Verify the Legitimacy of Every Request for Personal Information You Receive
Email addresses can easily be purchased in bulk from direct advertising firms, as well as magazines and other sources. There are companies out there that claim to be able to offer databases with as many as 500 million different email addresses. If you own a Twitter account, you can even purchase up to a million followers too. Padding your social media sites has become a big business.
Scammers take advantage of the availability of these lists by purchasing them for what has become known as “phishing” – a portmanteau formed from “phreak” (which itself is a combination of “freak” and “phone”) and “fishing.” In short, phishing is when scammers go fishing for victims by email. Their goal is to obtain your trust or your financial information, such as a bank account or credit card number, in order to rob you, or your personal information in order to commit identity theft, or both.
The typical phishing scam begins when you get an email with the logo of your bank, credit card company or a major online merchant announcing, for example, that for security reasons you are being asked to re-confirm your account information. A link is provided. You click and reach an online form, again with the same official logo, which asks you for your name, address, account number, password or PIN number (whichever one is relevant), and perhaps a few additional bits of information. You fill out the form and click “Submit.”
Individuals and Corporations Are Both Targeted
If you think that a scam like this would steer clear of the largest and most secure corporations associated with the internet, then think again. From (at least) 2013 to (at least) 2015, Google and Facebook employees were targeted in an elaborate international phishing attack, which tricked them into sending an estimated $100 million to an overseas banking account. In March 2017, at the request of U.S. authorities, a Lithuanian citizen was arrested at his home by police in that Baltic country. He was extradited to the U.S. five months later to stand trial for allegedly impersonating a Taiwanese electronics manufacturer that provides equipment to both Google and Facebook in order to send massive numbers of these fraudulent emails to employees of those companies. He is charged with wire fraud, money laundering and aggravated identity theft.
The scam was first uncovered by Google itself, which contacted authorities. Both Google and Facebook claim that they have since recovered most of the funds lost by their staff. But large corporations are not only victims. They can also inadvertently create the problem themselves.
Equifax, one of the three largest consumer credit reporting agencies in the world, which collects and aggregates information on hundreds of millions of individual consumers and businesses around the globe, was victimized in 2017 by a large-scale security breach. To reassure consumers, it set up a separate website to allow them to access their credit records. Shortly thereafter, a cybersecurity researcher cloned that site, proving that scammers could do the very same thing, enabling them to obtain the passwords and personal information of victimized consumers a second time.
One of the most widely identifiable examples of phishing has long been associated with scammers in Nigeria. These emails, which they began to distribute in bulk as early as the 1980s, are also known as 419 scams, a reference to the section of the Nigerian criminal code that outlaws fraud. Since then, however, copycat scammers have set up shop in Amsterdam, London and other locations as well.
Their emails followed a predictable pattern. They usually claimed that someone who sounded respectable had died without heirs and left a fortune. The sender, who generally identified himself as the deceased’s attorney or a high-ranking government or tribal official, claimed to be writing to ask you to allow him to transfer the funds to your bank account in order to overcome local financial bureaucracy. In exchange, he said he would share the fortune with you equitably. If you responded, you would be invited overseas to sign some paperwork. Those who took up the offer were then convinced to pay thousands of dollars in processing fees, or to pay the supposed attorney his own percentage in advance. Then the scammers would disappear, or instead give the victim a check in exchange for the cash. The check, however, would bounce when deposited back home. In actuality, those victims were lucky. Others wound up dead.
By every standard – technology, content, graphic design, and psychology – phishing is a very sophisticated scam. If you receive an email with your bank’s logo that informs you that you should reconfirm your password due to a security threat, your immediate reaction will be to ensure your online security and comply with the request.
But here’s a general rule: First verify the legitimacy of every request for personal information that you receive. You can do this in several ways:
- Call or write the bank, credit card company or other financial institution that ostensibly is asking you to respond
- Surf the internet for phishing warnings using keywords from the same text
- Check the latest phishing warnings on the website of a government cybersecurity agency, such as the U.S. Computer Emergency Readiness Team
- Consider purchasing anti-phishing computer software
If you think you have been victimized by a banking or online account scam due to phishing, consult with our fund recovery experts at MyChargeBack.