Other Internet Fraud Variations...
Credit Card Fraud: Unauthorized use of a credit card to fraudulently obtain money or property. Credit card numbers can be stolen from unsecured websites, or can be obtained in various identity theft schemes.
Steps to Avoid
Credit Card Fraud...
Don't give out your credit card number(s) online unless the site is both secure and reputable.
Sometimes a tiny icon of a locked padlock or an unbroken key appears to symbolize a higher level of security to transmit data. This icon is not a guarantee of
a secure site, but may provide you some assurance.
- Before using the site, check out the security software that it uses to make sure your information will be protected, including digital certificates which authenticate the site/vendor. Independent certificate services like VeriSign and Thawte will authenticate the identity of the Web site you are visiting.
(See the "Secure Your Computer!" section of this presentation for more information on these two online security tips [above] on how to avoid credit card fraud.)
- Make sure you are purchasing merchandise from a reputable/legitimate source. Once again, investigate the
person or company before purchasing any products.
- Try to obtain a physical address rather than merely a post office box and a phone number and call the seller to
see if the number is correct and working.
- Send them e-mail to see if they have an active e-mail address and be wary of sellers who use free e-mail
services where a credit card wasn’t required to open the account.
- Check with the Better Business Bureau to see if there have been any complaints against the seller.
- Check out other web sites regarding this person/company.
- Be cautious when responding to special offers (especially through unsolicited e-mail).
- Be cautious when dealing with individuals/companies from outside your own country.
- If you are going to purchase an item via the Internet, use a credit card since you can often dispute the charges if
something does go wrong.
- You should also keep a list of all your credit cards and account information along with the card issuer’s contact information. If anything looks suspicious or you lose your credit card(s), contact the card issuer immediately.
(But don't keep your credit card and accounts list in your home/office computer! Choose a secure place for the list.) Consider downloading and printing our "Lost/Stolen Wallet Inventory & Emergency Checklist" to record key credit card information, then store the list a safe place.
- Limit the amount of information you choose to give to a merchant when paying by credit/debit card. Remember, the rules of the Visa and MasterCard association prohibit merchants from requiring you to give a telephone number, driver's license number, or home address when using their cards —information the wise consumer definitely doesn't want on a debit or credit card receipt. If you choose to give your phone number, give your work phone.
Consumer Tip: a specific, recent credit-card scam...
You receive a call from someone claiming to be from the security and fraud department at either Visa or MasterCard. You're asked to confirm a recent purchase (that you never made). When you say you didn't buy the item(s), the scammer asks you to authenticate your identity (by providing the three-digit security code printed on your card) so he/she can "remove" the purchase from your record. That information allows the scammer to run up a huge bill on your account. Don't forget:Visa, MasterCard or issuing banks never ask for information on your card —they already know that information!!!
A Consumer's Guide to
Common Merchant Credit Card Abuses:
FOUR BIG NO-NO's...
Remember, these merchant abuses expose you to an increased risk of identity theft and credit fraud and, (beyond card company policies) may even be illegal in some cases. Many clerks are simply unaware of the potential for credit fraud and identity theft crimes, such as might be associated with the use of personal information written on checks —but clerks rarely set store policy. Ask to speak to the store manager.
- A merchant should never write your personal information on a bank credit card sales-slip.
- The rules of the Visa and MasterCard association prohibit merchants from requiring you to give a telephone number, driver's license number, or home address when using their cards —information the wise consumer definitely doesn't want written on a debit or credit card receipt. If you choose to give your phone number, give your work phone.
- We'd suggest you refuse to provide personal information to be written on a credit card sales-slip; the merchant has no right to refuse you the sale.
- Also, if you refuse to present "identification", such as a driver’s license, the merchant may not refuse to make a credit card sale under Visa, MasterCard, and American Express rules.
(Note: If this becomes an issue, it might help to point out to the clerk that even if you exceed your credit limit, the card-issuing bank absorbs any loss, so there is no need for the merchant to record personal/contact information on your receipt.)
- A merchant should never require a minimum amount for credit card purchases.
- If a store requires a minimum purchase amount for a Visa card or MasterCard, point out to the store manager that the practice is specifically prohibited by those card companies.
- A merchant should never charge "extra" for payment by credit card.
- Visa and MasterCard prohibit surcharges.
- American Express discourages surcharges, and indirectly prohibits them where Visa/MasterCard are also accepted; American Express does prohibit "discrimination" against the American Express card, if a merchant accepts Visa and MasterCard (and cannot impose a surcharge under those companies' rules), the merchant may not discriminate against American Express by imposing a surcharge.
