Skip to main content
  1. Writing/

From Canada with Money - Watch Out for the Old-School Mail Scam

·3607 words
scam privacy personal-data security mail
Table of Contents
This post talks about a scam and includes references to emails and domains used in received communications. Because these domains are not verified and associated with, what seems like, scam activity, I highly recommend not navigating to the URLs on your primary devices - all testing has been done in a virtual machine (VM). I do not know what other content these websites host and what malware those can carry.

The other day one of my friend shared an interesting letter they received, that I thought I’d cover on this blog. It all started with them peeking at their USPS Informed Delivery digest to see that there was a letter headed to them postmarked with an automated Canada Post label.

A non-descript envelope postmarked with Canada Post.
A non-descript envelope postmarked with Canada Post.

For privacy reasons, I removed all possible identifying information above - the address was not, in fact, pixelated when it arrived. They didn’t expect a letter from Canada, and one that had no other identifying markers on the envelope, at that.

The content of the letter #

At a glance, the envelope looked a bit scary because it was so non-descript. Were they receiving it because they got some automated traffic ticket after their recent trip to Toronto?

Once the letter landed in their mailbox and they opened it, they were greeted with this wonderful outline:

A fake legal letter. There are too many red flags to count.
A fake legal letter. There are too many red flags to count.

For accessibility purposes, the letter reads:

Beckley, Zurawski & Associates LLP

Address: <REDACTED>

ON K2P Canada

Tel: <REDACTED>

E-mail : info[@]beckleyzurawskillp[.]com

Website: www[.]beckleyzurawskillp[.]com

Ref: <REDACTED>

Date: Toronto October 13, 2024

Dear <REDACTED>,

My name is Mr. James Zurawski, I am a partner at Beckley, Zurawski & Associates LLP, in Ontario, Canada. Apologies if my letter came to you as a surprise, since there has been no previous correspondence between us. There is an unclaimed “permanent life insurance policy” held by our deceased client.

This transaction pertains to an unclaimed “Payable on death” (“POD”) savings monetary deposit in the sum of Ten Million Eight Hundred & Twenty Thousand United States Dollars ($10,800,020.00). The policy holder was one of our clients, late Dr. <REDACTED>, who was a real estate investor and precious stone dealer. She was a Covid-19 victim, who died about 4 years ago. Since Her death no one has come forward for the claim and all our efforts to locate her relatives have proved unsuccessful.

The insurance company code stipulates that “Insured Permanent Policies” not claimed must be turned over to the abandoned property division of the state after 2-3 years.

Therefore, I ask for your consent to be in partnership with me for the claim of this policy benefit, in view of the similarity in the same last name and nationality with the deceased. If you permit me to add your name to the policy, all proceeds will be processed on your behalf. I wish to point out that I want 10% of this money to be shared among charity organizations while the remaining 90% will be shared between us.

This is 100% risk free. I do have all necessary documentation to expedite the process in a highly professional and confidential manner. I will provide all the relevant documents to substantiate your claim as the beneficiary. This claim requires a high level of confidentiality, and it may take up to fourteen (14) business days, from the date of receipt of your consent.

Contact me via: jameszurawskilaw[@]gmail[.]com

COPY: jameszurawski[@]beckleyzurawskillp[.]com for more details.

Your earliest response to this matter would be highly appreciated.

Now, this entire letter is a giant red flag - this scam style has been known for decades, but I had time this weekend to entertain myself with digging more into it to have definitive proof that this was a scam and warn others that this is going around (again, or still).

In case anyone in your personal or professional network gets one of these - feel free to toss it out. Never respond or engage with these individuals.

This letter is also extremely similar to that another individual reported on Reddit four months ago, or another from a year ago. There was also a report in the Marion County Record in 2023 about this exact scam. Sedgwick County in Kansas also acknowledges this scam. You get the idea - it’s definitely a scam. But I’m going to dig in anyway.

