All posts by FPU

Avoiding Vacation Rental Scams

So you’ve found the perfect vacation rental for an amazingly low price. You contact the owner of the property and, unbelievably, the price shown on Craigslist is correct and the unit is available for the dates you need. The owner was a bit hard to reach, but he travels all over the world for business (and of course he does—who else but a successful international businessperson could afford such a house in such a location to begin with?).

Payment is arranged by wire transfer (a little unusual, you think, but again—world traveler business type, right? He probably has reasons for his preferences, and they’ve obviously served him well, right?).

You make your payment and pack for your vacation, still not quite believing the deal you’re getting. Oceanfront! And that pool…

You arrive at the property on a Sunday morning and are delighted to find it looks even better than the pictures. You ring the doorbell to be greeted by…the permanent residents of the house, who aren’t renting it out to anyone, and who are wondering why there are a bunch of weird people with suitcases at their front door.

You’ve been taken in by a classic vacation rental scam, and good luck getting your money (that you wired to a stranger) back. What could you have done differently?

First, you could have been more wary of a price that’s too good to be true. There’s no real reason for the owner of a rental property in an extremely popular location to offer a huge discount as long as that demand exists.

Now, I’m not a huge fan of Craigslist for finding vacation rentals, but I’m also not a huge fan of Craigslist in the first place due to the overall potential for fraud. I’m sure there are plenty of legitimate rental listings. However, Craigslist should not be the only place the property is listed. Check vacation rental websites in the area and make sure the property is represented elsewhere as available.

The owner being hard to reach or unresponsive is a red flag. If the entire conversation takes place via email, that’s also suspect. There should always be a phone number with a name attached to it that you can verify with a search. A legitimate business should want to be easy to find and reach. If you find yourself leaving a message every single time you call, that can be another sign of trouble.

Finally, the unusual payment method is a warning that something is not right. You should never wire money to a stranger for any reason. Some rental scammers request that you purchase gift cards and pay by relaying the card information to them. Don’t do it. You want a payment method that leaves paper trail and has some fraud protection, and you want a buffer between the transaction and your deposit (checking/savings) account. In other words, if you can’t pay with a credit card, look elsewhere.

Sign Up for Activity Alerts Everywhere You Can

Receiving and paying your bills online instead of through postal mail is a good idea. It’s not only convenient, but it also helps fight identity theft and other types of fraud (the fewer pieces of paper floating around in the world with your personal information on them, the better).

But your financial accounts may offer online features you’re not taking advantage of just yet. Most credit card providers and deposit institutions (i.e. credit unions and banks) that offer online access also offer alerts that let you know when activity has occurred on your account. Alerts can be an important tool in detecting unusual transactions or changes as early as possible.

Every financial provider is different, but many will offer alerts for new charges or withdrawals. Other options may include notifications for a change of address, phone number, email address or other contact information. Remember that identity thieves will sometimes attempt to change these details in an existing account in order to hide their activities from the victim. If you get an alert that your address has been changed (and you’re not the one who did it), it’s time to contact that institution and report the suspicious activity.

Fear and Fraud

Humans are an emotional animal. No matter how advanced our technologies or societies become, no matter how objective or logical we believe we are, primal emotions can still affect our behavior, and when someone manipulates those feelings into a heightened state, we find ourselves at risk of making mistakes.

Many types of fraud work by stoking one of our most basic emotions: fear. The assumption goes: if you can make someone afraid, they’ll believe anything you say, even if it makes no logical sense.

Here is a list of several common scams and how they use fear to trick victims into handing over money or personal information:

  • Phishing: uses the fear of losing access to money (“your debit card has been deactivated”) to trick victims into visiting a website that harvests personal information
  • Medicare scam: uses fear of losing access to health care to convince victims to reveal personal information
  • Tech Support scam: uses fear of malicious software to trick victims into handing over control of their computer
  • IRS scam: uses fear of imprisonment to get victims to load prepaid gift cards, then pass along the card information to the scammer
  • Missed Jury Duty scam: uses feat of imprisonment to obtain credit or debit card information
  • Grandparent scam: uses fear of loved ones’ safety to lure victims into wiring money or loading prepaid cards with cash
  • Lottery scam: mostly appeals to greed (another primal emotion), but also stokes fear of missing out on a once-in-a-lifetime opportunity to trick victims into falling for a counterfeit check scheme
  • Ransomware: uses fear of losing access to important files to extort payments from victims

In other words, a lot of scams operate by inciting fear.

