
Fraud calls directly to Customer Service

Pindrop releases 2017 report on fraudulent calls to customer service centers

The frauds are not only calling us directly, they are calling our banks and credit card companies trying to get more information in order to steal our money and benefits.  A new report provides some startling insights into how widespread this fraud is and how successful it can be.

There are call centers that handle customer service calls for banks, credit card companies, major retailers, and a variety of other entities.  We can call one and change our address or password, pay bills, and even withdraw money.  The report says that call centers are the “weakest links in online security.  61% of fraud losses from account takeovers involve the call center.”  Pindrop estimates that losses from calls to call centers were $14 Billion last year.

How does the call center know it is really talking to the right person?  Obviously they require a variety of personal information to authenticate that we are who we say we are.  But as a result of data breaches and underground traffic in personal information enterprising crooks may be able to convince the call center that it is dealing with its real customer.  For example, a caller pretending to be you may claim they have lost their credit card and ask that a replacement be sent to a new address controlled by the fraud.  And of course if they get access to your bank account they can just steal the money.

Organized crime has people around the world that can spend their days on the phone with call centers.  The frauds can spoof caller IDs, use cheap mobile phones, Skype, or Google Voice to place the call, and use voice distortion software – all to hide their actual location.  Pindrop’s technology allows it to determine the actual location of the caller and thus whether the caller is a real customer.

Pindrop reports that fraud on call centers increased 113% between 2015 and 2016, and that fraudulent calls doubled in volume during that time, from one in every 2000 calls to one in every 937.  For US call centers 83% of such calls are coming from outside the United States.

Credit card issuers are one of the most frequent targets of this fraud, with 1 out of every 800 calls received coming from a fraud.   Banks have fraudulent calls coming at the rate of 1 in every 867 calls.  Insurance companies are also frequent targets, as are retailers.  Frauds often try to obtain access to loyalty cards or points (think frequent flyers or hotel points) that can be turned into money.

The highest fraud rate for a single industry was for device insurance, the policies people have for lost or stolen phones.  Fraudulent calls were 1 of every 194 last year, a 55% increase.

 

Did you get an email that looks like it comes from someone you know?

Have you received an email that looks like it came from someone you know, but it only had a hyperlink? What is that all about?
The FTC’s Chicago office has brought two cases against the people that use these spam emails to sell bogus diet pills.

Several years ago crooks hacked the Yahoo email accounts of a massive number of people, also obtaining the email contacts in these hacked accounts. Thus if they had hacked the account of Bob Heinlein, all of his contacts would receive an email containing a hyperlink, perhaps with a subject line such as “Hi, have you seen this?”

Those who click on the links are taken to web pages that look like articles by real consumer reporters, who claim that they tried diet pills and were “astonished” at how well they work. These fake news pages also claim that celebrities such as Oprah Winfrey use the pills, and contain fake testimonials from supposed users. The fake news pages have a hyperlink to one of the web sites where victims can order the Defendants’ worthless diet pills.

The FTC says that the Defendants in the Fowler case made at least $1.3 million from their efforts, and in Sale Slash at least $43.4 million.

Better Business Bureau Releases First Annual Fraud Report

 

BBB Releases First Annual Report for Fraud Complaints Made to Scam Tracker

 

As I’ve reported before, the Better Business Bureau has a relatively new program to capture complaints about fraud.  Those who file a complaint about a fraud with the BBB can also agree to talk to the news media and to share the complaint with law enforcement.  Scam Tracker complaints can be filed online here or by calling most local Bureaus. The Scam Tracker also has a useful feature that can graphically display all the fraud complaints filed by people in your area.  This really helps demonstrate just how widespread fraud really is.  Click here to see a map of your area or neighborhood and what frauds are being reported.

The BBB has just released a first ever report detailing the fraud complaints it received in 2016.  It includes some great features.  First, it breaks the frauds down into understandable categories and explains very nicely what is included. Second, it attempts to determine what age and sex is most often ripped off by each fraud.  It found that those 18-24 were overall most likely to be fraud victims, and those over 65 were the least likely to report a fraud.  However, the median actual dollar loss was highest for the over 65 group.  Third, they found that women were twice as likely to report a fraud as were men.  (But they did not find that men are exposed to fraud less often.)

The BBB calculated that the three most risky frauds for those over 65 were:

  1. Family/friend emergency (grandparent scams);
  2. Sweepstakes/Lottery Prizes (Jamaican lottery frauds); and
  3. Travel/Vacations (bogus ads to rent properties and timeshare resale fraud)

The most interesting innovation in the BBB report, though, is its effort to apply a “risk index” to complaints.  As we all know, of the billions of robocalls that are made only a small fraction of those receiving the calls are actually defrauded.  (Of course enough do get defrauded that the calls make money for the frauds).  In addition, many people file complaints about robocalls or other fraud attempts even when they do not actually lose money (such complaints are still valuable to law enforcement because they can help show patterns).