Red flags #

The letter alone has quite a few warning signs that stood out right away:

  1. The envelope had no return address.
  2. The envelope arrived unexpectedly from Canada.
  3. There is So Much Unnecessary Capitalization that it makes my eyes hurt.
  4. A lawyer was not able to find relatives of a deceased person so they reach out to random people that match the last name of my friend, because why not - we all know that having the same common last name means you are 100% related and can get their inheritance money that is usually in the millions.
  5. 10% to charity, 90% of the rest split “between us.” I am sure there’s a German word for this, meaning something along the lines of “Yeah, right - this is how lawyers talk in formal letters about financial amounts.”
  6. The letter is a photo copy.
  7. Contact email is a GMail address, with the ask to CC some other email that is associated with what seems like an official domain (it’s not - we’ll get to that in a second).
  8. Attempt to create proof that the millions came from a wealthy person ("[…] who was a real estate investor and precious stone dealer.") Maybe it’s just me, but I have not seen a single legal letter that talks like this.
  9. They couldn’t even match the amount of money from the text to the number - “Ten Million Eight Hundred & Twenty Thousand United States Dollars” is $10,820,000.00 not $10,800,020.00, geniuses.
  10. The physical address they provided points to a residential neighborhood, with a single family home seen on Google Maps. I removed the address from the letter above because I do not know who this belongs to - it very well could be an innocent person’s house that they just happened to grab as a random destination. Again - I don’t know any lawyer that would use their house address for legal correspondence.
  11. There are no references online to “Beckley, Zurawski & Associates LLP” anywhere but their own website.
  12. K2P is not a valid Canadian postal code.
  13. Why is “Toronto” included in the date field?
  14. They couldn’t even bother with a real signature. Just look at this pixelated JPEG-quality garbage.
"We have an official letter for you to pick up a few million dollars, but signatures - our budget ran out on that."
“We have an official letter for you to pick up a few millions of dollars, but signatures - our budget ran out on that.”

Also, what’s with the punctuation at the end of your name and title? Who does this? Even the legit James P. Zurawski doesn’t do it (who, by the way, is based in the US, not Canada, and is not associated with this whole story).

The website #

So, let’s start digging a bit. They gave us a domain, because we all know - the hallmark of any legit operation is having your own domain, not some random free BlogSpot or WordPress site. What would their site look like?

"We're in Toronto Don't worry about palm trees."
“We’re in Toronto Don’t worry about palm trees.”

Super pixelated logo at the top, a phone number (I blocked it out - no reason to include it here), some tropical environment that definitely looks nothing like Toronto or anywhere in Canada, and a bunch of generic stock images as you scroll through the page. Looks legit.

"HAHA! Yes, I too like lawyering."
“HAHA! Yes, I too like lawyering.”

The contact form goes nowhere, by the way - it returns a very disappointing HTTP 404, no matter what you submit.

As an added bonus, whoever set up the site didn’t even bother renaming the images from whatever stock site they used, so we can see this:

https://beckleyzurawskillp[.]com
  /wp-content
  /uploads
  /sites
  /181
  /2020
  /03
  /Depositphotos_131608234.jpg
A generic photo of generic people on a generic stock photos site.
A generic photo of generic people on a generic stock photos site.

Cool - so I guess they couldn’t really find any lawyers or staff for their own photos. The tropical header image actually also makes a ton of sense once we look at the CSS requests issued:

Indicators that the content is very likely lifted from somewhere else.
Indicators that the content is very likely lifted from somewhere else.

I can only assume that /summitboca/ might be referring to Boca Raton, Florida, which would explain the palm trees. Oh wait…

https://beckleyzurawskillp[.]com
  /wp-content
  /uploads
  /sites
  /181
  /2020
  /03
  /Depositphotos_289841016.jpg

Nope, yet another generic photo.

Apparently this is Hillsboro Inlet Lighthouse in Hillsboro Beach, Florida.
Apparently this is Hillsboro Inlet Lighthouse in Hillsboro Beach, Florida.

