Establishing Digital Trust: Don't Sacrifice Security for Convenience
Anyone who has spent time playing online games, visiting dating Websitesor online poker rooms knows this. I routinely invent identities thatallow me to accomplish whatever it is I need to do online withoutcompromising my personal privacy. I use one persona to subscribe tovarious news services, another to play online games and another one tochat with young hackers about their activities and motivations.
It really wouldn't make sense to go into an IRC chat room and announcethat I'm a network security analyst for one of the choicest hackingtargets in the world, and expect to get any really good scoop out of theexperience. On the other hand, I play 'Joe stupid hacker wannabe' prettywell, when necessary.
The reason I tell you this is to share another, more interesting, eventwith you. Recently, I received a certified letter in the U.S. mailaddressed to one of my online aliases. This dispatch contained twoletters and a check. We'll get to the check in a moment, but the twoletters were very interesting to read.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i The first regarded a lottery award claim final notification from anaddress in London, Ontario, Canada. According to this letter, I wasawarded a portion of a second-tier lottery prize, based on a ticketnumber (with a serial number for validation) and the winning numbers.Most importantly, my share of this award would be a lump sum payment of$139,221.76 U.S.
Now, I think this is very cool. The only problem is that I don't play thelottery. Ever. And certainly not by alias. I'm pretty sure I didn't winanything. But let's move on to the next letter to shed more light onthings.
The second letter explained that because there were fees and taxesinvolved in processing the winnings for this lottery, the awardnotification company had arranged for financial sponsors to provide thenecessary funds to release my lottery winnings immediately upon thecompletion of the claim process. All I need to do, they tell me, isprovide them with my bank routing numbers for them to arrange a wiretransfer of my winnings to my account. Right. Like that's going tohappen. Or, maybe they'll just wait until I deposit the check in myaccount, and then they'll have the routing numbers from the cancelledcheck.
Of course, the check itself is probably high-grade rubber, or stolen, orsomething else that would cause law enforcement to be interested in mefor bank fraud. At the very least, I would end up getting whacked forthe bounced check charges from my financial institution.
Interestingly enough, it very clearly states in the letter that I shouldbe careful not to make this award public until after the funds have beendeposited. I wonder why they wouldn't want me to go to the press aboutthis major windfall I was planning on turning into a philanthropicfoundation. Maybe I'm supposed to wait until after they've emptied mybank account and ruined my credit.
What's wrong with this picture?
The phishing people are expanding into new markets to conduct theirscams. They've moved steadily into phone scams. We hear about more peoplegetting phone calls regarding problems with their credit card accounts.They are informed of fraudulent activity associated with their card, andthe ''account manager'' needs account data for verification. Believingthe caller is trying to help them, they provide card numbers andexpiration dates over the phone to perfect strangers. They never considerverifying the caller's identity or whether they have a legitimate needfor that data.
Now, scam artists have begun to move into other arenas. Surely, peoplewill think that if they received this letter, signed by a real personeven, it must be true. Look, the letter is even signed in ink. Except,the person named in the letter doesn't exist. (Here's a thought: If therecipient of an award doesn't exist, is there any reason why theoriginator should?)
I've also seen cases where individuals receive faxes addressed to them andmarked ''URGENT & CONFIDENTIAL''. It offers great wealth to the personwho will just send their banking data to an individual representinghimself as the Director of Project Implementation for the Ministry ofEnergy and Mineral Resources, South Africa. Doesn't that soundimpressive? A quick Web search on the area code listed in the fax revealsit was transmitted via a Maritime Satellite phone. Somewhere ininternational waters, the South African Director of ProjectImplementation wants you to volunteer your financial accounting data.
Another Web search on the name and address of the lottery company inLondon, Ontario gave similar results. Not only does the company notexist, the street in the address does not exist. The phone number isobviously valid or how else would they arrange the ''payout''?
Fortunately, these people have not escaped the attention of lawenforcement.
The Royal Canadian Mounted Police and U.S. postal regulators continue todevelop leads and investigate individuals involved in these scams. It'sdifficult because the perpetrators running these operations use cellulartelephones and stay one step ahead of investigators.
Now about that check.
It appears to be a legitimate cashiers check drawn on a well-known U.S.bank for a significant amount of money. We know the bad guys don't playwith their own cash, and the check is certainly good enough to passmuster at most legitimate check cashing institutions. A bank, however,would probably spot it as a fake. If I were to deposit it into mychecking account, they would still have my bank routing information.
In any event, cashing the check itself is bank fraud and punishable byfederal jail time.