Tag: online scams

This Tax Season, Beware of IRS Tax and Refund Scams.

As we get closer to April 15th here in the U.S., tax scams will be on the rise. Every year phishers, scammers, and hackers take to the Internet and attempt to rook as many people as possible into forking over their banking information and hard-earned cash. We’ll give you some pointers on how to detect, and avoid, some of the more common tax scams.

Most tax scams involve someone claiming to be from the IRS, and the scam will more than likely involve identity theft. These scammers pose as legitimate IRS employees and try to fool you into giving them personal and/or financial information (e.g. passwords, Social Security numbers, PINs, bank account information, credit card numbers, and even your mother’s maiden name). Any information they gain can be used to try to get access to one or more of your accounts and rob you blind. While snail mail scam attempts are not unheard of, it’s much easier for the bad guys to send out false IRS emails or set up fake IRS websites.

When it comes to figuring out if an email or web site is really from the IRS or if it’s part of an elaborate tax scam, there are usually some tell-tale signs to distinguish the fake from the real. First off, if the name of the Internal Revenue Service or any other federal agency is spelled wrong, that’s a dead giveaway. Another common problem is bad grammar and/or odd phrasing of words. Many of the email or website tax scams come from overseas, and non-native English speakers will usually get something wrong when they write the content for their scam.

There are innumerable ways that someone can try to take advantage of you, but here are some of the more common IRS tax and/or refund scams to watch out for:

  • Fake Links and Phony Websites: The IRS says that this is the most common tax scam: Someone claiming to be from the IRS and sending out an email promising tax refunds when you click a link in the email and fill out a form on a web page. Phishing scams involving an identical-looking (but fake) IRS website are all too common. Just remember that the only way to get a refund is by sending in your tax return to the IRS, not by clicking a link you get in an email.

    We’ve got a blog post on “How to Spot a Fake Website” that can help you figure out what’s real and what’s a scam.

  • Form W-8BEN: Even though form W-8BEN is a real tax form, a rising tax scam is for someone claiming to be from the IRS and asking you to fill out Form W-8BEN. This is particularly nasty because this form requires personal financial details to be submitted, and should only be submitted through your financial institution. (The IRS will never ask you to fill out a W-8BEN form.) In general the IRS doesn’t send unsolicited emails to taxpayers and they certainly don’t discuss or request tax account information via email.

  • Fake Refunds: One of the scams the IRS warns taxpayers about is emails or letters promising refunds that don’t actually exist. They could claim to detail some new “economic recovery” law you’re eligible for (and an increased tax refund) if you register your bank account info with the IRS, or they may even offer to pay you to take part in an IRS survey. If you sign up, instead of a bigger refund or a fat check you’ll be funding a scammer for his or her next vacation. If you want to maximize your refund, consider hiring a trusted professional instead of signing up for something from an unsolicited email.

  • Virus-infected tax forms: Malware attacks aimed at U.S. taxpayers tend to rise during tax season, and fake W-2 forms in an email can be filled with trojans, spyware, or viruses. Before opening any email attachment, make sure you are expecting an email with an attachment or you may unwittingly give hackers access to your computer. Once they’re on your system, a hacker can install key logging software to capture everything you type (emails, passwords, shopping cart items, Internet searches, etc.) without you knowing about it at all.

  • Threatening emails: Some tax scams take a hard-nosed approach to their phishing attempts. You could receive an email threatening you with legal consequences if you don’t respond to the e-mail or register on a website they provide, which will conveniently be run by the scammer. Things they may tell you that you’ll be liable for include additional taxes, huge legal fees, or a reduction of tax refunds.

As long as there are taxes, there will be tax scams aimed at innocent people. If it sounds too good to be true, it probably is. If it sounds too fishy, it probably is. If you think someone is trying to scam you, or if you think you were the victim of a tax-related scam, contact the IRS, your bank (including credit card companies and other financial institutions if applicable), and your local police department.

Image courtesy of the IRS.

Beware of Haiti Relief Scams! Please donate to the Haitian earthquake relief efforts at http://www.redcross.org/

It’s hard to believe that in a time of crisis people could stoop so low as to try to scam people trying to help out those in need. The Haitian earthquake disaster of January 12th, 2010, however, has seen its fair share of scammers preying on those who would help.

If you’re looking for a way to donate to help the people of Haiti, we suggest you go directly to the charitable organization(s) themselves, or through a trusted source, so that you don’t fall for a scam. To help you find a reliable source, we have listed links to a few organizations that are taking donations and putting the money to good use.

  • Red Cross Donation Page

    Clicking on this link takes you to the Red Cross donation form online, where you may choose how you would like your donation distributed.

  • Google Disaster Relief Page

    You may also visit Google’s page to donate to other charities such as UNICEF and CARE.

  • If you’d like a really simple way to donate, you may donate to the Red Cross via a text message. Just text the word “HAITI” to 90999 and $10 will be sent to Red Cross relief efforts.

UPDATE: USA Today has an article about the FBI fielding over 170 Haiti fund-raising scams recently. The FBI has a team of computer analysts and fraud investigators reviewing the scam complaints.

Image courtesy of the American Red Cross.

Online Crooks Spread Holiday Scams, Not Cheer.

If it’s the end of the year then that means it’s time for Christmas, Hanukkah, Kwanzaa, and the annual ramp up of holiday-related scams, phishing, and other related online naughtiness. If only Santa had enough room on his Naughty List for all of the digital scammers!

It seems like every year the “bad kids” of the online world all seem to come together to get some year-end maliciousness out of their system. Increases in email spam, fake friend requests on social networking sites, and identity theft are part and parcel of the holiday season, and this year is no different. If anything, the current economic problems in America and the rest of the world make us all more likely to be a victim of holiday scams, since we’re all on the hunt for great deals and looking for a way to stretch our holiday budgets.

Here’s a breakdown of some of the more common scams, schemes, and potential problems that you’ll find this year:

  • Fake gift cards

    A perennial favorite, fake gift cards are often touted as being sold for cheaper than their original price (e.g. a $25.00 gift card being sold for $10.00), but many times are either completely fake, stolen and worth no money, or have had most if not all of their value used already. We suggest that you avoid these at all cost unless you get them from the store they are actually from (like Amazon.com gift cards) or another reputable vendor.

  • Fake charities

    Organizations like the United Way, Red Cross, and Toys for Tots do wonders for people across the country, but be careful when making a donation. Be sure that the representative you’re talking to is actually working for a charitable organization and not his or her own pocketbook.

  • Holiday e-cards

    Even though the real ones can be fun, e-cards in general have been known to mask trojans and spyware that are installed on your PC without your knowledge. Be especially careful when you receive an e-card in your inbox during the holidays.

  • Lyric websites

    When looking for Christmas carols you might end up finding malware. Many lyric sites are chock-full of advertising and popups, and it’s easy to accidentally click “OK” on a software install button. Be very careful when getting your play list ready for your carolers.

  • Fake websites

    These tend to come out of the woodwork and often look very convincing. Identity theft and stolen credit card numbers are the usual gifts that are given to holiday scam artists when they set up a fake website that copies an online store or charitable website. Check out our post on “How to Spot a Fake Website” for additional details on how to know which are fake and which are real.

  • Online fraud

    eBay, CraigsList, and other online auction and shopping sites have great deals and a lot of hard-to-find gifts. They also have a lot of fraud associated with them since anyone with an email address can set up an account. Make sure to look for user ratings if possible (eBay in particular has a pretty darn good rating system for buyers and sellers) to see what a seller’s track record is like before you click on the buy button.

We hope that you find these tips useful this holiday season, and we wish you and yours the very happiest of holidays! And if you’ve got kids and they’re still young enough to believe in Santa Claus, check out this Naughty or Nice form that asks a few questions and lets them know what list they are on.

Social networks such as Facebook, Twitter, and MySpace are wonderful ways to connect with friends and family. Unfortunately they also provide excellent resources for online crooks to gain sensitive information via social engineering, a term synonymous with con games in the world of computer security. By learning what social engineering is, you can protect yourself from would-be (virtual) attackers and keep your data safe.

What is “social engineering”?

Social engineering is a non-technical intrusion using human interaction (thus, the “social” in “social engineering”) to gain information which directly, or indirectly, leads to a scam of some kind. The information compromised can be of any variety: passwords, access to computers and/or networks, account information, or anything else that can lead to additional data, money, identity theft, hacked accounts, or other problems for the victims. It’s considered a safer and easier way to run a con since the scammer rarely has to be physically present in front of the victim, so the Internet provides an excellent medium for these kinds of scams.

How does social engineering affect my social networking accounts?

Attempts to phish for information are notorious online, and you should learn how to protect yourself from phishers. Instant and direct messages, emails, chat… all forms of online communication have the potential to be tapped, spoofed, or intercepted. Whether it’s email, a social networking site, or something else, all it takes is one unsecured account and a bit of luck to gain access to hundreds, if not thousands, of other users. With access to one unsecured account, the scammer now has the trust of all of the real account owner’s friends and followers. The floodgates are now open for additional phishing attempts, data loss, and other forms of digital mischief.

Social engineering is very simple and very effective. The weakest link in any computer security scenario will always be a human, and social networks are chock full of them. With enough patience it’s only a matter of time before a scammer finds a victim.

How can I protect myself from being a victim?

The easiest way to guard against social engineering is to be skeptical of offers presented in emails, online, and over the phone. Social engineering attempts prey on every aspect of human behavior (greed, compassion, fear, love, etc.) and can even exploit outside events such as natural disasters and current news topics in order to extract information from the victim. Here are a few specific things you can do:

  • Ensure the legitimacy of anyone claiming to be a representative of a company, government office, or organization.
  • Never reveal personal information unless you are certain of their need for the information and that the information will be held in the strictest confidence.
  • Keep your passwords and other account access data secure. No company or its representatives should ever ask for your password, no matter how convincing the story they give you.
  • When entering sensitive information online, make sure you’re really on the web site you think you are on. Read our “How to Spot a Fake Website” post to learn more.
  • Never send sensitive and/or personal information via email or instant message to anyone, even friends and relatives. Spoofing emails and IM information is too easy.

If you come across a social engineering attempt, make sure to contact the service you used when the attempt occurred. Most social networking sites, companies, and organizations have a computer security team that handles these issues and you can help stop the spread of these attacks. Listed below are some resources for a few online services regarding safety, abuse, reporting, and/or support. To find out how to report on other sites, check their Help or Support links.

Online fraud can come in a variety of forms: forged emails from financial institutions, fake websites that look like a legitimate brand’s domain, and even instant messages. When a crook uses a computer to try to get you to reveal sensitive information to them it’s called “phishing”, and the really good phishers make it very difficult to tell the difference between them and the real thing.

Phishing is an example of social engineering, which is any social or interpersonal communication used for fraud of some kind. A phisher works by passing himself off as a legitimate source, often by mimicking a well-known source (a company, a friend, etc.). Under the pretense of being a trustworthy representative, the phisher crafts a message to potential victims that seems authoritative. And while most people won’t click through on these messages, a very small percentage of people is all that is necessary for the phisher to make money and/or wreak havoc.

It’s not just credit cards, bank accounts, and Social Security numbers that they’re seeking. They’ll take usernames, passwords, email addresses, URL history, cookie data… anything and everything that they can get their hands on that might get them closer to parting you and your money. We’re going to show you how to detect the 3 most common online frauds: email, fake websites, and instant messages.

Emails

Email is probably the most common method of phishing attempts. The price is right for spamming (basically free), and distribution of an email can go world-wide in a matter of minutes. A common tactic used by phishers to spread their “bait” is to write an email and use forged email addresses of major banks to inform you that there is a problem with your account. Another trick they employ is to tell you that you’ve won a prize. The safest thing is to not click on any link from an email that you aren’t 100% sure is from a real person or company. Also remember that no company should ever ask for the password to your account in an email! That’s a sure sign of a scam.

Fake websites

If the spam emails don’t ask you to reply back with your account data to “verify” you, they will usually have a link in the email that takes you to a website where you will be prompted to enter this information. These phishing websites can look very convincing, too, especially since it’s quite easy to clone another website. Many major ecommerce websites such as PayPal, eBay, and Chase.com have been cloned into a fake website used for phishing purposes.

Fake websites come in a variety of forms, but they all usually have tell-tale signs of being a scam: using an IP address (http://127.0.0.1) vs. a regular domain name (http://example.com/), having a URL that isn’t on the actual domain (for example, http://blog.stopsign.example.com would not be our blog; but at first glance it looks like it), etc. For more information about fake websites, read our blog post on how to detect fake websites.

Instant messages

The scam methods used in IMs are similar to those from emails. But instead of trying to get you to directly enter information, they usually just provide a link to a website that does all the dirty work for them. It’s best to ignore and/or block unknown users whenever they try to contact you.

Bonus tip: Alternate ways phishers try to catch you

As with most fraud schemes, phishing is a growing resource for crooks and it’s always changing. One alternate method phishers use to scam you is to use a real website to phish. In fact, right around the time this post was being written, a Twitter phishing scam made its way around Twitter using its Direct Message (DM) system and tweets, causing a lot of buzz about phishing on the immensely popular service (we even have a StopSign Blog Twitter account). You’ve got to be on your toes all the time to keep yourself safe, but with the tips we’ve written about, you should be able to recognize some of the more common scam methods.

A popular method used by phishers (scam artists who try to get you to reveal sensitive information like credit card numbers, bank accounts, etc.) to scam you is to hire a web developer to create a fake web site to do all of the phisher’s dirty work. Because it’s relatively simple for a decent web developer to copy another web site, it’s easy to be fooled by a fake web site. These fake sites are even more convincing when you see the name of your bank or some other online service in the URL (commonly known as the Internet address, or “web site”); but there are simple ways to spot a fake web site.

Common URL set ups

All HTTP URLs (i.e. your basic web site) follow a common format:

http://domain.tld/

For example:

http://example.com/

The “domain” is the actual domain name (e.g. “example”) and the “tld”, or top level domain, is the “com” portion.

The actual domain and the tld (e.g. “.com”, “.net”, “.org”, etc.) will always be the last parts of the URL before the first single forward slash (“/”) or a question mark (“?”) in an Internet address.

It’s important to note that a domain can have sub-domains before the “domain.tld”, such as our own http://blog.stopsign.com/, but only the real domain owners will be able to use the domain.tld format as described above to build/use their web site.

Spotting a fake/scam web site

Spotting a fake URL is as simple as looking for the domain.tld (in the right place) in the URL. If your bank is Chase, then you would expect to see http://www.chase.com; but if you saw http://www.chase.com.example.com/ then you know that you’re not really on chase.com; you’re on example.com.

Examples of valid example.com URLs:

  • http://www.example.com/
  • http://example.com/
  • http://blog.example.com
  • http://www.example.com/blog/
  • http://www.example.com?string

Examples of invalid example.com URLs:

  • http://www.example.fakeurlgoeshere.com/
  • http://example.fakeurlgoeshere.com/
  • http://www.example.com.fakeurlgoeshere.com?string

Did you see how all of the valid URLs have “example.com” before the first single forward slash and/or the first question mark? That’s the key to knowing what is real and what is a scam.
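The rule above (the real domain.tld must be the last labels of the host, before the first single “/” or “?”) is easy to get wrong by eye, so here is an added example that applies it in code. This is not StopSign’s code; it is written here for illustration using only the Python standard library, and it goes slightly beyond the post in two places: it flags a bare IP address as the host (mentioned in the phishing post on this page) and it handles a “user@host” trick, where whatever precedes an “@” is not the host at all. The `expected_domain` parameter and the sample URL list are assumptions for the demo. It assumes a single-label TLD such as “com”; a multi-label public suffix like co.uk would need the Public Suffix List, which this example does not consult.

```python
"""Does this URL really belong to the domain I expect? (added example, not StopSign's code)"""
from ipaddress import ip_address
from typing import Optional
from urllib.parse import urlsplit


def _host(url: str) -> Optional[str]:
    """Lower-cased host of the URL with any user@ prefix and :port removed.

    urlsplit() already treats everything up to the first single "/" or "?"
    as the network location, which is exactly the post's rule."""
    host = urlsplit(url).hostname
    return host.strip(".") if host else None


def registrable_domain(url: str) -> Optional[str]:
    """The 'domain.tld' part of the host (assumes a one-label TLD)."""
    host = _host(url)
    if not host:
        return None
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def is_ip_literal(url: str) -> bool:
    """True when the host is a raw IP address (IPv4 or IPv6) instead of a name."""
    host = _host(url)
    if not host:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the host IS expected_domain or ends with '.expected_domain'."""
    host = _host(url)
    expected = expected_domain.lower().strip(".")
    return bool(host) and (host == expected or host.endswith("." + expected))


def classify(url: str, expected_domain: str) -> str:
    """One-line verdict a user (or a mail filter) could act on."""
    if urlsplit(url).scheme not in ("http", "https"):
        return "not a web URL"
    if is_ip_literal(url):
        return "suspicious: bare IP address instead of a domain name"
    if belongs_to(url, expected_domain):
        return "ok: on " + expected_domain
    return "suspicious: actually on " + (registrable_domain(url) or "?")


# Constructed sample input: the post's valid and invalid example.com URLs,
# plus a user@host trick and a bare-IP link that the post's rule does not cover.
SAMPLE_URLS = [
    "http://www.example.com/",
    "http://example.com/",
    "http://blog.example.com",
    "http://www.example.com/blog/",
    "http://www.example.com?string",
    "http://www.example.fakeurlgoeshere.com/",
    "http://example.fakeurlgoeshere.com/",
    "http://www.example.com.fakeurlgoeshere.com?string",
    "http://www.example.com@fakeurlgoeshere.com/",  # host is fakeurlgoeshere.com
    "http://127.0.0.1/login",
]


def check_samples(expected_domain: str = "example.com") -> dict:
    """Map each sample URL to its verdict; returned so it can be asserted on."""
    return {url: classify(url, expected_domain) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print(f"{verdict:48} {url}")
```

The important design choice is that `belongs_to` only accepts an exact match or a host that ends in `.example.com`; a plain substring test (`"example.com" in url`) would pass every one of the invalid URLs in the post.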

There’s a lot to worry about online, and as an internet security software company we hope that you use our StopSign products to help keep you safe. But even if you don’t use our software, there are a few things you can easily do to ensure that you are less likely to be the victim of phishing, malware, or internet fraud.

  1. Secure? For sure! – “https”.

    When a web page requests personal information (like your Social Security number), when you’re making an online purchase, or when you need to access your bank account online, look in the address bar of your browser to make sure you are on a secure server.

    It’s easy to see if the site you’re on is secure by checking whether the URL starts with “https”. Non-secure websites use “http”, so just look for that additional “s”. No real company that is concerned about your security will ever ask you for any sensitive, banking, or credit card-related information without a secure server in place. Anything else is a scam, pure and simple.

  2. Watch where you’re browsing.

    A lot of phishing attempts are done by using similarly-named domains or by tricks with the URL. The domain name of the website you are trying to view should always be before the “.com” (or “.net”, or whatever top level domain they use).

    For example, our blog is supposed to be on stopsign.com. If you saw blog.stopsign.example.com, that is not the official StopSign blog, because our domain name (stopsign) isn’t before the “.com”. See our blog post “How to Spot a Fake Website” for more information on fake websites.

  3. Use a secure password.

    Making a secure password is a simple solution to staving off the casual hacker who wants to try to break into one of your online accounts. Often one of the first things they do is use a “dictionary” of common passwords and/or common words to try to access accounts. See our blog post “12 Tips for Making a Good Password” for additional details and tips on secure password creation.

  4. Don’t open that email attachment.

    Like most people you probably get dozens of emails per day. It’s not uncommon to get attachments to your email with pictures from friends and family, but make sure that you never open an email attachment from an unknown person. Lots of viruses and spyware are spread online by email, and if you open one of them you’ll be instantly infected.

  5. If it’s too good to be true.

    Beware the scam artists online who prey on the kind-hearted and the uninformed. The Nigerian scams (and their many variants), “donation” seekers who want your bank account information, and other pests flood the internet daily. If something you’re being told seems too good to be true, it is, and if an email or website is asking you for private information it’s more than likely a scam or some other type of internet fraud. Unless, of course, it really is from your bank or the government; but even then it would be on a secure server (when in doubt, give them a call and ask if they actually sent the email), and you should still be sure to watch where you’re browsing!

So there you go… 5 simple things that you can easily do to make sure that your browsing experience is safe and worry-free.