Some of it is just plain gibberish, often just a few random words and a link. This kind is pretty easy to spot.

There’s also the kind you get because you actually signed up for it. In this case, it’s not actually spam, since you opted in. Most of the time, this form of commercial email message (usually from larger, well-established companies) is relatively safe. There’s usually a link at the bottom you can follow if you want to stop receiving these messages.

Then there’s the stuff that tries to look like it’s from a legitimate business. Usually this sort of message has quite a bit of text, and many times it’s written with passable English grammar and spelling. It can be selling a reasonable-sounding product, but the difference is that it’s from a company you’ve never done business with, and from whom you did not sign up to receive email. There will usually be an “unsubscribe” link at the bottom of the message as well.

However, in this case, you do not want to click that link. When you do, it takes you to a website that asks you to enter your email address to take yourself off the list. What you’re actually doing is confirming that the email address they have on file is a good one. Basically, your address can then be sold to any number of spammers. It will only cause more spam (and scams) to appear in your inbox.

The only way to deal with this kind of spam is to ignore it. It’s a pain, but it’s a bigger pain if it multiplies (I learned that one the hard way several years ago). Either adjust the settings on your spam filter, or just manually delete the messages every time.

The victim in this case was contacted by a person who claimed to be their grandson. He told the victim that he’d been in an auto wreck in Vancouver, and needed $900 because he hadn’t purchased insurance on the rental car. The victim wired the money, then received another call from the crook, asking for an additional sum. However, by this time the victim had been informed that it was a scam.

Still, $900. Nobody needs to lose that.

If you are a grandparent, it is imperative that you are informed about this type of crime. The con artists are banking on your not being able to recognize your grandchild’s voice. Through websites like Facebook, it is very easy for criminals to get information about family members online, which can add legitimacy to a caller’s story.

If someone calls, press them for information that only the real grandchild would know. Better yet, hang up and call the grandchild directly. I’ve heard of several cases of this scam being averted by the phrase, “No, meemaw, I’m not in Canada.”

They may claim to be in jail, injured, or in some other bind, but you have to avoid panicking in this situation. Know that in most cases, that call is a scam, especially when the caller claims to be overseas. Ask for a callback number and contact the parents or the grandchild himself.

Also know that money is irretrievable once wired out of the country.

If you know someone who is a grandparent, make sure you tell them about this scam. And have your kids give them a call now and then, just so they know their voices. It’s an easy scam to avoid if you’re informed.

No, I am not paying tribute to the Alvin and the Chipmunks movies with the title of today’s post. They’re terrible. I now tack the words “The Squeakquel” onto everything that’s a “part two” in a series because it cracks me up. Rocky II: The Squeakquel. See? Hilarious.

Anyway, here are three more examples of spam I received this past week. The crooks in this first case are hardly trying. Just like the people who made the Alvin and the Chipmunks movies. Ba-zing!

From: Support <Laura.Ferelli@service.amazon.com>
Date: Sunday, February 28, 2010 1:31 PM
To: <email address>
Subject: Confirm Order #05830659

Your Order Id:153517648031959 Accepted.
Details

Thank you.
Amazon.com Customer Service

The word “Details” was linked to a website in Romania. I’m no expert on Amazon’s server setup, but I’m pretty sure their website isn’t hosted in Romania. I’m also completely certain it will have the word “Amazon” in the URL, no matter where it is hosted.

Here’s one that uses a real name and email address from Rady Children’s Hospital in San Diego. Everything else about it is fake:

From: Nespeca, Mark MD
Date: Monday, March 01, 2010 3:26 AM
To: chan@hotmail.com
Subject: You Have A Pick Up

Greetings,

You have a consignment containing a bank draft of 450,000.00 United States Dollars and gift items which await an outstanding payment of $240 .

For claims, Please confirm your ful name, home address, and telephone number with Mr. Garry Moore. Contact email and phone number are

tnt-services@admin.in.th and (+234) 802 378 8093 respectively.

