Here is this week’s Fraud Report
Pindrop releases 2017 report on fraudulent calls to customer service centers
The frauds are not only calling us directly, they are calling our banks and credit card companies trying to get more information in order to steal our money and benefits. A new report provides some startling insights into how widespread this fraud is and how successful it can be.
There are call centers that handle customer service calls for banks, credit card companies, major retailers, and a variety of other entities. We can call one and change our address or password, pay bills, and even withdraw money. The report says that call centers are the “weakest links in online security. 61% of fraud losses from account takeovers involve the call center.” Pindrop estimates that losses from calls to call centers were $14 billion last year.
How does the call center know it is really talking to the right person? Obviously they require a variety of personal information to authenticate that we are who we say we are. But as a result of data breaches and underground traffic in personal information, enterprising crooks may be able to convince the call center that it is dealing with its real customer. For example, a caller pretending to be you may claim they have lost their credit card and ask that a replacement be sent to a new address controlled by the fraud. And of course if they get access to your bank account they can just steal the money.
Organized crime has people around the world that can spend their days on the phone with call centers. The frauds can spoof caller IDs, use cheap mobile phones, Skype, or Google Voice to place the call, and use voice distortion software – all to hide their actual location. Pindrop’s technology allows it to determine the actual location of the caller and thus whether the caller is a real customer.
Pindrop reports that fraud on call centers increased 113% between 2015 and 2016, and that fraudulent calls doubled in volume during that time, from one in every 2000 calls to one in every 937. For US call centers 83% of such calls are coming from outside the United States.
Credit card issuers are one of the most frequent targets of this fraud, with 1 out of every 800 calls received coming from a fraud. Banks have fraudulent calls coming at the rate of 1 in every 867 calls. Insurance companies are also frequent targets, as are retailers. Frauds often try to obtain access to loyalty cards or points (think frequent flyers or hotel points) that can be turned into money.
The highest fraud rate for a single industry was for device insurance, the policies people have for lost or stolen phones. Fraudulent calls were 1 of every 194 last year, a 55% increase.
Have you received an email that looks like it came from someone you know, but it only had a hyperlink? What is that all about?
The FTC’s Chicago office has brought two cases against the people that use these spam emails to sell bogus diet pills.
Several years ago crooks hacked the Yahoo email accounts of a massive number of people, also obtaining the email contacts in these hacked accounts. Thus if they had hacked the account of Bob Heinlein, all of his contacts would receive an email containing a hyperlink, perhaps with a subject line such as “Hi, have you seen this?”
Those who click on the links are taken to web pages that look like articles by real consumer reporters, who claim that they tried diet pills and were “astonished” at how well they work. These fake news pages also claim that celebrities such as Oprah Winfrey use the pills, and contain fake testimonials from supposed users. The fake news pages have a hyperlink to one of the web sites where victims can order the Defendants’ worthless diet pills.
The FTC says that the Defendants in the Fowler case made at least $1.3 million from their efforts, and in Sale Slash at least $43.4 million.
BBB Releases First Annual Report for Fraud Complaints Made to Scam Tracker
As I’ve reported before, the Better Business Bureau has a relatively new program to capture complaints about fraud. Those who file a complaint about a fraud with the BBB can also agree to talk to the news media and to share the complaint with law enforcement. Scam Tracker complaints can be filed online here or by calling most local Bureaus. The Scam Tracker also has a useful feature that can graphically display all the fraud complaints filed by people in your area. This really helps demonstrate just how widespread fraud really is. Click here to see a map of your area or neighborhood and what frauds are being reported.
The BBB has just released a first ever report detailing the fraud complaints it received in 2016. It includes some great features. First, it breaks the frauds down into understandable categories and explains very nicely what is included. Second, it attempts to determine what age and sex is most often ripped off by each fraud. It found that those 18-24 were overall most likely to be fraud victims, and those over 65 were the least likely to report a fraud. However, the median actual dollar loss was highest for the over 65 group. Third, they found that women were twice as likely to report a fraud as were men. (They did not find, however, that men are exposed to fraud less often.)
