Vehicles Of Financial Frauds: Phishing, Vishing, And Other Social Engineering Methods

by golbguru on September 28, 2007

Over the past few weeks, I have been getting an increasing number of messages from readers about some Bank of America scam emails and related fake websites. As such, I thought it would be in order to discuss some of these issues by way of a dedicated post. Although the content below is by no means a comprehensive compilation of methods of financial fraud, it should be a fairly useful starting point for generating awareness about this topic.

Also, since most people who read this blog (and other personal finance blogs) are probably financially savvy to some extent - that is, they probably conduct a lot of financial transactions online, are aware of the risk of identity theft, etc. - it’s all the more important that they are aware of the information discussed below.

This post became a bit too lengthy for my taste, so here is a little table of contents to help you navigate if you don’t like scrolling too much:


Phishing

This is an internet-based activity in which attempts are made to fraudulently extract sensitive financial and personal information from unsuspecting victims. The most common method for perpetrating this criminal activity is sending fake emails that direct readers to counterfeit websites designed to look like authentic ones. The thieves pursue pieces of information like credit card numbers, CVV or CVC codes (the three-digit numbers on the back of your card), ATM card numbers and passwords, and login IDs and passwords for transaction sites like eBay, PayPal, bank accounts, etc.

Here is an example of a Bank of America phishing email that I received several months ago - since then, there have been many instances of people almost being fooled by similar BoA emails (check the comments in that post).

Here is a YouTube video that explains a bit more about phishing using a specific example:

[youtube]n2QKQkuSB4Q[/youtube]

A rich source of information on phishing and related issues is the Anti-Phishing Working Group. Some essential guidelines from this website to avoid becoming a victim of a phishing scam are listed below:

  • Be suspicious of any email with urgent requests for personal financial information.
  • Don’t use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don’t know the sender or user’s handle.
  • Avoid filling out forms in email messages that ask for personal financial information.
  • Regularly log into your online accounts.
  • Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate.
  • Always report “phishing” or “spoofed” e-mails to the following groups:
    1. Forward the email to reportphishing@antiphishing.org
    2. Forward the email to the Federal Trade Commission at: spam@uce.gov
    3. Forward the email to the “abuse” email address at the company that is being spoofed (e.g. “spoof@ebay.com”)
    4. When forwarding spoofed messages, always include the entire original email with its original header information intact
    5. Notify The Internet Crime Complaint Center of the FBI by filing a complaint on their website: www.ic3.gov/

In addition to these measures, read below about protection against spoofing and ransomware - all the measures should go together for increased effectiveness.


Spoofing

There are different types of spoofing, but for our purposes, let’s restrict ourselves to website spoofing - that is, the creation of fake financial websites designed to imitate authentic ones… again for the purpose of stealing financial information. Spoofing goes hand in hand with phishing - a phishing email, with all its fake links, is designed to lure the recipients to a spoof website.

Here are links to two sample images: 1. Bank of America Spoof Site, and 2. Bank of America Authentic Site. You can see how good this spoofing business can get.

Two quick ways of catching most spoof sites are:

  • Look at the URL in the address bar of your browser. Authentic financial websites are secured, so their URLs must start with “https”, not “http”. Note that “https” only tells you the connection to that site is encrypted; it does not by itself prove the site belongs to your bank, so also check that the domain name in the address bar is the bank’s real one.
  • Look for the padlock image in the status bar of your browser - no padlock image means the site is not secured. In fact, go ahead and click on the padlock image and see if it displays a valid security certificate - in all probability, spoof sites won’t have one.
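As an added example (not part of the original post), here is a small Python check that applies the phishing and spoofing advice above to the links in an HTML email: it flags a link whose visible text names one site while the href goes elsewhere, a link that is plain http, and a link whose host is not part of the bank’s real domain. It assumes the bank’s real domain is bankofamerica.com; the sample email body is constructed.

```python
# Added example (not from the original post): flag phishing-style links in an HTML email body.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)  # URL-like text

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _shown_host(text):  # host named by the visible text, '' if the text is not URL-like
    if not _LOOKS_LIKE_URL.match(text):
        return ""
    return (urlparse(text if "://" in text else "//" + text).hostname or "").lower()

def _belongs_to(host, domain): return host == domain or host.endswith("." + domain)

def flag_suspicious_links(html, trusted_domain):
    """Return [(href, reason)] for each link a reader should not follow."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host, shown = (url.hostname or "").lower(), _shown_host(text)
        if shown and shown != host:      # text names one site, link goes elsewhere
            findings.append((href, f"text shows {shown!r} but link goes to {host!r}"))
        elif url.scheme != "https":      # the post's first check: https, not http
            findings.append((href, "link is not https"))
        elif not _belongs_to(host, trusted_domain):   # look-alike or unrelated host
            findings.append((href, f"{host!r} is not part of {trusted_domain}"))
    return findings

# Constructed sample phishing body; 198.51.100.7 and example.net are reserved documentation values.
SAMPLE_EMAIL = """<p>Dear customer, your account will be suspended.</p>
<a href="http://198.51.100.7/boa/login">https://www.bankofamerica.com/</a>
<a href="https://bankofamerica.com.example.net/verify">Verify now</a>
<a href="https://www.bankofamerica.com/">Privacy policy</a>"""
```

Running `flag_suspicious_links(SAMPLE_EMAIL, "bankofamerica.com")` flags the first two links and leaves the genuine https link alone.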

If you are looking for automatic protection, Firefox 2.0 and Internet Explorer 7.0 have some built-in spoof/phishing detection measures in them. To add an additional level of security, you can use browser extensions or other programs that will do the job for you. Here are a couple of such free programs that can be really valuable:


Vishing

This is an offshoot of phishing, specifically coined to describe attempts to steal financial information using voice plus phishing - with the “voice” term coming from VoIP (Voice over Internet Protocol) technology. Criminals are attracted to this method of scamming because VoIP makes caller ID spoofing easy - calls made from VoIP terminals are difficult to trace back to their origins (protects the identity of identity thieves!), unlike calls made from a land line or a cell phone.

Here is the modus operandi according to Wikipedia:

When the victim answers the call, an automated recording, often generated with a text to speech synthesizer, is played to alert the consumer that their credit card has had fraudulent activity or that their bank account has had unusual activity. The message instructs the consumer to call the following phone number immediately. The same phone number is often shown in the spoofed caller ID and given the same name as the financial company they are pretending to represent. When the victim calls the number, it is answered by automated instructions to enter their credit card number or bank account number on the key pad.

The simplest thing to do to avoid being a victim of this scam is to make sure that you never give your personal information over the phone to unsolicited callers. Don’t compromise on this for any reason.


Pharming

This is essentially phishing, but it goes beyond simple tricks like fake emails filled with bogus links. Phishing can be remedied by simple security measures that you can observe while using your computer; pharming, however, is not that easy to contain.

Here, the fraudsters attack the flow of information on the internet, such that even if you type the real, authentic URL of a financial institution into your browser, you will be illegally redirected to a scam website designed to steal your information. Due to the technical complexity involved in rigging up such a system, pharming scams are not as popular as phishing scams - as yet; but fraudsters become smarter by the minute, so this will be something to watch out for in the future.

A particularly ominous pharming tactic is known as domain name system poisoning (DNS poisoning), in which the domain name system table in a server is modified so that someone who thinks they are accessing legitimate Web sites is actually directed toward fraudulent ones. In this method of pharming, individual personal computer host files need not be corrupted. Instead, the problem occurs in the DNS server, which handles thousands or millions of Internet users’ requests for URLs. Victims end up at the bogus site without any visible indicator of a discrepancy. Spyware removal programs cannot deal with this type of pharming because nothing need be technically wrong with the end users’ computers. (source)


Ransomware-ing

This is a relatively new beast. In this, attackers remotely access your computer and steal photos, documents, or encrypt all the data (so that you can’t access anything). Then they send you a ransom note demanding money if you want your data back or you want access to your computer again. Call it “data kidnapping” if you want.

Here is a video that explains it all:

[youtube]CO3pWtcaKpA[/youtube]

The malicious programs, or “ransomware”, used in these cases come via email attachments or automatic downloads from untrusted websites. The best defense against such attacks is to keep your computer security updated with the latest antivirus, spyware, and firewall protections, and to keep regular backups of your data somewhere the attacker can’t reach (for example, an external drive that is disconnected when not in use), so that an encrypted computer doesn’t mean lost data. Some popular free security tools are listed below:


Dumpster Diving

Oh yeah! Low-tech means to achieve rich results. This has nothing to do with computers or the internet, but it can be equally damaging in terms of losing valuable financial information. And the sole reason why this is still going on? People have still not learned to shred their financial documents before disposing of them in the trash.

If you don’t yet have a shredder, go get one right now. Nowadays, you can get a shredder for the cost of a couple of burgers.

There is a technological side to dumpster diving which raises its head occasionally: dumpster diving for electronic data. Don’t throw your used hard drives in the trash without wiping them (completely stripping them of residual data). Simply deleting data or formatting a drive is just not enough. Read this article to learn more about this issue - wiping your hard drive clean before disposing of it. Personal finance enthusiasts who maintain spreadsheets or software programs to manage their finances should especially be aware of how they dispose of their hard drives.


Social Engineering

This is defined as follows:

… social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system. (source)

“Hacker” means any unauthorized person wishing to steal your sensitive information - not restricted to just computer hackers.

From this definition, it is obvious that all the methods used to perpetrate financial fraud, as discussed above, are subsets of this huge thing called social engineering. Be very wary of social engineering - it inevitably ends in identity theft and loss of valuable and sensitive financial information.


Apart from using technological tools to fight social engineering, the best thing we can do is to train ourselves to look at things with a critical eye. Knowledge and awareness are your best friends in mitigating the risk of becoming a victim of social engineering and financial fraud. I hope this post gives you a head start in that respect.



1 Eric 09.30.07 at 6:04 am

Golbguru - great post! This is an area I have some extensive interest in too. It seems the Internet can certainly be a minefield these days if you aren’t careful.