Hillsboro Beach is indeed in Boca Raton. Dammit, Beckley, Zurawski & Associates LLP. Do you have any real photos on this very real legal operation of yours?

As I was digging through some other assets that they were loading, I noticed this image:

A reference to something called TitleTap.
A reference to something called TitleTap.

That name actually rung a bell. Remember how I mentioned earlier that the CSS content was being loaded from a weird location?

https://beckleyzurawskillp[.]com
  /localwebdesigncompany[.]com
  /summitboca
  /wp-content
  /plugins
  /titletap-plugin
  /css
  /skins
  /tt-design-01-skin.css

Once I went to localwebdesigncompany[.]com, I was greeted with this:

Another reference to something called TitleTap.
Another reference to something called TitleTap.

It seems like TitleTap is a service for attorneys and title companies to easily spin up websites for their firms. According to their Twitter bio, they’re headquartered in Tampa, Florida. Their landing page looks awfully similar to that of our legal “friends”, Beckley, Zurawski & Associates LLP.

The landing page for TitleTap.
The landing page for TitleTap.

I, however, don’t think that the site I am analyzing is in any way, shape, or form associated with TitleTap. They just happened to grab the theme assets from one of the legit sites that TitleTap hosts.

Why do I think that? Well, remember this part:

localwebdesigncompany[.]com/summitboca

Boy, do I have news for you.

The landing page for Law Office of Adam Bessen.
The landing page for Law Office of Adam Bessen.

Looks familiar? As it turns out, generic stock photos were a red herring - there is a web page for, as far as I can tell, a very much legit lawyer in Boca Raton, FL, that is hosted by TitleTap. Whoever is running Beckley, Zurawski & Associates LLP just lifted the entire design of the WordPress page and used it for their own site. Without all the functionality of the legit site, of course - they can’t quite plagiarize everything.

The domain for the aforementioned fake law firm was also just recently registered. Looking them up on whois.com yields this snippet:

Domain name: beckleyzurawskillp[.]com
Registry Domain ID: 2910081718_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2024-08-22T08:57:16.00Z
Registrar Registration Expiration Date: 2025-08-22T08:57:16.00Z
Registrar: NAMECHEAP INC

Created this past August. Maybe this is a freshly registered law firm? Let’s do a search on the Canadian Bar Association website.

Find-A-Lawyer seems oblivious to one of the names used.
Find-A-Lawyer seems oblivious to one of the names used.
Find-A-Lawyer seems to also be oblivious to the other name used.
Find-A-Lawyer seems to also be oblivious to the other name used.

That doesn’t necessarily inspire confidence now, does it? If we look at the DNS records for the domain beckleyzurawskillp[.]com we see that they do host with UnReal Servers, LLC, a hosting company headquartered in Kansas City, MO. For comparison, all the sites produced by TitleTap seem to be hosted on Digital Ocean. Another notch for my hypothesis that whoever is running the Beckley and Zurawski operation is likely lifting legit content from the TitleTap template and hosting it somewhere else.

What about the others? #

Others? What others, you may ask.

As I was digging through this, I decided to use some Google probing for the verbiage used on the site - “a full-service Canadian based law firm with expertise in the areas of Real Estate, Succession Law, Business Sales and Acquisitions”. This is the verbiage that was also lifted from Adam Bessen’s (the lawyer from Florida) legit website.

Surprisingly (or not surprisingly), the search yielded a few extra domains that seemed to fall into the exact bucket of fake law firms:

https://perenlaw[.]com/
https://www.alphalawoffice[.]com/
https://avantcorporatefirm[.]com/
https://barnesboisvertllp[.]com/

The content on each of these sites is ever so slightly different from each other, but otherwise almost entirely identical, to the pixel (other than logo pixels, of course):

  • Perez, Nguyen & Associates LLP: “Thai Nguyen , Esq, has been serving the Toronto market for over 25 years.
  • Alpha Law: “Brian Graff , Esq, has been serving the Edmonton market for over 25 years.
  • Avant Corporate Law Firm: “George Bruce, has been serving the Ottawa market for over 15 years.
  • Barnes, Boisvert & Associates LLP: “Sean Boisvert , Esq, has been serving the Toronto market for over 25 years.

