Turning the tables on a scammer… by contacting his mum on Facebook

Using the same username across the web? That may have its drawbacks…

Graham Cluley


Some scammers think the chances of the police ever catching them are low, but there’s one thing they are afraid of: their mum.

Security researcher Christian Haschek tells the story of how he tried to sell some Apple gift cards online that he won in a competition, but ended up handing over the gift card codes… and not receiving any money in return.

Although the scammer tried to fade away, Haschek knew the usernames that the gift card robber had used on eBay and Reddit.


That eBay nickname had also been used on a freelance job search site, providing his first name, the first letter of his surname, and confirmation of his city.

The information collected so far brought Haschek to a likely Facebook profile belonging to the scammer – but its locked-down privacy settings prevented much further information being extracted.

No matter, one of the scammer’s friends was a lot more lax with their Facebook privacy settings, and Haschek was able to trawl through four years’ worth of old posts – eventually revealing the scammer’s full name.

So, now what? Well, Haschek found the scammer’s older brother and mother online, and sent them this message:


Hello <REDACTED>

My name is Christian Haschek and I’m the head of the security research company Haschek Solutions.

I want to talk to you about your brother <REDACTED> He is scamming people on Reddit <REDACTED>

He stole 500$ (2x 25U$) Apple Store gift cards from me personally a few weeks ago. He wanted to buy them from me. I gave him the card codes and he deleted his accounts. All I had was his IP address (located in <REDACTED>) and his Ebay account he used to assure me his karma is good)

Then I focussed my companies resources to find out who he is and within a few days we had all the information needed to take legal action.

We have found multiple IPs and Email addresses. they all connect to his steam. ebay and multiple other accounts. We also found his address <REDACTED> and his birthday.

I have contacted him several times via various sources but he keeps lying and deleting his accounts.

When I found out he is only 22 I hesitated on contacting the <REDACTED> state police because I too at his age did stupid things and I don’t want to ruin his future because of this.

<REDACTED>

I wanted to consult you on how to continue with this matter, as I said I don’t want to ruin his life but I need to know that he won’t scam people anymore.

Best regards,
Christian

Check out Christian Haschek’s blog post to find out what happened next. :)

So, what can we learn from this?

Well, when you reuse usernames across the web you’re helping others pull the strands of information together to weave a picture of who you are, where you might live, and what your interests might be.

Furthermore, take Facebook privacy seriously and be careful what you post and how you share it. Sadly it’s not enough for you to be careful with your online privacy – you also need your friends, family and colleagues to be just as wise to the risks of sharing too much information.

Finally, take care when you sell things online.



Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.

3 comments on “Turning the tables on a scammer… by contacting his mum on Facebook”

  1. Alex

    Had I received it, I would have thought the original letter was a scam in and of itself considering the poor composition and spelling.

    1. SJM · in reply to Alex

      If you had a bit of consideration you would have deduced that English is not Mr. Haschek's first language since he is from Austria.

  2. Rick

    I feel I have been left high and dry. What did his brother or mother do?
