western Union had been the recommended means.

Back in Barcelona I was determined to ask some questions of Western Union, and of the National Police. First I talked to the Pakistani. He had sent the fax to Western Union, but so far, eight days, later, there had been no answer. I called Western Union. They kept me on the phone for 44 minutes, a total waste of time. First an operator told me she could give me the name of the city where it had been received, but not the office. And then she told me she could give me neither of the two. The only thing to do was to fill out a form, make photocopies of my sender document and send it all by fax to Western Union. But I already did that, I answered. She then passed me to a supervisor who repeated the same story. Was there anyone higher up in the company I could talk to? No.

I wrote an email explaining the problem to an address given by Western Union (headquarters: Englewood, Colorado) for its customers, but, though I paid more than 50 euros in “commission” on top of the lost thousand, it has not answered.

I spoke again with the chief inspector Enrique Rodríguez. Given the international rash of Mugged in Madrid messages, was the Technological Investigation Brigade looking into the Madrid. “No. There’s no reason for it,” he said. And wasn’t it funny how they had picked Madrid, of all places? “This is not a determinant factor. Madrid has a certain reputation for muggings. This is no longer true, but legends die hard. Madrid is a cosmopolitan city visited by lots of people, and the reputation is useful to them because it makes the bait easier to swallow.”

So — there is no connection between Madrid and the scam? “No. In Madrid they never appear. It’s a coincidence.” But, I went on, perhaps there is some practical reason why they use Madrid, or at least Spain. And I repeated my earlier idea of setting a trap for them. The problem with that, he said, is that there would be no time for what you propose. The Western Union service is practically instantaneous. “You send the money, and it’s received 10 minutes later, in Spain, or London, or wherever. This works in the crook’s favor.”

It was my impression, I said, that Western Union offered a wonderful instrument to swindlers, or to terrorists, to move money around the world. He answered that Western Union was a perfectly legal company that in no way lent itself to such practices. But he did admit there was a problem. To obtain the information that I had sought about where my money had gone, the police had to get a court order (the Western Union operators I talked to had not informed me of this fact). “There is a data-protection law that prohibits giving out information about any personal data.”

Yes, I answered, but here we’re not talking about personal data. I only wanted to know the city and office where my money was received, and now it appeared that not even the police could find out without getting into the judicial bureaucracy. “Well, yes,” said the inspector. “It’s a circumstance that’s hard to understand, since there is no personal information involved.”

In other words, the law that applies to these cases could be reexamined. Not for my sake, but for that of shutting down a scam that has been operating with impunity for at least a year. A nagging doubt remains as to why the Spanish police, or Interpol, for example, seem to have done nothing to investigate whether there is anything more than coincidence in the now world-famous expression “Mugged in Madrid.”

Recomendaciones EL PAÍS
Recomendaciones EL PAÍS