'Spoofing' uses e-mail for rip-offs
Source: Denver Post
By Jennifer Beauprez
Date: July 15, 2003
Consumers should be wary of a new kind of spam that on the surface looks like it comes from a legitimate company. But in reality, the e-mail aims to gather information used for ripping off people.
The e-mail messages appear to come from well-known and trusted companies that direct the recipient to a phony website - also possibly resembling a legitimate company site - that requests confidential financial information or a Social Security number. Criminals can use this personal information to drain bank accounts, ring up bad debts or commit other crimes.
Called "brand spoofing" or "phishing," these spam messages are on the rise, experts say.
"They're preying on the unsuspecting," said Susan Larson, a vice president of SurfControl, a Scotts Valley, Calif.-based firm that filters e-mail and Internet activity. "Even though these things look personal and are coming into your e-mail, they're not to be toyed with."
Identity theft is the fastest- growing crime in Colorado and the rest of the nation. Last year, identity theft reports surged 88 percent to 162,000, from about 86,000 in 2001, according to the Federal Trade Commission.
And over the past few months, a number of well-known companies have been spoofed, including Earthlink, Best Buy, UPS, Bank of America, PayPal and First Union Bank, according to SurfControl and the Federal Trade Commission.
PayPal, which handles electronic payments for e-commerce customers such as eBay, started seeing spoof e-mails in early 2002 but they were simply bad imitations, said Kevin Pursglove, Pay-Pal spokesman. In the past few months, those e-mails have become far more sophisticated, he said.
"They've done a fairly good job of imitating an Internet site," he said. "Most every major Internet company has had to deal with these so-called spoof e-mails."
PayPal is working with law enforcement to track down the spammers and is looking at new technologies to keep them out of customers' in-boxes.
Meanwhile, even the most savvy Internet users could be duped, Larson said. Some of these spoof messages promise fraud protection and lure e-mail recipients by telling them a product has been ordered with their credit card or a recent purchase has been canceled.
"More people are doing online banking, shopping, putting their credit cards out there and dealing with passwords," said Larson. "In a way, we've become less skeptical. Some of the these things don't look strange."
Experts say even if a person actually has done business with that company, he or she never should click on the hyperlink inside the e-mail. Customers should instead go to the company's main website or call its customer service number, usually listed on a bill or statement.
A person believing he or she has been duped should cancel the credit card immediately and file a scam report at www.ifccfbi.gov.
If you're not sure whether a message is legitimate, send suspicious e-mail to the Identity Theft Resource Center at email@example.com .
People may see more of these scams get worse before they get better.
Spammers can use myriad computer servers to mask their identities, and they often operate out of the country and thus out of reach of the U.S. law. The operations also shut down quickly, leaving cold trails for investigators.
"It isn't easy," said Dave Mahon, special agent leading the FBI's Denver cybercrime unit. "But we'll certainly go after it until we have a dry hole, especially if it's a high dollar amount lost."
The FTC also will pursue such cases, but at this point the agency has not taken any action, an FTC spokesperson said.
Consumers should be wary of bogus e-mails that pretend to be from a trusted company and ask for updated account information. MXLogic, a Denver e-mail filtering firm, offers some tips to protect yourself:
Don't trust e-mail headers. They can be forged.
Never fill out a form in an e-mail message. No one knows exactly where the data will be delivered.
Never click on a link in an e-mail message. Scam artists can make those websites look like familiar, legitimate companies.
Never give out personal or confidential information through e-mail. E-mail is not encrypted and can make many stops on the way to its recipient.
If in doubt, throw it out. Always go to the company's website directly to access your account information.
Original article: http://www.denverpost.com/Stories/0,1413,36~33~1512495,00.html
^macro[showdigestcomments;^uri;'Spoofing' uses e-mail for rip-offs]