Thank you.

Miss Margaret Hagopian

Of course, this is a pretty typical “Lottery Scam” setup. As often happens, there is some disagreement about who is sending the message. Is it Mark Nespeca (who apparently is a real doctor)? Is it Gary Moore? Miss Margaret Hagopian? Also, why would you be contacting a company in Thailand (.th) for something involving a hospital in San Diego? Nothing here makes sense at all. I’m sure $240 is just the tip of the iceberg. By the time you wired $8,000 overseas, you’d probably begin to suspect something.

I’ve noticed more scams and spam using real names and email addresses from real businesses lately. The thing is, their choices seldom make any sense. Why would a children’s hospital be giving you nearly half a million dollars out of the blue?

Our final contestant today is doing the exact same thing with another healthcare-related business (this time with Continuum Health Partners, based in New York, I believe). This time, it’s Nicholas “Patrick Chan” Romas, MD, Director of Hang Sang Bank. The offer isn’t some crummy $450,000, though:

From: Nicholas Romas, MD
Date: Tuesday, March 02, 2010 1:31 AM
To: chan45@8u8.com
Subject:

Dear friend,

Greetings to you.

I’m Mr.Patrick Chan, Director of Hang Seng Bank.  I am contacting you because I have a 42 million

dollars business proposal for you. For details, contact me confidentailly at  p.chan45@8u8.com

Thank you

Mr. Patrick Chan

Business Proposal

This message and any attachments are confidential and intended solely for the use of the individual or entity to which they are addressed.  If you are not the intended recipient, you are prohibited from printing, copying, forwarding, saving, or otherwise using or relying upon them in any manner.  Please notify the sender immediately if you have received this message by mistake and delete it from your system.

Name confusion, geographic confusion, it’s all here. The confidentiality notice at the bottom is a cute touch, too. It makes it look like you’re getting some kind of secret information that’s going to help you get your mitts on $42 million.

All three of these are similar, insofar as they’re using the names of real companies to lure victims. I’ll also bet you a buck fifty those last two come from the same person or persons. One has chan@hotmail.com in the recipient line and the other has chan45@8u8.com. Too similar to be a coincidence.

I don’t know exactly what these people are trying to accomplish with these messages. The first one looks like a malware attempt, and the other two are lottery-style scams. I’m not pursuing them to find out! As always, delete with extreme prejudice.

The iPad is…well, I guess it’s sort of like a giant iPhone, except you can’t make phone calls on it. It’s one of a new category of devices called “tablet computers.”

Personally, I think they’re sort of dumb. They might be good if you’re solely a consumer of content, but they seem limited if you’re actually creating content (video, music, writing, etc.).

I’m sure it will be a big hit anyway; there is a very large, dedicated population that answer “Strongly Agree” to the survey question, “I will always buy any new product Apple releases.” Maybe I’m just not hip enough to get it. I don’t look anything like the people in Apple commercials.

However, since this object has a huge buzz surrounding it, there are already a thousand “Free iPad” scams popping up, many on Facebook and Twitter. In fact, I just did a search on “Free iPad” on Twitter, and there are several new scam messages being posted every minute.

The thing is, this whole scenario seems really familiar. In fact, it’s just one letter away from the “Free iPod” scams that were all over the Internet seven or eight years ago. The only difference is that Facebook and Twitter didn’t even exist back then. The opportunity for scammers to spread their message has grown exponentially—in 2002, they mostly relied on popup advertisements and spam email.

Oh, you say the link took you to a Facebook fan page with thousands of comments from people who claim to have received a free iPad?

Those are fake. It is so extremely easy to create fake positive comments from fake users. You have to just ignore this garbage, no matter how realistic the offer may seem.

