Welcome to the 21st century. It's a place where technology is magic, and that magic can make your hard-earned cash disappear without a trace and with no thief in sight.
Cybercrime is on the rise, and it will continue to rise. For the average American with a computer at home, you are already more likely to be a victim of cybercrime versus any sort of physical theft. Cybercrimes cost consumers billions of dollars every year, and cyber-theft has grown every year since it began being tracked by the Federal Trade Commission.
Why is it so pervasive, and why is it growing so quickly? For one thing, it is an easy crime to commit with very little threat of punishment. It is also very profitable for the criminal...often more profitable than selling drugs, running prostitution rings and other more traditional forms of organized crime.
Organized crime? That's right, much of the cybercrime today is perpetrated through large (and not-so-large) criminal organizations. For the various cartels and criminal factions, both internationally and domestically, cybercrime, and specifically identity theft, is simply too lucrative to pass up. Technology has given the thieves tools to create a near-perfect criminal environment: easy money from soft targets, little to no risk, and an endless supply of victims.
So how do they use technology to do this? I'm glad you asked. Let's go over some of the more common methods, now.
The Phish Prince of Zaire
Dear Sir and/or Madam,
The revered Prince Ollie Barnotovilogiboxoboxo asked me to contact you regarding a matter of greatest importance. As you may know, he recently was fitfully flogged and remanded to a state of being not unlike that of a common servant. He has done nothing wrong and therefore had set up a fund of the peoples money in a separate bank account for further use to feed the poor and starving children of the world and Zaire.
Since he can not export the full sum of money directly, being that he is arrested of house jail, he would like to wire the money directly to a trusted person of interest like yourself. The full sum is $23,211,510.33, and for your effort he would like to allocate the portion of $3,512,212.31 for you to keep for your effort. Please respond to this email for further instructions. Kindest regards...Blokey Carlton, British Deputy Diplomat to the Consulate of Zaire Embassy.
Dissecting the Prince
Aside from the fact that the country of Zaire hasn't been in existence since 1997, on its face the above reenacted email is absurd. You may believe that no one could be fooled by it. Though the simulated email is completely fictional and written for the purpose of this article, believe it or not I have seen even more absurd emails with equally poor grammatical syntax and similar subject matter that have been sent by identity thieves for the purpose of defrauding individuals. But here's the real kicker: I've had some of those who received such emails ask me if the emails are/were "for real".
In answer to the question of whether or not people fall for these things: yes, they do. Granted, not that many people will fall for such poorly worded and illogical emails, but even one person in a hundred thousand, out of tens or perhaps hundreds of millions of emails sent, will reap thousands upon thousands of dollars for the thieves - all for sending out a single email that didn't take much effort or thought to put together.
Additionally, the crooks have gotten savvier about these types of emails, called "phishing" emails. Some phishing emails have articulate and intelligent-sounding premises, and the originators have taken care to ensure the emails are grammatically correct. I have even seen some phishing emails sent to industry specific mailing lists with industry specific lures. In one case, a religious organization received an email saying that Mrs. SuchAndSuch wanted to donate a large sum to their ministry. That one was more convincing because the criminals had actually researched the institution they were targeting and talked about specific funding.
If you happen to respond to such an email, the typical variances of fraud can go something like this:
- After you respond to their email, the thieves respond back requesting either a direct phone conversation, or they will ask for specific information via email. If they want to talk on the phone, they may ask you for a phone number, or they may give you a phone number to call.
- If they respond by asking you to call a number, the number could be a real number with which to further draw you into a scheme, but it could also be a quick fraud. The phone number you call might be a pay-per-call or a premium phone number that charges you an exorbitant fee for making the call. If it is a premium call, they may try to keep you on the line in order to bill by the minute.
- In some cases they may ask for very direct information such as your bank account and routing number on the pretense that they are wiring you the money, all while attempting to clean out your bank account. Of course, major institutions' fraud prevention systems may catch this sort of fraud, these days, so the criminals will probably ask you to wire them some money to cover "transfer fees". If you are willingly sending the money, you're likely not going to have much recourse in getting it back.
- In other instances the thieves, in addition to asking for bank account information and transfer fees, may ask for more information such as a copy of your social security card, your license, your home address, your date of birth, or your passport in order to "verify" your identity. These identity thieves will use all of the information to maximum effect. Inevitably, these types of thieves either have networks within the U.S. or will sell your information to other criminal networks operating within the U.S. They will then attempt to open bank accounts, credit lines, and loans in your name, and they'll probably file false tax returns where the refunds will be sent to an address of their designation.
- In some cases, the thieves might actually send you a check or money order, first, to prove their intentions and to gain your trust. You could receive the check or money order and deposit it, at which point you might even see the balance of your account increase...until the bank discovers the check/money order is fraudulent. In the more sophisticated schemes, the check/money order transaction is routed back to a fake bank in another country. The fake bank receives your account and routing information from the transaction data, and a path is created with which to allow the criminals/fake bank to transfer money out of your account without any further interaction between you and the criminals. One week you see your account and the deposit all apparently intact, and the next week you see an empty account.
