Preventing Fraud and Identity Theft
In 2009 the Internet Crime Complaint Center (IC3), which acts in partnership with the National White Collar Crime Center and the FBI, received more than 336,000 complaints on its website and referred over 146,000 to law enforcement agencies for further consideration. The total loss from all of these cases was about $560 million. You may be at risk if you answer “yes” to any of the following questions:
- Do you visit websites by clicking on links within an e-mail?
- Do you reply to e-mails from persons or businesses you are not familiar with?
- Have you received packages to hold or ship to someone you met on the Internet?
- Have you been asked to cash checks and wire funds to someone you met on the Internet?
- Would you cash checks or money orders received through an Internet transaction without first confirming their legitimacy?
- Would you provide your personal banking information in response to an e-mail notification?
For more information on Internet fraud visit www.LooksTooGoodToBeTrue.com.
If you become a victim of Internet fraud or receive any suspicious e-mails you should file a complaint with the IC3 at www.ic3.gov. Its website also includes tips to help you avoid a variety of Internet frauds. Some of these are presented below.
Delete any suspicious e-mail without replying, especially the following:
- Business opportunities to make money with little effort or cash outlay
- Offers to sell lists of e-mail addresses or software
- Chain letters involving money
- Work-at-home schemes
- Health and diet claims of scientific breakthroughs, miraculous cures, etc.
- Get-rich-quick schemes
- Free goods offered to fee-paying group members
- Investments promising high rates of return with no risk
- Kits to unscramble cable TV signals
- Guaranteed loans or credit on easy terms
- Credit repair schemes
- Vacation prize promotions
- Special offers that require a credit check and a small fee for verification expenses to be paid by a credit or debit card
- Notices of prize or lottery winnings that require you to pay a fee to cover expenses
Online shopping frauds.
Do not use a debit card when shopping online, especially on an unfamiliar website. If something goes wrong your account can be emptied quickly without your knowledge. This can result in overdrafts, fees, and an inability to pay your bills. Even if your bank offers a fraud guarantee it is not obligated to restore your funds for at least two weeks while it investigates. If you use a credit card the federal Fair Credit Billing Act limits your liability to $50 for any unauthorized or fraudulent charges made before you report the billing error. To protect yourself you need to do the following:
- Write to your credit card company within 60 days after the date of the statement with the error and tell it your name and account number, that your bill contains an error and why it is wrong, and the date and amount of the error.
- Pay all other charges. You do not need to pay the disputed amounts.
Consumers should be aware that if a deal looks too good to be true, it probably is. An example of such a scam occurred in December 2009 when the victim located a car on the Auto Trader website and contacted the seller directly by e-mail. He was told that the car would be shipped to him for inspection and approval if he wired the money to a bank account where it would be held in escrow. He wired the money but the car never arrived. To prevent this kind of scam consumers need to be diligent in verifying all the parties involved in the purchase by phone calls, face-to-face meetings, etc. In a similar case the consumer asked to see the car before wiring any money. The scammer ended all contacts at that point.
Another example involved a Craigslist ad for a vacation apartment rental in New York City. The renter was told he had to act fast and wire the money or he’d lose out on this good deal. All three elements of a typical scam were present in this case: (1) act fast or lose the deal, (2) wire the money, and (3) a price that was too good to be true.
Online scams also promise great deals on airline tickets, timeshare properties, and vacation packages. The biggest red flag is when payment is requested by a wire transfer. It’s difficult to track these transfers and almost impossible to get a refund. Check out the company offering the deal before making a purchase. If it and the deal appear to be legitimate, pay by credit card and not by wire. Then if the deal turns out to be fraudulent, you can dispute the charges as indicated above.
For additional information on this and other privacy issues visit the Privacy Rights Clearinghouse’s website at www.privacyrights.org.
In an e-mail scam known as “phishing” identity thieves fish for personal information by sending realistic-looking e-mail that asks recipients to go to a bogus website and provide personal information such as a credit card number or a Personal Identification Number (PIN). Legitimate banks and financial institutions don’t send e-mails asking you to verify your account information. They already have it. The following are examples of scammers posing as the Internal Revenue Service (IRS), Federal Bureau of Investigation (FBI), Federal Deposit Insurance Corporation (FDIC), and the Centers for Disease Control and Prevention (CDC).
