Identity Theft Examples Using Social Engineering and Phone Phishing Techniques
Major Thefts of Online Credit Card Info
The Federal Trade Commission estimates that nearly 10 million
Americans had their identities stolen in 2003, costing consumers
and businesses more than $50 billion. Unauthorized access to checking
accounts through phishing is one of the fastest-growing types of
identity theft. Banking experts think electronic fraud will slow
the growth of e-commerce.
Websites are being hacked and security systems compromised with
increasing frequency. Some of the more significant incidents
include the hacking of CD Universe’s website and the theft
of three hundred and fifty thousand (350,000) credit card numbers.
More recently, furniture retailer IKEA’s website was broken
into, exposing thousands of customers’ personal identifying
information. The IKEA incident was followed several days later
by the hacking of Western Union’s website, where the hackers
left evidence of having made electronic copies of the credit and
debit card information of over fifteen thousand (15,000) customers.
Give Till It Hurts
A bogus donation request which is being sent out online may result
in identity theft, financial losses and the diversion of charitable
gifts from the intended recipients.
The request comes in the form of an executable file virus attached
to an e-mail message.
Upon execution, the user is presented with a donation request
form to fill out. The e-mail appears to come from the American
Red Cross, United Way and the September 11th Fund. Once the
form is complete, the personal and confidential information on
the form is uploaded to a non-Red Cross Web site.
The Red Cross stresses that they only accept credit card information
through a secure portal on a Web site, not through an e-mail message.
Circulation of Fictitious IRS Forms and Bank Letters
Attached are samples of a fictitious document that is not a
genuine IRS Form and a fraudulent letter addressed to a bank
customer purporting to be from the customer's bank.
Documents like those attached are being circulated nationwide
in an attempt to steal your identity and money by
having you disclose personal and banking information. Accordingly,
when the perpetrator of the fraud contacts your bank in person,
telephonically or through electronic means, they have all the necessary
customer information to appear credible.
Fake IRS form (pdf)
Fake bank letter (pdf)
Form W-9095 - Application Form for Certificate Status / Ownership
for Withholding Tax
Fax #: 1-914-470-9245
Monique Meeuws
Military Families Targets of Latest Tax Scam
Military families are the target of two new tax scams aimed
at robbing the families of their credit card information by promising
refunds from the IRS. Mark Everson, the newly appointed IRS Commissioner,
is warning taxpayers that these inquiries are not from the IRS.
In one scam, families are contacted by telephone and told they
are speaking with a representative from the IRS. They are informed
that because they have a family member serving in the military
they are entitled to a special $4,000 tax refund. To receive the
refund, the families are told they must pay a $42 fee that covers
postage. The military families are then asked for a credit card
number to pay for the $42 fee. There is no $4,000 tax refund available
for families of members in the armed forces.
The other new scam is appearing in e-mail messages, again to military
families. The message appears to have been sent by the IRS. Taxpayers
are urged to follow a link to a website where they are asked to
fill in personal and financial information. The website referred
to in the e-mail message is not an IRS site.
Got a phone call today from a man claiming to be from the National
Privacy Association. He said he was going to remove
our phone number from the 92 calling lists it is now on if I
would verify my savings and checking account numbers.
He said if I do not verify this information our accounts are in
danger of being drained so I should just tell him my account numbers
and he would fix it.
When I resisted his request he assured me that I was making a
big mistake and that he already had a list there with the numbers
on it but just had to verify that they were correct.
This really frightened me as I have never had a
telemarketer be so insistent. They are usually polite when
I say I am not interested. This man said I had requested
to be removed from all lists and that since I refused to verify
any information I was wasting his time.
Was I right to refuse his demands?
07/12/02
A Wholesome Name to Start With
I would like to draw your attention to a web site called
counterfeitlibrary.com where people openly trade, buy, sell, advertise
and discuss things such as: hacked eBay and PayPal accounts,
selling people's credit information, conducting fraudulent
eBay auctions, selling fake IDs, selling bank accounts under
fake names, etc.
All of this is done OPENLY. There are indications of people
there who, through their jobs, have access to thousands of people's
credit information, which they sell for $50 or so per victim.
I have personally talked to people who have had their eBay accounts
hijacked by "members" of this site. They watched
helplessly as the hackers defrauded innocent buyers, and then likely
used both parties' information to obtain credit cards in their names,
etc.
