
Hoaxes, Frauds and Scams
The dawn of the Internet Age has brought many new ways for businesses and their
customers to interact. Many goods and services that, prior to the late 1990s,
could only be purchased through personal visits to a brick-and-mortar business
establishment can now be purchased for home delivery - overnight, if desired
- using email and/or a standard web browser.
Of course, as more and more honest, legitimate businesses find new customers
on the Internet, so have the crooks and con artists likewise found cyberspace
to be fertile ground for frauds and scams. Many of these scams are distinctive
and uniquely suited for the electronic world, but many others (such as the infamous
Nigerian Scam) are simply updated versions of schemes
that have been around for decades.
E-mail, of course, is an ideal medium for scammers to ply their trade, especially
since the number of inexperienced "newbies" continues to rise around
the world. In many cases, common sense will tell you if an email or website
is fraudulent, or at the very least, suspicious. There are many clever tricks
used by scammers, though, to dupe even the most vigilant person into their traps.
Scam or "Spam"?
It is certainly true that many frauds and scams are circulated in the same
mass-mailing format as run-of-the-mill "spam", or Unsolicited Commercial
E-mail; however, not all spam is fraudulent. Annoying, yes, but not, in most cases,
illegal. In general, the object of the scammer is to fool you into giving him
something you have that he wants. Money, of course, is still the main goal,
but more and more they are trying to get you to give them personal information
about yourself - credit card numbers, bank account numbers, Social Security
Numbers, etc. - that will allow them to commit, among other things, identity
theft. In some cases, the object is to get you to visit a bogus web site that
will surreptitiously download malicious software onto your computer, allowing
them to remotely control it for use in hacking exploits such as a "Distributed
Denial of Service" (DDoS) attack. Whatever the motive behind it, scams
and frauds are all about separating you from your valuables in one way or another.
Hoaxes
Hoaxes are sometimes nearly impossible to distinguish from scams and frauds,
and in fact can be used as a vehicle to commit fraud. In general, though, hoaxes
are about trying to get you to believe something that isn't true, and act on
it, rather than to engage in a fraudulent financial transaction. The lines can
be blurry, though. Many hoaxes are, essentially, "Internet practical jokes"
that sometimes have unfortunate consequences. Hoaxes tend to have a very long
lifespan as well. The first great Internet hoax, the infamous "Good
Times" virus (1994), still gets spread around by well-meaning new Internet
users. In recent years, another prevalent Internet hoax revolves around e-mails urging
the recipients to delete the files jdbgmgr.exe
or sulfnbk.exe from their
hard drive if they exist, allegedly because they are virus files (they're not - they're
legitimate Windows system files). This perennial favorite is still making its way
around as well. Many well-known Internet hoaxes of the last several years are
simply re-workings of "urban legends" that have been around for decades.
How can I tell if an e-mail message is a hoax, fraud or scam?
It's not always easy, but start with your own common sense. If it seems
fishy or phony to you, chances are it is.
You also have many powerful tools at your disposal that can help you ferret
out the truth - search engines like Google,
Yahoo! and Bing
are very useful for seeing how widespread the e-mail is, and what other people
have said and done about it. If the e-mail message contains distinctive bits
of information such as company name(s), names of individual people, telephone
numbers (especially toll free numbers), try plugging them into the search box
to see how many "hits" you get. You might be surprised to find how
well-known it is.
There are also a number of popular web sites that collect and track information
about hoaxes, scams and frauds, and most of them have their own search features
built in. A few of the more accredited and respected of these sites are:
www.scambusters.org
www.snopes.com
urbanlegends.about.com
www.quatloos.com
"Phishing"
A generic type of scam that has become very common via e-mail since 2002 has
come to be known as "phishing". This involves a "spoofed"
(i.e., forged) email, usually appearing to be from a well-known company or business,
requesting the recipient to "verify" account data. Amazon.com and
eBay are among the most frequently spoofed companies, but probably the most
prevalent target is PayPal. These messages often contain images that are exact duplications of the firm's logos and trademarks, all the more to look legitimate and official. Here is an actual, typical example of this scam:

The objective, of course, is to get unwitting PayPal users to click on the
link to a forged or otherwise bogus website and give away important personal
information. These sorts of "phishing" messages are usually sent as
spam to millions of addresses, and they can be sure to reach a large number
of actual PayPal account holders (or Amazon, or eBay, or whatever the target
"audience" is).
It is important to realize, also, that the sites these messages attempt to
get you to access can be designed so that important information is
taken from your hard drive without your knowledge. Many people who receive
a message like this but do not have PayPal accounts will be tempted to click
on the link and tell the sender they've "made an error". Doing
so may expose personal information on their computer to "harvesting".
For a more thorough and detailed discussion of "phishing", see:
www.antiphishing.org
A Few Rules of Thumb
- E-mail is a very insecure medium, and is easily forged. Do not assume that
the name in the "From:" line is the real person or company that
actually sent the message.
- Just as you should not believe everything you read in a newspaper or magazine,
be equally skeptical of information you read in e-mail or on websites.
- Never, ever give sensitive, personal information (including passwords) in
response to an e-mail or website query unless you are absolutely sure that
you are dealing with the person or company you believe you are. When purchasing
over the web, make certain that the business or company is using a Secure
Server (an implementation of Secure Sockets Layer [SSL] or Transport Layer Security [TLS] to encrypt data between
your computer and theirs). You can tell if this is the case by looking at
the URL in the address box at the top. If it begins with https://
instead of http://, then
you are communicating via a secure session, and the business is more than
likely legit - OR - if you see a small "padlock" icon in the corner of the browser window, and the icon appears to be "locked", that is an indication that your session is SSL/TLS-encrypted. SSL/TLS websites make use of digital certificates issued by trusted
third parties. Keep in mind that the padlock only confirms that the connection is encrypted and that the certificate was issued for the domain shown in the address bar; it says nothing about who owns that domain, so also check that the domain is the company's own.
- No matter how urgently an e-mail message implores you to "pass on this
virus warning to everyone in your address book", and no matter how authentic
it appears to be, do not blindly forward it to all your friends - you may
be proliferating the next "Good Times" virus. Even if it comes from
your best friend, or your mother, don't pass it on - research it first, and
think how smart and cool you'll look when you can reply, "It's a hoax
- check this website for the real story".
- Look before you click on a link, whether it's in an e-mail or on a website.
It may not be leading you where you think it is. With most e-mail programs
and web browsers, if you pass your mouse pointer over the link without clicking,
you can see the actual destination displayed in the status bar (usually
at the lower left). If the link says "Click here to go to GoodCompany.com,"
but the link destination displayed is actually NeverHeardOfEm.org, the link
may lead to a malicious site.
- Never open an e-mail attachment unless you are absolutely, positively certain
about who sent it, why they sent it, and what the attachment actually is.
- Obtain and use good anti-virus software, and update it weekly, at least.
Penn users may download officially supported anti-virus software (PennKey
authentication required) from the Supported
Products website.
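As an added illustration of the "look before you click" rule (example code written for this page, not part of the original), the following Python script parses a constructed HTML e-mail body, compares the domain named in each link's visible text with the host the link actually points to, and also flags links that do not use https:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body (not taken from a real e-mail).
SAMPLE_HTML = """<p>Dear customer, please <a href="http://neverheardofem.org/login">
Click here to go to GoodCompany.com</a> to verify your account.</p>
<p>Help is at <a href="https://www.goodcompany.com/help">GoodCompany.com help</a>.</p>
<p>Or use <a href="https://goodcompany.com.example.net/x">goodcompany.com</a>.</p>"""

# Matches something that looks like a domain name in visible link text.
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def registrable(host):
    # Last two labels approximate the owning domain (www.x.com -> x.com); a demo
    # simplification, not a public-suffix lookup.
    return ".".join(host.lower().strip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def check_links(html):
    """Return (href, text, reasons) for each link that deserves a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        url = urlsplit(href)
        host = url.hostname or ""
        if url.scheme.lower() != "https":
            reasons.append("not https")
        # A domain shown in the text should be the domain the link really goes to.
        for shown in DOMAIN_RE.findall(text):
            if registrable(shown) != registrable(host):
                reasons.append(f"text says {shown}, link goes to {host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings
```

Run `check_links(SAMPLE_HTML)` to see the first and third links flagged; the third shows the common trick of putting the expected name in front of an unrelated domain.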
Should I report it, and if so, to whom?
If you have received an e-mail message or visited a website that appears to
be perpetrating a hoax, fraud or scam, take a little time to research it as
suggested above. In most cases, you'll find that it's well-known and well-documented,
and in many instances is simply a variation on an "oldie but goodie".
As long as you have not responded or acted in the manner they're attempting
to get you to do, you can generally delete it and not worry about reporting
it to law enforcement or computing support staff. If you're still in doubt,
though, you can contact Penn Information Security at security@isc.upenn.edu
and request help.
Last updated: Friday, April 23, 2010