Each year during tax preparation time there is a surge in the number of frauds by criminals posing as IRS officials to obtain personal information for identity theft. The IRS never sends out unsolicited e-mails or asks for detailed personal and financial information. Any such e-mail is a fraud. So are telephone calls from someone stating they are from the IRS. Go to the IRS website at www.irs.gov for information on the latest scams and instructions on how to protect yourself from suspicious e-mails or phishing schemes. The IRS also recommends forwarding the suspicious e-mail to it at firstname.lastname@example.org.
Fraudulent e-mails have also been sent out by criminals posing as FBI agents and officials. They give the appearance of legitimacy by using the FBI seal, letterhead, and pictures of the FBI Director. They may also claim to come from the FBI’s domestic or overseas offices. Like the IRS, the FBI does not send out e-mails soliciting personal or financial information. For more information on this kind of fraud go to the FBI website at www.fbi.gov and click on New E-Scams and Warnings under Be Crime Smart.
Another agency that has become aware of fraudulent e-mails in its name is the FDIC. These ask recipients to “visit the official FDIC website” by clicking on a hyperlink that directs them to a fraudulent website that includes hyperlinks that open a “personal FDIC insurance file” to check on their deposit insurance coverage. Clicking on these links will download a file that contains malicious software to collect personal and confidential information.
On Dec. 2, 2009 the CDC issued a health alert warning people not to respond to an e-mail referencing a CDC-sponsored state vaccination program for the H1N1 (Swine Flu) contagion that requires registration on www.cdc.gov. People who click on this embedded link risk having malicious code installed on their computer. Examples of this and other hoaxes and rumors can be seen at http://www.cdc.gov/hoaxes_rumors.html.
The following tips will help you counter phishing:
- Do not open any e-mail from an unknown sender.
- Do not open any unexpected e-mail attachments.
- Do not open any attachments that ask you to reset a password.
- Do not click on website addresses in e-mails you get even if they look real. Retype them into your browser.
- Do not click on links within e-mail messages purporting to come from your bank.
- Do not double click on an Internet pop-up offering a link or provide personal information in response to an e-mail or Internet pop-up offer.
- Use the latest versions of Internet browsers, e.g., Microsoft Internet Explorer 8, which is designed to prevent phishing attacks. Use Explorer in the “protected mode,” which restricts the installation of files without the user’s consent, and set the “Internet zone security” to high. That disables some of Explorer’s less-secure features. And set your operating system and browser software to automatically download and install security patches.
- Make sure the website page you are entering sensitive information on is secure. You can tell it is secure when the address at the top of your screen where the Uniform Resource Locator (URL) is displayed begins with https:// rather than http://. You can also look for a closed padlock or an unbroken key on the bottom of your screen to indicate the page is secure. If the lock is open or the key is broken, the page is not secure. Note that on many websites only the order page will be secure.
- Keep your computer up to date with the latest firewalls, and anti-virus and anti-spyware software. The latter counters programs that secretly record what you type and send the information to the thieves. They are often installed when you visit websites from links in e-mail. Use security software that updates automatically. Visit www.OnGuardOnline.gov for more information.
- Do not buy “anti-spyware” software in response to unexpected pop-ups or e-mails, especially ones that claim to have scanned your computer and detected viruses known as malware, i.e., malicious software.
- Do not respond in any way to a telephone or e-mail warning that your computer has a virus even if it appears to come from an anti-virus software provider like Microsoft, Norton, or McAfee. “Helpful hackers” use this ploy to get you to download their software to fix the virus or sell you computer monitoring or security services to give them remote access to your computer so they can steal your passwords, online accounts, and other personal information. If you already have anti-virus software on your computer you’ll receive a security update or warning directly on your computer.
- Contact your e-mail provider. Most keep track of scams. Send your provider the suspicious message header and complete text.
- Use caution when entering personal information online.
This is phishing with text messages instead of e-mails. Beware of any messages that request personal information or give you a phone number to call. Before calling verify that the number matches the number of the named institution, e.g., your bank. And never give out personal information unless you have initiated the call.
