Federal agents say the first hint of trouble came last week — complaints from a humanitarian organization in Portland, Oregon called Mercy Corps.
The investigative trail ended Thursday with the arrest of a Pittsburgh man, an unemployed painter named Matthew Schmieder.
In court documents, investigators say Schmieder sent out 800,000 e-mails, claiming he was raising money for tsunami aid. In fact, the FBI says, he told agents he thought it would be OK to keep the money to fix his car and pay bills, if he gave some of it to charity. Everybody needs money, agents say he told them.
Late Thursday, Mercy Corps said it was stunned and saddened to learn someone was trying to misuse its name.
Solicitations looked genuine
"We've processed more than 40,000 online gifts successfully with no problem at all," says Mercy Corps Chief Development Officer Matthew DeGalan. "So the thought that somebody was trying to take advantage of this for their own gain made us all mad."
Investigators say Schmieder's e-mails contained elements from the real Mercy Corps Web site to make it look like his solicitations were genuine. Recipients were told to respond to an e-mail address he set up.
The FBI says he didn't get very far, banking only $150 before he was shut down.
Schmieder faces fraud charges that carry a maximum 20-year sentence — tough charges for a crime the FBI says it takes very seriously. And agents say dozens of other potential scams are now under investigation.
Tsunami scams began to proliferate almost immediately after the disaster struck, as con artists wasted no time jumping on the chance to steal money and personal information from vulnerable, charity-minded Net users.
Most of the scams take the form of phishing e-mails and their companion "landing" Web sites. The now-familiar con strategy involves creating e-mails that appear to be from a charitable organization or company, complete with convincing logos. But they include a link to an authentic-looking Web site controlled by a hacker, who then steals information entered into the site and uses it to commit identity theft.
Nameprotect Inc., a service that monitors the Internet for trademark abuse by phishers, said it has spotted more than 170 suspicious Web sites and turned the list over to the FBI. Many of the sites use clever variations of the name Red Cross or Mercy Corps, said CEO Mark McClean.
"They register a site that looks like the Red Cross, but with an extra 'd' or something like that," he said. The number of sites continues to rise, he said. "We think this is a fairly big problem on the Net right now."
Dave Jevans, who spies phishing e-mail trends as chairman of the Anti-Phishing Working Group, said the problem of tsunami scams was significant, but "not huge."
Giving charities on the Net a bad name
"About 1 to 2 percent of the phishing attacks we see right now" are tsunami scams, he said. It's unclear how many people have fallen for them.
Still, experts at Consumers Union are concerned that even raising the suspicion of scams gives a black eye to Internet-based charitable giving, and that hurts the effort to help victims.
"Every time people hear about this, and the same thing happened after 9/11, I'm concerned it may make people skeptical about using the Web to do good," said Beau Brendler, director of Consumers Union's Consumer WebWatch. The consumer group is also worried that the audience for these scam e-mails is much wider than for most phishing notes, which purport to be from a specific company.
Such e-mails apply only to some recipients; for example, a fake Citibank e-mail can only entice Citibank customers. But tsunami donation e-mails could trick anyone, said Consumers Union's Gail Hillebrand, who was relieved to hear about the arrest.
"The impulse to generosity is important and should be protected," she said.