"Phishing" and Other Online Identity Theft Scams: Don't Take the Bait
While identity theft is a growing problem online, with some vigilance and caution, individuals can better protect themselves. This Alert tells you how to spot some of the latest online identity theft scams targeting financial sector customers and what you can do to better protect yourself from falling victim to these scams.

"Phishing": Fraudulent Emails That Steal Your Personal Information

"Phishing" is a scam that uses spam email to lure you into revealing your bank or brokerage account information, passwords or PINs, Social Security number, or other types of confidential information. Often the emails falsely claim to be from brokerage firms, banks, credit card companies, Internet auction sites, electronic payment services, or some other service that you use. In other instances, the emails purport to be from government agencies. To appear genuine, these emails may use:
Real Life Example: In January 2004, consumers across the country received an e-mail that appeared to be from the Federal Deposit Insurance Corporation (FDIC), the independent federal agency that insures bank deposits, notifying them that the insurance on their deposits had been suspended at the direction of the Department of Homeland Security due to suspected violations of the PATRIOT Act. Further, the e-mail directed consumers to provide their bank account information by clicking through to a Web site that, while appearing very similar to FDIC's Web site, was in fact a fraudulent Web site located on a server in Pakistan.
Today's Trojan Horses are malicious software programs that hide in files attached to an email or that you download from the Internet and install on your computer. While these programs can take many forms, Trojan Horses used in identity theft scams usually take the form of keystroke loggers: programs that log the keystrokes you type and allow scamsters to find your usernames and passwords, giving them access to your online accounts. Recently, Trojan Horses have been showing up in "phishing" scams.

Real Life Example: During the summer of 2003, a Pennsylvania teenager contacted several members of a financial Web site, alerting them to the availability of a new stock-charting tool. The tool was actually a keystroke-logging program that captured the typing activity of any user that downloaded it, and periodically e-mailed it back to the teen. Using this technique, the teen gained access to the online brokerage account of an investor who had unsuspectingly downloaded the keystroke-logging program. Using the investor's brokerage account number and password, the teen proceeded to execute a series of options trades that wiped out almost all the investor's cash holdings. The SEC and the U.S. Attorney's Office for the District of Massachusetts have taken civil and criminal action against the youth.
Some scamsters are creating phony Web sites that misappropriate the name or Web site content of legitimate brokerage firms to solicit business from unwary investors. By stealing the identity of a legitimate brokerage firm, scamsters can claim that they are members of the Securities Investor Protection Corporation (SIPC) and registered with NASD. Potential investors may be urged to go to SIPC's and NASD's Web sites to "verify" the phony brokerage firm, giving them a false sense of security. Using these phony Web sites, the unlicensed brokerage firms often attempt to sell shares of small U.S. companies to investors in other countries. After the sale, the price usually falls and the investors lose their money.

In a twist on this scam, the fraudsters may offer to help investors recover their losses by selling their thinly traded stocks (usually, bought through another scam). However, in order for the transaction to proceed, the investor must first deposit money in an "escrow account" or buy a performance bond. The phony firm then vanishes with the money.

Real Life Example: In February 2004, the Missouri Secretary of State's Office issued a cease and desist order against a company for stealing the name of a real brokerage firm and creating a fraudulent "virtual office," including a phony Web site and fake Kansas City address. Using this stolen identity, the operators of the phony firm solicited international investors offering to exchange thinly traded securities for shares of Yahoo stock. The fraudsters required investors to deposit money in an escrow account at the National Bank of Greece in Cyprus to comply with "short sale regulations," telling investors that the money would be returned after the exchange was completed. Investors were told that the phony firm's agents were licensed investment bankers and that it was a member of the Securities Investor Protection Corporation (SIPC). While this was true of the legitimate brokerage firm, located in Minnesota, it was not true of the fraudulent virtual firm.
1. Beware of e-mail requesting personal information. Don't reply to or click on a link in an unsolicited email that asks for your credit card, bank or brokerage account information, passwords or PINs, social security number, or other types of confidential information, even if it looks like the email comes from a financial institution with which you do business. When in doubt, log onto the main Web site of your credit card, bank or brokerage firm at the normal Web address you use or call your firm using a telephone number that you know or one from a previous account statement to inquire about whether the request for information is legitimate. Alternatively, you can obtain the main office address and primary telephone number for any brokerage firm through NASD BrokerCheck. You also can visit the Anti-Phishing Working Group's Web site to find out about some of the latest phishing attacks.

2. Leave suspicious Web sites. If you think a Web site is not legitimate, leave it immediately. Legitimate firms typically offer customers a number of ways to contact them.

3. Keep your personal and financial information secure online. Here are a few simple steps that you can take to make your information more secure when you go online.
   Keep your computer system up to date with the latest security patches.
5. Order a copy of your credit report. It is a good idea to check your credit report every year. You should obtain a copy of your credit report from each of the three major credit bureaus.
   Equifax
   Look for accounts you did not open and any unexplained transactions.

6. Review your account statements. This is your last line of defense. If you are victimized, the sooner you catch it, the better. Regularly review your online account information for unauthorized trades, cash withdrawals, or any other unrecognized activity; do the same as soon as you receive each monthly or quarterly statement. If you have moved, make sure to update your postal address with all of the firms where you have accounts. If you receive your statements by email and change your internet service provider or otherwise change your preferred email address, make sure to update your email address with all of the firms where you have accounts. Immediately report any suspicious activity to your brokerage firm.

7. Act quickly if you believe you've been scammed. If you believe that you're a victim of one of these scams, you need to act quickly. For example, you may only have 60 days to report a loss or theft of funds through an electronic funds transfer to limit your liability.
   Identity Theft. If you believe your identity has been stolen, the Federal Trade Commission's Identity Theft Web site contains step-by-step directions of what you should do.
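
One way to automate the check in step 1 on a mail gateway or in a mailbox rule, added here as an example and not part of the NASD alert: it flags a message that both asks for the kinds of information listed in step 1 and links to a host outside the domains the recipient normally uses. KNOWN_DOMAINS, the function names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Kinds of information the alert says phishing emails ask for.
SENSITIVE = ("credit card", "bank account", "brokerage account",
             "account information", "password", "pin", "social security number")
# Assumption: domains this recipient normally uses (constructed values).
KNOWN_DOMAINS = {"fdic.gov", "mybroker.example"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def body_text(msg):
    """Concatenate every text/* part of the message, decoded to str."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def is_known(host):
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)

def review_email(raw_email):
    """Flag mail that asks for confidential data and links off the known domains."""
    text = body_text(message_from_string(raw_email))
    asks = [t for t in SENSITIVE if re.search(rf"\b{re.escape(t)}s?\b", text, re.I)]
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)}
    unknown = sorted(h for h in hosts if h and not is_known(h))
    # A known name inside an unknown host marks a lookalike address.
    brands = {d.split(".")[0] for d in KNOWN_DOMAINS}
    lookalike = [h for h in unknown if any(b in h for b in brands)]
    return {"asks_for": asks, "unknown_hosts": unknown,
            "lookalike_hosts": lookalike, "suspicious": bool(asks and unknown)}

# Constructed sample, modeled on the FDIC example described in the alert.
SAMPLE_PHISH = """From: "FDIC" <notice@fdic.gov.verify.example>
Subject: Deposit insurance suspended

Insurance on your deposits has been suspended. To restore it, confirm your
bank account number and password at http://fdic.gov.verify.example/restore
"""
# Constructed benign notice: no request for data, link stays on a known domain.
SAMPLE_OK = """From: statements@mybroker.example
Subject: Your statement is ready

Your quarterly statement is available at https://www.mybroker.example/statements
"""
if __name__ == "__main__":
    print(review_email(SAMPLE_PHISH), review_email(SAMPLE_OK), sep="\n")
```

A flagged message is a prompt to verify through the firm's normal Web address or a known telephone number, as step 1 advises; the keyword and domain lists need tuning per mailbox.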
Courtesy of: http://www.nasd.com/Investor/Alerts/alert_hacker.htm