According to recent studies, more targeted, monetarily driven malware attacks are now the trend. As technology improves to counter these attacks, look for criminals to fall back on social engineering tactics. Be prepared for online scams to be repackaged as updated and more targeted attacks.
A quick look at leading online scams, which account for billions of dollars in annual losses, shows that Internet users remain vulnerable to incredible offers. Through Web pages and email, people are asked to provide money to claim prizes, liberate fabulous sums from escrow, take advantage of financial mistakes and other never-fail "free money" deals. A fundamental principle is the watchword for this phenomenon: "If it sounds too good to be true, it probably is."
According to a recent report from the FBI and the National White Collar Crime Center, which together operate the Internet Crime Complaint Center (IC3), online crime complaints nearly doubled from 2003 to 2004. Though they identify a sizable list of online scams, here's a solid "top 5" slate to ponder:
- The Nigerian scam: Since it first appeared in the early 1980s, this scam alone accounts for billions of dollars lost. It works like this: A recipient receives an unsolicited fax, email or letter that references Nigeria, or another African country. It typically mentions overcharged or double-invoiced oil or other service and supply contracts where a highly placed contact wants to get the excess money out of the country. Other versions involve bequests whose funds won't be available for some time, or a charity that needs money while waiting for funds to get through probate or out of escrow; still others cite pending payments from employment or a contract, or other promises of big money in the near future. Variations are endless, and the reasons often are alarmingly plausible, but there's always a catch -- the victim (email recipient) must part with money to shake funds loose for sharing. Victims who fall for the initial pitch are repeatedly asked to fork over more money to speed things up as complications and delays stack up. In the end, a victim gets nothing and faces large losses, if not financial ruin.
- Online auction scams: Victims find apparently valuable goods at outrageous discounts, and hand over their money to scammers through eBay or other online auction sites. Instead of the merchandise, victims either receive nothing or shoddy knockoffs that aren't worth the asking price. According to the IC3, this scam accounts for about three-quarters of all complaints it handles.
- Reshipping/Postal Forwarding scams: You've seen these email cons: "Work at home, handle shipments, make big bucks!" An offshore outfit needs a U.S. insider with a U.S. shipping address and bank account to accept goods and ship them outside the country. Activities may involve electronic funds transfers into your bank account, after which the money gets transferred offshore. For each transaction, the sender claims you will receive a cut of the proceeds. What's really going on is that scammers use stolen credit cards to make online purchases, which are then shipped to you. You forward the items to the thieves, who resell them overseas. When you transfer money in and out of your account, you involve yourself in wire fraud or money laundering. After a while, either the thieves ransack your bank account and disappear, or the authorities come after you for participating in illegal activities.
- Free merchandise scams: You get an email (or popup ad) that says you've won or that you qualify for a free game console, laptop computer, plasma TV or other common source of "gadget envy." All you must do to collect is visit a Web page and provide credit or debit card data (and PIN, as needed) for small shipping and handling charges. But the item never arrives, and mysterious entries show up in your monthly credit card statements. The only thing that's really been turned over, of course, is access to your financial information for deliberate misuse.
- Phishing scams: You receive an email that says it's from a bank or a credit card company, and it asks you to confirm financial or account information for some plausible-sounding reason. Should you visit the Web page that's linked in the message? You'll see a site that often looks exactly like the real thing -- except it's not, and exists only to collect the account numbers, PINs, passwords and other data you share with it. This info may be used to make illicit online purchases or to fuel attempts to steal from your accounts. Stop to consider that financial institutions and credit card companies won't ask you for data they already have, nor do they send email to request it. If you're ever in doubt about an appeal for such info, use the phone to call the sender (and don't use the number from the message, either; use one printed on your card or statement).
The biggest problem with these scams is that they target those who are ill-equipped to withstand them. FBI and FTC reports indicate that the elderly are particularly susceptible to online fraud. Unfortunately, those on small or fixed incomes are also least able to survive financial losses unharmed, particularly if they're tricked into surrendering some (or all) of their life's savings.
This top five list serves as a reminder that in the criminal world, there aren't really new scams, just new victims. Keep that in mind as you sort through your ever-growing deluge of spam.
About the author: Ed Tittel has been following IT certifications since the mid-1990s and is perhaps best known for originating the "Exam Cram" series of Cert Prep books. He's contributed to titles on numerous information security certifications, including Security+, TICSA, and CISSP. He also surveys infosec certifications twice a year for SearchSecurity.com. Contact Ed at firstname.lastname@example.org.