Imagination is the Limit
When it comes to defrauding people online, the only limit is the imagination of the would-be fraudster. The ways of defrauding people vary widely and these different fraud schemes target differing classes of users. User class varies based on particular user’s activities online. The same user might fall into differing user classes depending on what they are doing online. This particular guide is how to avoid online fraud for general consumers or general users of the internet. Later on, we would cover fraud involving specific classes of users like the following:
Business User Fraud
This group of users uses the internet primarily for business contacts and business activities.
Affiliate Webmasters & Online Marketing Fraud
Fraud targeting this specific class of users center around promoting products online and referring people online. There are quite a bit of fraudulent programs out there and they target online promoters.
There are many fraudulent dating websites that share certain common characteristics that should raise a red flag for people that use websites to find dating partners.
Job Hunting Fraud
There are many E-book sellers, training program merchants that target people that are looking for jobs. There are specific schemes that this type of fraud operate in and should raise red flags.
Classified Ads Buyer Fraud
Classified ads is a fast growing category of websites that gets millions of users who want to buy & sell things. Unfortunately, these sites also unwittingly host lots of fraudulent activity. These include people selling fake products, hawking defective products and other fraudulent or misleading activities.
This is a subset of commercial online fraud and this targets people who are selling items. It is a fairly complicated scheme but definitely worth knowing about because the losses could be huge.
For other fraudulent schemes targeting other classes of users, we will touch up on these in future guides on a periodic basis.
General Consumer Fraud
When analyzing and trying to spat online fraud and coming up with solutions or preventive measures, you have to keep in mind that when it comes to general consumer fraud, despite their differing methods and their differing avenues of contact, they all share four common characteristics. These characteristics flow in chronological order. The key elements in any type of online user fraud are as follows: Step 1: Acquire information. Step 2: Contact victim. Step 3: Gain victim’s confidence. Step 4: Extract funds. That is the most basic configuration of online fraud for the target general consumers. All of them follow that sequence. All of them have these elements. Let us analyze each of these elements carefully and the sequence so you can avoid being victimized by online schemes.
Step 1: Acquiring victim information
This step is very basic. It is the means of identifying people to defraud. Fraudsters would have to get a list of possible people that they can pull their schemes on. Online identifying people to defraud uses automated means. For example, gathering E-mail and harvesting address books. When it comes to chat, scammers would use internet messaging platforms like AOL instant messaging (AIM), Yahoo! instant messaging (YIM), Microsoft MSN chat and ICQ. The scammers would use a variety of devices to find contact information. They could either infect instant messaging accounts and then suck up their contact list, or they could use sophisticated software to scour the internet for publicly available E-mail and instant messaging contact information.
In terms of gathering E-mail, one particularly effective way scammers get E-mail is through the use of generators. What these generators would do is they would make variations of the same E-mail and would keep hitting the E-mail server from thousands of different locations using very sophisticated software to see which E-mails are not bounced. When a randomly generated E-mail address does not bounce, it means that the mail server does not respond back to the spammer’s mail server and this E-mail does not exist. The E-mail then gets put on a white list and then gets distributed to other spammers for them to hit in the future. Increasingly with the rise of social networking websites like Facebook and Twitter, social network sites are being used for fraud purposes. What they would do is run sophisticated software to go through a list of seed Facebook profiles and load their friend’s names, and then the robot would then go to the friend’s profile and then it would have a list of their friends as well and then go to those friends and find their list and so on and so forth. Using these methods, scammers are able to compile list of millions of names fairly quickly.
Facebook has established certain anti-leeching mechanisms where you have to enter image verification for you to access a page. This cuts down on harvesting of Facebook profile friend’s names but has not put an end to it because many of these scammers and would-be spammers would use cheap Indian labor to manually type in the image verification code. A lot of these image code services are present in India, Bangladesh, Pakistan and other low-wage countries. While it is too expensive to manually crack the image verification in the U.S. scammers use cheap foreign labor to get around this. To sum up, online fraud requires acquiring the information from the potential target victims and this is done usually through automated systems to make the process as low cost to the scammer and spammer as possible.
Step 2: Contact potential victim
Once the harvesting of victim’s contact information is complete, this stage is where the spammer and scammer would contact the potential victim. We use the term spammer and scammer separately, although they do tend to overlap and they overlap a lot in their contact phase of online fraud because most of the time, scammers do not use one-to-one connections to contact their victims. This is too time intensive and cost them too much. What they would do is use spamming mechanisms and processes. In terms of the current discussions, when we say spam, it refers to sending a lot of undifferentiated messages to people you do not know using automated means. In this particular situation, spammers and scammers overlap. In the contact phase for Email fraud, all these E-mails are mostly sent using botnets. Botnets are infected zombie computers that have spyware or malware installed that allows them to be used by scammers as E-mail machines or public web mail. Using either of these mail systems, spammers send millions of messages with fraudulent information in them to perpetrate their scams. When it comes to instant messaging, the same process works, but instead of E-mail the scammer would use thousands of instances of instant messaging program and then distribute the target list through those instances. There are limits to instant messaging spam if you are just using one instance. This is the reason why they use thousands to speed up the process.
