Common internet scams and how to avoid them
7th Aug 2010 | 11:00
How to spot and protect yourself from online cons
Internet scams and how to beat them
You might think that internet fraud is rare, but the truth is very different. Its tentacles spread across the world and affect the lives of many people whose only crime was to be slightly naive.
"It's very sad, because sometimes when we get people in, the first thing we tell them is to go straight to the police," an anonymous bank manager told PC Plus magazine. A senior figure at a big high street bank, he asked to remain unnamed for security reasons, but sought us out to talk about the real-life effects of internet crime on people's lives.
He often has hapless victims crying in his office when they realise the truth, and what he sees is only a tiny fraction of what goes on.
Around the world, people are losing their savings, homes and dignity thanks to internet criminals. By far the most common attack is still phishing – the art of duping the unwary into believing that they're receiving emails from their bank or other institution. When they try to log in via the provided link, all they see is an error message apologising for heavy server load and asking them to try again later. In reality, their log-in details have been saved and the criminals now have access to their bank account.
Cheating the system
"I call phishing 'out cheating'," says economist Dr Darrin Baines. "You must at some level trust the person who's conning you. So, for example, someone sends you an email saying 'I'm in Africa, why don't you send me some money?'. There must be something in that narrative that triggers the feeling that they're worth trusting."
Happily, shoppers are becoming more web savvy, spending more online and getting ripped off less. "Last year an estimated £153million of card fraud took place over the internet – a decrease of 16 per cent from 2008, when e-commerce card fraud losses were approximately £182million," says Mark Bowerman, spokesperson for the UK Cards Association.
In the same period, credit and debit cards were used to buy a record £47billion worth of goods and services online, which was up 15 per cent from 2008. So the percentage of dodgy web transactions is dropping – but that doesn't mean you should get complacent.
Bowerman advises consumers to get familiar with the latest advice in the Cardholders section of the Card Watch website. Knowing which cons are in operation is key to staying safe online. In some cases, the swindles are old ones that have migrated to the internet. But what are they? Let's take a look at the scams, how to spot them and how to avoid them.
Every tentacle of internet crime is out to grab one thing: your money. Internet criminals contribute over a billion dollars a year worldwide to the underground economy. The key to staying safe lies in knowing the scammers' current favourite tricks.
One of the most common tricks is advanced fee fraud. The general approach is to dangle the promise of huge gains in front of the unwary and then ask for ever-increasing fees, expenses and local taxes before they dole out a slice of the fictional cash pie.
The scammers rely on victims spending so much in their fruitless pursuit that they feel compelled to keep going. Victims can end up bankrupt, homeless and suicidal.
The most common form of this scam is the infamous Nigerian 419 letter. The approach is made in an email that claims the family of a dead official need help exporting a huge fortune. Initially you're asked for your contact details, but identity theft isn't the goal. In return you'll be asked to pay some kind of fee. If you pay that, another email arrives asking for more money.
A close relative of the 419 scam is the fake lottery. This begins with an email claiming that you've won a huge amount in an overseas draw. In order to process your claim, you need to pay a local lottery tax. Enough people fall for fake lottery scams every year to make them very profitable.
The rule is that if you didn't enter a competition, you can't have won it. It's as simple as that, as our bank manager knows through bitter experience: "We get people coming in saying 'I've been told I've won a lottery abroad.' We ask if they've ever bought a ticket and when they say no, we ask why they think they've won," he says.
When gain is really loss
While we're talking about easy money, it's worth keeping your eye out for pump-and-dump scams. Here, criminals buy up a bucketload of unloved shares. Inboxes around the world are then sent spam tipping the stock as a sure-fire winner.
The hope is that people will contact their brokers, buy the stock and push its price higher. When the price shifts up, the scammers unload their holding and trouser a profit. This sell-off inevitably depresses the price, and punters around the world are left nursing a loss.
The infallible prediction scam is also a criminal's favourite. Here you're promised, say, the name of a winning horse for a fee. You pay and you get a nag's name. But the scammer is also talking to other people, telling them different horses in the race will win.
Inevitably one will win and the person who receives that horse's name will believe the scammer is somehow in the know. When the next race comes along, the scammer contacts his pool of now seduced clients and sends them different horses' names. Again, some will inevitably get the winner's name, further enhancing his reputation. In essence, the scammer is playing a mathematical game where he can't lose.
Human loss for profit
Playing with emotion is a lucrative game for scammers, and within hours of a natural disaster, emails begging for help begin to flood inboxes. But these emails are spam, and rather than collecting money for charity, the sites they point to save credit card details for later use.
It's a nasty con that exploits human kindness, but it's easy to avoid by waiting until an appeal is launched in the media and visiting the official site when it's announced.