Simply put, a merchant that accepts American Express cards, and who accepts Visa and/or MasterCard may not charge consumers a surcharge on purchases charged to any of those three cards.
- A merchant should never write one of your credit card numbers on your personal check.
Some clerks ask for two forms of identification, and if a credit card is proffered, proceed to write your credit card number on the check. Refuse to allow them to use your credit card number for this purpose!
If the your purchase is refused, ask to speak with the store manager, explain the risks of identity theft and credit card fraud, and point out the futility of recording your credit card number on a check:
- The rules of the three major credit card companies prohibit merchants from charging a credit card to cover a bounced check
- Likewise, a merchant cannot use credit card numbers to locate a consumer whose check bounces.
When merchants try to abuse you and put you at increased risk, as described above, report them to the card company(s) (Visa, MasterCard, and American Express).
If a merchant is unwilling to cooperate with your need to protect your identity/credit, remember to vote with your feet — take your business elsewhere.
Tips to minimize the risk of
credit card fraud for BUSINESSES:
- Don't accept orders unless complete information is provided (including full address and phone number).
For over the counter transactions, compare the name, account number, and signature on
the card to those on the transaction receipt. They should match.
- Insure your sales staff knows the security details for the types of credit cards you accept. For example, for VISA® cards...
- Require address verification for all of your credit card orders. Require anyone who uses a different shipping
address than his or her billing address to send a fax with their signature and credit card number authorizing the
- Be especially careful with orders that come from free email services — there is a much higher incidence of fraud
from these services. Many businesses will no longer accept orders that come through these free email accounts.
- Send an email requesting additional information before you process the order asking for: an email address other
than a free service, the name and phone number of the bank that issued the credit card, the exact name on the
credit card, and the exact billing address.
- Be wary of orders that are larger than your typical order amount, and of orders with next-day delivery.
- Pay extra attention to international orders. Validate the order before you ship your product to a different
- If you're suspicious, pick up the phone and call the customer to confirm the order.
- Consider using software or services to fight credit card fraud online.
- If defrauded by a credit card thief, you should contact your bank and law enforcement authorities.
Freight forwarding scams involve variations of the Business/Employment Schemes mentioned earlier in "Preventing Identity Theft: Part 2" —receiving and subsequently reshipping merchandise ordered online to other locations, usually abroad. Individuals are often solicited to participate in this activity via chat rooms, or through Internet job postings. Unbeknownst to the reshipper, the merchandise has been paid for with fraudulent credit cards, and is therefore stolen.
To avoid raising vendor suspicion, the scammer makes sure the shipping address — the address of the "recruit" — also known as a "reshipper" or "freight forwarder" — is in the same state as the billing address on a stolen credit card.
To do so, the con artists have a wide variety of employees and stolen credit cards from which to choose. They have also managed to change billing addresses on stolen credit cards so they match the recruit's locale. "At best guess, the con artists have already made off with between $5 million and $10 million", said Barry Mew, spokesperson for the Postal Inspection Service.
A recent example: According to a November, 2003 Internet Fraud Complaint Center (IFCC) "Intelligence Note", a new series of scams involving the use of counterfeit cashier’s checks targets individuals that use Internet classified ads to sell merchandise.
A potential buyer (the scammer), usually located outside the U.S., contacts a seller. The seller is told that the potential buyer has an associate in the United States that owes him/her money, and that he/she will have the associate send the seller a cashier's check for the amount owed to the buyer. This amount will be thousands of dollars more than the price of the merchandise, and the seller is told the excess amount will be used to pay the shipping costs associated with getting the merchandise to his/her location. The seller is instructed to deposit the check, and as soon as it clears, to wire (Western Union) the excess funds back to the buyer, or to another associate identified as a shipping agent (the scammer's "freight forwarder").
Usually, the money is sent to locations in West Africa (Nigeria). Because a cashier's check is used, a bank will typically release the funds immediately, or apply only a one or two day hold. Falsely believing the check has cleared, the seller wires the balance of the money as instructed. In some cases, the buyer is able to convince the seller that circumstances have arisen necessitating cancellation of the sale, and cons the victim into refunding the remainder of the money as well. Shortly thereafter, the bank notifies the victim that the check was fraudulent, and the bank holds the victim responsible for the full amount of the check, as well as applicable fees and penalties.
An offering that uses false or fraudulent claims to solicit investments or loans, or that provides for the purchase, use, or trade of forged or counterfeit securities.
If you want to invest wisely and steer clear of frauds, you must get the facts. Never, ever, make an investment based solely on what you read in an online newsletter or bulletin board posting, particularly if the investment involves a small, thinly-traded company that isn't well known.