Jeff Landis 09/09/02
Examples
In one notorious case of identity theft, the criminal, a convicted
felon, not only incurred more than $100,000 of credit card debt,
obtained a federal home loan, and bought homes, motorcycles, and
handguns in the victim’s name, but called his victim to taunt
him, saying that he could continue to pose as the victim
for as long as he wanted because identity theft was not a federal
crime at the time, before filing for bankruptcy, also in
the victim’s name.
While the victim and his wife spent more than four years and
more than $15,000 of their own money to restore their credit and
reputation, the criminal served a brief sentence for making a false
statement to procure a firearm, but made no restitution to his
victim for any of the harm he had caused. That case, and others
like it, prompted Congress in 1998 to create a new federal offense
for identity theft.
Your Husband the Deadbeat
Attempting to get identity information, one caller speaks to women
he can reach during the daytime and states that he is phoning about "your
husband’s credit card payment, which is overdue." The
caller then asks the wife to confirm her husband’s Social
Security number and requests other personal information.
In one instance, the woman’s husband had died three years
earlier and had no credit cards. Another wife reported that her
husband only had one credit card, and it was not the one mentioned
by the caller.
A False Sense of Security
Scammers on the Net have been setting up fake websites which profess
to be the security department of your favorite web portal or auction
site. They email you with a request to verify your account
login and password, perhaps even your payment account or credit
card numbers.
The sites look very official, complete with logos and a proper-sounding
URL such as www.security.ebay.com or some such. With the details you
supply, the scammers soon take over your account and make purchases on
your behalf, shipping the merchandise to a different address from your own.
As If The Taxman Alone Isn't Bad Enough
03/04 - Some taxpayers in Michigan have received e-mail notices
from non-Internal Revenue Service sources claiming they are being
audited and must complete a questionnaire within 48 hours to avoid
financial penalties, according to the Attorney General’s
office.
The taxpayer is asked for his or her Social Security number, bank account
numbers and other confidential information.
Taxpayers are being advised not to provide the requested information.
The IRS does not conduct e-audits nor does it notify taxpayers of a pending
audit by e-mail, the Attorney General’s office said.
Cold Calling Cons
03/04 - Alaska - The Anchorage Police Department is investigating
a recent rash of what are believed to be fraudulent phone calls
targeted at Alaska Communications Systems customers.
A spokeswoman for the Anchorage-based telecom company said hundreds
of customers over the past two weeks have reported receiving phone
calls from someone claiming to be an ACS representative and asking
them for personal information such as credit card numbers, Social
Security numbers and birth dates.
The callers, most of whom have heavy foreign accents, tell the
customers they need the information so that they can save them
money on their monthly phone bills, Pease said.
ACS is not making such calls, and the company's customer service
reps would never ask for such personal information.
The department's fraud division began an investigation Tuesday
and determined that the calls are coming from out of state, possibly
from New York.
$100m computer fraudster stole identities of 30,000 Americans
Then bank accounts were plundered by Nigerian gangsters who bought confidential data
From James Bone in New York - timesonline.co.uk
01/05 - A BRITISH immigrant who worked on a help-desk for a New
York software firm has been jailed for 14 years for his part in
the largest identity theft in American history.
Philip Cummings, 35, who now lives in Cartersville, Georgia, apologised
to the court for downloading passwords and credit information and selling
them for $30 (£16) each to a ring of Nigerian immigrants who used
them to cheat about 30,000 people out of an estimated $50 million-$100
million. The federal district court in New York received statements from
around 300 victims who had seen their bank accounts emptied and fake
loans taken out by the Bronx-based gang.
“I'm very, very sorry for my conduct in this case,” Cummings said at the
sentencing hearing on Tuesday. “I normally don't get into this kind of
trouble.”
Cummings, who emigrated to America when he was 15, originally faced up
to 50 years in prison but agreed to a plea bargain last year on fraud
and conspiracy charges.
Claiming he needs a heart transplant, he appealed for leniency. But the
judge said the crime was too serious and ordered him to report to jail
on March 9. Although a British citizen, he did not seek consular assistance.
District Court Judge George Daniels said the case emphasised how easy
it was to wreak havoc on people’s financial and personal lives,
and called the personal suffering of the victims “almost unimaginable”.
In 1999 and 2000, Cummings provided technical support on the help desk
of Teledata Communications, a Long Island company that provides the software
needed to run credit checks at America’s “big three” credit-history
bureaux: Equifax, Experian and TransUnion.
His job allowed him access to passwords and codes that enabled him to
download individual credit reports.
Cummings regularly met a friend called Linus Baptiste at Baptiste’s
home in the New York suburbs. There they would use one of Baptiste’s
five computers to download credit reports.
