All posts by FPU

What is Affinity Fraud?

At the beginning of Side 3 of Grand Funk Railroad’s 1970 Live Album, Mark Farner shirtlessly tells the audience this (edited for clarity):

Brothers and sisters, there are people out there that look just like you, or maybe your brother…but they’re not. And when they hand you something, don’t take it. Don’t take it, okay?

Now, Mark was referring to the kind of party supplies that might circulate at a rock concert in 1970, but he also could have been talking about affinity fraud almost fifty years later.

Affinity fraud targets people who are members of a group, and uses that group identity to lure victims into the scam. Some of the most common targets are religious groups or church members, people with a shared ethnicity, or those who have served in the military. The con artist will be a member of the targeted group, or will claim to be, and attempt to recruit others to help bring in more victims.

Generally, these scams take the form of phony investments or Ponzi schemes.

There are a variety of ways to identify affinity fraud. Here are a few things to look for:

Is the person offering the investment using membership in your group as his “in?”

A shared identity can be a great way to build community, but remember that the human tendency to trust those we see as similar to ourselves can be used against us. Just because someone claims to be a member of your group doesn’t mean they are. There is no physical barrier to lying; “I’m the same as you” can be uttered by anyone, whether it’s true or not.

Are the investment materials (brochures, flyers, etc.) filled with symbols or phrases familiar to your group?

A con artist targeting members of a church might festoon his written information with symbols or scripture (some even go so far as to imply that the “opportunity” has been sent from above). On the other hand, a scammer going after veterans might use flags, ribbons or eagles. Humans are emotional, and we respond strongly to symbols, but be cautious around any kind of investment offer that seems to be hitting those symbols a little too hard.

Are the promised returns extremely high, or is the investment presented as guaranteed or having little-to-no risk?

Real investments carry risk. There is always a non-zero chance you will lose some or all of your initial investment. An investment presented as “risk-free” or “guaranteed” is always going to turn out to be a scam, because that’s not how investing works. Any investment promising double-digit returns is to be taken with a grain of salt.

Do the returns hinge on you recruiting others into the fold?

That’s a Ponzi scheme. You will lose all of your money.

Is the broker licensed to sell investments?

Never invest through an unlicensed broker. Whatever your (or your group’s) opinion of regulations, licensing requirements, or government in general, anyone selling investments without a license to do so is breaking the law. What other laws is this person willing to break? What about the ones that make stealing illegal? And don’t fall for excuses like, “I’m not licensed because the government doesn’t want your group to have access to this amazing opportunity,” either. That’s just someone stoking your emotions to goad you into action.

The U.S. Securities and Exchange Commission has a nice PDF available for download that goes into more detail about affinity fraud and how to report it to the SEC.

(However, it doesn’t contain a single reference to Grand Funk Railroad. You gotta read my articles for those.)

Two Things That Scream ‘Investment Scam’

There are a million online articles about investment fraud and how to recognize the signs. And you can go the detailed route of researching the opportunity, checking out the broker with FINRA, asking if the broker is licensed and with whom, and other steps.

Or you can go the expedient route and just look at these two questions:

  • Is the return being described as “guaranteed” or “risk-free?”
  • Is the broker telling you the investment is a “secret?”

If the answer to either question is “yes,” do not proceed any further. You are about to fall victim to an investment scam.

There is no such thing as a risk-free, guaranteed investment. Companies can use the money you invest to make good decisions that increase profits, which comes back to you as an increase in the value of your share; or they can make poor decisions or get buried by a changing marketplace. Either or both can happen, and past performance is not an indicator of future growth. Any broker telling you the investment will only increase in value, with no risk of loss, is lying.

Scammers posing as investment brokers will sometimes attempt to portray the alleged opportunity as a “secret” that only certain people are allowed to know about. Usually this is a tactic to convince a potential victim not to talk to anyone else. Outside input is dangerous to a scammer, since it only takes a couple people saying “that sounds kinda shady” to threaten the whole operation. That aroma of secrecy can also be used to dodge questions such as, “Why can’t I find any information about this investment online?” The reason is that it’s not legitimate.

As for actual “secret” investment deals…well, you know those high-profile cases where people get put in jail for insider trading?

Now, just because an investment offer passes this little test doesn’t necessarily mean it’s real. A savvy con artist may present a more realistic pitch, at which point you’ll have to do more research. Another question you can ask: who approached who?

The Do Not Call Registry Doesn’t Stop Scam Calls (But Sign Up Anyway)

I’ve heard it dozens of times: so-and-so signed up for the Do Not Call Registry a year ago, but they keep getting scam calls, so obviously it doesn’t work. What’s the point?

And I’ve always replied: put your phone numbers on the list anyway.

Why?

Because it’s a filter.

When you put your phone number on the Do Not Call Registry, after a few weeks, you will stop getting calls…from legitimate businesses that use cold calls as their primary sales technique (telemarketers, in other words). Companies that do not want to be shut down for breaking federal laws.

You won’t stop getting calls from scammers. They’re not referring to the registry in the first place because they don’t care. At the same time, you will already know not to even bother picking up the phone, because you know that anyone calling once your phone number is in the Registry is willfully breaking the law. You already know they’re dishonest, without hearing a word they say. All you have to do is let it ring until it stops.

Utility Scams are an Ongoing Threat

It’s been a while since I brought up Utility Scams, so now is as good a time as any for a quick recap.

Utility Scams are an example of a distraction scam, and they generally target seniors. These scammers generally work in pairs. One will knock on the door and claim to work for the local utility company. He will claim they are testing something, or fixing something, or there’s some kind of urgent situation that requires the resident to allow him inside the house to do something with the circuit breaker.

While the homeowner is busy with this person in the basement, his partner will enter the home and look around for cash, jewelry or other valuables to steal. After a few minutes of pretending to work on something, the first person will claim the job is done and leave. By the time the resident notices the robbery, the scammers are long gone.

Your utility company should always contact you in advance if there really is an issue that requires someone to enter your house. However, such scenarios are extremely unusual. If someone appears at your door claiming to represent a utility, politely ask to see an ID badge. Regardless of the response, ask them to wait a moment. Close the door and lock it, make sure any other doors are locked, and call the utility company directly if you’re still unsure, or call the police if you’ve got a bad feeling. Do not simply let a stranger into your house on his word.

It’s also not a good idea to let on that you think this person is trying to commit a crime. This is an in-person scam, and it carries risks that aren’t really present with a scam phone call from the other side of the globe. They might just run, but they might not. It’s better to pretend to play along. Most likely they’ll take off as soon as you close the door—the point of most scams is to get in and out quickly. Standing around on someone’s porch in broad daylight for more than a couple seconds isn’t going to appeal to someone who doesn’t want to be seen.

Another Perspective on Passwords

The standard advice for creating passwords has long been this: use a long string of completely random letters (upper- and lowercase), numbers and special symbols. Make it so long and complex that nobody is able to guess (or remember) it, and it would take a computer billions of years to crack.

But recently a different perspective has emerged: what if those passwords were still long enough to foil a brute-force, script-based hacking attempt for long enough to make the attempt non-worthwhile, but made of words you might actually be able to recall without logging into your password manager app or plugin? What if you used something like a string of four random words?

Let’s look into a few options. I’ll be using the website How Secure Is My Password? to compare. Results on the site are given in the form of “It would take a computer about [length of time] to crack your password” (or “Your password would be cracked INSTANTLY” if you put in a real clunker like “abc123” or “password”). The results from this site are simply estimates (not guarantees), but they are useful in determining whether a password is lousy, decent, or excellent.

First, an example of the old random-string-of-characters method:

84xNMat88xy4TkVTE^5!UQty: 1 OCTILLION YEARS

Yeah. That is an unfathomably long time. Written out, that’s 1,000,000,000,000,000,000 years. If the universe is 13.82 billion years old, it would take a computer almost 72.5 million TIMES that long to crack your password.

In other words, that’s a very strong password. But now try to memorize it.

Now let’s try a string of four random words (“wheel,” “grout,” “oyster” and “button”), no spaces, all lowercase:

wheelgroutoysterbutton: 11 TRILLION YEARS

Now, technically, that’s not as secure as 1 octillion years. But on a practical level, we’re still in “might as well be forever” territory. You’re going to be pretty well-protected against a script-based hacking attempt.

What if we add a number, or a number and a symbol, or capitalized the words, or added dashes or spaces (not all online accounts allow this) between the words?

wheelgroutoysterbutton7: 494 QUADRILLION YEARS
wheelgroutoysterbutton7%: 76 SEXTILLION YEARS
WheelGroutOysterButton: 45 QUINTILLION YEARS
wheel-grout-oyster-button: 17 SEXTILLION YEARS
wheel grout oyster button: 169 SEXTILLION YEARS

They’re all fine options, and you’ve actually got a fighting chance of remembering them if needed, and an even better chance of actually typing them correctly if your password manager app/plugin isn’t available (or playing nice with a website, which does happen).

So it’s really a matter of what you’re comfortable with and what the website you’re using requires (some force you to use at least one uppercase letter, number and symbol).
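The arithmetic behind estimates like these, as an added example (not code from the original article or from the How Secure Is My Password? site): it compares a search that guesses one character at a time with a search that guesses whole words from a known list. The guess rate and the 7,776-word list size are assumptions chosen for illustration, so the figures will not match the site's.

```python
import string

# Assumptions for illustration (not from the article):
GUESSES_PER_SECOND = 1e10        # fast offline guessing against a weak hash
WORDLIST_SIZE = 7776             # Diceware-style list: 6**5 words
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password):
    """Alphabet size a character-by-character search has to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33               # 32 ASCII symbols plus the space
    return size


def brute_force_keyspace(password):
    """Candidates to try when guessing one character at a time."""
    return charset_size(password) ** len(password)


def passphrase_keyspace(n_words, wordlist_size=WORDLIST_SIZE):
    """Candidates to try when guessing whole words from a known list."""
    return wordlist_size ** n_words


def years_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace / rate / SECONDS_PER_YEAR


def report():
    """Rows of (label, search model, worst-case years) for the article's examples."""
    rows = []
    for pw in ("84xNMat88xy4TkVTE^5!UQty", "wheelgroutoysterbutton",
               "wheel grout oyster button"):
        years = years_to_exhaust(brute_force_keyspace(pw))
        rows.append((pw, "per character", years))
    for n in (4, 5, 6):
        years = years_to_exhaust(passphrase_keyspace(n))
        rows.append((f"{n} random words", "per word", years))
    return rows


if __name__ == "__main__":
    for label, model, years in report():
        print(f"{label:28} {model:14} {years:.3g} years")
```

Under the per-word model the strength depends only on the list size and the number of words, which holds only if the words are picked at random; adding a fifth or sixth word raises it far more than capitalising or appending a digit.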

However, bear in mind that this type of brute force hacking is probably not even remotely the biggest threat to your online accounts. It doesn’t matter HOW many octillion years it would take a computer to guess your password if you fall for a phishing email and type it into a compromised website, or if the company that owns the website keeps its list of logins and passwords in a plain-text file and experiences a data breach.

Your best practice, regardless of the type of passwords you use, is to regularly change them, avoid reusing them across different sites, and know how to recognize a phishing attempt.

Scams That Target College Students

I may be biased here, but I can’t be the only one who thinks a couple hours of “How To Recognize a Scam” training every year would be of great benefit to high school students. Of course, such an undertaking is easier proposed than implemented, but it seems like an important life skill that needs to be touched on at some point.

There are a variety of scams that prey upon current and incoming college students. Here is a brief rundown of a few common ones.

Federal Student Tax Scam

This scam begins with a phone call that may use caller ID spoofing to look like it came from the IRS. The caller will inform the recipient that they haven’t paid their “Federal Student Tax” and will face dire consequences if the tax is not paid immediately. The caller will demand payment via wire transfer or prepaid cards (iTunes, Green Dot, etc.).

Of course, there is no such thing as a “Federal Student Tax,” and the IRS doesn’t call you on the phone about unpaid taxes anyway. Plus, even if you do owe back taxes, it’s impossible to pay them via wire transfer or prepaid cards.

Unpaid Tuition Scam

Another telephone-based scam, this one appears to come from the college admissions office and claims that tuition has not been paid and the student will be un-enrolled if payment is not made immediately via credit card, wire transfer, or other unusual method. A variation of this scam impersonates an FBI agent and claims that the student will be arrested if the bill isn’t paid right away.

If you really have not paid your tuition, they’re not going to call you on the phone and insist that you pay immediately, especially with a credit card or wire transfer (and especially especially with an iTunes card). Your college probably doesn’t take credit card payments over the phone. You should also never reveal personal information to someone who contacted you out of the blue; if you’re truly convinced the call might be legitimate, hang up and contact the admissions office directly. Also, the FBI doesn’t get involved in matters of late college tuition payments.

Advance Fee Scams

College students are often bombarded with alleged opportunities for student loans, scholarships, financial aid and jobs. Some of these are perfectly legitimate, but many are not. There are a lot of individuals and companies charging fees for things you can do on your own for free, such as filing FAFSA paperwork or filling out job applications. Some won’t even provide the service claimed; they just want your banking information to set up a recurring charge.

Never trust an offer of “just give us the money and we’ll do the rest,” and remember that legitimate scholarships are never “guaranteed” (and they usually have requirements beyond you having a pulse).

Greed and Fraud

A few weeks ago, I posted an article about the relationship between fear and fraud. Basically, if someone is trying to make you afraid, then asking for money or personal information, it is very likely that they are trying to steal from you.

There is another emotion that scammers will often prey upon: greed. That all-too-human desire to get something for nothing, and to be the one with the most.

The most obvious example I can think of is the old Lottery Scam. By stoking greed with the promise of vast, out-of-nowhere riches, the perpetrators of this scam hope you won’t notice how suspicious the hoops they’re asking you to jump through are. The promise of millions of dollars is misdirection; while you’ve got your eyes on the prize, you might not remember how unwise it is to wire a few thousand dollars to a stranger, or that “cash this check and wire the money back to me” is a weird request to begin with.

Other examples include the Car Wrap Advertising scam, the Pigeon Drop scheme (“I found money, let’s share it!”), and of course the old Nigerian 419 scam (“I’m an exiled prince; help me retrieve my fortune and I’ll share it with you,” which at this point isn’t even a “classic” scam; it’s positively an antique).

It’s the same tip as with fear: if someone is trying to spark greed, then asking for money and/or personal information, they are trying to scam you.

Avoiding Vacation Rental Scams

So you’ve found the perfect vacation rental for an amazingly low price. You contact the owner of the property and, unbelievably, the price shown on Craigslist is correct and the unit is available for the dates you need. The owner was a bit hard to reach, but he travels all over the world for business (and of course he does—who else but a successful international businessperson could afford such a house in such a location to begin with?).

Payment is arranged by wire transfer (a little unusual, you think, but again—world traveler business type, right? He probably has reasons for his preferences, and they’ve obviously served him well, right?).

You make your payment and pack for your vacation, still not quite believing the deal you’re getting. Oceanfront! And that pool…

You arrive at the property on a Sunday morning and are delighted to find it looks even better than the pictures. You ring the doorbell to be greeted by…the permanent residents of the house, who aren’t renting it out to anyone, and who are wondering why there are a bunch of weird people with suitcases at their front door.

You’ve been taken in by a classic vacation rental scam, and good luck getting your money (that you wired to a stranger) back. What could you have done differently?

First, you could have been more wary of a price that’s too good to be true. There’s no real reason for the owner of a rental property in an extremely popular location to offer a huge discount as long as that demand exists.

Now, I’m not a huge fan of Craigslist for finding vacation rentals, but I’m also not a huge fan of Craigslist in the first place due to the overall potential for fraud. I’m sure there are plenty of legitimate rental listings. However, Craigslist should not be the only place the property is listed. Check vacation rental websites in the area and make sure the property is represented elsewhere as available.

The owner being hard to reach or unresponsive is a red flag. If the entire conversation takes place via email, that’s also suspect. There should always be a phone number with a name attached to it that you can verify with a search. A legitimate business should want to be easy to find and reach. If you find yourself leaving a message every single time you call, that can be another sign of trouble.

Finally, the unusual payment method is a warning that something is not right. You should never wire money to a stranger for any reason. Some rental scammers request that you purchase gift cards and pay by relaying the card information to them. Don’t do it. You want a payment method that leaves a paper trail and has some fraud protection, and you want a buffer between the transaction and your deposit (checking/savings) account. In other words, if you can’t pay with a credit card, look elsewhere.

Sign Up for Activity Alerts Everywhere You Can

Receiving and paying your bills online instead of through postal mail is a good idea. It’s not only convenient, but it also helps fight identity theft and other types of fraud (the fewer pieces of paper floating around in the world with your personal information on them, the better).

But your financial accounts may offer online features you’re not taking advantage of just yet. Most credit card providers and deposit institutions (i.e. credit unions and banks) that offer online access also offer alerts that let you know when activity has occurred on your account. Alerts can be an important tool in detecting unusual transactions or changes as early as possible.

Every financial provider is different, but many will offer alerts for new charges or withdrawals. Other options may include notifications for a change of address, phone number, email address or other contact information. Remember that identity thieves will sometimes attempt to change these details in an existing account in order to hide their activities from the victim. If you get an alert that your address has been changed (and you’re not the one who did it), it’s time to contact that institution and report the suspicious activity.

Fear and Fraud

Humans are an emotional animal. No matter how advanced our technologies or societies become, no matter how objective or logical we believe we are, primal emotions can still affect our behavior, and when someone manipulates those feelings into a heightened state, we find ourselves at risk of making mistakes.

Many types of fraud work by stoking one of our most basic emotions: fear. The assumption goes: if you can make someone afraid, they’ll believe anything you say, even if it makes no logical sense.

Here is a list of several common scams and how they use fear to trick victims into handing over money or personal information:

  • Phishing: uses the fear of losing access to money (“your debit card has been deactivated”) to trick victims into visiting a website that harvests personal information
  • Medicare scam: uses fear of losing access to health care to convince victims to reveal personal information
  • Tech Support scam: uses fear of malicious software to trick victims into handing over control of their computer
  • IRS scam: uses fear of imprisonment to get victims to load prepaid gift cards, then pass along the card information to the scammer
  • Missed Jury Duty scam: uses fear of imprisonment to obtain credit or debit card information
  • Grandparent scam: uses fear of loved ones’ safety to lure victims into wiring money or loading prepaid cards with cash
  • Lottery scam: mostly appeals to greed (another primal emotion), but also stokes fear of missing out on a once-in-a-lifetime opportunity to trick victims into falling for a counterfeit check scheme
  • Ransomware: uses fear of losing access to important files to extort payments from victims

In other words, a lot of scams operate by inciting fear.

The key is to understand that the use of fear is an extremely common (if not the most common) tactic, and to be able to recognize when someone is trying to make you afraid. This requires a certain amount of self-awareness, and I’m not really sure how one goes about developing that, other than to just slow down and take a moment whenever a stranger is presenting you with alarming information, instead of reacting immediately.

Unless they’re shouting “duck!”