And, don't even think about investing on your own in small companies that don't file regular reports with the U.S. Securities and Exchange Commission (SEC), unless you are willing to investigate each company thoroughly and to check the truth of every statement about the company. For instance, you'll need to:
And, don't stop there! For a more detailed list of questions you'll need to ask – and have answered – read the SEC's web presentation, "Ask Questions", —and, always watch out for tell-tale signs of fraud.
- get financial statements from the company and be able to analyze them;
- verify the claims about new product developments or lucrative contracts;
- call every supplier or customer of the company and ask if they really do business with the company; and
- check out the people running the company and find out if they've ever made money for investors before.
For more detailed information on Internet investment fraud, click HERE to jump to the SEC's online publication,
Other SEC online publications dealing with investment fraud:
—also, consider visiting the
U.S. "Consumer Action Website"
where you'll find the
Federal Citizen Information Center (FCIC)
pages with information on
investing tips and investment fraud.
—and also the
Canada Deposit Insurance Corporation (CDIC) publication,
"Internet Investment Scams"
A Few "Starter Tips"
to Help Reduce the Risk of Investment Fraud...
- Don't invest in anything based on appearances. Just because an individual or company has a flashy web site
doesn't mean it is legitimate. Web sites can be created in just a few days. After a short period of taking money, a
site can vanish without a trace. Also, check out other web sites regarding this person/company.
- Don’t invest in anything you are not absolutely sure about. Do your homework on the investment and individual/company to ensure that they are legitimate.
- Be cautious when responding to "special" investment offers (especially through unsolicited e-mail) by fast talking
- Inquire about all the terms and conditions regarding the investors and the investment.
- Rule of Thumb: If something sounds too good to be true, it usually is.
A new twist on the old
PUMP & DUMP
—the "Wrong Number" Scam...
One sneaky "voice mail" stock scam is a pump-and-dump ploy involving a phony voice-mail message, delivered to recipients as if it was a wrong number, with the woman on tape inviting her friend (for whom this message was supposedly intended) -- to get in on a "hot" stock tip.
Many different stocks have been used in this particular scheme —and thousands of investors have been taken in. The scammers use this scheme to promote a thinly traded stock, claiming it's about to soar. Once demand drives up the stock price, the scammers dump their shares, pocket the profits, and often start again on another stock.
Here's a transcript of a variation of this voice-mail and answering machine scam, released by the U.S. Securities and Exchange Commision (SEC):
"Hey Tracy, it's Debbie. I couldn't find your old number and Tammy says this is the new one. I hope it's the right one. |
Anyway, remember that hot stock exchange guy that I'm dating? He gave my father that stock tip on the company that went from under a buck to like three bucks in two weeks and you were mad I didn't call you? Well I'm calling you now!
This new company is supposed to be like the next really hot clothing thing. And they're making some big news announcement this week. The stock symbol is ... He says buy now. It's at like 50 cents and it's going up to like 5 or 6 bucks this week so get as much as you can.
Call me on my cell, I'm still in Orlando. My Dad and I are buying a bunch tomorrow and I already called Kelly and Ron too. Anyway I miss you, give me a call. Bye."
(Click HERE to LISTEN one of the "wrong number" voicemails.)
If you get one of these messages on your answering machine, voice mail, or even as an email or instant message, the SEC would appreciate hearing details about the stock being hyped, and the phone number from which the call came (if you're able to retrieve it) You can use our on-line complaint form, at http://www.sec.gov/complaint.shtml,
e-mail the SEC at mailto:firstname.lastname@example.org, or
you can call the SEC at 1-800-SEC-0330.
Investment-related spam e-mails should be forwarded to the SEC at email@example.com.
Here's a list of red flags found in many of the frauds seen by the SEC:
—Start With the SEC's EDGAR Database. The federal securities laws require many* public companies to register with the SEC and file annual reports containing audited financial statements.
If it sounds too good to be true, it is. Any investment opportunity that claims that there are huge guaranteed rewards, especially for acting quickly, are incredibly risky, and more likely to lead to losing some, most, or all of your money.
- "Guaranteed returns" aren't. Every investment carries some degree of risk, and the level of risk typically correlates with the return you can expect to receive. Low risk generally means low yields, and high yields typically involve high risk. If your money is perfectly safe, you'll most likely get a low return. High returns represent potential rewards for folks who are willing to take big risks. Most fraudsters spend a lot of time trying to convince investors that extremely high returns are "guaranteed" or "can't miss." Don't believe it.
- Check out the company before you invest. If you've never heard of a company, broker, or adviser, spend some time checking them out before you invest. Most public companies make electronic filings with the SEC. There are computerized databases to check out brokers and advisers. Your state securities regulator may have additional information. And by the way — if a supposedly upright firm only lists a P.O. box, you'll want to do a lot of work before sending your money!