The BBB has attempted to calculate three factors to determine the riskiest frauds.

  1. Exposure (how likely are you to be exposed to the con?)
  2. Susceptibility (if you are exposed, how likely are you to lose money?); and
  3. Monetary Loss (if you lose money, how much is it likely to be?)

Using that formula the Report concludes that the ten riskiest frauds are:

  1. Home Improvement Scams (the fraudsters actually appear at your door and ask to do work)
  2. Fake Checks and Money Orders (See the Baker Fraud Report explaining these)
  3. Employment Scams (These often include fake checks)
  4. Online Purchase Scams (goods ordered from a web site that are never delivered, or that again involve a fake check in an overpayment fraud)
  5. Advance Fee Loan Frauds (you apply for a loan online or by phone and are asked to pay fees for things such as insurance, but there is no loan ever made)
  6. Investment frauds
  7. Romance Scams (see Baker Fraud Report for more).
  8. Tech Support Frauds (see Report on these here)
  9. Family/Friend Emergencies (Grandparent frauds), and
  10. Sweepstakes/Lottery/Prizes (see Report on Jamaican Lottery Frauds)

FTC settles with Mule that collected money from victims of IRS impersonators

The FTC announced this settlement with Joel Treuhalf and his company on February 15.  The FTC alleges that the defendant hired “runners” in Florida to pick up the money victims sent after being defrauded by IRS impersonators.  The runners went to Western Union and MoneyGram outlets to collect the money, kept 7% for themselves, and then deposited the rest into several different bank accounts.  The deposited money then made its way to India.  The FTC alleges that “In less than eight months, from July 2015 to February 2016, Defendants collected more than $1.5 million from approximately 3,000 consumers throughout the United States.”  Click here to read more about money mules.

Can You Hear Me Fraud — Is this for real?

Can you hear me frauds: No evidence that this is actually happening

Over the last several weeks there have been many news reports asserting that there is a new fraud underway in which a person receives a phone call that asks “Can you hear me.”  When the person answering the phone says “Yes” the call ends.  This is then supposedly used to sign people up for things they don’t want and didn’t intend to buy.

But is this true? Is this happening?  Snopes.com has reported that they have been unable to verify that this is actually happening.  I have also talked to the Canadian Antifraud Centre, which handles mass marketing fraud complaints from all Canadian (and even American) consumers, and they tell me that they have seen absolutely no evidence that this is a real fraud tactic.

Do scams tape record victims?  Absolutely.  Telemarketing frauds, especially those that take payment by credit cards, routinely tape record a “verification” after they make a deceptive sale.  They use these recordings to challenge those who later realize that they have been defrauded and challenge the transaction with their credit card company.  Of course these verification recordings do not include the deceptive claims.  The FTC has also seen companies that claim they have such recordings even when they do not.  Other frauds even doctor these tapes to make it appear that victims agreed to the charges when they really did not.   This tactic may stave off complaints by individual challenges, but I have never seen this work as a defense in an FTC consumer fraud case.

Stop Robocalls for FREE – if your phone service works over the Internet

If there is one thing everyone hates it is prerecorded “robocalls.” Though the Federal Trade Commission has the Do Not Call list, and has brought over a hundred cases closing down robocall operations, these continue to be a problem. I got one ten minutes ago. The FTC recently reported that complaints about robocalls went up 50% in 2016, so we are nowhere near an end to these.

A company called Nomorobo offers a free service to block robocalls, even many by politicians, while still allowing calls about prescription refills and the like. But it does not work with the traditional land line phones most of us grew up with. But many of us now get our phone service through the internet, often packaged with our TV cable system. (Apparently it does not work with Magic Jack).

To get this just go to Nomorobo.com. This company won the FTC award for the best technology to fight robocalls. They do this by compiling a list of known robocalls and not permitting those to ring through to your phone.

But what about calls to my mobile phone?

Nomorobo also offers a service for cell phones, though you have to pay for it: it will block calls on one smartphone for $1.99 per month. In addition, there are a variety of apps, some free, designed to help. This article by a cell phone industry group lists some of these apps.

What about my old home landline?
Sorry, I’m not aware of any effective way to cheaply end calls to landlines, though the Federal Communications Commission has announced that it is working with the phone companies to find a way to end the scourge of robocalls.

TOP TEN FRAUDS FOR 2016 — NCL

The National Consumers League has just released data on the top 10 complaints they received in 2016. You can find it here. A few points to mention about their data, and some useful tips.

• #1 overall was things ordered over the internet that were paid for but never received. This includes used cars, counterfeit designer or sports goods, event tickets, and pets.

• #2 was sweepstakes and lottery fraud, such as Jamaican lottery fraud.

