Happy Trails Computer Club

Deception and Deceit on The Internet -- Scams, Hoaxes, Fraud and Identity Theft

The Internet is a natural breeding ground for scam artists and vandals because it lends itself to anonymity. Perpetrators can hide very effectively by "spoofing" or quickly changing their email address, and/or by using offshore or "zombie" computers.

Email spam and bogus websites are often used to perpetrate fraud. Virtually all spam conceals a scam of some sort. If it's too good to be true, it isn't, but spam and bogus webpages can be mighty alluring.

Identity-theft is probably the worst fraud that you can be a victim of. Phishing victims lost $1.2 billion to identity-theft related fraud between April, 2003 and April, 2004. "The Internet's becoming a very dangerous place to conduct financial business unless you're willing to scrutinize your activities very closely," --Avivah Litan, Gartner Research Vice President

Social engineering

The usual starting point for dirty tricks, scams and fraud is "social engineering" -- the art of getting people to drop their guard. A good social engineer can get many people do something or reveal something when they'd ordinarily refuse. Good virus writers carefully engineer their email message to get people to open their virus-carrying attachment.

Malicious software often "piggy-backs" on legitimate software. The file that you download and run does just what it claims it will. However it also does it's dirty work on the sly. For example, it also might install a Trojan horse, or spyware. The social engineering in this case is simple. You are attracted to something useful, and for some reason you don't think to check if you could get more than you bargained for.

The most widespread strain of social engineering is called "phishing". You might get an email, popup window, or even a phone call, which asks for information to clear up a problem with your account or credit card. Something alon the lines of, "Can you verify your password (date of birth -- account number -- any personal detail) for us?" Organized crime is getting into phishing because it's so successful. The attacks have become very sophisticated.

If you read or hear anything similar, it should be a hugh warning, no matter how the request arrives. If you didn't initiate the contact yourself, be very afraid. Don't respond. Contact the financial institution directly to check it out.

It's a jungle out there

The Internet makes it easy to deceive the credulous, and sometimes the not-so-credulous. It's just the nature of things. Many savvy people have been taken in by some clever con-artist's email or webpage. The Internet is seen as an open, free-spirited sort of place on the surface. This perception often fosters misplaced trust and wishful thinking. People forget that it's easier to hide motives, and avoid detection and prosecution on the Internet than it is in real life.

"...online auction fraud has been the single largest category of Internet-related complaints to the U.S. Federal Trade Commission’s (FTC) Consumer Sentinel international database — 51,000 complaints in 2002, and officials expect even more in this year’s final tally."

Web sites and email both lend themselves to scams and fraud -- not to mention hoaxes, conspiracy theories and urban legends. Virtually all spam contains deception of some kind. Bogus email often links to a bogus Web site to complete the scam. You're not as vulnerable to immediate physical attack on the Internet though.

The answer is to always be on guard against scams and fraud. Think before you decide to buy anything on the Internet. Especially if you didn't go looking for it. Why are they in business? Why are they offering what they offer? A legitimate business will never ask you for private information such as credit card information or your account password in an e-mail. They may direct you to a Web site to enter it, but be sure it's the real deal. It's very easy to counterfeit websites.

Examples

Don't get hooked...

"Phishing" is a newer form of social engineering. Con artists phish by spamming the world with counterfeit email. Their message appears to come from widely a recognized business like Sprint, America Online, eBay, Yahoo!, American Express, etc. It may even incorporate copies of the company graphics. These fake messages urgently request some personal information -- your account number, date of birth, Mother's maiden name, credit card expiration date, etc. The Internet bottom feeders love to misspell words, especially namess for dirty tricks like Phishing.

The objective of Phishing trips is get into your account, or worse yet, steal your identity. Phishing works because there are always a few phish biting. A recent victim lost $4,350 from his bank account when he was hooked by a fake message claiming to be from PayPal. (PayPal has started to warn visitors about these scams.) [banking scam]

David Jevans, the chairman of The Anti-Phishing Working Group, a group of Internet service providers, banks and other companies said that the average phishing trip will reach between 50 thousand and one million email in-boxes. They identified over 1,000 different scams in May of 2004. That amounts to around 3 million baited hooks per day.

Phishing scams are becoming more devious. In one of the latest eBay scams, when you click on a link it opens two Web pages. One is a real eBay page, and the other is a fradulent form that opens on top of it. When you fill in the form, your private details goe directly to the scammer. [article] [interesting examples]

A legitimate business will never send a message asking for private details. Don't follow the instructions or links given in an email message, even though it looks urgent and legitimate. Start your browser, and go to the Web site directly. Type their address in yourself. If there’s no information at their site about the alleged problem, contact the business directly if you're still concerned.

"Toll free" scams are vicious. Here how they work: A bogus message announces an unclaimed prize, a vacation offer or whatnot. All you need to do to take advantage of it is to call what looks like a toll free number. Trouble is, it's not really a toll-free number. It just looks like one. The call goes to an offshore location, and can cost hundreds if not thousands of dollars in just a few minutes. Think about that enticing offer before you dial. Why would anyone be that nice to someone they don't even know? If someone offered you a free sandwich on the street, would you eat it?

The "Nigerian" scam is both amusing and a serious ripoff. This and other "419" scams have fleeced victims of more than $150 Million so far. Update: The perpetrator, or at least one perpetrator of this scam was recently nabbed in Southeast Asia. Watch out for copycats though.
http://www.consumerwebwatch.org/news/Barrett/419fraud.htm
http://www.snopes.com/inboxer/scams/nigeria.htm

See for yourself

It's not possible to know about every scam, hoax or fraud. It does pay to understand more about how they work, because even experts get hooked at times. The links below will take you to a number of other interesting examples to learn from.

http://www.consumerwebwatch.org/news/Barrett/1103_AOL.htm
http://www.dslreports.com/shownews/36359
http://www.dslreports.com/shownews/36376
http://www.dslreports.com/shownews/36402

Tips for avoiding fraud online

Be careful where you shop online: Always use a credit card -- never a debit card -- the protection against loss is usually much better. You can also get credit card surveillance for $29.95 per year. [safe shopping online]

FBI and Federal Trade Commission tips to avoid Internet scams that use bogus email and Web sites to get personal information:

* Be wary of unsolicited e-mail that asks, either directly or through a Web site, for personal financial or identity information, such as a Social Security number or passwords.

* Don't click on the links provided in such e-mail.

* When updating account information use a familiar process, such as visiting the known Web address of a company's account maintenance page. Unfamiliar addresses for this probably are fake.

* Make sure an Internet connection is secure — with an icon of a lock visible on the Web browser — before submitting personal information.

* Monitor credit card and bank statements for unauthorized charges.

* If an e-mail or Web site is in doubt, make sure the request is authentic by contacting the company directly by phone or through a Web site or e-mail address known to be authentic.

* People victimized by a fraudulent e-mail or Web site should contact their local police department and file a complaint with the FBI and the FTC. Consumers also should report fraudulent or suspicious e-mail to their Internet service provider.

Resources

MillerSmiles
Infinisource
Internet ScamBusters
Federal Trade Commission
How to Avoid Internet Investment Scams
Fraud Bureau
"There's a sucker born every minute." -- P.T. Barnum
club stuff
help
topics
computers
software
hardware
internet
security
overview
   lost? > index
attack vectors
   attachments
   deception
   email
   hackers
   web sites
   worms
defenses
   #  2  3
safe settings
   system
   browser
   email client
safe practices
   patching
   email
   attachments
   surfing
   file handling
defense tools
   malware
   antivirus
   anti-trojan
   firewalls
defense tests
privacy
resources