- If it is that good, it will wait. Scam artists usually try to create a sense of urgency — implying that if you don't act now, you'll miss out on a fabulous opportunity. But savvy investors take time to do their homework before investing. If you're told something is a once-in-a-lifetime, too-good-to-be-true opportunity that "just can't miss," just say "no." Your wallet will thank you!
*For example, the following companies must file reports with the SEC:
Anyone can access and download these reports from the SEC's EDGAR database for free. Before you invest in a company, check to see whether it's registered with the SEC and read its reports.
- All U.S. companies with more than 500 investors and $10 million in net assets; and
- All companies that list their securities on The Nasdaq Stock Market or a major national stock exchange such as the New York Stock Exchange.
The difference between investing in companies that register with the SEC and those that don't is like the difference between driving on a clear sunny day and driving at night without your headlights.
—You're asking for serious losses if you invest in small, thinly-traded companies that aren't widely known just by following the signs you read on Internet bulletin boards or online newsletters.
And, don't stop with the SEC... You should always check with your state securities regulator, which you can find on the website of the North American Securities Administrators Association (NASAA), to see if they have more information about the company and the people behind it. They can check the Central Registration Depository (CRD) and tell you whether the broker touting the stock or the broker's firm has a disciplinary history. They can also tell you whether they've cleared the offering for sale in your state.
While you're at the NASAA website, try out their online Investment Fraud Awareness Quiz!
Also, check with the the National Association of Securities Dealers, Inc. NASD). NASD can also give you a partial disciplinary history on the broker or firm that's touting the stock. Call their toll-free public disclosure hot-line at (800)-289-9999 or visit their website at http://www.nasdr.com.
One last note on investment fraud... NASD has a great section of online "Investor Alerts"section with links to over thirty current NASD and other investor alerts.
Knowledge is the best defense against investment fraud. Reading the NASD Investor Alerts will help give you the information you need to protect your money and avoid scams and other investing problems.
Before you open your checkbook, educate yourself.
Merchandise or services that were purchased or contracted by individuals on-line are never delivered.
Steps to avoid "Non-Delivery of Merchandise" Fraud...
- Make sure you are purchasing merchandise from a reputable source. As with auction fraud, check the reputation
of the seller whenever possible, including the Better Business Bureau.
- Try to obtain a physical address rather than merely a post office box and a phone number. Also call the seller to
see if the number is correct and working.
- Send them e-mail to see if they have an active e-mail address. Be cautious of sellers who use free e-mail
services where a credit card wasn’t required to open the account.
- Do not judge a person/company by their fancy web site; thoroughly check the person/company out.
- Be cautious when responding to special offers (especially through unsolicited e-mail).
- Be cautious when dealing with individuals/companies from outside your own country. Remember the laws of
different countries might pose issues if a problem arises with your transaction.
- Inquire about returns and warranties on all items.
- The safest way to purchase items via the Internet is by credit card because you can often dispute the charges if something is wrong. Also, consider utilizing an escrow or alternate payment service.
- Make sure the web site is secure when you electronically send your credit card numbers.
According to the Internet Fraud Complaint Center's "IFCC 2002 Internet Fraud Report" (Prepared by the National White Collar Crime Center and the FBI), 31.3% of all 2002 fraud complaints involved the non-delivery of goods/services or payment...
Top Three IFCC Complaint Categories
46.1% — Auction Fraud
31.3% — Non-Delivery of Goods/Payment
11.6% — Credit Card Fraud
(% of referred fraudulent complaints in 2002)
Since we're talking statistics, here are some additional
FRAUD & IDENTITY THEFT STATISTICS...
2002 IFCC Fraud Report Details—
Average Amount Lost, by Fraud Type,
for Persons Reporting Monetary Loss
% of Complainants
Reporting a Dollar Loss
per Typical Complaint
(merchandise & payment)
|Nigerian letter Fraud*||< 1%|
* —Of 16,164 complaints, 74 individuals lost money totaling $1.6 million.
Per Referred Complaint,
By Gender and Age
60 and older
Statistics from the FTC's January 22, 2003 report, "National and State Trends in Fraud & Identity Theft,
January - December 2003"—
The FTC's 2003 report also has state-by-state statistical charts on reported fraud and identity theft. Here's an example of the stats from the report for Oklahoma...
Back to "Other Internet Fraud Variations"...
