Recently, I got an email from a family member which reads as follow:
I'm out of town suffering a terrible incident, I need your urgent favor,
Please email me back as soon as possible.
The displayed email address looks correct as XXXX@yahoo.com, but when I check the headers, the reply-to address is XXXX@outlook.com. And the phone number has the wrong area code.
I recognized it as the money gram scam. Basically, if you reply to that email, you will receive a request to send money by Western Union (or a similar money transfer service), where it is easy for anyone to go and pick up the cash. (If you call the number, you will probably get voicemail.) The way this scam works is to hack into someone’s email account, send this same message to everyone in the address book, and hope that one or two people will fall for it and send money.
I sent a warning to my family and wasn’t surprised to find that most did not recognize this email as a scam. They were confused or thought it was a joke. The family member, whose email account was hacked, disclosed that several friends and acquaintances were calling to ask why he needed $930. This tells me that a lot of folks are not knowledgeable about Internet scams. I want to talk about scams, Internet and otherwise, and the one method that I use to fight them.
In the past, this and other frauds were perpetrated by isolated con artists. Nowadays, I believe that most of the scams on the Internet are perpetrated by criminal organizations. If I was a mafia boss, I would definitely have an Internet racket because face it, you can make a ton of money (from the hundreds of millions of victims) with very little risk of getting caught or punished, especially if you are located in another country.
So, there are groups of hundreds of criminals, backed by the best servers that dirty money can buy, running scams across the Internet (and elsewhere). They are working full-time to steal money from you and the companies you do business with. If they are truly International, they may be working full time across multiple time zones, while you are sleeping, eating, going to the bathroom, and watching TV.
You may throw up your hands in defeat at this point. And to be truthful, I agree. There is no way you can beat everything that an organization like that can throw at you. The best you can aspire to be is a potential victim that would take too much effort to defraud. Sad to say, your goal is to be less naive than the masses. Or more simply, the criminals will go for the lowest-hanging fruit and your job is to avoid being the lowest-hanging fruit.
The most powerful tool that we victims have in our arsenal is to “trust but verify” or more accurately, verify before trusting. This applies to almost everything in life. To illustrate, one of my friends did fall for the money gram scam above a couple years ago. After sending the money, she had some doubts so she called the friend up and the friend replied, “What? I’m not in XXXX country, robbed of everything, and in need of money!” My question is: Why didn’t she call up the friend or the friend’s family first before sending money? If she had verified first, the friend or the friend’s family would have told her that the email was a fake.
Email Links: Bad Idea
Avoid clicking on any links in an email, especially an email from your bank. Definitely, do not login if the link takes you to a login page where you are prompted to input your username and password. Instead, open up a browser and manually type in the address of your bank or whatever.
If you’re lucky, clicking on links indiscriminately may get your computer infected with a virus or spyware which will just slow down your computer. If you’re unlucky, a virus will erase your hard drive or a spyware will record what you type, like passwords, and transmit the data to someone who doesn’t have your best interest in mind. Worst, if you click on a link to your bank account and input your username and password, you may have just given access to your bank account to a criminal.
The last is referred to as phishing (pronounced like “fishing” because they are “phishing” for your money) which involves pretending to be a trustworthy entity in order to acquire sensitive information. Basically, someone nefarious creates a website which looks exactly like your bank’s login page. They send you a fake email from your bank with a link. When you click on the link, you are taken to the fake login page. After you input your banking username and password, they could then forward you to the real bank or just throw an error that maintenance is in progress. In the meantime, they have your username and password to access your bank account with.
Phishing may be used to gain access to accounts belonging to other companies than your bank, like investment firms, credit card companies, loan application processors, mortgage payment companies, etc. I believe that all legitimate businesses should make it a policy to not include any links in their official emails; instead, they should ask their users to manually browse to their company websites.
Note: If you receive a complicated link in an email, perhaps pointing to a specific Google or Yahoo photo album, which requires a login and you can’t figure out how to manually browse to it, here’s what you can do:
- Browse to the company address by manually typing it in, and log into your account.
- Go back to the email and click on the link.
If the link is legitimate, the system will recognize that you are already logged in and bypass the login screen. You would then go directly to that page; that is, the photo album. Doing the above will help you to avoid being tricked by a phishing website.
Phone Calls: Just Hang Up
Similar to the above, if you get a phone call from your bank and are asked to verify your identity, ask what the call is about, say bye-bye, and call your bank’s official phone number (listed on the back of your ATM card, their website, or in the phone book). Calling them directly is the equivalent of manually browsing to the company website. If the “bank” calls you and you provide your verification info (mother’s maiden name, social security, etc.), you may have just given your identity away to thieves, who could then gain access to your accounts or more likely, open a new credit card or loan in your name.
Knowing the above, the perpetrators will attempt to override your caution. A year ago, I got a phone call from my credit card company. They told me that they believed my credit card number had been stolen because they were seeing charges for flowers amounting to over a thousand dollars in Florida. They asked me to verify my identity so they can confirm that the charges were fraudulent. Of course, I answered every question they asked. Afterwards, I realized with horror that I might have just given the keys to my identity away to someone who “called” me on the phone. Thankfully it was a legitimate call, but it could have easily been a trick. What I should have done was ask them what the call was about, hang up, and call the credit card company back directly.
Phishing: Old as the Pharaohs
Phishing isn’t something new on the Internet; it has been around for a long time. I’m sure it has been around since mankind first discovered how to cheat and steal. I think all effective scams involve the use of phishing (again, pretending to be a trustworthy entity) because no one hands their money to some entity they don’t trust.
For example, suppose that you are on a business trip. You arrive late at the hotel. You’re hungry but too tired to go out. Conveniently, there is a flyer for pizza delivery that someone slipped under the hotel room’s door. You dial up the pizza place, make an order, and pay with your credit card. An hour later, the pizza hasn’t arrived yet. You call back and get some lame excuse like the oven has exploded, sorry, but there won’t be pizza for anyone. Or maybe no one picks up. Congratulations, you’ve just had your credit card number stolen.
Remember what P.T. Barnum supposedly said, “There’s a sucker born every minute.” Try not to be that sucker. But if you fall for a scam (which I must embarrassingly admit to once or twice), forgive yourself. You are only human. Just repeat to yourself, “There’s a human born every minute.” (To be exact, there’s a human born every 8 seconds.)