A large amount of spam concerns fake drugs, where spammers target those looking for a good time. Viagra, stimulants, smart drugs and prescription-only medicines are all apparently freely available via internet pharmacies. In some instances, outfits have even offered cannabis and ecstasy.
The problem with buying illicit drugs online is that you're hardly likely to complain if they don't arrive. If you don't get what you paid for, there's no comeback. And what happens if the pharmacy is simply collecting credit card details? It isn't worth the risk.
The cold call support con
Our final scam is that of the cold caller purporting to be from your ISP, who tells you that your PC is infected with a virus and needs fixing immediately. To do so, he gets your permission to 'access' your computer remotely in order to 'fix' the problem.
A few minutes later, he announces the problem is now fixed but that there's a small fee. He helpfully says that you can pay now with your credit card – and many people do. This swindle is spreading like wildfire as individuals try it.
Online auction scams
Online auction sites can be a hotbed of scams because each transaction relies on trust. "Many people say that following the herd is a bad thing, but the herd is a way of establishing a reputation of trust," says economist Dr Baines.
"Ebay was very successful because it allowed you to rate sellers. Amazon went down the route of rating products as well as sellers, but all of these sites work on the basis of the person's reputation." Trusting the herd to rate goods and sellers works, but there are several scams that savvy bargain hunters need to be aware of before they part with their cash.
1. Account hijack
Your 100 per cent positive trading reputation is worth money, and scammers want you to part with your password so that they can log in, change it and lock you out. While you try to convince the auction site's owners that you're the real owner, the scammer trades on your reputation by creating new listings for non-existent goods.
Scammers will use a phishing attack to pinch your details. To stay safe, remember that no reputable auction house will ever send you an email asking you to log in and verify your identity by following a link. Always log in directly.
2. Wire and escrow scams
Always use the site's built-in payment system. If a trader insists that you use a wire transfer system instead of PayPal, refuse. Wire transfer services aren't protected from fraud and you may never see your money again. The money wire scam usually involves something expensive (cameras are popular) being offered well under market value.
You win the auction and send the cash, but the transaction is refused. The seller emails to say that there's a problem with his PayPal account and asks if you can transfer the money using another, unprotected method. You send the money and the seller vanishes.
If your seller recommends another service, be sceptical because you might be sending your cash into a black hole.
3. Sending goods before payment
The winner of your auction suddenly has a problem getting the funds to you. He's very keen to resolve the situation and might even send you some documentary evidence that he'll have the funds to pay you in a while. But don't be fooled: this documentation is fake.
It's surprising how many people fall for this con every year. Never send goods to anyone without having first received payment to your PayPal or bank account.
4. The chargeback
This is arguably the easiest scam to operate using a reputable payment processing system.
It goes like this: you receive the money via PayPal and ship the purchased goods as promised. However, the buyer then complains to PayPal that nothing arrived. PayPal then refunds him, leaving you out of pocket.
You're only protected from a chargeback con if you ship to a PayPal-confirmed address and use a tracked service such as Recorded Delivery. Add the cost of secure shipping to the postal charge, but don't be tempted to charge over the odds. Making extra money off your buyer through inflated postage charges is nothing more than a cheap con itself – as we explain in more detail below.
5. Inflated or unknown postage charges
This is a borderline scam that tempts many new sellers keen to maximise their auction income. If you've ever sold anything on Ebay, you'll know that postage on a small item such as a book doesn't cost a lot - maybe £2 including the time to go to the Post Office.
Always take the postage charges into account when weighing up a bargain – especially if the stated postal method is second class, unrecorded post. If the seller says that he'll only tell you the postage charge if you win the auction, he's probably a con man – and you'd be very wise to look elsewhere.
6. Payment for information
This is an interesting scam because it involves selling information about how to get goods rather than selling the goods themselves. The listing page might show something like an iPhone, and the description is worded as if you'll be getting one, but what you actually buy is information about how to find items with descriptions that contain spelling mistakes and are therefore not being bid upon.
This is a handy tactic, but there's no need for you to pay for these details. Save yourself some money and use a free service such as www.missing-auctions.com instead.
7. Counterfeit goods
Sites such as Ebay work hard to remove counterfeit goods as soon as they appear, but some get through. You should be suspicious of any auction listing that shows a generic photograph, and be very wary of items where the label isn't on display. If the seller says that the item is "like" a well-known brand, leave it well alone.
Another tactic used by sellers of counterfeit goods is to keep the listing short so people think they're missing out on a bargain. If you see any of these signs, it's a good idea to report the auction.