Online Auction/Retail: The fraud attributable to the misrepresentation of a product advertised for sale through an Internet auction site or the non-delivery of products purchased through an Internet auction site. For specific advice on how to avoid online auction-related fraud, click HERE to download the FTC's "Facts For Consumers" booklet,
"Internet Auctions: A Guide for Buyers and Sellers".
Internet Auction Fraud — Steps to take if victimized...
Steps to take to avoid being victimized...
- File a complaint with the online auction company. In order to be considered for eBay's Fraud Protection
Program, you should submit an Online Fraud Complaint at 30 days after the listing end-date.
- Notify your local and
state law enforcement officials.
- Notify law enforcement officials in the perpetrator's town and state.
- File a complaint with the shipper (e.g., for the U.S. Postal Service, use the Mail Fraud Complaint Form.)
- File a complaint with the Better Business Bureau at BBB Online.
- Understand as much as possible about how Internet auctions work, what your obligations are as a buyer,and what the seller's obligations are before you bid.
- Find out what actions the website takes if a problem occurs and consider insuring the transaction and shipment.
- Learn as much as possible about the seller, especially if the only information you have is an e-mail address. If it is a business, check the Better Business Bureau where the seller/business is located.
- Examine the feedback rating for the seller, and use common sense; if the seller has a history of negative feedback, don't bid with or buy from that particular seller.
- Determine what method of payment the seller is asking for and where he/she is asking to send payment. Use caution when the mailing address is a PO Box #.
- Be aware of the difference in laws governing auctions between the U.S. and other countries. If a problem occurs with an auction transaction that involves the seller in one country and a buyer in another, it might result in a dubious outcome leaving you empty-handed.
- Be sure to ask the seller when delivery can be expected if not specified in the listing, and about warranty, exchange or return of merchandise you find defective or unsatisfactory.
To avoid unexpected costs, read the information in the listing about shipping and handling fees carefully. If not specified, you may want to clarify before bidding or buying.
- Finally, avoid giving out your Social Security number or driver’s license number to the seller, as the sellers have no need for this information.
A November 2003 IFCC "Intelligence Note" warns of an increasing number of reported Internet auction frauds and hundreds of new complaints received daily. Many of these frauds originate in Eastern Europe in former communist countries. Consumers are strongly cautioned against entering into Internet transactions with subjects exhibiting the following behavior:
- Buyers should beware of sellers who post the auction under one name, and ask for the
funds to be transferred to another individual for any reason, especially when the seller
reports to be in the U.S., but requests funds be sent to another country.
- The subject requests funds to be wired directly to him/her via Western Union®, MoneyGram®, or bank-to-bank wire transfer. The IFCC has verified that funds sent via Western Union® can be picked up anywhere in the world without the need to provide the money transfer control number (MTCN) or the answer to any secret question, as many scammers have represented to the victim. Money sent via wire transfer leaves little recourse for the victim once it is claimed.
- If the product or deal seems too good to be true, it probably is. Many vendors in Eastern European countries claim to sell "factory-direct" brand-name products, but those products aren't manufactured in Eastern Europe.
- Buyers who ask for the purchase to be shipped using a certain method to avoid customs
or taxes inside another country should be avoided.
- Be suspect of any credit card purchases where the address of the cardholder does not
match the shipping address. Always receive the cardholder's authorization before
shipping any products. Beware of customers using multiple credit cards to make a single
or large purchase, as these may be fraudulent transactions.
- Victims are also reporting to the IFCC that they have participated in, or been victimized
by, a scheme involving work-from-home jobs on web sites. The seller asks the U.S.
citizen to act as a third party receiver of funds from victims who have purchased products
from the subject via the Internet. The U.S. citizen, receiving the funds from the victims,
then wires the money to the subject in either Bucharest, Romania, or Riga, Latvia. The
buyers never receive their merchandise.
BONUS LINK: Think you have a real lemon? Maybe you do! Visit the new "government recalls" website — the centralized, online listing for all manner of product recalls— consumer products, motor vehicles, boats, food, medicine, cosmetics, and more.
Phony Escrow Services:
In an effort to persuade a wary Internet auction participant, the scammer will propose the use of a third-party escrow service to facilitate the exchange of money and merchandise. The victim is unaware the scammer has spoofed a legitimate escrow service. The victim sends payment or merchandise to the phony escrow and receives nothing in return.
For more information on phony escrow services, click HERE to jump to the FTC's Consumer Features article,
"Going, Going, Gone... When Online Auction Users
Lose Out to Phony Payment and Escrow Services"
and/or click HERE to download the FTC's booklet,
"Internet Auctions: A Guide for Buyers and Sellers"
for additional advice on how to avoid auction-related fraud.