Baptiste, who has pleaded guilty and is awaiting sentencing, sold the
credit reports to a ring of about 20 street criminals, composed mainly
of Nigerian immigrants, who used the information to loot the bank accounts
and credit cards of unsuspecting victims.
Entering his guilty plea in September, Cummings admitted that he recorded
the information on to a laptop computer that he gave to Baptiste.
“I left the computer with him and when I asked what he was doing, he said
he wasn't doing it any more,” he told the judge. “I didn't know the magnitude.”
The first target was Ford Motor Credit Corp’s branch in Grand Rapids,
Michigan, which began receiving complaints from customers. Armed with
confidential information from the credit reports, the gang had been able
to drain bank accounts, open lines of credit and change customers’ addresses
to receive duplicate credit cards.
The ring moved on to other companies across the country. An investigation
was started when a clerk at a Washington Mutual Bank in Florida noticed
that the branch had been billed for 1,100 credit reports it did not order.
Barbara Cusumano, the former head of an airline anti-fraud unit, told
the court she “went crazy” writing to everybody after discovering
that $1,500 had been illegally charged to her credit card by someone
in Florida. Florida police told her they would not investigate because
her loss was less than $5,000.
Her case was investigated only when authorities realised it was part
of the larger scheme. “One of the messages this sends is that if
you stay under the threshold, you can do what you want,” she said.
CHINESE DISCO LOTTERY
Attention all security personnel and store managers:
Please print and share this memo with ALL mall employees.
Be on the lookout for people approaching customers and offering to sell
them scratch off variety lottery tickets. This is a scam. Repeat: THIS IS
A SCAM. The lottery tickets are legitimate looking, normal sized scratch
off tickets with tan backgrounds, black and green lettering, and the words
CHINESE DISCO LOTTERY printed across the top. On the left is a gray
area to be scratched off revealing a prize. On the right is an image of a
young Asian couple dressed in 1950's style clothing dancing beneath a disco
ball.
The tickets are almost always being offered for sale by a young nicely
dressed male and female who claim they are raising money for university
scholarships for underprivileged youths. This is NOT a legitimate lottery.
THE TICKETS ARE FAKE: Each ticket claims to be a winner of between $25.00
and $5,000.00. The back of the tickets advises the holder to mail in a copy
of their identification, along with various personal information including
checking account number and bank routing number. The tickets state this
information will be used for direct deposit of winnings. Local authorities
verify this information is being used to make withdrawals from the account,
open new accounts, as well as more in-depth identity theft. They confirm
this is occurring nationwide and is well organized.
If you see any activity of this sort, please contact a member of mall
security immediately.
Ron Petlansky,
Security Director
Christiana Mall
Christiana, Delaware
Mortgage Company Insiders Sell Personal Info
to Scammers
02/07 - A grand jury in Seattle has indicted six people in connection
with a massive identity theft scam that used insiders at a mortgage and
escrow firm to siphon around $335,000 from customers of a Bellevue mortgage
company, according to a statement from the U.S. Attorney for the Western
District of Washington on Wednesday.
According to a recently unsealed indictment, two identity theft ring
leaders, Charles Griffin and Bianca Bowler, recruited a Seattle resident,
Juanita Booker, who worked at a Bellevue, Washington mortgage company, to
supply them with personal and financial information for numerous people
who had applied for mortgages at the company. They also roped in one Raynette
Armstrong, who worked at a local escrow firm and also provided them with
personal and financial information on clients of the escrow firm. That
information was used to locate and tap bank accounts and create phony
driver's licenses using the names and information of the victims, but
bearing the photographs of the co-conspirators. Bowler and a third co-conspirator
were caught with elaborate computer set-ups for manufacturing counterfeit
drivers licenses when their Seattle home.
For anyone who has ever applied for a mortgage and had to fax off a
big pile of tax returns, bank statements and W-2's to God Knows Who,
this story is a nightmare come true.
According to the U.S. Attorney, after lifting the sensitive data, the
conspirators traveled to various banks in Oregon and Washington, where they
drained bank accounts, opened credit accounts and racked up huge charges at
large stores such as Lowes, Home Depot, Best Buy, and Wal-Mart and jewelry
stores such as Friedlanders and International Jewelers.
Apparently, the scheme came to light after one of the co-conspirators,
who was on probation for another wire fraud scam, was paid a visit by
probation officers, who discovered the elaborate fake-ID making setup.
In light of the recent hacks at TJX, etc., these kinds of stories just
remind us that, more often than not, low-tech approaches to stealing
data work perfectly fine. In this case: find a crooked insider or two,
then pay them off to get the data you want.