January 7, 2005

E-mail fraud on the increase

An ocean of opportunity for criminals

By Rick Dexter
Special to the Times

Editor’s note: This is a repeat of the June Computer Column. E-mail fraud is on the increase and the information contained in this article is essential for e-mail users to protect themselves.

E-mail fraud is on the rise. There has been a noticeable increase in the number of fraudulent e-mails disguised as important messages from legitimate companies. They claim that your account might have been compromised and direct you to click on a link to update your personal information, change your password, or log in to check your balance. These e-mails are most commonly disguised to be from large, well-known companies such as E-bay, Citibank, Earthlink and PayPal. Some even claim to be from government agencies.

These e-mails can look extremely official. The criminals who send these e-mails take graphics from company websites and imbed them into the e-mails to make them appear legitimate. They also forge the sending address and make it look like a support or customer service address. These e-mails may tell you that your account has been compromised, ask you to verify personal information, or alert you that your automatic credit card charge was not processed. All of them have one thing in common: they contain a link for you to click to “conveniently” provide personal information, account numbers, or passwords. This link can be disguised to send you to another Web site, usually offshore, that also can look legitimate. Once you type the requested information, the data is captured and used in various types of financial frauds.

The Internet community has called this type of scam “phishing” because it is intended to “hook” as many people as possible into clicking on the links. E-mails are sent in SPAM fashion to a mass-mailing list, hoping to capture a fraction of a percentage of people who will click the link and deliver a credit card number, password, or other juicy personal information that can be exploited. If a scammer can send to a million e-mail addresses and only a few of those people give away account passwords or ATM codes, it can be extremely profitable. Nobody really knows how many people fall for these scams, but I’ve heard some estimates that 1 in 5 people click.

As a general rule, never click a link in an unsolicited e-mail. If you think the e-mail might be legitimate, go directly to the company’s web site by typing their address into your Web browser. Never trust an e-mail that asks you to click to log in to a site to type in any personal information, no matter how legitimate it appears to be.

If your account is truly compromised, companies usually disable your account and contact you by telephone or postal mail, not by e-mail. However, it’s just as easy to make fraudulent phone calls so don’t give out personal information to a caller unless they can verify their identity. It’s usually best to hang up and call the company back directly. Never call a phone number listed in an e-mail because some e-mail scams will list bogus phone numbers, and when you call they ask you for information to “verify” your account. Most financial institutions have security departments that deal with e-mail and phone fraud. Check your last statement or the back of your card to find the phone number for customer service and ask for the fraud department. With a little care and awareness, you can avoid taking the bait in a phishing scam.

Rick Dexter, founder and CEO of NDYNAMICS Network Professionals in Campbell, lives in Almaden. Dexter has over 25 years of experience designing and supporting computer networks, particularly for small businesses and startups seeking reliable and scalable IT infrastructure. If you have a computer question that you would like to have answered in a future column, e-mail it to computerconnection@ndynamics.com.