Ponzi*/Pyramid Schemes: Investors are enticed to invest in this fraudulent scheme by the promises of abnormally high profits. However, no investments are actually made by the so-called "investment firm". Early investors are paid returns with the investment capital received from subsequent investors. The system eventually collapses and investors do not receive their promised dividends and lose their initial investment.
(* —the term "Ponzi Scheme" is derived from Charles Ponzi, an immigrant who ran his original pyramid frauds in the U.S. in the 1920s. While not the inventor of the pyramid scheme, Ponzi was certainly a master at promoting them, and cheated thousands of people out of millions of 1920 dollars. Eighty years later, Ponzi Schemes are still being run on the same "rob-Peter-to-pay-Paul" method as money from new investors is used to pay off earlier investors until the whole pyramid collapses.)
The FTC offers these tips to avoid pyramid schemes:
- Avoid any plan that offers commissions to recruit new distributors.
- Beware of plans that ask you to spend money on costly inventory.
- Be cautious of claims that you will make money by recruiting new members instead of on sales you make yourself.
- Beware of promises about high profits or claims about "miracle" products.
- Be cautious about references; they could be "shills*" by the promoter. (* —a "shill" is a scammer's assistant. Usually a person who poses as an ordinary customer in order to entice others to participate in the scam.)
- Don’t pay money or sign contracts in a high-pressure situation.
Check out all offers with your local Better Business Bureau and state Attorney General.
For more information on pyramid schemes, click HERE to go to the FTC's webpage,
"Don't Get Burned... By A Pyramid Scheme!".
Want to know even more? Visit these webpages:
A new twist to the old "Protection Racket"...
Be wary of vendors/solicitors that offer to "protect" you from ID theft and demand sensitive information. The FTC warns that some fake companies, claiming to be identity theft prevention services, are simply guises for obtaining personal information from you such as your driver's license number, mother's maiden name, social security number and credit and bank account numbers. Remember, do not give out any personal information over the phone or online unless YOU initiated the call AND are familiar with the business that is asking for it. If you are unsure about a firm, check it out with the Better Business Bureau.
Outright Extortion —with Small Ransoms...
Another variation, more pure extortion than identity theft, is scams involving email threats to delete files or send embarassing photos to office workers' computers unless the victim pays a small fee — at first no more than $20 or $30. The perpetrator preys on office workers who are naive and normally wouldn't think of doing anything wrong, who pay the small extortion with their credit/debit card thinking they can make the problem go quietly away.
Because the ransom is small, many people tend to pay up and keep quiet, never reporting the episode. Unfortunately, paying the small ransom simply identifies them to the scammer as a soft target; the scammer may come back demanding more money the next time. Even small companies are extorted in this manner by threats to delete files or release viruses if small ransoms aren't paid.
at Public Computers...
Cyber-criminals can also snare you when you use public Internet kiosks, public computers at libraries and other locations, and Internet cafes —i.e. "other people's computers". When you surf the Internet you usually leave "cache" trail in the computer you are using – a trail that others can follow.
In one recent U.S. Department of Justice case, a 24-year old man successfully installed "keylogging" software in fourteen Kinko's stores in the New York City area (without Kinko's knowledge or permission) and was able to capture customers' usernames and passwords. He admitted he then used the confidential information he obtained to access, or attempt to access, bank accounts belonging to other persons, and fraudulently open on-line bank accounts. (He also pled guilty to similar fraudulent conduct that he continued to commit while on bail after his arrest.)
Keylogging software and hardware devices (AKA "system monitors) are readily available over the Internet (starting at about $20). Hardware keyloggers take many forms, from tiny plugs inserted between the keyboard and computer (easy to deploy/retrieve from public computers by identity thieves), to even more stealthy keyloggers built into keyboards and/or keyboard extension cables that are totally invisible to the victims.
Personal data stolen through keylogging software, surreptitiously installed on public computers, can be harvested by scammers in a number of ways, from manual and automatic software-driven Internet connection downloads, to quick local harvests through the use of tiny, inexpensive, USB "keychain" memory/storage devices.
Another source of privacy complaints and identity theft concerns is Internet "spyware" —"data miners" commonly in the form of "browser cookies" "web bugs" and "adware".
Created/stored on your own computer to interact with a specific website (or group of websites), cookies are text files that hold user information in order to "personalize" web pages.
Cookies are commonly employed for user-friendly e-commerce purposes such as tracking a user's visit to a website (recorded in one or more "cookies") and providing custom page content and goods/services recommendations to users based on their own unique history of purchases/interests. Cookies are not limited, however, to "consumer-friendly" purposes, but can also be used by any website you visit to track your activity.