These folks have been proudly serving the Canadian markets for the same amount of time, and clearly are on the same wavelength with each other because all their websites look the same and use the same text.

What’s hilarious about Avant Corporate Law Firm is that, despite being Canadian according to their website, the homepage features the Pueblo County Courthouse and on their About page there’s a featured photo of the Burj Khalifa in Dubai. For as much as these firms operate in Canada they sure can’t find a single photo of a Canadian city or courthouse.

And of course, looking up every single name above yields nothing on the Canadian Bar Association’s “Find-A-Lawyer” page.

Let’s compare #

For each of the domains we have, let’s compare the registration data to see if there is overlap:

Domain Website Host Registrar Registration Date Has MX Records Registrant Privacy Enabled
beckleyzurawskillp[.]com UnReal Servers, LLC NameCheap 2024-08-22 βœ… βœ…
perenlaw[.]com velia.net Hosting Concepts B.V. d/b/a Registrar.eu 2024-04-17 βœ… βœ…
alphalawoffice[.]com velia.net Hosting Concepts B.V. d/b/a Registrar.eu 2024-04-13 βœ… βœ…
avantcorporatefirm[.]com OVH SAS OwnRegistrar, Inc. 2024-05-13 βœ… βœ…
barnesboisvertllp[.]com velia.net OwnRegistrar, Inc. 2024-05-25 βœ… βœ…

There is some overlap - hosting companies and registrars, along with very recent registration dates. All of them have MX records that point to the fact that likely there is an actual email server attached to them. However, the MX records are pretty barebones, making me think that they most of the time don’t actually have an inbox associated with the domain. That’s the reason they want you to email your interest to the GMail address and CC the official address. Because the official address will bounce.

What I also have access through OSINT tools available online is WHOIS history. This will allow me to check each of these domains for any changes to registration metadata to see if there are any slip-ups, where the registering person potentially exposed who they are.

And sure enough, one of the domains had the full information listed (reminder - if you are registering domains, enable WHOIS privacy protection, it’s free).

WHOIS records showing the true registrant of a domain.
WHOIS records showing the true registrant of a domain.

This same individual also registered a few other domains, among which the following stood out:

https://ravenlawfirm[.]com/
https://suntrustcreditunion[.]com/

Raven Law Firm (not to be confused with RavenLaw, a legit legal company based in Canada) boasts that it has an all-star crew of legal experts working for you:

WHOIS records showing the true registrant of a domain.
WHOIS records showing the true registrant of a domain.

It’s too bad that reverse Google image search works as well as it does, because the first picture of Peter Bruno is actually that of an author - Matt Kingsley, with zero published books on Amazon. Or is he really an author? Maybe he is the “confident man in stylish outfit sitting at table.” This guy is either a polymath with different names, or this is yet another example of stock photo use. It won’t surprise you to learn that the other two photos are also stock from Pexels, a royalty-free image service.

The SunTrust Credit Union has an unknown purpose - it’s clearly not a real bank, it doesn’t have any references online other than its own website, and the address points to a plaza in Toronto that doesn’t have the organization listed as a customer. It also somehow targets Canada:

Businesses all over Canada are united by one thing: Ambition. Suntrust Credit Union wants to help local businesses keep up with their ambitions, whether that’s growing a global business, becoming the best in their field, building a stronger local community, or even creating a lifestyle where they can spend more time with their family.

Not suspicious at all. The website also uses the open-source iBanking project for the customer authentication flow that happens to collect some personal information (zero clue what happens with that data once entered). The domain also has MX records with Google, so very likely it has a Google Workspace subscription attached to it.