Cutting Bate And Avoiding Entrapment
Avoidance is clearly the best policy with these types of scams, and it's also a 100% effective method of prevention. Just don't answer the email. Don't take the bait, and don't try to string the scammers along.
Some people have an inclination to try to play the game in an effort to entrap the crooks, but it's important to understand that the criminals don't even know you exist unless you respond to them. They are spamming millions of email addresses without knowing who the addresses belong to or even which addresses are valid. Even if you *know* they are trying to scam you, you should avoid them altogether. Some of these groups are organized and networked within the US, and you will probably only succeed in making yourself a target if you try to toy with them. You can report them to your state Attorney General or perhaps the FBI if you really want to be proactive. In truth, nothing you do will likely spur any sort of investigation with local or federal authorities, but such complaints may help to amass enough pressure over time to spur some sort of law enforcement action(s).
Of course these sorts of phishing emails are just the tip of the iceberg. There are many effective and damaging phishing strategies being employed by criminals with more technical knowledge.
Returning To The Phishing Hole With Better Bait.
As time progresses, antivirus and anti-spam software and hardware evolve to block certain kinds of threats. Developers adapt security systems to look for signs of known threats and known threat sources. In turn, the criminals figure out ways to circumvent and/or disable security systems software and hardware. It is a sort of cat and mouse game that seems to favor one side or another at any given time. Right now, phishing threats, among others, seem to be growing faster than security systems and software can keep up. For this reason, users must take on some of the responsibility to identify and avoid the threats rather than solely depending upon their antivirus software, firewall, and/or other security systems.
A second form of phishing is more direct. It commonly occurs via email or on social networking sites. Phishing emails or messages may try to create a sense of urgency by telling the user an account has been compromised and frozen or is about to be frozen unless account information can be verified. Large banking institution names are commonly used in these scams because the thieves generally don't know where you bank, but there is a statistical chance that you could have accounts at banks such as Wells Fargo, Bank of America, etc. Thus, at one time or another, you'll probably see a phishing email relating to your bank if you bank at a national institution.
No matter which institution name is used, a link is usually provided with which to "verify" the account. Sometimes the links will lead to web pages that ask for a username and password, and sometimes they will lead to web pages that ask for other information such as social security numbers, birth dates, license numbers, or credit card numbers. Regardless, the information being requested is almost always sensitive information that will in some way benefit the criminals.
As anyone reading this is aware, viruses are a major threat in today's online world. The worst sorts of viruses and worms are those that incorporate software into their payloads that will steal personal information such as keystrokes, passwords, banking information, and anything else that a thief might consider valuable.
One of the ways such infections occur is through phishing emails. In one case that I dealt with recently, an accounting person at a business received a convincing email from what appeared to be their bank. The email simply requested that they sign on to their account to verify account information. To the person who received the email, the link and request looked legitimate because it appeared to originate from the bank in which the company's business accounts resided. After clicking on the link in the email, a web site came up that looked convincing, as well. The user entered the company's business account and password and received an error indicating the website was undergoing maintenance, and the error instructed her to try again later. At the time she was unaware of the damage that had just occurred. She had just fallen prey to a phishing email.
This particular phishing email was damaging in two ways: first, in typical phishing fashion, the link took her to a site that collected her business account name and password directly, giving the bad guys the ability to login to the company's actual bank site and access business accounts (which they did); second, when the user clicked on the link, the linked website injected a virus through a Java exploit that installed a key logger (a program that records keystrokes and relays them to someone elsewhere). It also installed a remote access backdoor so that the thieves could get into her computer and do whatever they wanted to do.
This sort of phishing/virus email hybrid is particularly effective because, beyond the standard phishing tactic of fooling users into giving up private information, such emails link to sites that infect machines with viruses designed to harvest even more information. Often, when a virus injection from a website is based upon a Java or Adobe exploit, the user's antivirus software may be bypassed altogether and subsequently disabled. Additionally, the virus may frequently download new payloads to further exploit the machine and to avoid detection from newer security/anti-virus software.
Unfortunately, phishing and viral identity theft have begun to merge to give criminals the maximum advantage in harvesting your personal data, and this trend will continue to rise.
Preventing More Terrible Fishing Analogies
What can you do to avoid falling prey to the direct and hybrid phishing exploitation schemes?
- In both the classic phishing emails and virally-tinged versions, the single best advice is to delete any emails that contain external links, especially if they implore you to "verify" account information. No matter how tempting it looks, no matter how convincing it looks, no matter how desperate the message is, even if it appears to originate from a person or institution that you deal with regularly (including family members), don't click on external links in emails! If there is any question in your mind as to the validity of the email, and if you feel strongly enough about it to the extent that you believe it might be valid, pick up the phone and call the bank, institution, or individual directly. Verify that they sent the email with the intent of having you validate information. 99.999999999% of the time, banks will tell you the email is fraudulent, and most of the time, a personal acquaintance won't even know what you're talking about. Most banks, financial institutions, and the IRS will tell you that they *never* solicit sensitive personal information via email.