For one thing, the iPad hasn’t even been released yet. So there’s no way all these people on Twitter posting “Just playing with Ashley’s new ipad. It was free just for giving an email address at this website” are telling the truth. I’m guessing a lot of these are hacked accounts, but many of them have usernames that follow a specific pattern, which means the accounts were created solely for running a scam. The thing is, even if you know an Ashley and someone you know and follow on Twitter posts this message, ignore it. Tell your friend they’ve been hacked, though.

I’m not sure what happens if you follow the links in these messages. According to what I’ve read, many ask you for a cellular phone number, and then sign you up for a $40/month “service.”

The service? Taking $40/month away from you. I’m sure there are others that take you to infected sites that load your computer up with malware.

The bottom line here is this: nobody is giving away free iPads. Apple doesn’t send thousands of free anything to random people for evaluation. There’s still this lingering myth that the Internet is full of offers like that (“Git on the Innernet n’ you get all kindsa free stuff!”), and I’m not sure where it comes from. It’s not true and it never has been. I’ve been using the Internet since around 1994 and I’ve never once seen a legitimate offer.

Apple is a company that has a singular vision; they already know what their audience wants. Testing is done in-house, not by sending out millions of dollars worth of product for free. By the time it’s at the booth at the Consumer Electronics Show, it’s been tested a million times by people the company knows.

Want one? Cough up.

Turns out I wasn’t giving the con artists enough credit. My new estimate is 30 seconds.

The same rules apply here as when dealing with possible Haiti Earthquake Scams. Be extremely wary of unsolicited charity donations. The best way to help is to contact your favorite organization first and turn down all other requests.

There is a short article on the topic at Scambusters that identifies a couple additional threats beyond fake charities, and both involve malware.

Basically, if a stranger sends you alleged photos of the earthquake damage, do not open these attachments because they are infected with a virus. In fact, don’t even open the message at all. There is plenty of footage coming in through official news sources.

Also, beware of fake news stories that come up in search engines. These can lead to websites that are infected with malware as well. According to the Scambusters article, these sites were up within hours of the earthquake. Just go directly to your favorite news source’s website and get your information from there. Many will even have a list of trustworthy resources if you want to donate to relief efforts.

Okay, so I know more than a few. I know many, and almost all of them have something in common: their computers are constantly being infected with viruses, trojans and other types of malware. I’m not talking about the occasional adware popup or tracking cookie—these machines are usually just crawling with malicious software.

There’s sort of an old myth that your twelve year old is always going to know more about the computer than you. Perhaps this is true when it comes to first-person shooters and making goofy videos, but kids don’t know everything about computers, and security is one of those areas where they generally seem to lack the fundamentals.

Of course, they’re invincible, too. There’s always that. Ask them sometime; “Is it even possible that you might run into a virus on the Internet?” They’ll probably look at you like you’re an idiot. Again.

But it happens, and it seems to happen a lot. You’ve got to educate your kids about malicious software, because a keylogger doesn’t care who downloads itself; it’s going to send login and password information, whether it’s to a Facebook profile (bad news) or your financial accounts (worse).

First, if you’ve got kids using the Internet, try to keep an eye on them at least some of the time. Since this is impossible, though, make sure you’re using Firefox with the NoScript plug-in. No Internet Explorer! There are more holes in that browser than a hunk of Swiss.

Secondly, learn about the various dangers yourself, and make sure you warn your kids. No kid is going to be able to resist “lol is this you?” or “lol funny video” followed by a shortened URL, unless someone tells him that such links lead only to malware.

Thirdly, obtain the burliest antivirus and firewall software you can afford, and pay the money to keep it updated. This is vital anyway, but if you’ve got kids clicking a mile a minute on Facebook and Twitter, you really need to take maximum precautions.

I suppose you could try to limit your kids’ access to the Internet, but you could also try to wrestle a grizzly bear while you’re at it. Good luck with that one.

Finally, consider getting your own computer or laptop that the kids aren’t allowed to even touch, and use that one for business and banking. At least your accounts will be safe(r), assuming you’re taking the necessary precautions on this computer as well.