Far more invasive than cookies, web bugs are often tiny transparent image files (often a single pixel) on webpages and are also used to monitor/capture a web-surfer's online habits, as well as potentially install malignant files. Web bugs can take information you've entered at a selected web site and transfer it to any number of other sites without the your knowledge/consent.
Some web bugs infest/infect your computer "drive-by downloads". If your web browser/Internet security controls aren't set correctly, simply visiting or clicking on a website can instantly and secretly install a web bug inside your computer. And, unlike cookies, web bugs can exceed even the ability of settings in your browser software to block/delete, and are often very difficult to track/reveal/remove without special software or expertise.
Once on your computer, a web bug sits on your hard drive, continuously tracking your actions and using your Internet connection (without your knowledge/permission) to send periodic reports to its parent/creator.
Sophisticated "spyware" bugs (AKA trojanware, snoopware and trespassware) are stealthy stand-alone programs potentially capable of ...
—literally capable of finding all targeted data on, or passing through, your computer (including your passwords) —and of secretly sending the stolen/captured information to a third party!
secretly monitoring your keystrokes,
- snooping your computer files/applications,
- reading your browser cookies,
- changing your default homepage and
- logging all the websites you visit
Spyware can be divided into two main categories: "surveillance spyware" (AKA system-monitors) and "advertising spyware" (AKA adware).
The surveillance spyware category includes trojans, keyloggers, screen-capture and remote control devices/programs, and can be a powerful identity theft tool. Unlike advertising spyware, which usually has a commercial/marketing purpose, surveillance spyware is typically put to more nefarious uses.
Both surveillance and advertising spyware frequently piggyback on Internet downloads of free/trial software applications, such as music or photo sharing programs, games or small utilities like "cute"" cursors, and screen-savers frequently in the form of ActiveX controls and plugins. Advertising spyware is also widely spread on the popular peer-to-peer music/file-sharing programs/networks. Some flavors of advertising software include pop-up ad programs, search-redirectors, data-miners, homepage/browser hijackers, and porn-dialers. Advertising spyware is most notorious for intrusive popups and other commercial annoyances.
The presence of adware may actually be "legally" disclosed, buried deep in the lengthy licensing agreement that most users ignore and click past when downloading material they want. Refusing to accept the bundled/piggyback adware, or removing it later, may render the program you wanted useless.
Advertising spyware in commercial software not only pops up ads (the part of its function you get to see), but also monitors users' computer behvior and Internet browsng habits, gathers users' personal data and transmits it all back to direct marketing firms, who in turn use the data to target specific advertising back at the user.
Not necessarily less dangerous than "surveillance" spyware, the most intrusive advertising spyware can log (and transmit) considerable personal data about the user, including the user's name, age, sex, email addresses, online buying habits, a history of all the websites visited, the computer's hardware/software configurations, and more. (Possibly even the user's passwords.)
Users choose to download most spyware as part of a file download they want (whether they're actually aware of that "choice" or not) and, attached to a legitimate download, even the most malicious spyware can easily bypass firewalls. Once it's more or less secretly installed, it will often take special expertise or software tools to remove it; spyware is designed to not be easily removed.
"Porn-dialers" are a nasty form of spyware that may be installed just by surfing past the wrong website (they're often drive-by downloads). Once they're secretly installed on the user's computer, they happily go about their job of using the victim's computer modem to dial up 1-900 porn-distribution numbers, often overseas. The phone bills that result from these secret calls can be astronomical. Typically, the user doesn't know there is a problem until the monthly bill arrives (on pallets, on a flatbed truck).
Note:The FTC suggests, if you think you've been a victim of unauthorized modem dialing, to—
- Dispute the charges with the company doing the billing.
- Save the bill. it may help identify the scammers when you report the incident.
- Take action if you are billed for access to Internet content that you didn't authorize. Use the FTC's complaint form, or contact the FTC, toll-free, at 1-877-FTC-HELP (1-877-382-4357).
At best, spyware programs like adware can slow your computer and bombard you with pop-up ads. At worst, spyware can set the county phone-bill record, corrupt your data, crash your system and help some clown steal your identity.
Your identity-theft protection isn't complete without spyware-monitoring software on any internet-connected home/office computers. A number of commercial, shareware, and freeware products are available to help control/manage cookies and identify, block and delete web bugs. Examples include—
Products like these can identify thousands of existing spyware variants, and can be updated over the Internet to keep you protected against emerging bugs.
You can also use an Internet search-engine with keywords like "find delete spyware cookies web bugs" to lead you to other similar products.
Also, you can take a free audit for spyware at the following websites:
Some of the major ISPs have begun bundling spyware protection into browser upgrades. Earthlink® has their Spyware Blocker software in place, and AOL® has announced their intent to do so.