• #3 was fraud involving fake checks. These were up by 1/3 from 2015.

• #4 was demands for money that you don’t really owe, such as IRS impersonators.

• #5 was tech support fraud, wanting money to fix supposed problems with your computer.

• Average losses for these fraud complaints doubled from the year before, with the biggest losses coming from romance scams.

• The age range with the most complaints was victims 26-35 years old.

Helpful tips:

• Before paying money to any business check them out with the Better Business Bureau. The BBB has reports on essentially ALL real businesses, not just members. It is easy to check in advance. Go to BBB.org.

• Especially if you are buying on line never pay any way other than by credit card. If you use a credit card you may be able to get your money back if it is a fraud. Anyone who will not take a credit card is very likely a fraud.

• Never pay for anything by buying gift cards.

The National Consumers League takes consumer complaints on line and shares them with law enforcement in the US and Canada. They also download these complaints into the FTC’s Consumer Sentinel Database. Many of these are internet-based complaints, often from around the world. You can file a complaint with them here.

Operation Avalanche takes out International Computer System Used by Frauds

We all get dodgy spam emails, some of which initially appear to be legitimate bills or notices from companies we deal with. But many of these are actually “phishing scams” that have attachments which, when opened, install secret programs on our computers. Some news reports, in fact, suggest that the hack of John Podesta’s emails at the Democratic National Committee was the result of such an attack.

But if our emails are not dumped onto WikiLeaks, what exactly happens if we open a bad attachment? In December the Justice Department, working with Europol and 40 other countries, announced “Operation Avalanche” against a massive worldwide operation that had been providing very sophisticated computer support to hide the activities of the crooks since at least 2010.

What were the frauds?
This seems to have involved both ransomware and stealing money from victims’ online bank accounts.

Ransomware
This fraud appears to be exploding in size, and is expected to account for a billion dollars in losses in 2016. In addition to defrauding businesses, it also is now being seen on people’s personal computers and cell phones. It is relatively simple. A victim opens an email attachment from a phishing email, which then encrypts all the data on the computer or phone. The victim gets an email telling them they can only get their data back if they send money through bitcoin to the fraudsters. It is essentially impossible to learn who received the money.

Stealing money from bank accounts
This was the other fraud that was involved here. After victims opened the attachment, spyware on their computer would monitor keystrokes on their computer and thus get the login information for victims’ online bank accounts. The frauds would then wire money from the victim’s account to a money mule, someone working with the fraudsters. The mules would then buy goods, presumably computers and other electronics, and ship them to the fraudsters. (For more on how mules operate see this article on Baker Fraud Report.)

What were the effects of this fraud?
Hundreds of millions of dollars were lost through the fraud using the Avalanche network. Tens of millions of computers were infected. This network was using at least 500,000 infected computers every day. The cybercriminals use the computers they have infected as networks, known as “botnets.” Thus if your computer is running slow it may be part of a botnet, sending email and other information when you don’t even know it. This enterprise sent at least one million phishing emails out every week.

So what did Operation Avalanche Accomplish?
This enterprise was involved in sending out more than two dozen of the world’s most pernicious families of malware. Five people were arrested, 37 locations were searched, and 39 servers were seized. Another 221 servers were taken off line. In addition, law enforcement crippled the connection between individual computers and this fraud network. Thus for likely millions of people, the spyware is still on their computers, but communications now go back to law enforcement instead of the fraudsters.

DOJ press release
Europol press release

FTC shuts down Craigslist rental fraud

FTC shuts down large Craigslist rental fraud

Many people looking for a house to rent or buy go to Craigslist. Craigslist provides a great free service – but the crooks are using the site as well to rip people off. The FTC has just shut down Credit Bureau Center. This company advertised attractive rentals by posting pictures of great places at good prices. Addresses were not provided in the ad. Those interested in renting could only contact the company by email. The company responded by email, telling victims that in order to see the property they had to go to a website, get a “free” credit report, and bring it along to the walkthrough.

But those who obtained the credit report were not told that by putting in their credit card number and other personal information, such as a social security number, they were really signing up with a credit monitoring service – and would be charged $29.95 every month until they could make the charges stop. The FTC says that this company billed victims for more than $6 million.

There was no walkthrough. The rental properties either did not exist or the Defendants had no right to rent them. The fraud was all about conning people into providing their credit card numbers.

The FTC’s court brief said that between it and the BBB there were over 500 consumer complaints.

This is not the only case involving fake houses offered for sale on craigslist. Last fall there were news reports of a search warrant being served in Santa Barbara, CA.

A study was released a year or so ago doing an in depth look at Craigslist rental frauds.