When it comes to social network contact, the same automated process applies, but this time they use a web interface to contact people on Facebook separately. This gets a little bit trickier because Facebook has IP monitoring. IPs are like the fingerprints of each computer connection. Although E-mail and instant messaging spamming uses IP spoofing as well and other IP tricks, it uses a different IP spoofing route for social networks. What they do is they would contact through social network contact buttons, E-mail or short messages through those sites. The final element of the contact phase of online fraud is the body of the communication. This is where the spammer and the scammer’s creativity kicks in. We have all received E-mails regarding rich former dictators looking for assistance with very big bank deposits they have overseas. This is called the “419 Nigerian” E-mail scam, but that is just one form of the contact text that is sent out. They come in a wide range of forms and we will cover that below.
Step 3: Getting the confidence of the victim and accessing private information
This stage focuses on the content of the communications. The first part of the communication involves contacting the person and getting their attention. These vary in form and content based on the avenue of communication. E-mail is different from instant messaging which is different from social networking. They all have their differences. For E-mail, getting the attention of the potential victim is a two-stage process. First, the subject line must catch their eye. I am spamming you is probably not going to get clicked, opened and read. The chances of somebody buying from that E-mail are quite low. Remember this is not primarily a guide to preventing being a victim of spam. This is a guide for online fraud prevention.
As discussed earlier, the tactics of spamming applies but this guide focuses primarily on when online scams are effectuated using spamming methods. When it comes to E-mail, the scammer would use headings that are designed to get your attention. For example, your account balance is due, customer support type of headings, or any type of headings that you would normally be on the look out for because it is important like test results or the like. The E-mail scammer’s key objective is to get you to click the inbox title and read the E-mail. In the E-mail, they get your confidence by either posing as an official website like it is a bank statement form or a beta invitation for online gaming. Again the variations really are limitless. The only limit is the imagination of the scammer. The bottom line is it would lead you to a very nice-looking or official-looking E-mail.
Another common variation of this is an E-mailed social network notification. For example, somebody added you as a friend or somebody is now following you on twitter, that kid of notification. For instant messaging, to get the victim’s confidence, a lot of the times they would try to establish or trick the victim to thinking there was a prior relationship or they knew somebody who knew them. Another variation is dating scams that the robot being used for instant messaging being used is pretending to be a woman and there are a lot of come-ons. To add credibility, some IM robots are programmed not to spam a link immediately when somebody responds to their instant messaging chat request. They would send fake responses. This is usually done through a Markov logic chain. If you send a string of texts to an IM robot, the IM robot would read what you said and if it has a keyword that it is programmed for, what it would do is take the keyword and automatically post the message that is triggered by that keyword. It would look at a certain time that you are chatting with an actual human being just enough to get your attention to keep on chatting and then it would hit you with a URL.
Another avenue for scams is the social network and getting your confidence through the social network like Facebook operates around the same parameters as the instant messaging scam. What they would do is they would try to send you messages that would get you to add a person as a friend and then they would contact you asking for personal information, but they would do this in a very subtle way. It will not be very obvious like, “Hey, I want to log in to your bank account.” It is very subtle, asking you who your favorite pet is, what your pet’s name is, your favorite high school professor’s name and other information that is often used by web-based E-mail and social network or online banks as challenge questions for security purposes. Whatever information the scammer is asking you in social network sites is actually very important. They are not just wasting their time. Whatever they do is geared towards the goal of getting your confidence, getting you to divulge private information and then as discussed below, using that information to your financial harm.
Step 4: Extracting funds/benefits from the victim
At this stage, the victim has been identified, contacted and a level of confidence has been established. This final stage involves extracting value from the victim. Value comes normally in the form of money–money from bank accounts and money from sales of spammed products. Another form of benefit is when the scammer uses the online fraud to have the victim download malicious code so that their computer becomes part of a botnet. This then adds value to the scammer’s existing botnet.
