High-Tech Confidence Games
Scams and confidence games have been around as long as history records. All scams, modern or old, have a single critical factor without which they cannot succeed: the willing participation of the victim. Scam and con perpetrators prey upon people's desire — for profit or money, for gratification, for advancement, or for anything else the schemer can identify that will attract potential victims.
For years, law enforcement and other officials working to combat scams and cons have used a simple slogan that you'll see a number of times on this website — it remains true regardless of the mechanism used by the perpetrator: "If it sounds too good to be true, it probably is."
Exercise caution and a healthy skepticism when considering ANY transaction. Your guard should be up all the time; the old Latin phrase "caveat emptor" (let the buyer beware) remains universally true. When a transaction appears irresistible, that's the time to take a second look. Be sure you make an informed decision based on ALL of the best available information.
The perpetrators rely on another emotion to avoid being reported and caught: embarrassment. Numerous victims of scams and cons identified in the course of law enforcement investigations have said they didn't report their loss because they felt so foolish after realizing they'd been duped. Law enforcement and the rest of the criminal justice system rely on input and participation from the public. If you realize you've been victimized, make a report. If you don't, you are not only allowing the perpetrator to get away with your loss, but to continue to victimize others.
The growing ranks of Internet crooks are using new tricks called "phishing" and "spoofing" to steal your identity.
"Spoofing," or "phishing," frauds attempt to make Internet users believe that they are receiving e-mail from a specific, trusted source, or that they are securely connected to a trusted web site, when that is not the case.
Phishing (also known as "carding" or "brand-spoofing") is hacker-speak for "link alteration" —a "verification scam" where criminals (the "phishers") imitate legitimate companies in e-mails to entice people to share passwords or credit-card numbers.
For several years, individuals have bought Internet domain names that are similar to those of real, legitimate companies — for example: "change-ebay.com", where the real company website is "ebay.com".
The "phisher" (scammer) sends out millions of E-mail messages asking consumers to "verify account information" by providing key personal data —even SSN. This is the "phishing" (fishing) part —the bait (bogus email) is thrown out with the hope that, while most will ignore the bait, some "phish" (victims) will be tempted into biting.
When you get an email talking about an account you don't have, or from a company/vendor you don't use, you probably just ignore it as "junk mail". But, when customers of a real company get a cleverly-forged email, and presume it's from the legitimate company they do business with, they often respond.
The three most common ways the phisher hooks a phish (victim/consumer) are when —
- the victim responds, by return email, to a fraudulent "account verification" or "account update" request letter from the phisher.
- the victim fills out an email form (an HTML-based submission form, in the phisher's email message), which forwards the victim's input to the criminal's email/website address.
- the victim clicks on a website "link" in an email, that leads to the phisher's website, rather than the legitimate site.
When an unsuspecting phish (victim) receives a believable looking (but actually fraudulent) e-mail, requesting him/her to "click here to update" their account information, they are redirected to a site that looks exactly like their ISP, auction site, online store, or other commercial site where they have an account. Most phishing (link-alteration) sites are so sophisticated that there's a significant chance that any consumer that makes it that far (In for a dime, in for a dollar!) will follow through, (unwittingly submitting their personal and/or credit information to the criminal) thinking it's a legitimate, routine transaction.
Recent "phishing expeditions" (scams) used the look-alike site names "ebay-verification.net", "change-ebay.com" and "http://ebayservices-cancelorder.cjb.net" —to scam eBay (ebay.com) customers. Similarly, a scam site with a URL starting with "paypalsys.com" was used to scam customers of PayPal (paypal.com). Companies that have been known to be victims of this scam include: AOL, MSN, Earthlink, Yahoo, PayPal, eBay, Best Buy, Discover Card, Bank of America, Providian, and even the IRS.
And, the SMishing scam
"SMishing" is basically the same thing as "phishing", except that it arrives via a text message (SMS) instead of via email.
When you call the number to take care of the “account problem,” you get an automated voicemail system that prompts you for your account information.
Spoofing is generally used as a means to convince individuals to provide personal or financial information that enables the perpetrators to commit credit card/bank fraud or other forms of identity theft.
In "E-mail spoofing" the header of an e-mail appears to have originated from someone or somewhere other than the actual source. Spam distributors and criminals often use spoofing in an attempt to get recipients to open and possibly even respond to their solicitations. The "From" field (the "sender's" address) of an email can easily be altered (spoofed) —it is not a reliable indicator of the real origin of any email.
These bogus emails can be very tricky, using HTML mail/forms or other "phishing" techniques to hide/disguise the ultimate destination of the email's return/reply address, form submission, or "clickable" website links in their solicitation for your personal/account information.
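The look-alike site names quoted earlier and the disguised links and forms described above can be checked mechanically. The following is an added example, not part of the original page: it scans an HTML e-mail body and reports links whose host borrows a trusted brand name, links whose visible text names a different site than the real target, and any embedded form. The `TRUSTED` table, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brands the recipient really uses, mapped to their real domains.
TRUSTED = {"ebay": "ebay.com", "paypal": "paypal.com"}
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> and the action of each <form>."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._open = [], [], None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._open = [attrs["href"], ""]
        elif tag == "form" and attrs.get("action"):
            self.forms.append(attrs["action"])
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None

def norm(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)

def check_url(url, shown_text=""):
    """Return reasons why a link target deserves suspicion (empty list if none)."""
    host = norm(urlsplit(url).hostname or "")
    if not host:  # mailto:, relative links, etc.
        return []
    reasons = []
    for brand, domain in TRUSTED.items():
        # Coarse substring match: expect some false positives.
        if brand in host and not belongs_to(host, domain):
            reasons.append(f"{host} uses the name '{brand}' but is not {domain}")
    shown = DOMAIN_IN_TEXT.search(shown_text.lower())
    if shown and not belongs_to(host, norm(shown.group(1))):
        reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
    return reasons

def analyze_email(html):
    """Return (url, reason) pairs for every suspicious link or form in the body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = [(u, r) for u, text in parser.links for r in check_url(u, text)]
    for action in parser.forms:
        findings.append((action, "e-mail contains a form that submits data here"))
        findings += [(action, r) for r in check_url(action)]
    return findings

# Constructed sample body; hosts are the ones named on this page, paths are made up.
SAMPLE = """<a href="http://ebay-verification.net/update">http://www.ebay.com/account</a>
<a href="https://www.paypal.com/help">PayPal help</a>
<a href="http://paypalsys.com/login">click here to update</a>
<form action="http://change-ebay.com/collect"><input name="ssn"></form>"""
print(*analyze_email(SAMPLE), sep="\n")
```

The check compares names only; it does not catch a look-alike site for a brand missing from `TRUSTED`, and a clean result says nothing about whether the "From" address is genuine.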
Virus Hoaxes – Not Just Harmless Pranks
But many of the horrible "viruses" that you hear about aren't really out there at all. Hoax virus warning messages are more than just time-wasters; as in the story of the "Little Boy Who Cried Wolf", repeated hoaxes do condition us.
After repeatedly becoming alarmed and wasting time/effort on a hoax warning, only to learn that there was no real virus, home and office computer users may get into the habit of ignoring all virus warning messages —and that would be a big mistake —a lesson to be taught by the next real, destructive virus they encounter.
Don't forward any email virus warnings you receive unless you, personally, can vouch for the validity of the email warning. Remain vigilant, and by not forwarding hoax warnings, help others do the same.
Here are some links for more information on virus HOAXES:
- The Snopes.com Urban Legends Reference Pages
- Internet/web hoaxes at urbanlegends.about.com
- Rob Rosenberger's myths/hoaxes site, myths.com —Truth About Computer Virus Myths & Hoaxes
- The F-Secure Info. Cntr. (datafellows.com) Hoaxes Page
- The McAfee Hoaxes Page
- The Sophos Hoaxes Page
- The Symantec "Threat Explorer" Hoaxes Page
Be wary of promotional scams.
Identity thieves may use phony offers to get you to give them your personal information. Be wary of web advertisements and websites that offer a reward/prize in exchange for your contact information or other personal details.
There's a very high probability that they are specifically gathering this information for direct marketing purposes. It's likely that your name and address are worth much more to them (because they can sell it to other marketers, who can also sell it to even more marketers) than the reward/prize you're supposedly getting will be worth to you.
Unwanted commercial email – also known as "spam" – can be annoying. Worse, it can include bogus offers that could cost you time and money. Take steps to limit the amount of spam you get, and treat spam offers the same way you would treat an uninvited telemarketing sales call. Don't believe promises from strangers. Learn to recognize the most common online scams.
Scammers use email, online ads, pop ups, and search results to trick you into sending them money and personal information. One way to outsmart them? Use your email’s spam filter to screen the email you get. Then forward any email that seems suspicious to firstname.lastname@example.org. You also might want to read our Phishing article.
For a detailed presentation on SPAM, visit the FTC’s OnGuardOnline.gov’s SPAM presentation
Another source of privacy complaints and identity theft concerns is Internet "spyware" —"data miners" commonly in the form of "browser cookies", "web bugs" and "adware".
Created/stored on your own computer to interact with a specific website (or group of websites), cookies are text files that hold user information in order to "personalize" web pages.
Cookies are commonly employed for user-friendly e-commerce purposes such as tracking a user's visit to a website (recorded in one or more "cookies") and providing custom page content and goods/services recommendations to users based on their own unique history of purchases/interests. Cookies are not limited, however, to "consumer-friendly" purposes, but can also be used by any website you visit to track your activity.
Far more invasive than cookies, web bugs are often tiny transparent image files (often a single pixel) on webpages and are also used to monitor/capture a web-surfer's online habits, as well as potentially install malignant files. Web bugs can take information you've entered at a selected web site and transfer it to any number of other sites without your knowledge/consent.
Some web bugs infest/infect your computer through "drive-by downloads". If your web browser/Internet security controls aren't set correctly, simply visiting or clicking on a website can instantly and secretly install a web bug inside your computer. And, unlike cookies, web bugs can exceed even the ability of settings in your browser software to block/delete, and are often very difficult to track/reveal/remove without special software or expertise.
Once on your computer, a web bug sits on your hard drive, continuously tracking your actions and using your Internet connection (without your knowledge/permission) to send periodic reports to its parent/creator.
Sophisticated "spyware" bugs (AKA trojanware, snoopware and trespassware) are stealthy stand-alone programs potentially capable of –
- secretly monitoring your keystrokes,
- snooping your computer files/applications,
- reading your browser cookies,
- changing your default homepage and
- logging all the websites you visit
—literally capable of finding all targeted data on, or passing through, your computer (including your passwords) —and of secretly sending the stolen/captured information to a third party!
Spyware can be divided into two main categories: "surveillance spyware" (AKA system-monitors) and "advertising spyware" (AKA adware).
The pre-approved credit-card scam
Current financial situation isn’t so great right now? It’s your lucky day! You’ve just gotten an email that offers a "pre-approved" Visa card! Or maybe the email offers you a loan with an impressively high credit limit. Hallelujah!
All you have to do is pay the annual fee up front.
Guess what happens next ... or rather what does NOT happen next, after you send in your payment. You never hear from them again. There never was a credit card or loan.
Similar "lucky day!" cons:
- “You’ve won a lottery!”
- "You've won the sweepstakes!"
- “You’ve landed a great job!”
- “You’re invited to a great investment!”
The "work-at-home" scam
At this point, you should be rolling your eyes. See the Internet-scams pattern yet?
You get an email offering you a sweet-sounding "work-at-home" job. Might be stuffing envelopes, processing insurance claims, processing credit-card transactions, or a similar tedious, but simple task -- and it pays well!
All you need to do is buy something up front: processing equipment, or a Web site, or access to a list, or other "tools" to do this easy work at home for a good wage.
You send the money, and guess what you get back? ...
Nothing. Zero. Zip. Nada.
The “infection detection” scam
While browsing the Internet ... a "pop-up" message appears on your screen, proclaiming your computer is infected by a virus.
Fortunately, the pop-up gives you a phone number where you can find immediate help!
For a mere $49.95, they can and will promptly remove the “virus” from your computer.
Some of these pop-up messages are very frustrating -- closing one pop-up will simply spawn another. Out of frustration you may be tempted to pay their price just to get back to what you were doing and avoid leaving the "virus" on your computer for any longer than necessary.
DATA Mining ...
The surveillance spyware category includes trojans, keyloggers, screen-capture and remote control devices/programs, and can be a powerful identity theft tool. Unlike advertising spyware, which usually has a commercial/marketing purpose, surveillance spyware is typically put to more nefarious uses.
Both surveillance and advertising spyware frequently piggyback on Internet downloads of free/trial software applications, such as music or photo sharing programs, games or small utilities like "cute" cursors, and screen-savers, frequently in the form of ActiveX controls and plugins. Advertising spyware is also widely spread on the popular peer-to-peer music/file-sharing programs/networks. Some flavors of advertising software include pop-up ad programs, search-redirectors, data-miners, homepage/browser hijackers, and porn-dialers. Advertising spyware is most notorious for intrusive popups and other commercial annoyances.
The presence of adware may actually be "legally" disclosed, buried deep in the lengthy licensing agreement that most users ignore and click past when downloading material they want. Refusing to accept the bundled/piggyback adware, or removing it later, may render the program you wanted useless.
Advertising spyware in commercial software not only pops up ads (the part of its function you get to see), but also monitors users' computer behavior and Internet browsing habits, gathers users' personal data and transmits it all back to direct marketing firms, who in turn use the data to target specific advertising back at the user.
Not necessarily less dangerous than "surveillance" spyware, the most intrusive advertising spyware can log (and transmit) considerable personal data about the user, including the user's name, age, sex, email addresses, online buying habits, a history of all the websites visited, the computer's hardware/software configurations, and more. (Possibly even the user's passwords.)
Users choose to download most spyware as part of a file download they want (whether they're actually aware of that "choice" or not) and, attached to a legitimate download, even the most malicious spyware can easily bypass firewalls. Once it's more or less secretly installed, it will often take special expertise or software tools to remove it; spyware is designed to not be easily removed.
- All they have to do is ask!
Pretexting — The easiest way for an identity-thief to steal your identity is to ask you for it, often over the phone. Posing as your bank, insurance company, doctor's office or other business you use, the thief calls you on the phone, tells you a believable story (the "pretext" for the call), and asks you for key personal information.
This practice is called "pretexting" — the practice of getting personal information under false pretenses. Pretexters can use your information (or sell your information to other people who may use it) to get credit in your name, steal your assets, or to investigate or sue you. Pretexting is against the law.
As a general rule, always be suspicious of telephone solicitors. Never provide personal information unless you have initiated the call.
In other forms of telemarketing fraud, you may receive unsolicited calls with offers of prizes, vacation packages, merchandise, or other "opportunities" that seem too good to miss (or be true) —and are usually not just "limited time offers" —they're only available if you act right now. You're required to provide your credit/debit information, up-front, to (supposedly) take care of a "minor fee" or "tax". When the prize/merchandise never shows up, you'll realize you've been "had" by a scammer.
Beware high-pressure sales tactics and offers of prizes, goods, or services that can only be shipped/delivered when you pay an "up-front" fee via cash, credit/debit card number or checking account number. Also, be wary of telephone surveys —the "survey" may simply be a scammer's "pretext" to gather information about you to be used in a future scam.
The modern Internet-based Business/Employment Scheme typically incorporates a crafty blend of identity theft, freight forwarding, and counterfeit check schemes.
This scheme begins when the thief posts a help-wanted ad on popular Internet job search sites.
(NOTE: Remember, online recruiting business giants like Monster.com, CareerBuilder.com and JobsOnline.net caution users about false online job listings, sometimes posted by identity thieves, to steal personal data for scams from unsuspecting job seekers.)
Online job seekers are required to fill out an application wherein they divulge sensitive personal information, such as their date of birth, social security number, etc. The scammer then uses that personal information to purchase merchandise on credit. The merchandise is sent to another job seeker, who has been hired as a "freight forwarder" by the scammer.
The forwarder re-ships the merchandise out of the country. The scammer, who has represented himself as a foreign company, then pays the "freight forwarder" with a counterfeit check reflecting an amount significantly over that due. The scammer gets the freight forwarder to wire back the overage amount to the scammer, usually in a foreign country, before the fraud is discovered. The scammer profits at every turn of this elaborate scam.
Fraudulent Bonus Checks For Non-Existent Jobs: In another employment-related scam variation, some Americans are being victimized by an "online job application" fraud scheme. The individuals have applied for and accepted jobs through an online job search service advertising "signing bonuses" of approximately $2,500 to new hires.
Each prospective employee has received a check ranging from $19,000 to $50,000 by mail from the prospective employer with instructions to deposit the check, preferably at an ATM. The recipient is further instructed to keep $2,000 to $4,000, depending upon the amount of the signing bonus, and return the balance of the money by wire to a location in Europe.
The checks are fraudulent; therefore, the depositor is ultimately responsible for any amounts charged back to his or her account by the bank resulting from the dishonor of the checks.
Counterfeit Check Schemes
- This scam begins when a counterfeit or fraudulent cashier’s check or corporate check is utilized to pay for merchandise. Often these checks are "accidentally" made out for a substantially larger amount than the purchase price. The victims are instructed to deposit the check and return the overage amount, usually by wire transfer, to a foreign country.
- Because banks may release funds from a cashier's check before the check actually clears, the victim believes the check has cleared, and wires the money as instructed. (Obviously, the fake check will never actually clear, and the victim loses the "overage" money he/she wired back to the scammer.)
One popular variation of this scam involves the purchase of automobiles listed for sale in various Internet classified ads. A "potential buyer" (the scammer) contacts the sellers about purchasing the autos and shipping them to a foreign country. The buyer (scammer), or person acting on behalf of a buyer, then sends the seller a cashier's check for an amount several thousand dollars over the price of the vehicle. Oops! Oh, darn!
The seller is now directed to deposit the check, and wire the excess back to the buyer (scammer), so they can (supposedly) pay the shipping charges. Once the money is sent, the buyer typically comes up with an excuse for canceling the purchase, and attempts to have the rest of the money returned.
Although the seller does not lose the vehicle, the seller is typically held responsible by his/her bank for depositing a counterfeit check, not to mention any "overage" funds he/she wired back to the buyer, and any other money sent back, during the scam.