The key is to understand that the use of fear is an extremely common (if not the most common) tactic, and to be able to recognize when someone is trying to make you afraid. This requires a certain amount of self-awareness, and I’m not really sure how one goes about developing that, other than to just slow down and take a moment whenever a stranger is presenting you with alarming information, instead of reacting immediately.

Unless they’re shouting “duck!”

$500/week to wrap your car in ads? Better think again.

I still haven’t encountered anything that contradicts this fraud prevention axiom:

“Cash this check then wire the money back to me” is a sure sign of a scam.

It’s a fairly easy pattern to spot when it comes to things like lottery scams, because the scammers almost literally use that exact wording. But there are other times where the “wire the money back to me” stage is a little more obscure.

One such case is the Car Wrap Advertising Scam. Below is a scan of an actual letter used to initiate this scheme after the would-be victim responded to a random email or text message offer. This letter came with a cashier’s check for $2,390.00 (click to enlarge):

In this case, they’re not directly saying “wire the money back to me,” but they are telling you to give it to someone else, in the form of setting up a payment to a “Decal Specialist.”

What happens when you contact this person? You’re instructed to wire the money from the check, which will eventually be returned as fraudulent, putting you on the hook for the cash you gave away. It’s the same pattern as a lottery scam, only with an additional step in between.

One reason this scam continues to work is that there are actual wrapped cars out there. We’ve all seen them. However, even in cases where these aren’t company-owned vehicles, legitimate car wrap advertisers share certain features:

  • They don’t randomly contact you out of the blue via text message or email
  • They don’t take everyone who applies; they’ll want to know how far you drive each day, where you drive, what kind of car you have, and your driving record
  • They’re not going to pay you $500 per week. About $1,000 per month seems to be the ceiling, and that’s for absolute ideal (for the advertiser) circumstances (i.e. you drive hundreds of miles per day in an area extremely densely-populated with people within the ad’s target demographic; I’m guessing your car has to meet certain visibility criteria as well, because I’ve mostly seen these ad wraps on lifted, customized 4×4 pickups)
  • You don’t pay them at any point, and you’re not responsible for passing along money to whomever applies the decals (“Hey stranger we’ve never met in person, here’s a few thousand dollars to give to someone else for us. We’ll just trust you to not keep it.”)

If you’re truly interested in turning your vehicle into a billboard, there are a few links to apparently legitimate agencies in this Penny Hoarder article. But before you act on anything online, be sure to do a lot of research first, and always get in writing what you are agreeing to do and how you will be compensated. If it’s too easy to get the gig, it’s probably a fraudulent offer.

What is ‘Brushing?’

In theory, getting free stuff sounds great. But what if it’s stuff you don’t particularly need or want, and it just keeps coming?

A new scam called “brushing” involves exactly that. Reports are growing of people receiving shipments from Amazon of items they didn’t order, sometimes the same item over and over, with no real mechanism available to stop the unwanted deliveries.

What exactly are they up to?

Shady sellers are creating fake Amazon accounts, then buying their own products and shipping them to random addresses. They then post five-star reviews of their own products. Since the system shows the item was actually bought by the reviewer, this review appears as a “Verified Purchase,” which makes the review more prominent, and the great average customer rating boosts the item’s rank in Amazon’s search function. The ultimate goal is to sell sub-par products to consumers tricked by the high average product rating.

What should you do if unordered shipments start showing up?

First, contact Amazon to let them know you’re getting them. Amazon will attempt to figure out who is behind the scam and delete the seller.

For the most part, Amazon has been telling people to either keep, donate or discard the actual items shipped. That part is up to you.

So far it doesn’t appear that the people receiving the shipments have had their accounts compromised. However, if you start getting things you didn’t order, go ahead and change your Amazon password (which you should do now and then anyway). The addresses used for shipping seem to be chosen at random, though there may be a link between previous purchases from overseas sellers using the Amazon platform. When you’re shopping on Amazon, pay attention to the “sold by,” “fulfilled by” and “ships from” information, and favor domestic sellers (or Amazon itself) and orders that are fulfilled by Amazon.

Fakespot.com is a good resource for checking out products on Amazon for fake reviews (it also works with Yelp, TripAdvisor and the Apple App Store). It’s not foolproof, but it can at least give some insight as to how trustworthy an item’s reviews are. All you have to do is paste the URL of the Amazon item into Fakespot, and it will give a letter grade and a percentage of high-quality reviews as determined by the site’s algorithm. Anything with less than 80% high-quality reviews, I would avoid. Pay attention to the negative reviews, too, to see what customers who didn’t like the product are saying. If fewer people buy items with tons of fake five-star reviews, the motivation for the brushing scam might dry up a little.