The BBB calculated that the three most risky frauds for those over 65 were:
- Family/friend emergency (grandparent scams);
- Sweepstakes/Lottery Prizes (Jamaican lottery frauds); and
- Travel/Vacations (bogus ads to rent properties and timeshare resale fraud)
The most interesting innovation in the BBB report, though, is its effort to apply a “risk index” to complaints. As we all know, of the billions of robocalls that are made, only a small fraction of those receiving the calls are actually defrauded. (Of course, enough do get defrauded that the calls make money for the frauds.) In addition, many people file complaints about robocalls or other fraud attempts even when they do not actually lose money (such complaints are still valuable to law enforcement because they can help show patterns).
The BBB has attempted to calculate three factors to determine the riskiest frauds.
- Exposure (how likely are you to be exposed to the con?)
- Susceptibility (if you are exposed, how likely are you to lose money?); and
- Monetary Loss (if you lose money, how much is it likely to be?)
Using that formula the Report concludes that the ten riskiest frauds are:
- Home Improvement Scams (the fraudsters actually appear at your door and ask to do work)
- Fake Checks and Money Orders (See the Baker Fraud Report explaining these)
- Employment Scams (These often include fake checks)
- Online Purchase Scams (goods ordered from a web site that are never delivered, or that again involve a fake check in an overpayment fraud)
- Advance Fee Loan Frauds (you apply for a loan online or by phone, are asked to pay fees for things such as insurance but there is no loan ever made).
- Investment frauds
- Romance Scams (see Baker Fraud Report for more).
- Tech Support Frauds (see Report on these here)
- Family/Friend Emergencies (Grandparent frauds), and
- Sweepstakes/Lottery/Prizes (see Report on Jamaican Lottery Frauds)
The FTC announced this settlement with Joel Treuhalf and his company on February 15. The FTC alleges that the defendant hired “runners” in Florida to pick up the money victims sent after being defrauded by IRS impersonators. The runners went to Western Union and MoneyGram outlets to collect the money, kept 7% for themselves, and then deposited the rest into several different bank accounts. The deposited money then made its way to India. The FTC alleges that “In less than eight months, from July 2015 to February 2016, Defendants collected more than $1.5 million from approximately 3,000 consumers throughout the United States.” Click here to read more about money mules.
Can you hear me frauds: No evidence that this is actually happening
Over the last several weeks there have been many news reports asserting that there is a new fraud underway in which a person receives a phone call that asks “Can you hear me.” When the person answering the phone says “Yes” the call ends. This is then supposedly used to sign people up for things they don’t want and didn’t intend to buy.
But is this true? Is this happening? Snopes.com has reported that they have been unable to verify that this is actually happening. I have also talked to the Canadian Antifraud Centre, which handles mass marketing fraud complaints from all Canadian (and even American) consumers, and they tell me that they have seen absolutely no evidence that this is a real fraud tactic.
Do scams tape record victims? Absolutely. Telemarketing frauds, especially those that take payment by credit cards, routinely tape record a “verification” after they make a deceptive sale. They use these recordings to challenge those who later realize that they have been defrauded and challenge the transaction with their credit card company. Of course these verification recordings do not include the deceptive claims. The FTC has also seen companies that claim they have such recordings even when they do not. Other frauds even doctor these tapes to make it appear that victims agreed to the charges when they really did not. This tactic may stave off complaints by individual challenges, but I have never seen this work as a defense in an FTC consumer fraud case.
If there is one thing everyone hates it is prerecorded “robocalls.” Though the Federal Trade Commission has the Do Not Call list, and has brought over a hundred cases closing down robocall operations, these continue to be a problem. I got one ten minutes ago. The FTC recently reported that complaints about robocalls went up 50% in 2016, so we are nowhere near an end to these.
A company called Nomorobo offers a free service to block robocalls, even many by politicians, while still allowing calls about prescription refills and the like. But it does not work with the traditional land line phones most of us grew up with. But many of us now get our phone service through the internet, often packaged with our TV cable system. (Apparently it does not work with Magic Jack).
To get this just go to Nomorobo.com. This company won the FTC award for the best technology to fight robocalls. They do this by compiling a list of known robocalls and not permitting those to ring through to your phone.
