Scam artists are in hot pursuit of your identity. And they're cooking up a growing number of so-called phishing schemes, using e-mails that look like they're from a reputable source to cull personal data needed to steal your hard-earned money.
One recent phishing expedition involves e-mails promising a $571.94 income-tax refund. The messages direct recipients to a sham site where they are asked for details such as their credit-card and Social Security numbers. (You can see the site here.)
What made this hoax especially effective was that it used a legitimate government site, www.GovBenefits.gov, to direct would-be victims to its own page. The government quickly caught wind of the hoax and on Dec. 1 fixed the loophole that enabled phishers to use its site as a conduit. "We made it so that you can't use the redirect" the way the phisher had exploited it, says Curtis Turner, project manager of GovBenefits.gov.
As the online shopping season kicks into full gear, you're probably spending plenty of time wielding your credit card while on the Net. And with tax-preparation time just around the corner, refund-related frauds could reappear.
"Phishers will try to abuse this again in the future," says Graham Cluley, a senior technology consultant at virus and spam monitoring firm Sophos, based in Oxford, England. "Both companies and consumers need to be careful they're not helping" phishers. The recent hoax serves up some useful reminders on how to protect your personal details, identity -- and dough.
How does the tax-refund scheme work?
Recipients got an e-mail from firstname.lastname@example.org that appeared to promise a tax refund and asked users to click on a GovBenefits.gov Uniform Resource Locator (URL), described as the place to go for accessing tax returns. But when victims copied and pasted that link into their Web browsers, GovBenefits.gov directed them instead to a criminal Web site that had a fake IRS form asking for personal information.
GovBenefits.gov has logged more than 19 million visitors since it launched in April, 2002, and centralizes information about government benefit programs that had been formerly spread across 31 million Web pages. As a collaborative effort managed by the Labor Dept. and involving 10 agencies ranging from Homeland Security to the Social Security Administration, GovBenefits.gov redirects visitors to more sites than your typical organization.
What should I do if I receive one of these e-mails?
You can file a complaint with the Federal Trade Commission, which maintains a database of identity theft cases used by law enforcement agencies for investigations. If you go to the FTC's identity theft site, you can find a link to a complaint input form that's secured with encryption.
Skittish about links? Then call the FTC's Identity Theft Hotline, toll-free: 877 ID-THEFT (438-4338) or write the Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580.
If you want to verify solicitations for information from the IRS, call the IRS customer service line at 800 829-1040. If you think you're getting tricked onto a phony IRS site, somebody asks you to fill out an overly inquisitive IRS form, or you suspect other forms of fraud, you can report it to the Treasury Inspector General for Tax Administration at 800 366-4484. They're coming up with more ways to fight these thefts all the time (see BW, 9/12/05, "An ID-Theft Crackdown Gains Momentum").
How prevalent are the phishing schemes aimed at culling personal data?(see BW Online's Tech Stats, "Phishing for Dollars")
Phishing is one of many ways that thieves can gather information used to steal identity. The Anti-Phishing Working Group received 15,820 unique reports in October, compared with only 6,957 the same month last year. The industry association discovered 4,210 phishing sites in October, an explosion from 1,142 a year earlier.
Phishing accounts for less than 10% of the identity theft crimes in the U.S., according to Javelin Strategy & Research. Javelin estimates that identity fraud ensnared around 9.3 million victims in 2004, causing $52.6 billion of losses in the U.S.
What can I do to protect myself from identity theft?
"Don't believe every e-mail you read, and double-check [what it says] with the agency it came from," advises GovBenefits.gov's Curtis Turner.
Be careful with Web site links -- especially in e-mails from the Internal Revenue Service. In the case of the refund hoax, IRS employees who received the e-mail could tell it was a scam, says IRS spokesperson Michelle Lamishaw.
Although the link did contain the actual address www.govbenefits.gov as a prefix, it also had what Lamishaw considered an "incredibly long" line of code at the end. The fake IRS form asked for information that you wouldn't see on a real one, such as more than one credit-card number.
And, of course, be leery of any e-mail that requests account information, Social Security numbers, or passwords. Banks and other legitimate establishments won't ask for these details through e-mail.
The FTC advises that you close accounts that might have been tampered with and call the fraud departments at a major credit agency such as Equifax (EFX), TransUnion, or Experian.