Spear phishing

The standard-issue phishing attack relies on sheer numbers as the key to its success; by sending tens of millions of emails, the chances of hooking a few thousand victims is pretty good, regardless of how sophisticated the message itself is.

But there is another type of phishing attack, known as spear phishing, which exchanges quantity for quality, by using insider information to target businesses. Spear phishing attacks are smaller in scale but arguably more effective than their poorly-spelled, randomly-selected cousins.

In a spear phishing attack, you might get a message at your job that appears to come from someone you work with, often a member of management or from another department. This message may request information about financial accounts, login and password information, ask you to open a file or link, or ask that you authorize a wire transfer from your employer’s account. If you comply with these directions, you will make your company vulnerable to financial or data loss.

Most established businesses have a website that reveals the names of management, the board of directors, and people from various departments, which gives would-be cybercriminals the information they need to impersonate an insider.

Communication is the key to preventing spear phishing attacks. Think about any request received via email – is this how the head of the IT department or the CEO really talks? Why are they sending you a file out of the blue? Is it your job to initiate wire transfers? The best defense is to simply confirm with the apparent sender if the message is legitimate or not. Spear phishing attacks use some of the same techniques as regular phishing emails, such as disguised links or infected file attachments. It pays to double-check before you take any action.

What is a ‘Reshipping’ scam?

Last time, we looked into Money Mule scams and how they could potentially land you in legal trouble for being an unwitting accomplice to money laundering. This time, we’ll look at the ‘reshipping’ scheme, another type of work-at-home scam.

Reshipping scams work almost identically to money mule schemes, except that instead of receiving electronic deposits and making outgoing wire transfers, victims are lured into accepting shipments of goods (usually electronics), repackaging them, and sending them to someone else. The criminal organizations recruit through job websites and via unsolicited emails, and may set up legitimate-looking websites to give the appearance of an established company.

Where did the reshipped goods come from? When cybercriminals steal things like credit card information, they have to have a way to turn that available credit into cash. Creating fake cards and getting cash advances in-person isn’t practical, so consumer goods are purchased using the stolen payment information. These goods are laundered by way of reshipping schemes, then sold off into the black market around the world. The cash generated from this is subsequently laundered via money mule scams and other methods.

Just as with money mule schemes, just being a victim of reshipping fraud can get you into trouble because you’re the only domestic, easily traceable link in the chain.

The internet is great for job hunting, but you have to be wary of offers that seem a little too easy or where the bar seems to be set too low. Remember that the majority of work-at-home offers are not legitimate employment opportunities. Anyone instructing you to, “Take this item, then give it to these other people for me,” is trying to conceal the origins of whatever it is they’re asking you to touch, whether money or consumer goods. They want you as the only traceable step in the transaction, and they’ve got a reason for wanting it that way.

What is a ‘Money Mule’ scam?

Cybercriminals rake in a lot of cash from their activities (such as mystery shopper scams, lottery and romance scams, and identity theft), which creates a problem: for the most part, they can’t simply start using the funds for personal gain because financial institutions generally ask questions when dealing with amounts in the hundreds of thousands or millions. They need to launder the money to give the appearance of legitimate origins.

Enter the “money mule.”

Criminal organizations set up fraudulent businesses and recruit people with online work-at-home advertisements. These victims are hired under titles like “Transfer Agent” to act as intermediaries between non-existent business entities, supposedly to legally circumvent bureaucratic requirements, fees or taxes.

Anyone who responds to one of these offers will be instructed to open a new account, usually at a specific large bank. The victim receives incoming wire transfers in the $10,000 range, keeps a certain percentage, and then wires the rest (in chunks of around $3,000) to various (fraudulent) companies around the world. Repeat this for a few cycles between a few hundred victims, and the original source of the money becomes obscured.

Unlike the majority of scams, you may notice a difference here: in this case, the mule actually can make a profit. So why not look for a “Transfer Agent” job online and become a “victim,” make a quick couple hundred bucks and then get out?

Because, also unlike other scams, there can be legal consequences for the victim. In an effort to crack down on this type of activity, financial institutions are getting good at noticing suspicious wire transfer activity, and you could end up getting arrested when (not if) you get caught. Not worth it.

The key is to be very suspicious of any job opportunity that seems like it pays too much for the work required, shows up out of the blue (even if you’ve posted a resume on a job website), and steer clear of anything that involves receiving funds via wire, then disbursing those funds to others.