Click here to jump to a PC Magazine® article, "Spyware—It's Lurking On Your Machine", comparing various spyware-fighting products.
More and more malware is being developed to spy on innocent home computer users and inadequately protect businesses, including even the ability to turn webcam(s) and microphone(s) against their owners.
For example, the "Rbot-GR worm" (aka W32/Rbot-GR) is a prolific worm that spreads through networks shares, dropping backddor Trojan horse programs on vulnerable computers as it spreads.
Once infected, the attacker can do whatever they want through the backdoor program, and the Rbot-GR worm is designed specifically to control a victim's webcam and microphones. If your infected computer has a webcam plugged in, everything you do and say in front of the computer can be seen, heard, and recorded.
Pretexting— The easiest way for an identity-thief to steal your identity is to ask you for it, often over the phone. Posing as your bank, insurance company, doctor's office or other business you use, the thief calls you on the phone, tells you a believable story (the "pretext" for the call), and asks you for key personal information.
This practice is called "pretexting" — the practice of getting personal information under false pretenses. Pretexters can use your information (or sell your information to other people who may use it) to get credit in your name, steal your assets, or to investigate or sue you. Pretexting is against the law.
As a general rule, always be suspicious of telephone solicitors. Never provide personal information unless you have initiated the call.
In other forms of telemarketing fraud, you may receive unsolicited calls with offers of prizes, vacation packages, merchandise, or other "opportunities" that seem too good to miss (or be true) —and are usually not just "limited time offers" —they're only available if you act right now. You're required to provide your credit/debit information, up-front, to (supposedly) take care of a "minor fee" or "tax". When the prize/merchandise never shows up, you'll realize you've been "had" by a scammer.
Beware high-pressure sales tactics and offers of prizes, goods, or services that can only be shipped/delivered when you pay an"up-front" fee via cash, credit/debit card number or checking account number. Also, be wary of telephone surveys —the "survey" may simply be a scammer's "pretext" to gather information about you to be used in a future scam.
For more information on pretext calling, click HERE to jump to the FDIC publication, "Guidance on Identity Theft and Pretext Calling".
Also, for good one-page presentation on charity scams, click HERE for "Give to the Needy, Not the Greedy —A Giving Guide for Donating to Charities" from the Consumer Protection Unit of the Oklahoma Office of the Attorney General (Adobe PDF format).
Under a new federal law (the Gramm-Leach-Bliley Act) it's illegal for anyone to:
However, essential to PREVENTING identity theft is doing all you can to insure the identity thieves never get their hands on your personal information in the first place!
- use false, fictitious or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution.
- use forged, counterfeit, lost, or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution.
- ask another person to get someone else's customer information using false, fictitious or fraudulent statements or using false, fictitious or fraudulent documents or forged, counterfeit, lost, or stolen documents.
Another identity theft law: "Identity theft is a criminal offense. It occurs when a person...
- knowingly transfers or uses,
- without lawful authority,
- a means of identification of another person
- with the intent to commit or to aid or abet
- any unlawful activity that constitutes a violation of federal law or that constitutes a felony under any applicable state or local law."
—Identity Theft and Assumption Deterrence Act, 18 USC 1028(a)(7)
Click HERE for FBI tips on dealing with various types of "Fraud on the Internet" or click HERE for FBI presentations on "Common Fraud Scams".
- If you encounter an unsolicited e-mail that asks you, either directly, or through a web site, for personal financial or identity information, such as Social Security number, passwords, or other identifiers, exercise extreme caution.
- If you need to update your information online, use the normal process you've used before, or open a new browser window and type in the website address of the legitimate company's account maintenance page.
- If a website address is unfamiliar, it's probably not real. Only use the address that you have used before, or start at your normal homepage.
- Always report fraudulent or suspicious e-mail to your ISP.
- Most companies require you to log in to a secure site. Look for the lock at the bottom of your browser and
"https" in front of the website address at the top of your browser window.
- Take note of the "header" address on the web site. Most legitimate sites will have a relatively short internet address that usually depicts the business name followed by ".com", or possibly ".org". —
Spoof sites are more likely to have an excessively long string of characters in the header, with the legitimate business name somewhere in the string, or possibly not at all.
- If you have any doubts about an e-mail or website, contact the legitimate company directly. Make a copy of the questionable web site's URL address, send it to the legitimate business and ask if the request is legitimate.
- If you've been victimized by a spoofed e–mail or web site, you should contact your local police or sheriff's department, and file a complaint with the FBI's Internet Fraud Complaint Center at www.IFCCFBI.gov.