But what about calls to my mobile phone?
Nomorobo also offers a paid service for cell phones that will block calls on one smartphone for $1.99 per month. In addition, there are a variety of apps, some free, designed to help. This article by a cell phone industry group lists some of these apps.
What about my old home landline?
Sorry, I’m not aware of any effective way to cheaply end calls to landlines, though the Federal Communications Commission has announced that it is working with the phone companies to find a way to end the scourge of robocalls.
The National Consumers League has just released data on the top 10 complaints they received in 2016. You can find it here. A few points to mention about their data, and some useful tips.
• #1 overall was things ordered over the internet that were paid for but never received. This includes used cars, counterfeit designer or sports goods, event tickets, and pets.
• #2 was sweepstakes and lottery fraud, such as Jamaican lottery fraud.
• #3 was fraud involving fake checks. These were up by 1/3 from 2015.
• #4 was demands for money that you don’t really owe, such as IRS impersonators.
• #5 was tech support fraud, wanting money to fix supposed problems with your computer.
• Average losses for these fraud complaints doubled from the year before, with the biggest losses coming from romance scams.
• The age range with the most complaints was victims 26-35 years old.
• Before paying money to any business check them out with the Better Business Bureau. The BBB has reports on essentially ALL real businesses, not just members. It is easy to check in advance. Go to BBB.org.
• Especially if you are buying on line never pay any way other than by credit card. If you use a credit card you may be able to get your money back if it is a fraud. Anyone who will not take a credit card is very likely a fraud.
• Never pay for anything by buying gift cards.
The National Consumers League takes consumer complaints on line and shares them with law enforcement in the US and Canada. They also download these complaints into the FTC’s Consumer Sentinel Database. Many of these are internet-based complaints, often from around the world. You can file a complaint with them here.
We all get dodgy spam emails, some of which initially appear to be legitimate bills or notices from companies we deal with. But many of these are actually “phishing scams” that have attachments which, when opened, install secret programs on our computers. Some news reports, in fact, suggest that the hack of John Podesta’s emails at the Democratic National Committee was the result of such an attack.
But if our emails are not dumped onto WikiLeaks, what exactly happens if we open a bad attachment? In December the Justice Department, working with Europol and 40 other countries, announced “Operation Avalanche” against a massive worldwide operation that had been providing very sophisticated computer support to hide the activities of the crooks since at least 2010.
What were the frauds?
This seems to have involved both ransomware and stealing money from victims’ online bank accounts.
This fraud appears to be exploding in size, and is expected to account for a billion dollars in losses in 2016. In addition to defrauding businesses, it also is now being seen on people’s personal computers and cell phones. It is relatively simple. A victim opens an email attachment from a phishing email, which then encrypts all the data on the computer or phone. The victim gets an email telling them they can only get their data back if they send money through bitcoin to the fraudsters. It is essentially impossible to learn who received the money.
Stealing money from bank accounts
This was the other fraud that was involved here. After victims opened the attachment, spyware on their computer would monitor keystrokes and thus get the login information for victims’ online bank accounts. The frauds would then wire money from the victim’s account to a money mule, someone working with the fraudsters. The mules would then buy goods, presumably computers and other electronics, and ship them to the fraudsters. (For more on how mules operate see this article on Baker Fraud Report.)
What were the effects of this fraud?
Hundreds of millions of dollars were lost through the fraud using the Avalanche network. Tens of millions of computers were infected. This network was using at least 500,000 infected computers every day. The cybercriminals use the computers they have infected as networks, known as “botnets.” Thus if your computer is running slow it may be part of a botnet, sending email and other information when you don’t even know it. This enterprise sent at least one million phishing emails out every week.
So what did Operation Avalanche accomplish?
This enterprise was involved in sending out more than two dozen of the world’s most pernicious families of malware. Five people were arrested, 37 locations were searched, and 39 servers were seized. Another 221 servers were taken off line. In addition, law enforcement crippled the connection between individual computers and this fraud network. Thus for likely millions of people, the spyware is still on their computers, but communications now go back to law enforcement instead of the fraudsters.
DOJ press release
Europol press release