From the category archives:

scams

Vehicles Of Financial Frauds: Phishing, Vishing, And Other Social Engineering Methods

by golbguru on September 28, 2007

Over the past few weeks, I have been getting an increasing number of messages from readers about some Bank of America scam emails and related fake websites. As such, I thought it would be in order to discuss some of these issues by way of a dedicated post. Although the content below is by no means a comprehensive compilation of methods of financial fraud, it should be a fairly useful starting point for generating awareness about this topic.

Also, since most people who read this blog (and other personal finance blogs) are probably financially savvy to some extent - that is, they probably conduct a lot of financial transactions online, are aware of the risk of identity theft, etc - it’s all the more important that they are aware of the information discussed below.

This post became a bit too lengthy for my taste, so here is a little table of contents to help you navigate if you don’t like scrolling too much:

  • Phishing
  • Spoofing
  • Vishing
  • Pharming
  • Ransomware-ing
  • Dumpster Diving
  • Social Engineering

Phishing

This is an internet-based activity in which attempts are made to fraudulently extract sensitive financial and personal information from unsuspecting victims. The most common method is sending fake emails that direct readers to counterfeit websites designed to look like authentic ones. The thieves pursue pieces of information such as credit card numbers, CVV or CVC codes (the three-digit numbers on the back of your card), ATM card numbers and PINs, and login IDs and passwords for transaction sites like eBay, PayPal, bank accounts, etc.

Here is an example of a Bank of America phishing email that I received several months ago - since then, there have been many instances of people almost being fooled by similar BoA emails (check the comments in that post).

Here is a YouTube video that explains a bit more about phishing using a specific example:

[youtube]n2QKQkuSB4Q[/youtube]

A rich source of information on phishing and related issues is the Anti-Phishing Working Group. Some essential guidelines from this website to avoid being a victim of a phishing scam are as below:

  • Be suspicious of any email with urgent requests for personal financial information.
  • Don’t use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don’t know the sender or user’s handle.
  • Avoid filling out forms in email messages that ask for personal financial information.
  • Regularly log into your online accounts.
  • Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate.
  • Always report “phishing” or “spoofed” e-mails to the following groups:
    1. Forward the email to reportphishing@antiphishing.org
    2. Forward the email to the Federal Trade Commission at: spam@uce.gov
    3. Forward the email to the “abuse” email address at the company that is being spoofed (e.g. “spoof@ebay.com”)
    4. When forwarding spoofed messages, always include the entire original email with its original header information intact
    5. Notify The Internet Crime Complaint Center of the FBI by filing a complaint on their website: www.ic3.gov/

In addition to these measures, read below about protection against spoofing and ransomware - all the measures should go together for increased effectiveness.


Spoofing

There are different types of spoofing, but for our purposes, let’s restrict ourselves to website spoofing - that is, the creation of fake financial websites designed to imitate authentic ones… again for the purpose of stealing financial information. Spoofing goes hand in hand with phishing - a phishing email, with all its fake links, is designed to lure the recipients to a spoof website.

Here are links to two sample images: 1. Bank of America Spoof Site, and 2. Bank of America Authentic Site. You can see how good this spoofing business can get.

Two quick ways of catching most spoof sites are:

  • Look at the URL in the address bar of your browser. Authentic financial websites are secured, so their URLs start with “https” rather than “http” - but check the host name too, not just the prefix. The part between “https://” and the next “/” is where the browser really connects; it should be the bank’s own domain (e.g. something ending in “bankofamerica.com”), not a look-alike such as a long subdomain of some other domain, a bare IP address, or a name hidden behind an “@” sign.
  • Look for the padlock image in the status bar of your browser - no padlock image means the connection is not secured. Go ahead and click on the padlock image and check that the security certificate was issued to the bank’s domain; a spoof site will usually have no certificate, or one for some other name. Note that the padlock only proves the connection is encrypted to whatever domain is in the address bar, so it is no substitute for reading that domain.
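As an added example (not from the original post), here is a small Python script that does the address-bar check mechanically: it pulls out the host the browser will actually connect to and compares it against a list of the domains you bank at. The trusted-domain list and the sample URLs are constructed for illustration, and the look-alike hosts in them are invented.

```python
"""Check whether a URL really leads to one of the domains you bank at.

Added example; TRUSTED_DOMAINS and the sample URLs are constructed for
illustration and the look-alike hosts in them are invented.
"""
import ipaddress
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"bankofamerica.com", "paypal.com", "ebay.com"}


def split_url(url):
    # urlsplit() needs a scheme to find the netloc; a bare "www.example.com/x"
    # would otherwise parse entirely as a path.
    return urlsplit(url if "://" in url else "http://" + url)


def real_host(url):
    """The host the browser connects to, lower-cased.

    This is the part after '://' (and after any '@') up to the first '/',
    which is exactly the part a look-alike URL tries to push out of view.
    """
    return (split_url(url).hostname or "").lower()


def on_trusted_domain(url, trusted=TRUSTED_DOMAINS):
    """True only for the exact domain or a real subdomain of it (dot boundary),
    so 'bankofamerica.com.login-check.net' and 'notpaypal.com' both fail."""
    host = real_host(url)
    return any(host == d or host.endswith("." + d) for d in trusted)


def spoof_warnings(url, trusted=TRUSTED_DOMAINS):
    """Return a list of reasons to distrust the URL; an empty list means it passed."""
    parts = split_url(url)
    host = real_host(url)
    warnings = []
    if not host:
        return ["no host name at all"]
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        warnings.append("text before '@' is a username, not the host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("internationalized host name; may be a look-alike")
    if not on_trusted_domain(url, trusted):
        decoy = [d for d in trusted if d in host]
        if decoy:
            warnings.append(f"host '{host}' only contains '{decoy[0]}' as a decoy")
        else:
            warnings.append(f"host '{host}' is not a trusted domain")
    return warnings


if __name__ == "__main__":
    for sample in (
        "https://www.bankofamerica.com/login",
        "http://www.bankofamerica.com.secure-update.example.net/",
        "https://www.bankofamerica.com@198.51.100.7/login",
    ):
        print(sample, "->", spoof_warnings(sample) or "ok")
```

The third sample is the nastiest: everything before the “@” is treated as a username by the browser, so the eye sees the bank’s name while the connection goes to the IP address after it.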

If you are looking for automatic protection, Firefox 2.0 and Internet Explorer 7.0 have some built-in spoof/phishing detection measures in them. To add an additional level of security, you can use browser extensions or other programs that will do the job for you. Here are a couple of such free programs that can be really valuable:


Vishing

This is an offshoot of phishing, coined to describe attempts to steal financial information using voice plus phishing - with the “voice” coming from VoIP (Voice over Internet Protocol) technology. Criminals are attracted to this method because VoIP makes caller ID spoofing cheap and easy, and calls made from VoIP terminals are harder to trace back to their origin than calls made from a land line or a cell phone (which protects the identity of the identity thieves!).

Here is the modus operandi according to Wikipedia:

When the victim answers the call, an automated recording, often generated with a text to speech synthesizer, is played to alert the consumer that their credit card has had fraudulent activity or that their bank account has had unusual activity. The message instructs the consumer to call the following phone number immediately. The same phone number is often shown in the spoofed caller ID and given the same name as the financial company they are pretending to represent. When the victim calls the number, it is answered by automated instructions to enter their credit card number or bank account number on the key pad.

The simplest way to avoid being a victim of this scam is to never give your personal information over the phone to unsolicited callers, whatever the caller ID says. If a call claims to be from your bank, hang up and call the number printed on the back of your card or on your statement, not the number the message gave you. Don’t compromise on this for any reason.


Pharming

This is essentially phishing, but it goes beyond simple tricks like fake emails filled with bogus links. Phishing can be countered by simple precautions you observe while using your computer; pharming is not that easy to contain.

Here, the fraudsters attack the flow of information on the internet itself, so that even if you type the real, authentic URL of a financial institution into your browser, you are illegally redirected to a scam website designed to steal your information. Due to the technical complexity involved in rigging up such a system, pharming scams are not as popular as phishing scams - as yet; but fraudsters get smarter by the minute, so this is something to watch out for in the future.

A particularly ominous pharming tactic is known as domain name system poisoning (DNS poisoning), in which the domain name system table in a server is modified so that someone who thinks they are accessing legitimate Web sites is actually directed toward fraudulent ones. In this method of pharming, individual personal computer host files need not be corrupted. Instead, the problem occurs in the DNS server, which handles thousands or millions of Internet users’ requests for URLs. Victims end up at the bogus site without any visible indicator of a discrepancy. Spyware removal programs cannot deal with this type of pharming because nothing need be technically wrong with the end users’ computers. (source)
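The quoted passage distinguishes the two places a pharmer can plant a bogus address: your own computer’s hosts file, or the DNS server everybody shares. The first kind leaves a footprint you can look for. As an added example (not from the post or its source), the Python below parses a hosts file and reports any line that pins a financial domain to a fixed address; the hosts file content and the domain watch list are constructed for illustration. It cannot see a poisoned DNS server, which leaves nothing on your machine to find; there, the only client-side check left is the name on the site’s certificate.

```python
"""Audit a hosts file for pharming entries.

Added example, not from the post or its source. SAMPLE_HOSTS is a constructed
hosts file; on a real machine read /etc/hosts (Unix) or
C:\\Windows\\System32\\drivers\\etc\\hosts (Windows).
"""
import ipaddress

SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    printer.lan
198.51.100.23   www.bankofamerica.com bankofamerica.com   # planted by malware
0.0.0.0         ads.example.net
203.0.113.9     www.paypal.com
"""

# Domains whose presence in a hosts file is never legitimate (constructed list).
WATCHED_DOMAINS = {"bankofamerica.com", "paypal.com", "ebay.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def watched(name, domains=WATCHED_DOMAINS):
    """Exact match or real subdomain (dot boundary) of a watched domain."""
    return any(name == d or name.endswith("." + d) for d in domains)


def suspicious_entries(text, domains=WATCHED_DOMAINS):
    """Return (hostname, ip, verdict) for every entry that pins a watched
    financial domain to a fixed address.

    The resolver consults the hosts file before asking DNS, and the browser
    shows the typed URL unchanged, so any such line is a pharming indicator.
    A loopback/unspecified address merely blocks the site; anything else
    silently redirects it.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if not watched(name, domains):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "malformed address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((name, ip, "blocked"))
        else:
            findings.append((name, ip, "redirected"))
    return findings


if __name__ == "__main__":
    for name, ip, verdict in suspicious_entries(SAMPLE_HOSTS):
        print(f"{verdict:10s} {name} -> {ip}")
```

A clean hosts file names only local machines (localhost, a printer, a file server); a bank’s domain has no business being there at all, which is why the check can be this blunt.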


Ransomware-ing

This is a relatively new beast. In this, attackers get malicious software onto your computer that lets them steal photos and documents, or encrypt all your data (so that you can’t access anything). Then they send you a ransom note demanding money if you want your data back or access to your computer again. Call it “data kidnapping” if you want.

Here is a video that explains it all:

[youtube]CO3pWtcaKpA[/youtube]

The malicious programs, or “ransomware”, used in these cases arrive via stupid email attachments or automatic downloads from untrusted websites. The best defense against such an attack is to keep your computer security updated with the latest antivirus, anti-spyware, and firewall protections, never to open attachments you did not expect, and to keep an offline backup of your data - a current backup that the malware cannot reach is the only sure way to get encrypted files back without paying. Some popular free security tools are listed below:


Dumpster Diving

Oh yeah! Low-tech means to achieve rich results. This has nothing to do with computers or the internet, but it can be equally damaging in terms of losing valuable financial information. And the sole reason why this is still going on? People have still not learned to shred their financial documents before disposing of them in the trash.

If you don’t yet have a shredder, go get one right now - a cross-cut one, since the strips from a strip-cut shredder can be pieced back together. Nowadays, you can get a shredder for the cost of a couple of burgers.

There is a technological side to dumpster diving which raises its head occasionally: dumpster diving for electronic data. Don’t throw your used hard drives in the trash without wiping them (completely stripping them of residual data). Simply deleting files or formatting a drive is not enough, since that only removes the directory entries and leaves the data itself on the disk. Read this article to learn more about this issue - wiping your hard drive clean before disposing of it. Personal finance enthusiasts who maintain spreadsheets or software programs to manage their finances should be especially aware of how they dispose of their hard drives.
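To show what “wiping” means as opposed to deleting, here is an added example (not from the article linked above) in Python: it overwrites a file in place with random bytes, then with zeros, forces the writes to the device, and reads the file back to confirm nothing survived before the file is finally removed. The planted “account record” is constructed sample data. It assumes a magnetic disk: on an SSD, or any drive that remaps blocks, overwriting does not reliably reach every copy of the data, so use the drive’s built-in secure-erase command or full-disk encryption instead.

```python
"""Overwrite a file in place before deleting it, then verify the overwrite.

Added example, not from the article the post links. It demonstrates the
principle on a regular file; to wipe a whole disk you would pass the device
node (e.g. /dev/sdb) and its size in bytes, and run with the privileges that
requires. Assumes a magnetic disk; see the lead-in for the SSD caveat.
"""
import os
import tempfile

CHUNK = 1 << 20  # write in 1 MiB pieces


def _write_all(fd, data):
    # os.write may write fewer bytes than asked; loop until everything is out.
    while data:
        written = os.write(fd, data)
        data = data[written:]


def _overwrite(fd, size, fill):
    """Rewrite the first `size` bytes of fd with fill(n) -> n bytes."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        _write_all(fd, fill(n))
        remaining -= n
    os.fsync(fd)  # push the bytes to the device, not just the page cache


def wipe_path(path, size=None):
    """Overwrite path with random bytes, then zeros, and verify the zero pass.

    Opens without truncation so the same on-disk blocks are rewritten; a
    truncate-and-recreate could land the new file on different blocks and
    leave the old data behind. Returns the number of bytes overwritten.
    """
    fd = os.open(path, os.O_RDWR)
    try:
        if size is None:
            size = os.fstat(fd).st_size
        _overwrite(fd, size, os.urandom)
        _overwrite(fd, size, lambda n: bytes(n))  # bytes(n) is n zero bytes
        os.lseek(fd, 0, os.SEEK_SET)
        remaining = size
        while remaining > 0:
            block = os.read(fd, min(CHUNK, remaining))
            if not block or block.strip(b"\x00"):
                raise RuntimeError("verification failed: data survived the wipe")
            remaining -= len(block)
    finally:
        os.close(fd)
    return size


def contains(path, needle):
    """Crude 'is this string still on disk' check, like a dumpster diver would run."""
    with open(path, "rb") as f:
        return needle in f.read()


def demo():
    """Plant a constructed 'financial' record, wipe it, report (before, after, bytes)."""
    record = b"ACCOUNT 1234-5678 PIN 0420\n"  # constructed sample, not real data
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(record * 1000)
        path = f.name
    before = contains(path, b"PIN 0420")
    wiped = wipe_path(path)
    after = contains(path, b"PIN 0420")
    os.remove(path)  # only now is it safe to let the file go
    return before, after, wiped


if __name__ == "__main__":
    print(demo())
```

Deleting the file first and then running this would achieve nothing, which is the whole point: the overwrite has to happen while the data is still reachable by name.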


Social Engineering

This is defined as follows:

… social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system. (source)

“Hacker” means any unauthorized person wishing to steal your sensitive information - not restricted to just computer hackers.

From this definition, it is clear that all the methods of financial fraud discussed above are subsets of this huge thing called social engineering. Be very wary of social engineering - it often ends in identity theft and the loss of valuable and sensitive financial information.


Apart from using technological tools to fight social engineering, the best thing we can do is train ourselves to look at things with a critical eye. Knowledge and awareness are your best friends in mitigating the risk of becoming a victim of social engineering and financial fraud. I hope this post gives you a head start in that respect.

Additional useful resources:

{ 10 comments }

The Stupid Blue Postcard - Scam, But Not Quite?

by golbguru on June 19, 2007

Here is a blue postcard that I received sometime back (click on the image to enlarge it):

blue post card from timeshare company

And it came from this “Awards Verification Center” address:

address on the blue postcard

Obviously, all the big words - “NEW MERCEDES, BMW, PORSCHE or $40,000 CASH” - are sure indicators of a scam. But generally, stupid scammers who promise big rewards choose email as their preferred way of communicating to me that some Nigerian prince wants to give me $10,000,000 for free (I mean, in return for my bank account information). This postcard, however, is the first piece of *scam* that I have received through regular mail.

To find out who these generous scammers are, I checked the address with the Better Business Bureau (BBB) and it turned up three entries on Silverleaf Resorts - a timeshare company. Here is what the BBB says under “customer experience” for this company:

Based on BBB files, this company has a satisfactory record with the Bureau. A satisfactory record means a company has been in business for at least 12 months, and properly addressed matters referred by the Bureau. The company does not have an unusual volume of complaints, or any government actions involving its marketplace conduct. The Bureau understands and has no concerns about the company’s products, services and type of business.

OK, so what I first thought was a *scam* actually has a *satisfactory* rating at the BBB! So basically, it’s not a scam - it’s an authentic timeshare company indulging in some “scam-like” behavior (?!) (I am assuming that real scams wouldn’t care about resolving customer complaints to get a satisfactory rating). On a related note, I have heard that most timeshare companies show similar traits on the issue of misleading marketing, and in that sense all of them tend towards scams, but let me not crowd too many topics into one post - feel free to discuss this in the comments.

Fortunately, for the company under discussion, there are some negatives mentioned on the BBB website - without which it would have been impossible to understand the veracity (or rather, the lack of it) of the shady promotional postcard.

Our file experience shows that this company has been the subject of complaints alleging misleading or high pressure selling tactics or dissatisfaction with the free award received at sales presentations.

And later it says:

If you have received an award letter from this company, it does not mean that you have won a contest. You will receive a free gift if you attend the sales presentation, but the chances that you will receive a major prize such as a car or cash are very slim. Most consumers receive the ten one-day holiday package, which allows use of resort facilities during the daytime only. Overnight accommodations and transportation are not included.

However, I am still having trouble understanding how a company with some definitely false claims (I don’t think they have ever given anyone $40,000 cash or a Mercedes or a BMW X5) earns a “satisfactory” rating at the BBB. A satisfactory rating reflects the fact that a reasonable number of complaints lodged against the company have been resolved (as seen in the BBB report). Maybe I should try to lodge a complaint against them with the BBB under advertising issues, and see what *reasonable offer* the timeshare company sends my way to settle the issue - with so many complaints resolved, I am sure it must be something convincing - or should I say… lucrative. ;)

Fun fact: Not all timeshare companies are scams. :) Here is some detailed information about how timeshare companies operate and how to identify the ones that are scams - in that, don’t miss this entertaining part: “There have been reported cases in which a free boat that was offered as a prize turned out to be a toy boat.”

I wonder if the blue post card was talking about toy Mercedes M-class and BMW X5 cars… I like free diecast vehicles. :)

{ 16 comments }

Get Rich Quickly Using Milk Bottles And A Ball

by golbguru on April 6, 2007

Here is a quick and efficient money making scheme that engaged my attention for quite some time during our last trip to Sea World:

milk bottle pyramid trick at carnivals

Yes, it’s about those milk bottle pyramids, stacked in a 2-1 pattern (sometimes a 3-2-1 pattern), that appear so easy to knock down with a ball. OK, they are not really milk bottles nowadays but some wooden (or sometimes aluminum) fabrications that look like milk bottles. This milk bottle pyramid activity seemed very popular… not just with the kids, but also with their oh-that-looks-easy dads (believe it or not… it’s more popular with the dads than with the kids). :)

I spent about 20~25 minutes watching the proceedings of a milk bottle pyramid booth (with multiple terminals). In that time, at least 20 people made attempts to knock those bottles off. Only a couple of them paid $3 (because most of them appeared to be throwing the ball thrice); the rest used up 5 bucks. Not ONE of them could knock the pyramid down. Technically, a few of them did knock the pyramid down, but read the text in the above image carefully…you have to knock the bottles *off the table*, just knocking down the pyramid gets you nothing. So basically, the carny (slang for a person who works with a carnival) must have made about $90+ while I was there!

This milk bottle pyramid scheme is not new; in fact, below is an image captured from How Carnival Racketeers Fleece the Public that attempts to explain the trick - published in August 1934 (via Modern Mechanix):

milk bottle pyramid trick old report

However, in the 20 minutes that I spent watching the proceedings at the milk bottle pyramid booth, I realized that there is much more to it than just weighted bottles. Below, is a schematic (with a brief explanation that follows) of the issues involved (in my opinion) in the milk bottle pyramid game.

milk bottle pyramid trick explained

  • Weight of the ball. From what I observed, it didn’t seem like one of the bottles was heavier than the others. However, they all seemed a bit too heavy for the ball that was given to the participants. Because the ball was lighter, it didn’t transfer enough energy to the bottles to knock them “off the table”. Sure they tumbled at times, but it was more like “toppling over” than “knocking over”. Btw, some of the folks were throwing the ball with great arm movement…so they must be packing a lot of punch in it.
  • Table construction. The ball and the bottles are just half the story; the features of the table seemed equally important. The table had a raised edge around the periphery. Since milk bottles are cylindrical in shape, it wouldn’t take much to roll them off the table after you topple them. The raised edge makes sure that this rolling does not happen.
  • Dimensions of the bottle with respect to the table. The bottles were small enough to fit inside the raised edge of the table, if they were laid flat on the sides.
  • Pyramid placement. The pyramid is placed nearer to the person throwing the ball. This may seem like an advantage to the thrower, but in reality, I think it further prevents the bottles from falling off the table. If they were on the opposite side (farthest from the thrower), simply toppling them might nudge them over the table’s edge.
  • Force and accuracy. People who were trying to throw the ball too fast and hard were missing the pyramid totally! Probably, too much force results in too little control over the direction of the throw.
  • Chip on the shoulder complex. This term appears in the 1934 report (see the second image from the top) and might be a strong motivating factor for a lot of older people (kids’ dads) to try the milk bottle pyramid. “Chip on the shoulder” is defined as (source): “A belligerent attitude or grievance”. This, coupled with overconfidence in throwing abilities, provides plenty of good candidates for milking money.
  • Bank on probability. More than a matter of skill, it seemed to me like it was a matter of probability, with the odds working heavily against the thrower. However, a walk around the park did prove that some folks (maybe 3 or 4) managed to win prizes in such games (usually prizes are unique to certain booths… so it’s easy to figure out)… so it’s not like no one ever does it. Also, this is essential for the business, because you have got to show people that they *could* win it too. :)

Plus, there are other things that you could do to mess with the thrower and earn more money. Things like increasing the distance between the thrower and the pyramid, making the surface of the table and the bottles a bit rougher (to increase friction), and perhaps some other innovative approaches (any suggestions?).

By the way, the activity must be providing very good return on investment (ROI), because there are hardly any capital costs (you don’t even need high school education) and operating costs. Your initial setup may cost a few hundred bucks for the bottles, table and the ball and some prizes for display, but once you start running the show, it’s almost an all-profit-no-loss venture.

So, want to be rich and successful quickly? This milk bottles-and-ball pyramid might just be your answer. :)

kids wondering over a milk bottle trick stall

Image source: dccradio via Webshots

{ 17 comments }

Bank Of America Scam Email - Watch Out For This Crap

by golbguru on December 6, 2006

I got an email yesterday, supposedly from Bank of America, notifying me that my online account access is blocked. Incidentally, I was messing with some alert settings on the BoA website the previous night and thought this email might be a result of that… and almost fell for it. Here is a screen shot of the email.

boascam

For a moment I thought “OK, looks like I clicked something and screwed something up… or BoA hasn’t recovered from its recent website fiasco” and was about to click on the link in the email when I started noticing the fishy stuff (see image below). Also, this is the first time I came across a BoA scam… they might have been floating around, but I never got them till now. However, this one was better than some other crappy scam emails I have seen in the past.

boascam2

Fishy stuff is almost invariably in the form of some typos and stuff that conveys an unnecessary sense of urgency. Also, that link was intended to be masked but it wasn’t apparent from the email directly. I checked up the html and got this code:

boascam4

Most bloggers are familiar with HTML and will immediately notice that it’s sort of a botched attempt. Bad job, scammers :). For those who are not familiar with HTML, here is what the scammers were trying to do. This link example.com here seems as if it points to “example.com” but if you click on it, it will take you to my archives page. In a similar way, the scammers were trying to fraudulently link me to that “http://zicada.com….” stuff by masking it with the Bank of America link. I don’t think they got it right. Anyway, to check where the link would have taken me, I copy-pasted the address into my browser and got this (click on the image to enlarge it):
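The masked-link trick described above can be caught mechanically, and it catches the well-executed version too, not just the botched one. As an added example (not part of the original post), the Python below parses an email’s HTML, collects every link, and reports the ones whose visible text looks like a URL for a host other than the one the href actually goes to. The HTML snippet is constructed to mimic the email, and the destination host in it is invented.

```python
"""Flag e-mail links whose visible text does not match their real destination.

Added example, not from the original post; SAMPLE_EMAIL_HTML is constructed
to mimic the masked link the post describes, and its destination host is
invented.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_EMAIL_HTML = """\
<p>Your online account access has been blocked. Please
<a href="http://account-check.example.net/boa/login.php">https://www.bankofamerica.com/</a>
to restore it immediately.</p>
<p>Questions? Visit <a href="https://www.bankofamerica.com/">Bank of America</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host the browser would connect to for a URL or bare host name."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def masked_links(html):
    """Return links whose visible text looks like a URL or host name for a
    different host than the one the href really points to.

    Link text like 'Bank of America' carries no host claim and is skipped;
    the mismatch that matters is a displayed address that lies.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        looks_like_address = "." in text and " " not in text
        shown = host_of(text) if looks_like_address else ""
        actual = host_of(href)
        if shown and shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


if __name__ == "__main__":
    for hit in masked_links(SAMPLE_EMAIL_HTML):
        print(f"text shows {hit['shown']} but link goes to {hit['actual']}")
```

The same comparison is what a mail client performs when it shows the real target on hover, which is why hovering before clicking is worth the half second.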

boascam3

OK, now this is not a bad job at all except the “Mother Maiden Name” thing. The only other things that easily give it away are the URL in the address bar (notice the “zicada.com…” whatever), and the lack of a padlock image that is usually present near the bottom right corner of your browser window and looks like this: padlock banking.

Watch out for this scam. I will write about some more tricky scams in future posts. Till then, here are some quick tips to avoid getting scammed:

1. If you don’t see this padlock image padlock banking, never put your sensitive information on such a website/webpage - and even when the padlock is there, check that the address bar shows the bank’s own domain, since the padlock only tells you the connection is encrypted, not who is on the other end.

2. Watch out for typos and grammar errors. Scammers often seem to be horrible at these things, though a cleanly written email is no guarantee of authenticity.

3. Don’t click on links in your email unless you have solicited them yourselves. (I won’t add “or unless you get them from a trustworthy source”. I have had utter crap links from very trustworthy people).

There are some more finer points, but that will be a topic for another post.

{ 63 comments }