- If you have a business, security appliances such as the Barracuda Web Filter or the SonicWALL security appliances are particularly effective in combatting phishing scams. Such appliances filter a lot of web-borne viruses and phishing sites before they reach individual users and before injected viruses can attempt to exploit vulnerable machines.
Viral Identity Theft
As previously mentioned in the "Hybrid Phishing Schemes" portion of this article, viruses are becoming one of the key tools that criminals use to gain information for their identity theft schemes. Besides phishing schemes, some other common methods are listed below:
Emails With Attachments
Did you ever receive an email from a friend or loved one that said, "Hey, check this out!" and it was a video or PowerPoint presentation of something funny or political or otherwise interesting? Maybe it wasn't really interesting or funny, after all, but chances are that you opened it out of curiosity.
Well, that is a good way to get a virus and therefore a good way to have your identity stolen. Even though anti-spam/anti-virus software and hardware filtering systems have eliminated much of these kinds of virus distribution threats, because most harmful attachment types are stripped from emails, there are still virus creators who occasionally manage to bypass filters to get attachments through.
If you happen to double-click the attachment and your antivirus system doesn't catch it, the program can do anything on the machine that any other program can do, including deleting files, installing key logging programs, etc. The most common such threats we see come from other infected machines where the virus has accessed the infected computer's address book. It then sends out infected attachments to people within the address book while representing the email as coming from some other person within the same address list. In that way, the email may appear to come from someone the user knows, making the user less suspicious and more likely to open the attachment. These types of viruses may be of the garden variety sort that will install intrusive software for which you are prompted to purchase software to remove, or they may be more sinister, seeking to gain personal information for the purpose of stealing your identity in some form.
Other common attachment-based viruses that seem to be on the rise again are those that represent themselves as coming from "ADP" as a payroll report or "UPS" as a shipment report or even "American Airlines" with a supposed ticket confirmation. These types of emails are usually directed at businesses, and they most often have the purpose of stealing business and personal information in order to exploit bank accounts or otherwise steal from victims. Often, these attachment types will be html-based with some Java-exploits embedded into the html. HTML attachments often bypass mail filters, because a lot of email is already html-based.
One other note: if you get an unsolicited "update" from Microsoft, Trend, Symantec, or any other large software and/or anti-virus company, it is a virus. Aside from the fact that these companies would likely have no way of knowing what software you're running, they also never distribute unsolicited updates via email.
Viruses On The Web
Last but unfortunately not least are web-based viruses that will steal your personal information. These kinds of viruses install themselves in the same way as described in the "Hybrid Phishing" section of this article, but they infect the computer by virtue of clicking on links from social media news feeds and walls, Google Searches (or searches from any search engine), and sites that unwittingly have been infected. These are the most difficult to avoid, because legitimate sites can be infected, and they can then become the infector. The most egregious case I saw of this was a few years ago at the Texas A&M student radio web page. Whether or not a site is legitimate really doesn't alter the fact that your personal information is at risk if that site infects your computer.
Protecting Yourself Against Viral Identity Theft
Web-based viruses, thus web-based viral identity threats, are probably the most difficult types of threats to protect yourself against. However, there are some steps you can take:
- First and foremost, avoid opening unknown email attachments. Even if an attachment comes from someone you know, if you aren't expecting it or if you are not sure of its purpose, don't open it. If the lure of the file seems irresistible, call the person who sent the attachment, first, and ask if it was forwarded intentionally. Satisfying your curiosity is probably not worth years of dealing with the fallout of identity theft.
- Keep your antivirus software and definitions up to date. Along the same lines, make sure your antivirus software has a web-scanning/link-scanning feature and that it is enabled.
- Keep your Adobe and Java plugins and software up to date. Security exploits are exposed regularly for these platforms, and between the two of them, the exploitation of their security flaws are the biggest source of web-based virus infections at present. Also, keep your operating system up to date. Microsoft also has numerous security holes revealed regularly, and security patches are released every second Tuesday of the month.
- Use mainstream search engines like Google or Bing. Their index engines often scan and identify infected sites and warn you in your searches.
- If you run a business, consider a content filtering appliance for web and email. These types of systems screen content before it reaches potentially vulnerable PCs.
As I mentioned in the first identity theft article, vigilance is the most important part of protecting your identity. Ensure that your software and security updates are performed regularly. Watch for fraudulent schemes and avoid them. Don't try to con the conman. Did you receive an email from the IRS or a bank that wants you to go online from a link within the email? Don't do it. Either call the institution or go to the appropriate website yourself. Check the facts before accepting the premise of any email. Are friends sending you attachments? Call them to find out what they're sending before opening anything. Check and re-check everything. It will eventually become second nature to you.
In the end, your identity depends upon your own vigilance. Antivirus software, security appliances, etc. simply help augment your defenses, but ultimately your own actions will likely determine whether or not your personal information is secure.
In a future article, I'll relate some steps to take if, despite your best efforts, the worst happens and your identity is compromised. Much of the damage of identity theft can be mitigated or avoided altogether, even after you have been victimized, simply by being...vigilant...after the fact.
If you like this article or found it useful, please feel free to Like it and share it with your friends and/or on Facebook.