8. Shill bidding
Shill bidding - artificially inflating the price by bidding on your own goods - is illegal in the UK. It may be that a legitimate bidder is desperate to win an auction and will always outbid you, but sometimes the bidder is not what they seem.
The way to protect yourself from this subtle con is to set yourself a clear limit and not bid a penny more. If the seller is shill bidding and outbids you, he wins his own item and wastes his time instead of getting your cash.
9. "I'm not an expert"
Be wary of sellers who declare that they're not quite sure of what they're selling. It could be a ruse to hide the fact that the goods are either faulty or something other than what you think you're buying. When used with the phrase "sold as seen", it's a sign that you could be bidding on a rip-off.
Ask questions and get the seller to be more specific. If he or she is continually evasive, stay away from the auction and consider reporting your suspicions.
10. Original but pirated material
In your eagerness to keep up with the latest releases, don't be tempted to buy DVDs of blockbusters that are yet to be released in the UK. What you might get from the seller may be a badly printed pirate copy of the film on DVD-RW, featuring wobbly camera work, the sounds of sweets being eaten and the heads of the other people in the cinema. It's a much better idea to wait!
Social networking scams
Social networking provides rich hunting grounds for online criminals simply because of the inherent trust that we place in our friends. As economist Dr Baines says: "It's not what you do, it's what people think of you."
You might not fall for a scam presented to you directly via a phishing email or other source, but if information comes from someone you know, you'll be more likely to trust it. The problem is, your friend might not be as informed as you. Worse still, their account may have been hacked, and the bad guys might be tweeting out links to a trojan or dodgy sites.
This attack vector might sound familiar. If you were around during the early days of email, it was very common to receive messages from concerned friends who wanted to warn you about the latest virus threat.
These messages described hoax malware that supposedly did impossible things, such as physically breaking your CPU. The aspects of human nature exploited by these hoaxes (trust and fear) are alive and well, and ready to spread real malware today.
Be wary of apps
In the race for revenue, many social-networking sites allow users to install web apps and to pass the time playing embedded games. However, the proliferation of apps is such that it's difficult to keep up with new ones, even for the site's dedicated security staff.
Because of this, there's a real danger that you could accidentally install malware. Without proper antivirus protection, you could then see your Facebook or MySpace account hijacked and used to send spam and malware, or your credit card details being sold and abused.
Search for any app that you want to install to see if it's been reported as dodgy – and ensure you're running decent antivirus software too. Hackers who specialise in malware for social-networking sites know that good lies can travel around the world faster than they can be exposed. A good example is the rise in cons that rely on worried friends passing on supposed advice about how to avoid the latest threat.
A flurry of wall posts on Facebook that include a link to a malicious web page can lend a level of credibility to a phishing site that can't be achieved easily in any other way. There's a good chance that many people will repost the link for their pool of friends to read without even checking the site to see if it's legitimate first.
When you receive such a link from a friend, the first thing you should do is to search for it to see if it's been flagged as a scam. If it has, the responsible thing to do is to warn others by posting the news. It may embarrass your friend, but you'll be saving their bacon in the long run, as well as that of their other friends. Just be careful how you word the update – you don't want it to appear as if you've been hacked too!
The friend in trouble
A growing problem for social networking sites with chat facilities is the 'friend in trouble' scam. After hijacking an account, the con man starts a chat with somebody. He exchanges hellos and then says he has a problem. He's on holiday in a dodgy part of the world and, unsurprisingly, has been robbed. Can you help him out by wiring him the money he needs to get home? Why wouldn't you want to help out a friend you know in real life?
That's the central mechanism that makes this con work. Your job is to try to decide whether you're about to ignore a real plea for help. The easiest way of telling if the person is really your friend is to ask several questions only the real friend would know the answer to. Remember that the scammer has access to the information in your profile, the profile of the account he's hijacked and those of your mutual friends.
Because of this, be sure to ask about unique events that may have happened decades ago, and which neither of you has spoken about for years. It's surprising just how quickly a scammer will make his excuses and leave, whereupon you must contact the account's real owner and tell him what happened.
"Is this you?"
This scam hints at the power inherent in the trust people put in their friends online. Earlier this year, Twitter users began to receive direct messages, discreetly warning them that they should delete a photo they'd uploaded to another site.
These messages were from a friend's account that had been hacked, and the victims had no knowledge of the other site and had never uploaded such a photo, but deliberately vague wording worried many people into clicking on the link and becoming infected with malware on the landing page.
What's clever about this scam is that the warning from a friend and the seeming need for discretion means that we're more likely to risk clicking on the link. In such cases, you should verify that your friend sent you the message. Don't do this by replying directly – instead use a different communication method such as a phone call or email.
First published in PC Plus Issue 297