In another scam known as “whaling” fake e-mails have been sent to high-ranking executives to trick them into clicking on a link that takes them to a website that downloads software that secretly records keystrokes and sends data to a remote computer over the Internet. This lets the criminal capture passwords and other personal or corporate information, and gain control of the executive’s computer. In one case fake subpoenas were sent to executives commanding them to appear before a grand jury in a civil case. The link that offers a copy of the entire subpoena downloads the malicious software.
Social Networking Dangers.
Virus creators, identity thieves, and spammers are increasingly targeting users of social networking sites in an effort to steal personal data and account passwords. One of the tactics they use to gain access to this information involves sending social networking users e-mails that appear to come from online friends. For example, some Facebook users have been receiving e-mails from their “friends” that claim to contain a video of them. When they click on it they download a virus that goes through their hard drives and installs malicious programs. The virus, known as Koobface, then sends itself to all the friends on the victim's Facebook profile. A new version of the virus also is affecting users of MySpace and other social networking sites. Cyber-criminals are tricking social networking users into downloading malicious software by creating fake profiles of friends, celebrities, and others. Security experts say that such attacks, which became widespread in 2008, are increasingly successful because more and more people are becoming comfortable with putting all kinds of personal information about themselves on social networking sites. They warn that users need to be very careful about what information they post because it can be used to steal their identities. Facebook users should become a fan of its security page at www.facebook.com/security, which has posts related to all sorts of security issues, tips, resources, and other information.
To avoid problems on social networks or anywhere on the Internet, users should:
- Do not click on any links, videos, programs, etc. provided in messages, even if a “friend” encourages you to click on them.
- Get program updates from the company’s website, not through a provided link.
- Customize your personal privacy settings so only your friends have access to the information you post.
- Scan your computer regularly with an updated anti-virus program.
- Be suspicious of anyone, even a “friend,” who asks for money over the Internet.
Cybercriminals are now creating illegitimate websites that will receive high search-engine rankings and thus attract the attention of persons searching for information on a particular subject. Persons just visiting those sites risk having their computers infected with viruses. And if they click on any links in those sites they risk becoming a victim of identity theft and various scams, e.g., ones that claim you can make a lot of money for a small initial investment. To avoid these problems users should:
- Keep your computer’s anti-virus system up to date with the latest firewalls and software.
- Use caution clicking on links that claim to provide videos or information on hot topics in the current news, e.g., the earthquakes in Haiti and Chile. And be aware that the bad guys are now tricking Google into telling you that the link is a PDF file, which makes it look more authentic.
- Do not click on links to other websites. Look up the address elsewhere and retype it into your browser.
- If the link address is correct, before clicking on it check to see where you would actually go. You can do this by moving your mouse pointer over the link and reading the address in the box that pops up over the link. Do not click on the link if this address does not match the one in the link.
- Use the tips provided above to counter phishing.
Do the following to make sure a website is legitimate, especially if you are planning to make a purchase of a name brand product:
- Check that the domain name is spelled correctly.
- Check that the domain name ends in .com, .org, or .net. Those ending in .cn for China or .mn for Mongolia are likely to be fraudulent.
- Call the phone number posted and talk to a live person.
You receive an e-mail saying “A friend has sent you an e-card.” The e-mail appears to be from a legitimate card company, but malware or a virus is downloaded into your computer when you click the link to see the card. You should delete the e-mail if you don’t recognize the sender or if you are instructed to download an executable program to view the e-card. And make sure your computer has adequate anti-virus protection.
And even if you recognize the sender your computer could be harmed if the incoming e-mail is phony and you click on a link to an e-card or open an attachment. This happened around Christmas time in December 2010 when employees of various government agencies received phony holiday messages that appeared to come from the White House.
Security alerts. Security warnings and information on a wide range of Internet security threats are available at no cost to the public from Websense, Inc. on its website at www.websense.com. (Websense discovers and investigates advanced Internet threats and publishes its findings to enable organizations to protect employee computing environments from increasingly sophisticated and dangerous Internet threats.) You can sign up to receive free security alerts by e-mail by clicking on “more” in the box entitled Security Effectiveness Center, and then, on the page entitled Top Client Web Application Attacks, clicking on “Sign up to receive security alerts” under QUICK LINKS. From that page you can also see its insights on the latest security trends and visit its Security Labs blog.