Do keep in mind that the author of the open-source project is likely not affiliated with the owner of the aforementioned websites - their project just happens to be used on the “bank” website.

All of this, of course, is circumstancial evidence. I cannot, hand to the flame, claim that the person for this one domain is responsible for all of them. They might’ve used fake information in the WHOIS record too, since anyone registering a domain can write whatever they want there, especially if this is a throwaway scam domain they aren’t worried about maintaining long-term. However, what we see is that:

  1. All of the aforementioned domains host websites that represent fake legal firms that have no references in the Canadian Bar Association index.
  2. The verbiage used across sites is oddly consistent, stolen from a legal firm in Florida.
  3. Most websites look the same, with a lifted WordPress theme from a the same legal firm in Florida.
  4. All websites claim to be Canadian, yet there are no references in Canada to these businesses.
  5. All of the websites use seemingly random Canadian addresses, including residential, that do not indicate a real physical presence.
  6. One of the websites for the made-up law firm with the same verbiage as a bunch of others had the WHOIS record unprotected.
  7. According to WHOIS records, the same individual also registered other domains - one for another made-up legal firm and the other for a credit union, both represented as Canadian on their websites.

It’s possible this person got really lucky in copying one specific piece of text on their site from one very niche lawyer in Florida, or maybe they are connected to all of the pages above. From the data we see online, they are not in Canada, and certainly do not maintain any Canadian businesses.

Conclusion #

I don’t need to theorize much on what happened. Whoever tries to maintain this fake lawyer collection is interested in scamming real people out of their money through a version of the advance-fee scam. To do that, they use data from the many unscrupulous data brokers that collect and disseminate our private information (including names and addresses) to identify people’s physical location and then craft a legal letter with a random name as a “deceased” person that miraculously matches the last name of the addressee. Scam as old as time - nothing new here.

The sites are clearly spun up as “fronts” to provide legitimacy - the functionality on them is irrelevant. Even though the contact form doesn’t work and they’re packed with stock photos, that doesn’t matter to your Average Jane and Joe, especially if this is targeting elderly folks or those that are not technologically proficient. To them - they see a website, and that’s good enough. That means it’s all good and real (good luck explaining to your grandma that anyone can register a domain and spin up a landing page). Even the letter alone looks official enough for the untrained eye.

The letter is sent through physical mail to provide legitimacy too. Email is finicky - things get caught in the spam filter too easily, but there is no spam filter for your physical address, so you have guaranteed delivery. Of course, your letter can get trashed right away, but that’s why the envelope is non-descript - there is no indication on it that tells you what it is about, forcing you to open it.

At that point, once you read the letter, there are two reactions:

  1. This is a scam,” and you trash it.
  2. Oh interesting, let me contact them,” and then write the email as stated in instructions.

Again, and I can’t emphasize this enough - the average person sees a legal letter, even a made-up one, and they aren’t likely to dive too deep into the details, like a pixelated signature or a non-existent postal code. They will visit the site, see that it appears to be a real firm, and then write the email. The vast majority of people won’t be Google-ing for verbiage on the site to see if it was lifted somewhere else or whether the network requests point to a different origin.

The letter is also sent via what seems like business mail - whether the owner of the operation is in Nigeria or not based on the WHOIS records, they have a proxy in Canada who is able to send pre-paid mail with a dedicated account ID (4675363 for any Canada Post employees reading this). Said proxy is responsible for sending out mail to appear as if it originates in Canada (and it does).

So, what am I doing about this? I am contacting the Canadian Anti-Fraud Centre to report the postal account. I am not confident anything will be done about it given just how wide-spread this scam is, but even as a statistical data point it’s important to make sure that folks know about this style of scams going around.

To your friends, relatives, and colleagues, keep hammering the idea home - if it’s too good to be true, it is extremely likely a trap. Be vigilant with your mail, even the snail type.