They can then use that network of zombie computers to send more spam and to attack websites. Many of these botnet operators make a lot of money being hired as mercenaries to take down an entire website or an entire network. They use zombie networks to pull this off. In the context of E-mail, extracting funds take the form of showing you an official-looking web page. You click through to try to log in and then you retrieve an official-looking page that looks exactly like the real bank or web mail or other website that contains private information and you try to log in obviously. For some reason, it will not take it because it is fake and then in frustration, you leave. However, the scammer already has your real information and then it would go to the real website and log in. Once they log in, they extract your funds if it is online financial website or extract your information if it is a web-based E-mail or a social networking site. In the latter case, they would then use that account to spam your friends or in the case of web-based E-mail, spam your address book. By spamming, they can be sending out messages to once again go through the fraud steps listed above so they can expand their network of victims or they can directly send spam material in trying to trick or convince the recipient to buy a specific product. When the recipients buy, the spammer makes money through affiliate commissions.
A similar thing plays out when it comes to instant messaging. After the exchange of discussions with the instant messaging robot, it drops a link. The victim then clicks a link and either loads a page with malicious code that then installs on the computer so the computer becomes part of a botnet, or it is a page of a porn site, a dating site, a penis enlargement site or any product or service that pays the spammer an affiliate commission or any other page that hawks a product that pays the spammer an affiliate commission. In social networking sites, the same thing plays out. They would get your contact information and then use that to try to access online banks or other websites or even have access to your social network account so they can then send further spam or through your communications through the social network site. They can spam you directly there, sending you a link, you click on the link and you are taken to an attack page or to a sales page. One key variation of this stage for social networking websites is to have you like or share a particular scam page, which then scams other people so you become an unwitting accomplice to the scammer. This is not as common as more direct value extraction methods, but it does benefit the scammer because by you putting on your wall a dubious fan page that has a link to an attack site or a data collection site, you become a part of the scheme. Since social networks are very viral, this is a fairly potent way for a scammer to reach huge amount of people in a small amount of time.
Key Elements to Prevent Victimization
Follow these simple common sense tips to avoid becoming a victim:
Never click a link that looks dubious to you. Study the domain name. If it is just a collection of random numbers and letters mashed up together, not a good sign.
Official Looking Websites
Whenever you are presented an official-looking page, always be very skeptical especially if that page came from a link in an E-mail. Study the page carefully. Look at the domain name. Is it the same domain name as the real page? Look for misspellings or look for something that is off. Do not enter your private information if any red flags come up.
When you receive an E-mail that has an official formatting of a bank, a gaming system or claims to be official notification of a social network site, hover over the link that is asking you to click and see if the spelling is right. A lot of the times, they try to trick you to go to an attack site by sending you an “official E-mail” so be very careful.
Friend of a Friend
Always confirm the identity of people that contact you through social network sites. If they mention the name of a friend, contact that friend. Ask them if they know this person and what does this person looks like. Ask if this person have an account on Facebook and have them send you the link. If it does not match the person who contacted you, ignore further messages from that person. Just make sure that you verify your friend requests because it can get really annoying when they start contacting you and just trying to extract personal information from you. Another thing to think about when it comes to social network verification is always remember that you are not a bad person if you do not add that person as a friend. Do not feel duty bound that just because somebody is a friend of a friend or claims to be a friend of a friend that you have to add them. This could lead to big headaches later on if the person that you added is actually a scammer hell bent on trying to get your personal information so they can steal your money, steal your identity and extract other value from you.
Be careful of personal information you share through social network sites. When somebody is chatting with you and asking you personal information, you have to think back to challenge questions that are asked by banks, web mail sites, social networking sites and avoid giving the answer to these questions. It would be a good idea to go to the security section of your web mail or your bank or any other website that you access that has sensitive personal information which asks challenge questions in case of password retrieval. Get accustomed to these types of questions so when somebody asks you these questions that you do not know real well, red flags would go up.
Invest in high-quality antivirus software or internet security software. In case you got tricked into loading an attack site or you click a link and you go to an attack site, you can still have a layer of protection when you have a powerful antivirus, anti-spyware features installed. What the software would do is block you from opening that site. It is a stopgap measure. The first layer really is common sense because you cannot rely on software protecting you because scammers cycle through domain names very quickly. An attack site that was live today might not be live after a few hours and antivirus companies, even the most proactive ones, cannot possibly be expected to be on top of all new attack sites that are put online. While it is good to have a software block you, you should follow these steps so you could have the right mindset to avoid being victimized.
The Conclusion of How To Better Avoid Online Fraud
With a healthy dose of skepticism and the right amount of common sense, your chances of avoiding online fraud victimization increases dramatically. Remember to keep the tips discussed in mind above. Know how online fraud schemes work. Know how they are spread and proliferated. Using this information together will help you minimize your chances of losing time, money and peace of mind through online fraud schemes.