Okay, does this post officially put me in the “old person complaining about young people” camp? It does sort of have that “I tell ya, the kids today, with their Facebooks and their Twitters,” flavor doesn’t it?

I don’t know, but I know it’s important to get your kids hip to the dangers of malware as soon as you can. Your own financial security may depend on it.

Honestly, I’m not entirely sure that is identity theft.

I suppose I’m something of a purist in this case. To me, “identity theft” occurs when someone obtains your personal identifying information without your permission, and uses it to open new financial accounts, obtain credit, medical services or employment, or evade arrest.

To me, someone just swiping your checkbook and passing checks all over town falls under the umbrella of simple “theft.” I suppose on some level the thief is implying that he or she is you, but credit is not being obtained in your name in this case. It’s sort of like someone just stealing your cash. The thief doesn’t have your Social Security number or date of birth, all he has is your checkbook. Once those stop working, he’ll abandon them.

Not that having your checkbook stolen isn’t a massive headache. I’m not saying it’s something to take lightly at all. It’s just that I don’t think it constitutes identity theft per se.

I also don’t believe that simple credit card theft usually equals identity theft. Once again, the thief may be implying that he or she is an authorized user of your credit card, but that’s as far as the crook is taking things. They’re not changing your address so you don’t get the bills, they’re just burning through your card for a couple days until they max it out.

Once again, it’s a pain for the victim, but it’s not quite identity theft.

My parents were among the victims of the Heartland Payment Systems data breach back in 2008. Their credit card (which they had used once at a restaurant) suddenly showed two charges of $850 at an electronics store in California. One call to the credit card company was all it took—I don’t even think my dad had to finish his sentence before the customer service person said, “Yes, there was a data breach…aaaaaand you’re all fixed.” There was no need to place alerts on credit reports or anything. A crook had used their credit card numbers, they called the company, problem solved. In a case of true identity theft, it would have taken a lot more than one phone call to remedy the situation.

Again, I’m not saying this type of theft can’t be a hassle, because it can be. I guess I’ve just been seeing the term “identity theft” get thrown around a lot, and it seems useful to place a few limits on the term, if only for clarity.

One final point: you’ll never hear me use the phrase “ID theft” as shorthand for identity theft. Your ID is a card with your picture and information on it. Your identity is all the non-public personal information about you—date of birth, Social Security number, credit reports, etc.

To me, “ID theft” sounds like somebody just stole your driver’s license. Of course, identity theft could involve someone stealing your ID (and then manufacturing a new one with their picture and your information), but “ID theft” is a term that obscures rather than illuminates.

These days, they’re everywhere. How many do you have?

I know I’ve got plenty; offhand, about 20 work-related passwords, and probably 30 personal ones. Now, some of these are stored by email clients, and since I’m not using public computers, I often check the “Remember Me” box, but still…it’s a lot of passwords.

Are your passwords easy to guess? They shouldn’t be. If you’re using your dog’s name for all your passwords at the same time you’re constantly posting photos of said dog on Facebook, you could be opening yourself up to all kinds of trouble.

Twitter even banned a list of 370 “obvious” passwords recently. Among these were clunkers like “password” and “password1,” but also some pretty specific ones like “NCC1701″ (the Enterprise’s registration number from Star Trek) and “trustno1″ (Fox Mulder’s password from The X-Files).

Strong passwords contain letters, numbers, and even characters (such as !@#$%&). It’s really in your best interests to use strong passwords, change them regularly and never use the same password for everything. “123456″ is going to take a lot fewer guesses than “fh34JF$x.”

However, don’t make them so difficult they’re impossible for you. Back in high school, several of us realized that you could make your programming class passwords very long, as well as include spaces. I immediately changed mine to “Weasels Ripped My Flesh…RZZZZ!” (from a Frank Zappa album).

The chances of (blindly) typing that mess correctly were about 1 in 15—nobody could get into my account, including myself most of the time. Two days later, I changed it to a six-letter sequence.

