Internet Scams - Phishing Scams - Identity Theft
No, it isn't a misspelling, or a way to entertain yourself by playing a game on your computer. It isn't a game at all. Millions of people succumb to these well-thought-out and cleverly devised scams every year:
- You receive an e-mail from your bank, asking you to confirm a charge from a hotel that you have never been to.
- A credit card company sends you an e-mail telling you that you need to log in to your account within the next 24 hours to confirm your account details, or your account will be suspended.
- You get an e-mail from Amazon explaining that during their last account update they could not verify all of your account information, and that you need to log in to your account to verify that information.
- PayPal sends an e-mail telling you that they have reason to believe that your account has been hijacked by a third party, and that you need to log in to your account to verify your identity.
In all of these cases there are helpful links embedded in the e-mail, so that you can simply click here to quickly address the issue that is described.
They all sound like they may be legitimate issues, and there is certainly a sense of urgency. Fix this now, or something bad will happen. And, as you will see below, the e-mails really look and feel like they are from the legitimate business. The logos are there, the colors and fonts are the same, the layout is correct, everything looks right. The problem is that when you click on the links provided you will not be taken to the legitimate website, but will instead go to an imposter site, where the masquerade will continue. Here's the basic definition of Phishing, from Webopedia:
(fish´ing) (n.) The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
Here is a copy of an actual phishing e-mail that I received just last week, claiming to be from PayPal:
Here is another one trying to hijack your Amazon account (as described in Anti-phishing.org):
As you can see, a fair amount of work went into these to make them look real. And they do look legitimate; no one can be blamed for believing that they are exactly what they claim to be. Unfortunately the deceit doesn't end here. If you do acquiesce and click on one of the links provided, you will be taken to an equally deceptive website, which looks equally real (again as described in Anti-phishing.org):
From here it is only a few short steps and a couple of quick clicks to giving away your money, your hard-earned credit rating, and your actual identity, which includes nothing less than your ability to control your own future (at least for the next couple of years while you get this mess straightened out).
So what's to be done? How can we possibly defend ourselves against evil minds, with nothing better to do than figure out ways to make a quick and easy living by destroying our lives? It's actually pretty simple, when you think about it.
DON'T CLICK ON THE LINKS IN THE E-MAIL!
If you think about the flow of this scam, everything hinges on getting you to the bogus website. The bad guys count on the fact that most people will follow the path of least resistance, and simply click on the links provided. Indeed, as in the PayPal scam, they tell you that you MUST click on the provided link. Sometimes it is fairly easy to see that the link is to a site other than what you would expect. If I hold my mouse over the link in the PayPal phish from above, I'll see this:
The .pt domain is from Portugal, which is suspicious. Not necessarily just because it is a Portugal address, but because I would expect a link to PayPal would have a .com address. But how do you really know? What's to stop PayPal from setting up a separate URL to handle a security issue? If you look closely at the Amazon phish the URL of the bogus site is Amazon-department.com, which could certainly be a legitimate URL. When it comes right down to it, there is only one way to make sure that you are going to the actual legitimate site.
Instead of clicking on the links in the e-mail, go to your bookmarks for the site or enter the URL in the web browser manually. From there you can safely log in to your account, and if there is a legitimate issue you can bet you will be able to find out about it there.
I'll say it again. DO NOT follow the links in the e-mail. Instead, make sure that you are logging in to the actual website, and check for any legitimate issues there.
Once you've determined that the e-mail is a phishing attempt, you should report it immediately, so that others can protect themselves from it. DO NOT click on the links in the e-mail just out of curiosity. There's nothing to stop these idiots from embedding any of an assortment of Trojans, Adware, viruses, or who knows what into these same bogus websites. You may come away thinking you've outsmarted them, only to find that you've won the battle but lost the war.
So what do you do if you have fallen victim to one of these scams? I've blatantly copied the following from MSN (http://safety.msn.com/idtheft/), because they've done a great job that I could not improve upon:
What can you do if someone steals your identity?
Plenty. Record and save everything you do to clear up the wrongdoing. Make copies of all written correspondence and keep records of phone calls.
• IMMEDIATELY file a report with the police, locally or where the identity theft occurred. Get a copy of the police report to establish with the bank, credit card company and others that you are a crime victim, not a credit abuser.
• IMMEDIATELY place a fraud alert on your credit reports with each of the three major U.S. credit bureaus (listed below). Ask that no new credit be granted without your approval. Carefully review your reports for inquiries you didn't initiate, accounts you didn't open or any other transactions that you didn't authorize. (You can also pay for automatic notification if changes occur in your account.)
* Equifax: 1-800-525-6285
* Experian: 1-888-397-3742
* TransUnion: 1-800-680-7289
• IMMEDIATELY close accounts accessed or opened fraudulently. Speak with the fraud department of each financial institution, including credit card companies, and follow up with a letter.
• IMMEDIATELY change the passwords on ALL your accounts.
• File a complaint with the U.S. Federal Trade Commission (FTC) at http://www.consumer.gov/idtheft/. You can also call the FTC's toll-free Identity Theft Hotline at 877-438-4338.
And they mean immediately. If you can, take the day off from work and focus on nothing but this, following every possible avenue and checking every single account that you have. You are literally talking about your future here; it is not the time to be saying 'Well, I'll try to deal with this later'. It's only going to get worse.
Fortunately for consumers, in many cases the banks and other financial institutions are absorbing some of the costs of these scams, and many customers are getting some relief from any losses incurred. But that is not always the case, and they are not, in most cases, obligated to do this. It's up to you to protect yourself, and the first part of that is being aware of the danger.
Consider yourself warned...
- Anti-phishing Working Group
- If you're looking for a quick overview, MSN has a good flyer that provides a high-level view of the issue and some useful tips on ways to protect yourself (pdf):
- Looking for excruciating detail? Download a comprehensive white paper describing best practices for dealing with phishing and other on-line security threats (pdf):
- McAfee shows the top 10 phishing scams within the last 24 hours here