Online Scams & Identity Theft
Recently, several people in the North Indiana Conference received a fake email asking for the sum of $2,000 to help get an ailing uncle back to the States for medical treatment. Apparently, a scammer took over the apparent sender's email account and sent the scam email out to everyone in that person's address book.
This is a more personal variation of the Nigerian 419 Scam. You know – the ones where a person from Nigeria claims to have millions of dollars to share with you if you give them your bank account information.
How Do They Do It?
So how does a scammer get your personal information? There are a couple of ways:
- Perhaps you downloaded something from the Internet and along with it came spyware (something you didn’t ask to be installed). That spyware may have a keylogger attached to it. A keylogger records all of your keystrokes, and where you visited when you made those keystrokes. That information is all sent back to the criminal’s computer. Think about online banking, email, anywhere you input a username and password. Or you purchase items online with a credit card. YIKES! Now they’ve got it and can steal your identity, clean your account out, or charge a Caribbean cruise on your credit card.
- Or you may have fallen for a phishing scam. Phishing is when someone claiming to be from a reputable company that does online business (Gmail, Yahoo!, eBay, Citibank, Wachovia, Capital One, etc…) sends you an email claiming that you need to click a link in the email to confirm your account, or that they’ve upgraded their systems and you need to log in to the ‘new’ system, or even that they think your account may have been compromised. Unfortunately, that link does NOT go where you think it does. It goes to an entirely different web site that the scammers have set up in order to fool you. It looks EXACTLY like the company’s regular web site and once you input your username and password into that site, they’ve now got it and can steal your identity.
Once these criminals have your username/password, they can take over your email account and send false Nigerian 419 scam emails to everyone in your address book (like what happened with the recent fake email described above). Or worse yet, they have your online banking username/password and can clean out your bank account. Or they’ve got your credit card number and can start charging to their heart’s content (or at least until they reach your credit limit).
Should I Be Worried?
YES!!! A HUNDRED TIMES YES!!! Although worried may not be as appropriate a word as cautious.
It’s not just the big national banks and companies that are being targeted. There are many confirmed cases of small regional banks and credit unions being targeted in phishing attacks. So banking with a small bank does not make you immune to these attacks.
Also, the Nigerian 419 scammers realize that people are no longer falling for the trap that “Mr. Nkande’s widow in Nigeria has 44 Million US Dollars to share with you if only you give her your bank account information.” They are now trying to take over people’s legitimate email accounts and send email from that person’s account asking for smaller sums of money for some “emergency” that they dream up. It’s getting more personal and smaller in scale, which makes it more dangerous.
Once a scammer takes over your email account, it can be very hard to reclaim that account for yourself. You may end up having to let it go and start with another one.
How Do I Identify or Combat These Attacks?
Spyware
- Get a good antispyware program and install it on your computer. You must have BOTH antivirus AND antispyware software installed on your computer. Having only antivirus software is not enough anymore. Many antivirus companies now sell products that have both antivirus and antispyware components in one package. You can also purchase a separate antispyware program if you wish, but no antispyware software takes the place of antivirus software. You still need antivirus software installed as well.
- Be very careful about downloading free software on the Internet. Many “free” software packages also contain viruses and/or spyware, especially if they are on peer-to-peer file sharing sites, such as Napster or KaZaA.
- Pay attention to the messages that appear when installing downloaded software. Some spyware programs (although very few) display messages asking for your consent to install the application, although they are often mixed in among other messages and installation processes that have no relation to the spyware. Don’t just click the “Yes” or “Next” buttons on an installation screen without reading what you are responding to.
Phishing
Phishing attacks are dangerous because many times they try to con you into thinking that something bad has happened to your account, or that they are upgrading their software to make your account more secure. Each of these scenarios creates a false sense of urgency – that if you don’t do something NOW, your account will not be secure. That’s why many people fall for these scams. Here's how to identify them:
- Reputable businesses will NEVER ask you for personal or confidential information in an email message. If you receive a message from your bank asking you to click on a link in the email to log in to your account, DON’T DO IT! If you must log in, go to the bank’s web site in your web browser (as you would normally) and then log in from there.
- NEVER divulge ANY personal or confidential information in an email message. This includes usernames, passwords, credit card numbers, bank account numbers, PINs, Social Security Numbers, or anything else that uniquely identifies you and/or your accounts.
- Other characteristics of phishing attack email that you should look for:
  - The link in the middle of the email is misleading. Links do not always go where they say they do. The link might say one thing in the email, and then take you to another site that the scammers have set up for the express purpose of gathering your account information.
  - A generic greeting. Something like “Dear Account Holder:” or even a non-existent greeting. If a reputable company intends to contact you, they will know who you are and use a very specific greeting with your name in it.
  - A false sense of urgency. Statements like “you leave us no choice but to temporarily suspend your account” or “you must verify your account within 36 hours.” Reputable companies will NEVER suspend your account because you didn’t act on an email.
  - A spoofed FROM: address. Emails are not always from the address they appear to be.
  - Bad grammar or misspelled words. Reputable companies pay people lots of money to make sure their correspondence is grammatically correct. Bad grammar or misspelled words generally indicate an author whose first language is not English. But this isn’t always the case; many phishing emails nowadays are fairly well written.
  - Emails asking you to open an attachment. Beware of any and all attachments! NEVER open an attachment unless you absolutely know 100% for sure what it is — even if it is apparently from someone you know (see the spoofed FROM: address item above). Attachments often contain viruses and/or spyware. Reputable companies will NEVER send an attachment in an email unless you have specifically asked for one (for example, your bank statement in PDF format).
- If something “just seems fishy” about an email, delete it. Perhaps the writing style does not quite match the person’s normal style. There may be lots of grammatical errors. Or it just sounds too good to be true. Even if the email was legitimate, reputable banks do not rely on email as their only form of communication with their clients. If they really need to contact you, they will send a letter in the mail or call you.
Phishing attacks are harder to combat with software than viruses and spyware are. Some email providers have filters in place that will try to warn you that an email seems like a phishing attack, but these fall far short of the mark. Some other antispam software packages detect some phishing email as spam. Some web browsers will also try to alert you that a web site might not be legitimate. Do not rely solely on these filters as an indication of a phishing attack, however.
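For readers who want to see how a filter might check a message for some of the characteristics listed above, here is an added Python example (it is not part of the original article). It flags three of them: a link whose visible address differs from its real destination, a generic greeting, and a false sense of urgency. The sample message, the phrase patterns, and the names phishing_indicators, LinkCollector and host are all constructed for this illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample; example.com and example.net are placeholder domains.
SAMPLE = '''From: "Example Bank" <alerts@example.com>
Content-Type: text/html; charset="us-ascii"

<p>Dear Account Holder: you must verify your account within 36 hours.</p>
<p><a href="http://login.example.net/verify">https://www.example.com/login</a></p>
'''
PATTERNS = {  # assumed phrasings, modelled on the examples quoted in the list
    "generic_greeting": re.compile(r"dear\s+(account holder|customer|user|member)\b", re.I),
    "false_urgency": re.compile(r"suspend your account|within \d+ hours", re.I),
}

class LinkCollector(HTMLParser):  # records (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.href, self.text.strip()))
            self.href = None

def host(url):
    try:  # '' when the text is not a URL, so plain link text is never compared
        return (urlparse(url).hostname or "").lower()
    except ValueError:  # malformed URL text
        return ""

def phishing_indicators(raw):
    found = set()
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        found.update(name for name, rx in PATTERNS.items() if rx.search(body))
        collector = LinkCollector()
        collector.feed(body)
        if any(host(t) and host(t) != host(h) for h, t in collector.links):
            found.add("misleading_link")
    return sorted(found)
```

A message that trips none of these checks can still be a phishing attempt, which is why such filters should not be relied on alone.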
Nigerian 419 Scam
The Nigerian 419 Scam has been around for decades. It is simply being done via email and the Internet now. Be aware of anything that says it is from Nigeria. As we have seen already, Nigerian 419 Scams are getting more personal and targeted to a more specific audience.
If you receive an email (even from someone you know) asking for money, just delete it. If it is from someone you know and you want to help, CALL the person first (DO NOT EMAIL) to make sure the need is legitimate, and then act accordingly.
What If I Already Fell For A Scam?
If you think you’ve been the victim of a fraud or scam, immediately follow these steps. The faster you contact the proper authorities, the more likely you are to minimize the damage a scammer can do to your identity, your credit, and your bank account.
Step 1: Close any affected accounts
Contact the genuine company or organization if you believe you've given sensitive information to an unknown source masquerading as that real company or organization. If you contact the real company immediately, they might be able to lessen the damage to you and others. Then:
- Speak with the security or fraud department about any fraudulently accessed or opened accounts at every bank or financial institution you deal with, including credit card companies, utilities, Internet service providers, and other organizations that have your personal information.
- Follow up with a letter and save a copy for yourself. When you open new accounts, use a new account number and strong passwords, not passwords such as your mother's maiden name.
Step 2: Change the passwords on all of your online accounts
When you change your passwords or open new accounts, use strong passwords. For ideas on how to make a strong password, visit www.microsoft.com/protect/yourself/password/create.mspx.
Step 3: Place a fraud alert on your credit reports
In the United States, contact these three credit bureaus:
- Equifax: (800) 525-6285
- Experian: (888) 397-3742
- TransUnion: (800) 680-7289
For each of the credit bureaus:
- Get a copy of your report (victims of ID theft can receive copies of their credit reports for free) and ask that no new credit be granted without your approval.
- Make sure your account is flagged with a "fraud alert" tag and a "victim's statement," and insist that the alert remain active for the maximum of seven years.
- Send these requests in writing and keep copies for yourself.
- Review the reports carefully. Look for things like inquiries you didn't initiate, accounts you didn't open, and unexplained debts.
Outside of the United States, you can contact your bank or financial institution, who can direct you to the relevant organization or agency.
Step 4: Contact the proper authorities
In the United States, contact the Federal Trade Commission (FTC).
- File a complaint. If you are a victim of any type of identity theft, you can report the theft by calling the FTC's toll-free Identity Theft Hotline at (877) ID-THEFT or (877) 438-4338. Counselors will advise you on how to deal with the credit-related problems that can result from identity theft.
- Download and print the FTC's Identity Theft affidavit. Fill it out and send it to all the financial institutions at risk to help minimize your responsibility for any debts incurred by those who stole your identity. Your case will be entered in the FTC’s nationwide "Consumer Sentinel" database of ID theft cases, which helps law enforcement agencies find criminal patterns and catch the thieves.
- File a report with your local police department. Get a copy of the police report to notify your bank, credit card company, and other creditors that you are a victim of a crime, not a credit abuser.
Depending on where you live, you might be required to file a report in the jurisdiction where the crime actually took place.
Step 5: Record and save everything
As you complete all these steps to clear up the wrongdoing, always make print copies of documents for yourself, including e-mail messages, written correspondence, and records of telephone calls, and file them somewhere safe.
For telephone or in-person conversations, follow up with dated confirmation letters to the organization, and save a copy for yourself. State in the letter what was covered in the conversation, and list any follow-up items that you or the representative have committed to in the conversation.