From: sgh12345@sg1es.tnc.edu.tw
Date: Monday, February 15, 2010 8:49 AM
To: undisclosed-recipients:
Subject: You’ve Won

You’ve been awarded (500,000.00GBP) from microsoft lottery for claims send info:full name, address, age, country,to mr stephen scott via email to msnclaim@movmail.com

Interesting that someone from Taiwan (.tw) would be sending a message to an American about a prize of British Pounds. Also weird how an alleged representative of Microsoft would forget to capitalize the company name, not to mention direct you to a non-Microsoft website.

Next up, an exciting offer from Robert “Sgt. Lee Johnson” Brhel, who is either in Hong Kong (.hk) or Iraq, he’s not quite sure:

From: Robert Brhel
Date: Friday, February 12, 2010 6:47 PM
To: none
Subject: Please send your reply to this E-mail address:  sgtlee1971@yahoo.com.hk

Greetings,
My name is Sgt. Lee Johnson, a member of the U.S. ARMY USARPAC Medical Team, which was deployed to Iraq in the beginning of the war in Iraq. Please do visit the BBC website stated below to enable you have insight as to what I’m intending to share with you, believing that it would be of your desired interest one-way or the other.
http://news.bbc.co.uk/2/hi/middle_east/2988455.stm
     Also, could you get back to me having visited the above website to enable us discuss in a more clarifying manner to the best of your understanding. Please send your reply to this E-mail address:  sgtlee1971@yahoo.com.hk
Thanks,
Sgt. Lee Johnson.

I left the link intact in this one because it leads to a legitimate news story. From seven years ago. Even if this message was real (which it’s not), I’m pretty sure somebody has found a home for that cash by now.

This is actually a pretty common variation on the old Nigerian 419 scheme. This time, it’s “I’m a soldier and I found a pile of money in whatever-country-I’m-fighting-in,” which inevitably leads to, “Hey person-I’ve-never-met, want to share it with me? Just wire me some money first.” As always, the “delete” key is your friend.

Finally, an attempt to infect you computer (and probably add it to some malicious botnet), wrapped up in a fake message from a real anti-fraud organization:

From: “National Health Anti-Fraud Association” <admin@nhcaa.org>
Sent 2/13/2010 1:39:53 AM
To: [removed]
Subject: Complaint registered against you

We have received a complaint regardding transaction No: 8711322 dated 01/28
/2010 in value of $ 2.871,00 representing the check issued by your company
to Fillmore Inc that was later deposited in the companies bank account.
If you feel this is an error please review the attached complaint document and contact us imediatly with proof to clear out this situation.
The copy of the check issued to your name is attached to this email as well as the original complaint.
Please call at 800-2661-7711 to sort out this situation. Your email was pro vided by the persson that filed the complaint.
You can also get in touch with our staff using the information on our websi
te.

NHCAA – National Health Anti-Fraud Association

This one contained a virus-infected attachment. The clever part here is that they used a real website…that deals with fraud prevention. Gutsy, although I’d posit that most legit messages aren’t going to contain mangled spelling like ”imediatly.” I mean, that’s not even close, is it?

NHCAA.org is already aware of this message; there’s a warning on their front page. Attempts to scare people into opening attachments seem to be the flavor of the month. Any time you get an urgent message accusing you of something and instructing you to open a file, you can assume it’s fake. Whatever you do, leave those attachments alone.

The specific case highlighted in the article was not related to identity theft; rather, the victim simply had a very similar name to that of a robbery suspect. However, she spent five days in jail before her husband was able to bail her out. It also took two years to get her criminal record expunged.

Mistakes like this are apparently relatively common, due to identity theft and errors. You might not be able to control who has a name just like yours, or who types in a name incorrectly, but you can still take steps to prevent identity theft that could lead to your wrongful arrest. It may not eliminate the possibility, but at least you can try to minimize it.

At the very least, the article shows that getting arrested for something you didn’t do isn’t fun. Stay vigilant.