Prevent fraud by slowing down: it’s not just about the Internet.

Yesterday I wrote about the problem with “shortened” web addresses on Twitter and other social media outlets—namely, that the actual web addresses are obscured, which could lead to malware infections on your computer.

I suggested using a shortened URL decoder, sort of a “reverse lookup,” such as LongURL, to check links before you click. It takes a few extra seconds now, but it can save you massive headaches later.

I also spoke about the need to back off a little when it comes to instant online gratification. Phishing attacks, for example, thrive on getting victims to respond without thinking.

Today, though, I came across a small article about yet another set of mystery shopper scam victims. The details aren’t that important for our purposes today. Suffice it to say they lost around $4,000 they couldn’t afford (assuming they’re like most of us).

I started thinking about how the concept of slowing down doesn’t just apply to shortened web addresses. Think about the mystery shopper scam setup, and how each approach plays out.

Scenario #1: You receive an email offering lucrative employment as a mystery shopper. Not wanting to miss out on a big payout, you immediately respond. You are mailed a cashier’s check and instructed to cash it, keep some, use some for purchases at Walmart, and wire the rest back as quickly as possible, or you’ll miss out on future opportunities to work for them again. You rush out the door to your financial institution, hit the Walmart and wire a few thousand dollars back via Western Union. About a week later, you find out the check was fraudulent and that you owe your financial institution $2,600. Life goes on, but with a painful “learned that one the hard way” lesson under your belt.

Scenario #2: You receive that same email, but decide to take a moment and check it out first. You Google a snippet of the message or the name of the company, and find thousands of people telling you it’s a scam. You delete the message and life goes on.

Bonus Scenario: You’re an avid Fraud Prevention Unit reader, and already know without checking that it’s a scam. You delete the message and life goes on.

There are a lot of scams that depend on victims who either act without thinking or who haven’t taken any time to be educated first. In fact, the vast majority of these crimes seem to hinge on a quick response from their victims.

I’m a big advocate of stepping back and taking a moment to think. There was an auto advertisement on television several years ago that just offended my every sensibility. I think it was for some kind of Toyota SUV, but I can’t quite remember. What I do remember is that it featured sped-up footage of a generic “supermom” (that’s not a compliment—I feel sorry for these people and their kids) dropping her children off at a million different places. The tagline had something to do with “your supercharged family.”

I could not believe they were depicting this lifestyle as something you should strive for. Now, if you honestly enjoy constant stress, then I guess I can’t vouch for you, but when I hear 99% of people talk about how frantic their lives are, they’re complaining, not bragging.

The thing is, many people think they don’t have a choice. I say you do. You can find space to slow down and take some time to think, but not if you’re convinced that you’re powerless to do so. Tell the kids to pick one sport they love, instead of signing them up for ten just to show off how busy you are.

That frantic, stressed-out, hollow-eyed, constantly-on-the-go way of living doesn’t lend itself to thinking before you act. It’s not only bad for your health, it will make you more susceptible to phishing and lottery scams and every other type of fraud under the sun.

So the same idea that applies online goes for your offline life, too: just take a second, relax, and think about your decisions. It’s when you’re in a hurry that preventable mistakes happen. I’ll loan you some live Dead tapes if you need some mellow tunes, okay?

LongURL: How to see where a shortened URL takes you before you click.

Twitter (and to some extent, Facebook) has seen the rise of the URL Shortener.

When you want to share a link on Twitter, you run into a problem: the web address you need to paste takes up most or all of your allotted 140 characters, which leaves no room for your commentary, or extends beyond 140, which renders the link useless. However, sharing links is about half of what people use Twitter for (other than pointless babble and talking about what they just ate. Amiright?).

Along came the URL shorteners.

With a URL shortening website, you can enter a long web address, and the site will create a link that only uses up a few characters, which leaves room for you to tell people exactly what the link is.

For example, if you wanted to point to this article on Twitter, you could paste this link:

http://fraudpreventionunit.org/2010/01/12/longurl-how-to-see-where-a-shortened-url-takes-you-before-you-click

Or you could use this:

http://bit.ly/cMIkCZ

The first one uses up 109 characters, which only leaves you room to say “Cool!” or something, which makes the link look suspicious. The second link only uses 20, which leaves you 120 characters, more than enough for a short sentence or explanation.

Bit.ly is just one of the popular URL shorteners. Others that spring to mind offhand are Ow.ly, Tr.im, and Tinyurl.com. WordPress has its own service, too: Wp.me.

Now, here’s the problem. When you look at a shortened URL, there’s no way to tell where it takes you. Of course, you can look at the text it was pasted with, but there’s a problem there, too: several years ago, somebody discovered that it’s possible to lie on the Internet.

What this means is that a person with questionable intentions could post a shortened URL and tell you it’s a link to an interesting video or article, but have the link actually take you to a site that will install some form of virus or spyware (read: financial and identity theft risk) onto your computer.

Along comes LongURL, a shortened URL decoder.

LongURL is a site that allows you to paste a shortened URL and it will tell you the address of the site it points to. It’s sort of like a reverse phone lookup.

It’s not just a website, either. If you’re using Mozilla Firefox as your web browser (and, to be honest, you really should be), you can install LongURL as a plugin. This means you don’t have to visit the LongURL website every time you want to expand a URL.

“But,” I can hear some of you saying, “isn’t it awfully inconvenient to have to check out every shortened URL before I click it? I don’t want to slow down!”

Well, that’s one of the attitudes that keeps Internet crime so lucrative. It’s been a long time since malware was the exclusive domain of nerdy suburban kids and college students trying to cause disruptions or simply stroke their own egos by putting out a widespread and annoying (but relatively harmless) virus. These days, most of the people creating malware and using all these different tactics to distribute it are involved in organized crime and/or terrorism (or at best, extremely scummy marketing practices). It’s all about money now.

When you insist on unconsciously following any link you feel like following, without taking a moment to consider the possible consequences, all in the name of not wanting to slow down, you’re playing right into these criminals’ hands. It won’t be long before you fall for a shortened URL phishing attack and end up with a computer just brimming with bad juju.

I mean, it’s hard enough to keep your computer clean if you are paying attention, what with so much of the software industry’s insistence on rushing sub-par products to market that are vulnerable to things that, frankly, should have been eliminated 15 years ago (all in the name of speed, as usual). If you’re just blindly speeding along and not taking a couple of seconds to look where you’re going, you’re going to run into something nasty before too long.

Ask yourself this: “Would I rather take an extra five seconds to check out what this URL is pointing to, or would I rather end up with a computer full of viruses (which could take hours or days to fix) or an identity theft situation (which could take months to fix)?”

Go to LongURL. Pay attention. Stay vigilant. Slow down.

Remember that Facebook phishing email? There’s a MySpace version, too.

We all knew it was coming. Below is the full text:

From: Manager Stephan Goldman
To: [incorrect email address] 
Date: Thursday, January 07, 2010 9:02:10 AM 
Subject: MySpace Password Reset Confirmation!

Hey [incorrect username] ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your MySpace.

Attached was a file called “MySpace_document_49792.zip” that recipients would be advised to not touch with a thirty-nine-and-a-half-foot pole. Whatever’s in that ZIP file, you don’t want it. Trust me on this.

Once again, social networking sites are never going to email you a new password, and in general aren’t going to email you files at all.

Who the heck is “Manager Stephan Goldman?”

Anyway, delete this garbage if you receive it, okay?

Western Union phishing email: “Your Money Transfer Control Number: 590575482”

Here is the full text of an email message I received Wednesday morning:

From: westernunionresponse@mail.westernunion.com
To: [as usual, not my address] 
Sent: Wednesday, January 06, 2010 9:26 AM
Subject: Your Money Transfer Control Number: 590575482

Dear customer,

Thank you for using the Western Union Money Transfer®.

Your money transfer has been authorized and is now available for pick up by the receiver.

Transfers to certain destinations may be subject to further delay or additional restrictions.

TRANSACTION DETAILS:

Your Money Transfer Control Number [MTCN] is: 590575482

Please use this number for any inquiries.

Date of Order: Wed, 6 Jan 2010 16:26:48 +0100
Amount Sent: $94.50

You can cancel this transfer by using the hyperlink below:

http://wumt.westernunion.com/WUCOMWEB/transactions/HomePage/cancel.php?session=&mtcn=590575482&summ=94.50&date=Wed, 6 Jan 2010 16:26:48 +0100

Thank you for using Western Union!

————————————————————————–
DO NOT REPLY TO THIS EMAIL.

I knew right away this was a phishing email. If I didn’t have these articles to write, I would have deleted it without even looking at the message itself.

Usually, when we think of “phishing,” the first thing that comes to mind is an urgent message that appears to be from a financial institution, instructing us to visit a website and log in to “verify” our account information. This results in revealing personal and account information to someone who will use it for theft (financial, identity or both).

This is a different tactic: make the recipient think a withdrawal is about to be made from their account, and hope they panic and click the link to cancel the transaction.

There is a distinct advantage to this method: when you send a message that claims to come from a financial institution, you usually have to pick one, which limits your potential victims.

For example, if you send out a million messages that look like they came from Chase or HSBC, 90% of your potential victims don’t have accounts at the institution you picked. They recognize it as phishing right away (and will likely recognize your next attempt as such, even if you happen to pick an institution they have a relationship with).

With this Western Union attempt (and its direct ancestor, the PayPal Phishing Email), they take advantage of the fact that anyone can use Western Union. You don’t have to have an account with any particular institution to wire money this way.

Now, I’ve never used Western Union. In fact, at my previous job as a bank teller several years ago (!), I completely weaseled my way out of learning how to use their new Western Union machine, because it arrived during my last two weeks on the job and I didn’t feel like getting into it. Yes, I told them that.

However, a quick look at their website tells me you can wire money online, and I’d be willing to bet that the text of this phishing email is directly taken from a legitimate Western Union message. In fact, the text of the message uses a real website (wumt.westernunion.com).

The thing is, if you look at where the link actually takes you (it’s not the same as the text in the message), it’s a website hosted at “wumt.westernunion.com.yhe3essr.com.pl.” This is a classic phishing-style URL. Like I said, I’ve never used Western Union, and I don’t know much about them. However, I know this much: they’re not based out of Poland (.pl).

I wonder what happens if you follow that link—does it try to steal personal information, or does it install malicious software (or both)? I sort of wish I had a junk computer to try it out on. I’d probably just enter rude words in all the “name” and “address” fields.

I’m sure this message has been received by thousands of people already. It’s trickier than the usual “verify your information” attempt, and I’m sure the success rate will be much higher, unfortunately.

As usual, though, there are lots of telltale signs that something isn’t quite right. When you get these messages, just take a moment to relax and think about it, and you’ll be fine.

Tax Season Scams

Everyone’s favorite time of the year is coming up soon, so to protect yourself from scammers and identity thieves, here are a few quick tips to remember:

  1. The IRS is never going to initiate contact via email. Ever. Even if you filed your taxes online. If there is a problem with your filing, they will contact you via telephone or postal mail.
  2. If the IRS does contact you, they are never going to ask you to “verify” personal information such as your Social Security number, account information, credit card numbers or anything else. They’re the IRS; they already know what they need to know about you.
  3. If you do get a phone call, don’t automatically trust what pops up on caller ID, since this information can be easily spoofed. If they’re asking to verify personal information, it’s probably someone trying to steal your identity.
  4. On a similar note, beware of phone calls at strange times. The IRS isn’t going to call at 1 AM or 11 PM.
  5. If you’re paying someone to prepare your tax return for you, make sure you’re dealing with someone you trust and who knows what they’re doing. It doesn’t matter who prepares your taxes, you are ultimately responsible for what gets filed.
  6. Also beware of tax preparers who make wild claims about how big of a tax return they can obtain for you.
  7. Finally, a lot of large, nationwide tax preparation companies advertise a “service” in which they write you a check before your taxes are even prepared or filed, based on an estimate of what you will receive. While this is not a “scam,” know that these advances are loans, which you will have to pay back with interest. If they give you more than you get back from the IRS, the excess will come out of your pocket.

Like I’ve said before, just about anything can be turned into a scam. The best defense is to be prepared by knowing what to watch out for.

Lastly, if you do get a suspicious email, forward it to phishing@irs.gov. Don’t open any attachments, and don’t click on any links contained in the message. These could infect your computer with spyware or other malicious software.

Fraudulent Facebook email contains malware attachment.

There’s a new fake email message that has been making its way around the web over the last few months. This time, it targets Facebook users.

The messages all have something to do with your Facebook password, using subject lines such as “Password Reset Confirmation Email.” They contain an attachment that is supposed to be your new password, but is actually a pretty nasty Trojan horse program that opens your computer up to a variety of attacks. One of these programs is known as Bredolab, and it’s just bad news all around. Below is the text of an example message from “The Facebook Team:”

Hey,
Because of the measures taken to provide safety to our clients your password has been changed. You can find your new password in attached document.

Thanks

The Facebook Team

There are other fake Facebook messages that try to lure victims with a “New Login System” message and contain a disguised link. In this case, it seems to be a pretty standard password-stealing attempt, but given the amount of malware that can be spread and the fraud that can be committed with a hacked Facebook account, it could lead to much worse problems than someone just messing with your Facebook page.

Facebook is never going to send you an email message with your password as an attachment. In fact, they’re never going to send you an attachment at all. If you get one of these messages, hold your cursor over the link (DO NOT CLICK) and you’ll see that the message actually takes you to a non-Facebook website (most likely hosted overseas).

Furthermore, Facebook isn’t going to “confirm” your request for a password reset unless you’ve actually requested it, and any links contained in these messages will be hosted at Facebook.com, not a website with just an IP address (numbers separated by periods, as in “123.45.678.90”), and not a website hosted overseas.
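The checks the posts describe by hand (a link whose real host sits under a lookalike domain such as “wumt.westernunion.com.yhe3essr.com.pl”, a host that is just an IP address, a shortener host that tells you nothing until you expand it, and link text that disagrees with where the link points) can be written down as a small inspection routine. The code below is an added example and is not code from this blog or from LongURL; the function names `inspect_link`, `is_under_domain`, `host_of` and `looks_like_url` are my own, the shortener list is the one the LongURL post names, and the sample links are constructed apart from the hosts quoted on this page.

```python
"""Link inspection helpers (added example, not the blog's or LongURL's code).

Given a link's real href, the domain the message claims to be from, and the
text shown for the link, report the warning signs the posts tell readers to
look for before clicking.
"""
import re
from typing import List
from urllib.parse import urlsplit

# Dotted-quad host such as "123.45.678.90" from the Facebook post. Kept looser
# than a strict IPv4 check on purpose, so a malformed quad still counts as
# "numbers separated by periods".
_DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Shortener hosts named in the LongURL post; a link to one of these must be
# expanded (e.g. with LongURL) before you can tell where it really goes.
_SHORTENERS = {"bit.ly", "ow.ly", "tr.im", "tinyurl.com", "wp.me"}


def looks_like_url(text: str) -> bool:
    """True if link text itself reads as a web address rather than a label."""
    t = text.strip().lower()
    return ("://" in t or t.startswith("www.")
            or re.match(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/|$)", t) is not None)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if none); a missing scheme is tolerated."""
    u = url.strip()
    if "://" not in u:
        u = "http://" + u
    return (urlsplit(u).hostname or "").lower().rstrip(".")


def is_under_domain(host: str, expected: str) -> bool:
    """True only if host equals `expected` or is a subdomain of it.

    This is a label-boundary suffix check, not a substring search: the phishing
    host 'wumt.westernunion.com.yhe3essr.com.pl' contains 'westernunion.com'
    but is NOT under it, so it is rejected.
    """
    host, expected = host.lower().rstrip("."), expected.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def inspect_link(href: str, expected_domain: str, display_text: str = "") -> List[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings: List[str] = []
    host = host_of(href)
    if not host:
        return ["link has no hostname"]
    if _DOTTED_QUAD.match(host):
        findings.append(f"host is a bare IP address: {host}")
    if host in _SHORTENERS:
        findings.append(f"host {host} is a URL shortener; expand it before trusting it")
    elif not is_under_domain(host, expected_domain):
        findings.append(f"host {host} is not under {expected_domain}")
    if display_text and looks_like_url(display_text):
        shown = host_of(display_text)
        # Allow www.facebook.com vs facebook.com; flag anything else.
        if shown and not (is_under_domain(host, shown) or is_under_domain(shown, host)):
            findings.append(f"link text shows {shown} but the link points to {host}")
    return findings


if __name__ == "__main__":
    # Constructed sample links; the two lookalike hosts are the ones quoted on this page.
    samples = [
        ("Western Union cancel link",
         "http://wumt.westernunion.com.yhe3essr.com.pl/cancel.php",
         "westernunion.com",
         "http://wumt.westernunion.com/WUCOMWEB/transactions/HomePage/cancel.php"),
        ("Facebook reset link", "http://123.45.678.90/login", "facebook.com", "Facebook.com"),
        ("Real Facebook link", "https://www.facebook.com/recover", "facebook.com", "Facebook.com"),
        ("Shortened link", "http://bit.ly/cMIkCZ", "fraudpreventionunit.org", "Cool!"),
    ]
    for label, href, expected, text in samples:
        print(f"{label}: {inspect_link(href, expected, text) or ['no findings']}")
```

The domain test is the part worth copying: `endswith("." + expected)` on the hostname catches the “real domain buried in a longer hostname” trick, whereas searching for the brand name anywhere in the URL, as people do when eyeballing a link, is exactly what the phishing host is designed to pass.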

Once again, a new threat just goes to reinforce the old rules of thumb: never open an attachment in an email message you weren’t expecting, and never click on links in an unsolicited email message without verifying first that the message is legitimate.

What is the deal with Facebook and Twitter lately? It seems like they’ve both been targets of an awful lot of phishing, fraud and malware activity these past few months.

Both sites have astounding numbers of users—I recently heard that if Facebook was a country, it would be the fourth most populous in the world, just behind the U.S.—so I imagine it has to do with the sheer numbers involved. When you’ve got over 300 million potential victims, even a 0.1% success rate (1 in 1,000) is a pretty large number of people.

New phishing attempt: this one is just sort of pathetic.

I had two really sad phishing attempts in my inbox this morning, but just in case somebody out there isn’t sure, let me state this very clearly: these are fraudulent messages, and the only correct response is to delete them immediately.

Here is the full text of the first one:

From: Federal Credit Bureau
To: [not my email address]
Sent: Wednesday, December 23, 2009 10:00 AM
Subject: Your Credit Score has been decreased.

Your Credit Score has been decreased. You need to download your credit history file from Federal Credit Bureau website and carefully review it. Use your personal hyperlink.

==========================================
Federal Credit Bureau

And here’s attempt number two:

From: Federal Credit Bureau
To: [not my address again]
Sent: Wednesday, December 23, 2009 9:26 AM
Subject: You have some wrong items in your Credit Report.

You have some wrong items in your Credit Report. You need to download your credit history file from Federal Credit Bureau website and carefully review it. Use your personal hyperlink.

——————————————————————–
Federal Credit Bureau

In both cases, the word “hyperlink” contained a link to a website hosted at a “.co.uk” address.

The thing is, I know they’ll hook a few people with these messages, so let’s take a closer look.

For one thing, no federal entity is going to contact you via email, ever. Right away, you know this is a phishing attempt.

For another thing, federal entities (at least here in the U.S.) use a “.gov” domain. The “reply to” addresses for these were “information@fedcb.org” and “files@fedcb.org.” That “.org” is a dead giveaway.

Finally, as stated above, the links contained in the messages took you to a “.co.uk” domain. For those of you who don’t know, that means a website hosted in the United Kingdom. The U.S. government doesn’t host its websites on overseas networks.

Of course, if you’re living in the U.K., this address might not immediately strike you as odd; but still, aren’t the British government’s websites hosted on “.gov.uk” domains, not commercial “.co.uk” sites?

As always, if you’ve received this message or anything similar, just delete it. That link takes you somewhere you do not want to visit, I guarantee it.

Fraud Alert: beware of callers who claim to represent Medicare.

Last week, a member of our credit union had a close call with a Medicare scam.

The member received a phone call from someone who claimed to be from Medicare. The caller stated that they were going to issue the member a new Medicare card, and needed the member’s account and routing number to proceed.

As soon as the member revealed this information, the line went dead. Sensing trouble, the member immediately called REGIONAL and had alerts placed on the account before any fraudulent withdrawals could occur.

I think this is what they call a “teachable moment.”

First, Medicare is never going to call you asking for your financial account information, nor would they need this in order to issue new cards.

However, I know these people can be convincing on the phone, and when someone is telling you your Medicare could be cut off, it’s hard not to react.

So that’s the other lesson today: if you get that sinking feeling seconds after a phone call or revealing information on a website, call the affected financial institution immediately to have your account locked down (and, ideally, start the process of closing the account and opening a new one with a different number).

If you’ve revealed more than just an account number and are concerned about identity theft, call the three credit reporting agencies right away and have identity theft alerts placed on your credit reports:

TransUnion: 1-800-680-7289
Equifax: 1-800-525-6285
Experian: 1-888-EXPERIAN

Even though you could just call one of the above, and the other two will have the information within 24 hours, go ahead and call all three yourself, just to make sure.

The faster you act, the less chance the bad guys have of harming you.

Identity Theft Alert: Fraudulent H1N1 vaccination email.

It looks like there’s a new H1N1 flu vaccination scam going around. The intent behind this one seems even worse than the fly-by-night “selling you garbage that does nothing to protect you” schemes; this one is designed to steal your identity.

People have reported receiving emails that claim to be from the Centers for Disease Control. The message instructs the potential victim to visit a website and create a “vaccination profile” (whatever that is). One version contains the subject line, “Creation of your personal Vaccination Profile.”

At any rate, it’s a phishing scam. If you click the link in the message, you will be taken to a page that looks like an official CDC website, but is just a decoy designed to persuade you to reveal personal information. I haven’t heard yet if anyone’s fallen for it, but I’m sure there have been a few victims.

For one thing, you don’t have to create a “vaccination profile” on any website to get an H1N1 vaccine. I’m pretty sure you just show up somewhere that has the vaccine, and they jab you in the arm. The CDC does not have your email address, and will never contact you in this way to obtain personal information.

This just goes to show how literally anything can be twisted for fraudulent purposes.

Scam Alert: Microsoft Awards 2009

Here’s one that seems to mostly circulate around Europe, but I’m sure some folks here stateside have ended up with this message in their inbox, too:

Microsoft Lottery Promotion
Unit 7, Metro Trading Centre,
Second Way, Wembley, Middlesex,
HA9 0YU – United Kingdom

DATE: 14th of March 2009

Microsoft Lottery! E-mail is pleased to announce you as one of the 10
lucky winners in the ongoing Microsoft E-mail Promotions.

Microsoft Lottery! is a free service that does not require you to register
or be a Microsoft registered user before winning.

This award program is conducted anually to promote the use of the
Internet.You have been awarded ONE MILLION GREAT BRITAIN POUNDS.

To file for your claim, do contact our accredited corresponding claims
agent as below for category “A” winners immediately with your Name and
Phone Number for the speedy release of your fund;

AGENT: Gabriel Phillip
EMAIL: g.phil.@live.com
Tel: +44 703 5963368

Warning!!! Winners that do not respond to this notice within seven days of
receiving this E-mail will authomatically be disqalified.

FOR VERIFICATION, PLEASE REPLY TO THIS MESSAGE WITHOUT MODIFYING THE SUBJECT.

There is no need to include any additional information in your reply.

Regards

Notification Department
Microsoft On-line Email Draws

Let me make this perfectly clear: This is a scam. Éste es fraude. C’est une escroquerie. Dieses ist ein Betrug. Ciò è un raggiro. This is a scam, innit, guv’ner?

(By the way, I used Babelfish for those translations. English is the only language I speak reliably well. If I’ve said something bizarre in your native tongue, please correct me.)

More specifically, this is just a variation on the old advance fee fraud. If you respond, you’ll be instructed to wire money or send a cashier’s check to someone. Then you’ll never hear from them again. Just like with a lottery scam.

As it turns out, Microsoft does give away awards every year. However, they give them to people like Peer Bork from the European Molecular Biology Laboratory, not randomly to people like you and me (to be somewhat blunt about it). Unless you happen to be a research scientist of some renown, in which case you might be in the running for 2010.

But even then, they’re not going to notify you by email and say “Winners that do not respond to this notice within seven days of receiving this E-mail will authomatically be disqalified.” For one thing, Microsoft knows how to spell “automatically” and “disqualified.”

For another, they give their awards to people who are doing notable work and advancing knowledge. It’s not a random giveaway.