Dot.con

Internet fraud may use e-mail, chat rooms, websites and message boards to present solicitations to possible victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud to financial institutions.[ 1 ]

Credit Card Fraud

Credit card fraud is the most common form of Internet fraud. The information used to commit it may be acquired from retailers, whether online or offline; from companies’ databases which have been compromised; from schemes like phishing; etc. Using credit cards online is inherently insecure, as information acquired in “secure transactions” is decrypted into plain text for processing. [ 2 ] Still, some would argue that the safest way to purchase items via the Internet is by credit card because one can often dispute the charges if something is wrong. [ 3 ]


Prevention.

  1. Make sure you are purchasing merchandise from a reputable source. Do not judge a person/company by their web site. Just because an individual or company has a professional-looking web site does not mean it is legitimate. Web sites can be created in just a few days, and after a short period of taking money, a site can vanish without a trace. Do your homework on the individual or company to ensure that they are legitimate. Check out other web sites regarding the person/company you plan to transact with.
  2. Try to obtain a physical address rather than merely a post office box and a phone number, and call the seller to see if the number is correct and working. Check with the Better Business Bureau from the seller’s area. Be cautious when dealing with individuals/companies from outside your own country.
  3. Send the potential seller e-mail to see if they have an active e-mail address and be wary of sellers who use free e-mail services where a credit card was not required to open the account. Consider not purchasing from sellers who would not provide you with this type of information.
  4. Do not give out your credit card number(s) online unless the site is a secure and reputable site. Do not trust a site just because it claims to be secure. Sometimes a tiny icon of a padlock appears to symbolize a higher level of security to transmit data. This icon is not a guarantee of a secure site, but might provide you some assurance. Still, before using the site, check out the security/encryption software it uses. Make sure the transaction is secure when you electronically send your credit card numbers.
  5. Be cautious when responding to special offers (especially through unsolicited e-mail).
  6. You should also keep a list of all your credit cards and account information along with the card issuer’s contact information. If anything looks suspicious or you lose your credit card(s) you should contact the card issuer immediately. [ 4 ]

Advance Fee Fraud

Advance fee fraud (the Nigerian money transfer fraud, Nigerian scam or 419 scam, after the relevant section of the Nigerian Criminal Code that it violates) is a fraudulent scheme to extract money from victims after making them believe they will get an immense fortune. Victims are requested to pay an upfront fee before their purported fortune is released. [ 5 ]


Origin. Originally known as the “Spanish Prisoner Letter”, the scam is a confidence game dating back to 1588. In its original form, the con artist tells his victim (the mark) that he is in correspondence with a wealthy person of high estate who has been imprisoned in Spain under a false identity. The alleged prisoner cannot reveal his identity without serious repercussions, and thus supposedly relies on the con artist to raise money to secure his release. The con artist offers to let the mark supply some of the money, with a promise that when the prisoner returns the mark will be rewarded generously, both financially and by being married to the prisoner’s beautiful daughter. However, once the mark has turned over his money, he learns that further difficulties have arisen, requiring more money, until the mark is cleaned out and the game ends. [ 6 ]

The association with Nigeria was due to the massive proliferation of such confidence tricks from that country since the mid-eighties. In the latter form, the schemers contacted mainly heads of companies and church officials through ordinary postal mail. The use of e-mail spam, instant messaging, and even text messaging for the initial contacts has led to other persons also being targeted, as the cost to the scammers to make initial contact is much lower. [ 7 ]

The Nigerian Money Transfer Fraud operates in the following manner: The potential victim receives a letter or fax from an alleged “official” representing a foreign government or agency. An offer is made to transfer millions of dollars in “over invoiced contract” funds into the potential victim’s personal bank account. The potential victim is encouraged to travel overseas to complete the transaction, and is requested to provide blank company letterhead forms, banking account information, and telephone/fax numbers. The potential victim receives numerous documents with official-looking stamps, seals and logos testifying to the authenticity of the proposal (electronic documents over the Internet). Eventually the potential victim must provide up-front or advance fees for various taxes, attorney fees, transaction fees or bribes. [ 8 ] The original medium for this scam was mailers; it was in the late 1990s that the Internet came to be extensively used for the purpose.

Variants. One variant involves an alleged lawyer-con artist, representing the estate of some long-lost relative whom the potential victim never knew he or she had (the potential victim’s surname will be inserted into the e-mail message). The con artist will claim to have gone to a lot of trouble to find the victim in order to give him or her a share of the millions of dollars available if the potential victim will forward his or her bank account information to the con artist. [ 9 ]

Another variant involves the offers of con artists to buy some expensive item which the potential victim has advertised, by official, certified, bank or cashier’s check. The check will have an “accidentally” or mutually agreed higher value than the price of the item, so the con artist can ask the victim to wire the extra money to some third party as soon as the check clears. The check typically clears after one or two days, but the fact that it is counterfeit is not detected until several days or weeks later, by which time the victim has sent the item and the “additional money” to the con artist and his representative. Most banks will hold the victim accountable for the value of the counterfeit check. [ 10 ]

Another variant pretends to be a “winning notification” from a lottery company, requesting payment in advance to collect the sum that the potential victim has “won”. [ 11 ] This variant is prevalent in the Philippines or against Filipinos [ 12 ] through SMS text messaging.

Other forms of 4-1-9 schemes include: c.o.d. of goods or services, real estate ventures, purchases of crude oil at reduced prices, beneficiary of a will, recipient of an award and paper currency conversion. [ 13 ]

Example.

Request for urgent business relationship

First, I must solicit your strictest confidence in this transaction. This is by virtue of its nature as being utterly confidential and ‘Top Secret’. I am sure and have confidence of your ability and reliability to prosecute a transaction of this great magnitude involving a pending transaction requiring maximum confidence.

We are top official of the federal government contract review panel who are interested in importation of goods into our country with funds which are presently trapped in Nigeria. In order to commence this business we solicit your assistance to enable us transfer into your account the said trapped funds.

The source of this fund is as follows; during the last military regime here in Nigeria, the government officials set up companies and awarded themselves contracts which were grossly over-invoiced in various ministries. The present civilian government set up a contract review panel and we have identified a lot of inflated contract funds which are presently floating in the central bank of Nigeria ready for payment.

However, by virtue of our position as civil servants and members of this panel, we cannot acquire this money in our names. I have therefore, been delegated as a matter of trust by my colleagues of the panel to look for an overseas partner into whose account we would transfer the sum of us$21,320,000.00(twenty one million, three hundred and twenty thousand U.S dollars). Hence we are writing you this letter. We have agreed to share the money thus; 1. 20% for the account owner 2. 70% for us (the officials) 3. 10% to be used in settling taxation and all local and foreign expenses. It is from the 70% that we wish to commence the importation business.

Please note that this transaction is 100% safe and we hope to commence the transfer latest seven (7) banking days from the date of the receipt of the following information by Tel/Fax; 234-1-7740449, your company’s signed, and stamped letterhead paper the above information will enable us write letters of claim and job description respectively. This way we will use your company’s name to apply for payment and re-award the contract in your company’s name.

We are looking forward to doing this business with you and solicit your confidentiality in this transaction. Please acknowledge the receipt of this letter using the above Tel/fax numbers. I will send you detailed information of this pending project when I have heard from you.

Yours faithfully,

Dr. Clement Okon

Note; please quote this reference number (ve/s/09/99) in all your responses. [ 14 ]

Prevention.

  1. Be skeptical of individuals representing themselves as Nigerian or foreign government officials asking for your help in placing large sums of money in overseas bank accounts. Be skeptical also of entities offering prizes that require you to shell out money or any equivalent to allow the processing of your winnings, among others.
  2. Do not believe the promise of large sums of money for your cooperation.
  3. Guard your account information carefully. [ 15 ]

Phishing

One of the popular fraudulent practices being done online today is “phishing.” Phishing (also “carding” and “spoofing”) is “a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message.” [ 16 ] Phishing attacks use both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials. [ 17 ] Phishing is the art of getting personal information, usually in the form of usernames and passwords, from individuals. It is also a form of Social Engineering which is defined as “the art and science of getting people to comply to your wishes.” [ 18 ]

Fraudsters behind the phishing use spam messages masquerading as messages from banks or online payment facilities. They also generate pop-up messages – through a website or through certain software that was installed in relation to the service – that claim to be from a business organization that one usually deals with. The message may ask one to “update,” “validate,” or “confirm” one’s account information. Some phishing emails threaten a dire consequence if one does not respond. [ 19 ] Some fraudsters place the text of a legitimate site link in the email, while the link actually leads to their own fake site. The fraudster’s fake website replicates the legitimate web site as to its code and graphics, completely fooling a victim into navigating through a scam site. The scams rely more on persuasive psychological trickery than on technology. [ 20 ] The classic phishing scams seem to recur with little variation, such as “Your account is about to expire,” the sender of the e-mail warns. “Click on the link and resubmit your credit card information to avoid any loss of service.” [ 21 ] The message may also carry the following text: “We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity”; or “During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.” [ 22 ] Phishing may also be a means for a fraudster to commit identity theft.


Origin. The term “phishing” arose from the use of increasingly sophisticated lures to “fish” for users’ financial information and passwords. [ 23 ] It was coined by crackers attempting to steal AOL accounts during the mid-1990s. A cracker would mimic an AOL staff member and send a message entitled, for example, “verify your account” or “confirm billing information”, to acquire the AOL user’s password, among other information, so as to allow the cracker to use the AOL account for his or her own benefit or for other criminal acts. [ 24 ]

Prevalence. Washington Post reported that “[s]ince May 2003, nearly 11 million recipients of phishing e-mail clicked on the links. Of those, 1.8 million recalled filling out the information requested. Phishing attacks grew 28 percent from May 2004 to May 2005. About 73 million adult e-mail users reported more than 50 phishing e-mails during the 12-month period. 2.42 million adults reported losing money because of phishing attacks. Victims said their banks and credit card companies took the biggest hits. Victims recovered 87 percent of their funds. Major U.S. Internet service providers reported 150 to 200 uniquely identifiable phishing attacks against their brands. Pay Pal and eBay are the top spoofed sites. Citibank is the primary bank target for phishing scams.” [ 25 ]

As of September 2005, according to the Anti-Phishing Working Group (APWG), the number of unique phishing reports received in September was 13562; the number of unique phishing sites received was 5259; the number of brands hijacked by phishing campaigns was 106; the number of brands comprising the top 80% of phishing campaigns was 6; and the country hosting the most phishing websites was the United States. Phishing which contained some form of target name in the URL amounted to 50% of total attacks, phishing which provided no hostname but only an IP address amounted to 34% of total attacks, and sites not using port 80 amounted to 8% of total attacks. The United States remained at the top of the list of phishing hosts with 31.22%, with the rest of the top 10 as follows: China: 12.13%, Republic of Korea: 10.91%, Germany: 3.16%, Canada: 2.97%, Japan: 2.44%, France: 2.31%, Poland: 2.24%, Brazil: 1.98%, Romania: 1.98%.

In September 2005, the APWG witnessed several new phishing attacks which exploited people’s willingness to assist during times of desperation; the attacks impersonated The Red Cross, The Salvation Army, Hurricane Katrina Donations, and Hurricane Rita Donations. [ 26 ]

Variants. “Spear phishing” targets members of a particular organization, with the sender claiming to be its e-mail provider. The sender will prompt you to download special software, which could install spyware or adware. Spyware and adware would record personal information later. [ 27 ]

Examples. The following are examples of phishing e-mails.

Date: Thu, 02 Dec 2004 07:35:28 -0300
From: Suntrust Billing Department
To: Abnelson
Subject: Failure to confirm your records may result in your account suspension.

Dear valued SunTrust member,

Due to concerns, for the safety and integrity of the online banking community we have issued the following warning message.

It has come to our attention that your account information needs to be confirmed due to inactive customers, fraud and spoof reports. If you could please take 5-10 minutes out of your online experience and renew your records you will not run into any future problems with the online service. However, failure to confirm your records may result in your account suspension.

You can confirm your account records by logging in to your internet banking account. Once you have confirmed your account records your internet banking service will not be interrupted and will continue as normal.

To confirm your bank account records please click here.

Thank you for your time,
SunTrust Billing Department.

————————————————————————————————————————
© 2004 SunTrust Banks, Inc. All rights reserved. - Equal Housing Lender - Member FDIC

or

Subject: Verify your E-mail with Citibank

This email was sent by the Citibank server to verify your E-mail address. You must complete this process by clicking on the link below and entering in the small window your Citibank ATM/Debit Card number and PIN that you use on ATM.

This is done for your protection - because some of our members no longer have access to their email addresses and we must verify it.

To verify your E-mail address and access your bank account, click on the link below:

https://web.da-us.citibank.com/signin/citifi/scripts/
email_verify.jsp

———————————————————-

Thank you for using Citibank [ 28 ]

The link, however, goes to a non-secure site at http://www.securecitibank.us. Said domain was registered to a certain Wayne Stanford of 3057 sunrise cir, marina CA, 93933, United States, and not to CitiBank itself. [ 29 ] After the initial Citibank phishing attacks, another set of phishing emails was circulated on a different premise, to wit:

Recently there have been a large number of identity theft attempts targeting Citibank customers. In order to safeguard your account, we require that you update your Citibank ATM/Debit card PIN.

This update is requested of you as a precautionary measure against fraud. Please note that we have no particular indications that your details have been compromised in any way.

This process is mandatory, and if not completed within the nearest time your account may be subject to temporary suspension.

To securely update your Citibank ATM/Debit card PIN please go to:

https://www.citibank.com/signin/citifi/scripts/login2/update_pin.jsp

Please note that this update applies to your Citibank ATM/Debit card - which is linked directly to your checking account, not Citibank credit cards.

Thank you for your prompt attention to this matter and thank you for using Citibank!

Regards,

Riley Buckner
Head of Citi® Identity Theft Solutions

Copyright © 2004 Citicorp. All rights reserved.
Do not reply to this email as it is an unmonitored alias.

ozmpjdyvexo utcbt vuqr znrwvsowwvi

The link, however, leads to a website in Asia. The genuine CitiBank page is forced to appear behind the scam’s pop-up web page. [ 30 ]
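The gap between the address a message displays and the site its link opens, as in the first Citibank sample above, can be checked mechanically. The following is an added example, not part of the original article: it parses an HTML message body and flags links whose visible text names a different host than the href, together with the IP-only hosts and non-default ports counted in the APWG figures. The HTML markup, the indicator names, and the 192.0.2.10 and example.com entries are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def shown_host(compact_text):
    """Host named by the visible link text, or '' if the text is not a URL."""
    if not re.match(r"(?i)(https?://|www\.)", compact_text):
        return ""
    if "://" not in compact_text:
        compact_text = "http://" + compact_text
    return (urlsplit(compact_text).hostname or "").lower()


def same_site(a, b):
    """Heuristic only: equal hosts, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_link(href, text):
    """Return the list of indicators (names are this example's own) for one link."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    compact = "".join(text.split())  # mail clients wrap long URLs across lines
    shown = shown_host(compact)
    if shown and host and not same_site(shown, host):
        findings.append("text-host-mismatch")
    if compact.lower().startswith("https://") and parts.scheme.lower() == "http":
        findings.append("https-shown-http-linked")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass  # host is a name (or empty), not an IP literal
    try:
        port = parts.port
    except ValueError:
        port = None
        findings.append("invalid-port")
    if port not in (None, 80, 443):
        findings.append("non-standard-port")
    return findings


def analyze(html):
    """Return [(href, [indicators])] for every link in an HTML body."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return [(href, check_link(href, text)) for href, text in parser.links]


# Constructed markup. The first link pairs the displayed URL and the real
# destination reported for the Citibank sample; the other two are invented.
SAMPLE_HTML = """\
<p>To verify your E-mail address and access your bank account,
click on the link below:</p>
<a href="http://www.securecitibank.us">https://web.da-us.citibank.com/signin/citifi/scripts/
email_verify.jsp</a>
<p>Or <a href="http://192.0.2.10:8081/update">click here</a>.</p>
<p>Help: <a href="https://www.example.com/help">www.example.com</a></p>
"""

if __name__ == "__main__":
    for href, findings in analyze(SAMPLE_HTML):
        print(href, findings or "no findings")
```

A clean result is not proof of legitimacy: a link with generic text such as “click here” carries no displayed host to compare against, which is why the advice to type the address directly still applies.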

Prevention. Two of the basic clues in identifying a phishing email are the email’s typographic errors and the sophistication of the email’s content and grammar. Misspellings and faulty grammar in the bogus email should set alarm bells ringing.

  1. Use anti-virus software and a firewall, and keep them updated. Some emails may contain software or scripts that can harm your computer or track your activities on the Internet without your knowledge, by themselves or by unleashing viruses or spyware.
  2. Be aware of corporate e-mails requesting or requiring personal financial information (credit card numbers, account usernames, passwords and social security numbers). Also be aware of e-mails coming from usual service providers requesting verification of certain account information (email addresses, passwords, credit card numbers, etc.). A sender may mimic an Internet service provider (ISP), bank, online payment service, or even a government agency. Phishers often convince e-mail recipients to respond when they hijack brand names of banks, credit card companies and e-retailers.
  3. If you normally transact with the company requesting the information, and if the company’s office can be contacted by phone without incurring unwelcome charges, call to confirm. A potential fraudster would have difficulty taking over the company’s phone system to perpetrate his/her scheme.
  4. Do not reply, whether to query or confirm the sender’s need for the information or, worse, to send the requested information through email. Legitimate companies do not ask for personal information via email. Further, e-mail is not a secure method of transmitting personal information. Updating information on the company’s website would be a better option, while updating information at the company’s premises with authorized personnel would be the best.
  5. Do not click on the e-mail’s link, even if you are curious where the link would lead you. Go directly to the company’s website by typing the website’s URL address in your browser’s address bar, if you need to.
  6. Do not open any attachment or download any files from emails you receive. These files may contain viruses or spyware.
  7. If you need to update your personal information in the company’s website, make sure that the site is secure by looking for signs in your browser that it is in fact secure, such as a “locked” yellow padlock at the lower right corner of your browser, or the “https://” in your browser’s address bar (the “s” appended to “http” to mean “secure”). Still, these indications are not foolproof, as fraudsters may be technologically sophisticated enough to develop or mimic secure sites.
  8. If the personal information shared that is vulnerable to fraud is of financial nature, be aware of or check your credit card or account activity, and report anomalous transactions to the concerned company or service provider, if they occur. If your statement is late, call your credit card company or bank to confirm your billing address, if not your account balances.

Distinctions with other frauds

  1. Online Credit Card Fraud. Online Credit Card Fraud is more geared towards the use of credit cards over the Internet. It is a direct act to utilize another person’s credit card information to pursue transactions online; the information being acquired through insidious schemes (through keylogging spyware, phishing, etc.) or by cracking the credit card account itself. Fraudulent use of credit cards (accounts) is governed by the Access Device Regulation Act of 1998 (Republic Act 8484) in the Philippines. The deterrence of the practice, especially if electronically pursued, is supplemented by the e-Commerce Act of 2000 (Republic Act 8792) and covered by A.M. 01-7-01-SC (Rules on Electronic Evidence). On the other hand, phishing is only the preliminary means to pursue actual online credit card fraud. As a technical subterfuge scheme, it plants crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Phishing, however, may also be utilized to acquire information to allow identity theft, a springboard to the commission of estafa and other crimes. It may also be pursued to gain access to non-financial accounts (such as email accounts) to pursue other frauds. The scheme is not limited to aiding violations of the access device law.
  2. Spyware utilizing spam. Both means of acquiring information use e-mails extensively. The distinction exists in the kind of information being sought, the purpose for the information sought, and the method being pursued by the two schemes. Phishing is aimed primarily at acquiring specific personal information (similar to that in bio-data), while spyware, besides this kind of information, may even pursue the determination of a victim’s online behavior patterns, among others. Phishing is necessarily related to the commission of fraud. On the other hand, while spyware’s gathering of information does not discount the possibility of the commission of fraud, it may be merely an insidious means to acquire consumer information for product development or marketing. Phishing does not necessarily need software to achieve its objective, but merely the possible gullibility of its victim. The victim’s intervention is always present for it to occur. Spyware is software, and it is installed either by the gullibility of the victim, by indiscriminate clicking of “ok” buttons, by agreeing to the terms of a contract of adhesion of another software with which the spyware is bundled, or even by scripts or viruses without the victim’s intervention. Phishing emails may provide links to a fake website to gather the information sought or to install spyware. Spyware spread through spam emails provides links to install spyware. Finally, some spyware is installed to get the victim to part with his money for an antidote, while some phishing attacks are made to get the victim to part with his money, period.


Pharming

Pharming attacks are similar to phishing identity theft attacks, but don’t require a “lure,” such as a Web link that victims must click on to be taken to the attack Web site. [ 31 ] Pharming combines phishing with domain spoofing/domain hijacking. The distinction lies in the exploitation of a vulnerability in the DNS server software by a hacker-phisher to acquire the domain name for a website and to redirect that website’s traffic to the fake site used in phishing. [ 32 ] Hence, pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning. This is possible when the original site was not Secure Sockets Layer (SSL) [ 33 ] protected, or when the user is ignoring warnings about invalid server certificates. [ 34 ] Rather than spamming a potential victim, pharmers “poison” one’s local DNS server by redirecting the Web request somewhere else, i.e. to a website purporting to be the website one intended to access. When a cracker poisons a DNS server, he or she changes the specific record for a domain, sending one to a Web site very different from the one intended, without one’s knowledge. Usually, the cracker does this by posing as an official who has the authority to change the destination of a domain name. DNS poisoning is also possible via software vulnerability, however. [ 35 ]


Prevalence. In 2004 a German teenager from Helmstedt, Lower Saxony hijacked the eBay.de Domain Name. [ 36 ] In January 2005, the Domain Name for a large New York ISP, Panix, was hijacked, the ownership of which was attributed to a site in Australia. Requests to reach the panix.com server were redirected to the United Kingdom, and e-mail was redirected to Canada. Secure e-mail provider Hushmail experienced the attack on 24 April 2005 when the attacker rang up the domain registrar and gained enough information to redirect users to a defaced webpage. [ 37 ] On the other hand, e-mailed viruses that rewrite local host files on individual PCs, like the Banker Trojan, have been used to conduct smaller-scale pharming attacks. [ 38 ]
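The host-file rewriting attributed above to the Banker Trojan leaves evidence that can be looked for on the PC itself: entries in the local hosts file that pin a bank’s or payment service’s name to an address, since such names are normally resolved through DNS. The following is an added example, not part of the original article; it parses hosts-file text and reports such entries. The watched domains, addresses and sample file are constructed placeholders.

```python
import ipaddress
import os

# Constructed watchlist: replace with the institutions the user really deals with.
WATCHED = ("bank.example", "pay.example")


def default_hosts_path():
    """Usual location of the hosts file on Windows and Unix-like systems."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def is_watched(name, watched):
    """True if name is a watched domain or a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED):
    """Return (line number, name, address, kind) for each watched name found.

    kind is "redirect" (name pinned to some other machine), "loopback"
    (name pinned to this machine or to the unspecified address), or
    "malformed" (the address field is not a valid IP address).
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue  # blank line, comment, or address without a name
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address.split("%", 1)[0])  # strip zone id
            kind = "loopback" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        except ValueError:
            kind = "malformed"
        for name in names:
            if is_watched(name, watched):
                findings.append((lineno, name.lower(), address, kind))
    return findings


# Constructed sample; addresses come from the documentation ranges.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.44      www.bank.example bank.example   # added by unknown installer
198.51.100.7    login.pay.example
0.0.0.0         ads.tracker.example
10.0.0.5        fileserver.corp.example
not-an-ip       www.bank.example
127.0.0.1       pay.example
"""

if __name__ == "__main__":
    path = default_hosts_path()
    with open(path, encoding="utf-8", errors="replace") as handle:
        for finding in audit_hosts(handle.read()):
            print(path, *finding)
```

This covers only the smaller-scale, per-PC form of the attack; a hijacked registration or poisoned DNS server leaves the local hosts file untouched.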

Prevention. Pharming could be combated if browsers would authenticate websites’ identities.

  1. Server side. In order to remove pharming as a threat, servers would have to add another layer of authentication. To prove that the online merchants, banks, etc. are who they purport themselves to be, it might require them to obtain a certificate from a certificate authority, such as VeriSign.
  2. Client side.
    1. Response to certificates. When one visits the websites of online merchants, banks, etc., a dialog box appears, asking whether one wants to trust the certificate. If the name on the certificate does not match the website one tries to access, something is amiss. One should leave the website, as the website being accessed is not the actual electronic merchant, bank, etc. being sought. If the certificate corresponds to the website, one needs to save the certificate so that the browser can determine whether it has reached the right URL address on the next visit. [ 39 ]
    2. Netcraft toolbar (http://toolbar.netcraft.com/). Another simple solution that works in some cases is a browser plug-in from Netcraft that displays information about the site being visited, such as its geographic location. [ 40 ]


Other Internet fraud

Other kinds of Internet fraud exist, and they are usually virtual extensions of frauds that occur in the normal routine of commerce. The anonymity of a person over the Internet is a reason why con artists can pursue frauds with more ease. Other kinds would include frauds pertaining to Internet Auctions, Investment, and Merchandise Delivery, among others. Internet Auction Fraud may be prevented in the following manner: (1) Understand as much as possible about how the auction works, what your obligations are as a buyer, and what the seller’s obligations are before you bid. Understand that if a problem occurs with the auction transaction, it could be much more difficult to resolve if the seller is located outside the US because of the difference in laws. (2) Find out if shipping and delivery are included in the auction price or are additional costs so there are no unexpected costs. Find out what actions the web site/company takes if a problem occurs and consider insuring the transaction and shipment. (3) Learn as much as possible about the seller, especially if the only information you have is an e-mail address. If it is a business, check the Better Business Bureau where the seller/business is located. Examine the feedback on the seller. (4) Determine what method of payment the seller is asking from the buyer and where he/she is asking to send payment. Also ask the seller when delivery can be expected and, if there is a problem with the merchandise, whether it is covered by a warranty or can be exchanged. (5) There should be no reason to give out your social security number or driver’s license number to the seller.

Investment fraud may be limited through observation of due diligence similar to the prevention of credit card fraud, and inquiry about all the terms and conditions of the investment proposal, keeping in mind that “if it sounds too good to be true it probably is.” To prevent non-delivery of merchandise: (1) Observe due diligence similar to the prevention of credit card fraud; (2) Inquire about returns and warranties; and (3) Consider utilizing an escrow or alternate payment service. [ 41 ]

The creativity of a con artist is unlimited. Centuries-old scams can be revived to assume modern forms, through adoption of modern contexts and means. Be aware. A healthy dose of cynicism once in a while may prove to be the major factor in keeping one’s pockets healthy, and one’s positive social perception intact.

--------

Endnotes

1. Internet Fraud. Wikipedia, the free encyclopedia. Retrieved 25 October 2005. http://en.wikipedia.org/wiki/Internet_fraud

2. Ibid.

3. Internet Fraud Preventive Measures. Internet Fraud Complaint Center (IFCC). Retrieved 28 November 2005. http://www1.ifccfbi.gov/strategy/fraudtips.asp

4. Ibid.

5. Advance fee fraud. Wikipedia, the free encyclopedia. Retrieved 30 November 2005. http://en.wikipedia.org/wiki/Advance_fee_fraud

6. Spanish Prisoner. Wikipedia, the free encyclopedia. Retrieved 30 November 2005. http://en.wikipedia.org/wiki/Spanish_Prisoner

7. Advance fee fraud. Wikipedia, the free encyclopedia. Ibid.

8. Public Awareness Advisory Regarding “4-1-9” or “Advance Fee Fraud” Schemes. United States Secret Service: Advance Fee Fraud Advisory. Retrieved 30 November 2005. http://www.secretservice.gov/alert419.shtml

9. Advance Fee Fraud. Wikipedia, the free encyclopedia. Ibid.

10. Ibid.

11. Ibid.

12. DFA warns OFWs on text scam in Canada. ABS-CBN Interactive. Retrieved 30 November 2005. http://www.abs-cbnnews.com/storypage.aspx?StoryId=22858

13. Public Awareness Advisory Regarding “4-1-9” or “Advance Fee Fraud” Schemes. United States Secret Service. Ibid.

14. Urban Legends Reference Pages: Crime (Nigerian Scam). Snopes.com. Retrieved 30 November 2005. http://www.snopes.com/crime/fraud/nigeria.asp

15. Internet Fraud Preventive Measures. Ibid.

16. Phishing. Wikipedia, the free encyclopedia. Retrieved 25 October 2005. http://en.wikipedia.org/wiki/Phishing

17. Anti-Phishing Working Group. “What is Phishing and Pharming?” Retrieved 28 November 2005. http://www.antiphishing.org

18. E-mail Evils: Of Phishing, Spam and E-mail Scams. Microsoft Philippines – IT Professionals. Retrieved 28 November 2005. http://www.microsoft.com/philippines/technet/article.asp?articleid=20050...

19. Federal Trade Commission, For the Consumer. FTC Consumer Alert. “How Not to Get Hooked by a ‘Phishing’ scam.” Retrieved 28 November 2005. http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm

20. Musgrove, Mike. “‘Phishing’ Keeps Luring Victims,” 22 October 2005. Washington Post. Retrieved 23 October 2005. http://www.washingtonpost.com/wp-dyn/content/article/2005/10/21/AR200510...

21. Musgrove, Mike. “‘Phishing’ Keeps Luring Victims.” Ibid.

22. Federal Trade Commission, Ibid.

23. Phishing. Wikipedia, the free encyclopedia. Ibid.

24. Musgrove, Mike. “‘Phishing’ Keeps Luring Victims.” Ibid.

25. Ibid.

26. Phishing Activity Trends Report, September 2005. Retrieved 28 November 2005. http://antiphishing.org/apwg_phishing_activity_report_sept_05.pdf

27. Musgrove, Mike. “‘Phishing’ Keeps Luring Victims.” Ibid.

28. ESTec Security - Phishing Attacks. “Phishing Sample e-mail.” ESTec Systems Corporation. Retrieved 30 November 2005. http://www.security.estec.com/education/phishingSample.htm

29. Phishing Samples. Mortgage Investments.com. Retrieved 30 November 2005 http://www.mortgage-investments.com/Credit_reports/phishingsample.htm

30. Ibid.

31. Roberts, Paul. “Pharming Attacks Target the Web.” 1 April 2005. PC World. http://www.pcworld.com/resource/article/0,aid,120268,pg,1,RSS,RSS,00.asp

32. Pharming. Wikipedia, the free encyclopedia. Retrieved 25 October 2005. http://en.wikipedia.org/wiki/Pharming

33. Secure Sockets Layer (SSL) and Transport Layer Security (TLS), its successor, are cryptographic protocols which provide secure communications on the Internet. Transport Layer Security – Wikipedia, the free encyclopedia. Retrieved 28 November 2005 http://en.wikipedia.org/wiki/Secure_Sockets_Layer

34. Anti-Phishing Working Group. “What is Phishing and Pharming?” Ibid.

35. Vamosi, Robert. “Alarm over pharming attacks: identity theft made even easier.” 18 February 2005. Cnet.com, Security Watch. Retrieved 28 November 2005. http://reviews.cnet.com/4520-3513_7-5670780-1.html

36. Fiutak, Martin. “Teenager admits eBay domain hijack” 8 September 2004. C/net news.com. Retrieved 28 November 2005. http://news.com/Teenager+admits+eBay+domain+hijack/2100-1029_3-5355785.h...

37. Pharming. Wikipedia, the free encyclopedia. Ibid.

38. Delio, Michelle. “Pharming Out-Scams Phishing.” 14 March 2005. Wired News. Retrieved 28 November 2005. http://www.wired.com/news/infostructure/0,1377,66853,00.html

39. Vamosi, Robert. “Alarm over pharming attacks: identity theft made even easier.” Ibid.

40. Coursey, David. “First Was Phishing, Next Is Pharming” 2 February 2005. eWeek.com. Retrieved 28 November 2005 http://www.eweek.com/article2/0,1759,1758874,00.asp

41. Internet Fraud Preventive Measures. Ibid.