Sextortion on the Rise

Sextortion

 One of the new kinds of cybercrime has resulted in a new word – Sextortion.  This term has come to cover two different kinds of online activity. It is not surprising that sexual predators or those trafficking in child porn sometimes obtain, or coerce people into providing, nude pictures or videos and use those for blackmail. A number of these have been prosecuted.  In fact, Nigerian police recently arrested two Canadian women, Kardashian look-alikes, who apparently had sex with wealthy Nigerian men, recorded the events, and then blackmailed them for money.

But this has also become a very widespread scheme run internationally by organized fraud gangs.  A group that deals with this fraud, scamsurvivors, says that it has helped over 15,000 people around the world who have become victims.   Though victims are often reluctant to go to law enforcement, UK officials say that the number of complaints that they receive has doubled in the last year, and they are aware of at least four suicides.  In addition, this scam has been targeting young members of the U.S. military.

Here is how it works

A young man (usually) meets a beautiful young woman online at a chat site or a dating site.  They communicate, perhaps texting and exchanging photos, and then she suggests that they become friends on Facebook.  Before long they both use webcams such as Skype to perform sexually explicit acts.  The crooks tape record the session, and then demand money or they will send the video to the victim’s family and friends.  Sometimes victims are called by the woman’s “father” claiming the girl was underage, and that this was therefore child pornography that could be reported to the police and result in criminal charges against the guy.

Who is behind this?

The organized frauds appear to be operating primarily from the Philippines, Morocco, and the Ivory Coast. But of course the victim does not know that they are dealing with someone outside the country.

How do they contact victims?
It is sometimes dating sites, but they often reach victims through chat sites such as Chatroulette or Omegle.   The frauds also typically set up fake Facebook profiles, stealing pictures of women from porn sites or other places on the internet.  Then they scour Facebook for likely subjects.  From looking at a victim’s Facebook page they may have a good idea of their social status and thus how much money they have.  Some frauds also seem to be using LinkedIn to contact potential victims.

Who are the women?

The “women” in these situations don’t really exist.  They are computer generated sexbots, though that is not apparent to the viewer.  Those running the frauds can easily control the actions of these bots, making them wave, toss their hair, or do other things.

Who are the victims?

The vast majority of victims are males between 15 and 25.  Some are young members of the military.  The Naval Criminal Investigative Service (NCIS) reports that it received 300 sextortion reports over four years, but in 2016 they received more than 120.  It seems likely that this fraud is also targeting military members in other countries as well.  Here is a good article on the response to this scam by the US military.

How much do they want?

This varies depending on the fraudsters’ estimate of ability to pay, but initial demands seem to be about $500.  Of course anyone who pays will face demands for still more money.

What effect does this have on victims?

Like many frauds, victims suffer from more than the loss of money.  As noted, there are several reported suicides. In addition, victims who are Muslim or come from a family with strong religious beliefs may be especially worried.

How do victims pay? 

Most of the time the money is sent through Western Union or MoneyGram, though a few use Paypal.  Other payment methods are possible.

What if you don’t pay? 

In this fraud the gangs apparently do not actually follow up with their threats.  It is easier to just move on to new victims.

Similar tactics of recording sessions on webcams are also sometimes used by romance scammers, and those frauds have been known to actually post explicit videos.  But romance fraudsters tend to have a longer term interest in their victims and may know about their ability to pay or vulnerability to this type of blackmail.

What is law enforcement doing? 

International fraud is a real challenge for most law enforcement.  However, after a suicide in Scotland by a 17-year-old victim, UK police worked with Interpol to take action in the Philippines.  In 2014 police searched a number of large operations near Manila that were engaged in this fraud and arrested at least 55 people.  These fraud operations had victims in Hong Kong, Singapore, the UK and the U.S.  U.S. service members were also victims.

The woman in charge of one operation was reportedly the owner of two different Western Union outlets that were used to receive the money from victims.  In an interesting twist, this enterprise was texting with potential victims and convincing the victims that they had a problem with their phones. The fraudsters sent them a “fix” to install on their phone which contained a Trojan virus.  This allowed the fraudsters to download all the victims’ contact information.  Armed with that information, the crooks apparently could even threaten to send the video to specific people such as their mother or father.

There is an excellent TV news report on this effort on Undercover Asia.  It runs about 45 minutes but is extremely well done and is fascinating.

I’ve seen no news on convictions in this case.  In the Philippines victims must file formal complaints, and many victims are, understandably, reluctant to come forward.

Law enforcement in the UK has also made a real attempt to educate the public about this fraud and encourage victims to come forward.

 What to do if you’re a victim.

DO NOT PAY!  I would recommend as a first step going to scamsurvivors.com.  They have a step by step guide for victims to go through, such as closing down all Facebook pages and cutting off all communications from the fraud.

COMPLAIN TO LAW ENFORCEMENT.   Even if an agency can’t help with this particular instance, the information you provide may help them stop the fraud and help protect other people from becoming victims.  Here is information on where and how to complain.