Three low-tech scams and how to avoid them

For all the attention given to cybercrime like phishing and data breaches, there is still a lot of fraud that occurs outside of electronic channels. Here are just three low-tech crimes and how to steer clear of them.

Dumpster Diving

Big data breaches are alarming due to their sheer scope (and infuriating because the victims did absolutely nothing wrong to cause the theft), but remember that a lot of identity theft still begins with someone digging around in a garbage can for credit applications or documents containing personal information.

The simplest solution to prevent dumpster diving is to shred every single piece of junk mail or document that contains personal information before you throw it out. A cross-cut shredder is the way to go, and they start at under $20 for a small one that can do one or two sheets at a time.

It’s also a good idea to find out how any businesses you utilize store and discard sensitive information. Paper documents containing personal information need to be locked securely, and they need to either shred old documents themselves or contract with a licensed and bonded document destruction company.

Contractor Scams

When your home needs repairs, make sure the work is your idea to begin with. Don’t trust a stranger who appears at your doorstep offering to fix your roof or asphalt your driveway. Use an established contractor with a physical address and some form of online presence (if not a website, at the very least some reviews that indicate that other people have heard of the company before).

Only hire businesses that work under a contract, with the price agreed upon before any work is done. A lot of contractor scams start with a verbal agreement on a price, then when the (often shoddy) work is completed, the victim finds out the price has doubled, tripled or worse. Also watch out for demands for upfront payment – another popular home repair scam is to weasel a large “deposit” out of the victim, then disappear. Anything over 20% before work starts is suspicious. You’ll pay the rest when the work is done to your satisfaction.

Finally, be especially wary after a major weather event (tornado, flood, etc.) that causes damage to your house. Fraudulent contractors come out of the woodwork after disasters, and when you’re trying to put your home back together and get things back to normal, a walk-up approach can seem tempting, but remember: losing money to a contractor scam is only going to add to your problems. Stick with an established company to save headaches later.

Sticky Mailbox Lid

There are some scams that are so tacky, the perpetrators should be ashamed of themselves. This is one of those. These crooks target mailboxes with pull-open lids, coating the inside with a sticky substance so that anything someone drops into the box stays on the lid. The crook then walks up and takes the envelope in hopes it contains a check or cash. If you’re mailing something at a mailbox with a pull-open front, double-check to make sure your envelope went all the way down. So far the cases I’ve read about happened in New York City, but I’m sure it’s just a matter of time before this two-bit scheme makes its way across the country.

“Mailbox full” phishing attacks

When you get an email message telling you that your mailbox is full, or that your “quota has been exceeded,” it’s a good idea to double-check before you respond in any way. It might be a phishing attack designed to harvest your login credentials, infect your computer with malware, or both.

Most email service providers have a limit to how much space incoming messages can take up on the server. The size of this limit often depends on whether or not (and how much) the user is paying for the service (free providers give you less than ones you pay for).

If you leave hundreds and thousands of messages unread because you never check your mail, or don’t set up your email program to remove messages from the server after reading, you can reach this limit and new messages won’t get through.

That said, if you get a “mailbox full” message, chances are it’s not from your email service provider at all, and clicking on any links could lead to trouble. Here are a couple things to look for.

Bad spelling/bad grammar: these days, large internet service companies hire people who know how to spell and write to compose official messages. Strange grammatical constructions or misspelled words are an immediate tip-off that the email isn’t legitimate.

Who is it from? If you were really looking at an official message about your iCloud email account, you would think the sender’s address would be “[username]@icloud.com.” Same with att.net, hotmail.com, gmail.com or any of the others. Yet in a majority of cases, phishing emails appear to come from an address that has nothing to do with the service provider. Keep this in mind, though: some more sophisticated and/or targeted attacks might not have this flaw.

Where do the links go? You can see where a link takes you without clicking on it by hovering your mouse over the link and waiting for the little popup window to display the address. On a mobile device, you can hold your finger down on the link (instead of tapping) and a window will pop up showing the address. Again, if it’s from your actual email provider, that link is going to lead somewhere related to the business (and related to the sender’s address). A message about your Gmail account is going to point to something hosted at google.com, for example. Beware of lookalike addresses, though; the architects of these attacks will sometimes set up websites with addresses like “att.net-verification.com.br” where at first glance it appears to point to an att.net site, but the actual address is “net-verification.com.br.”

The best practice is to never interact directly with this type of message in the first place. If you think there might be a real issue with your email account, go directly to the provider’s website to find out if there really is a problem and how to correct it. If you did click on a suspicious link, run a virus scan to make sure you haven’t been infected with malware, and change any affected account passwords immediately.