The Digital Rag
Real World Information in a Virtual World
Tuesday, February 07 2012 @ 01:33 PM PST

The Bad Uglies are getting smart - and nasty!

Newsletter Postings

In the past it was third class mail that brought the scams - with some via first class if the scammer had some capital. The number of people who fell for them was probably fairly high, percentage-wise - but the number of people that got any particular scam probably wasn't all that high due to the up-front cost.

Telephone scams were pretty much a local thing - long distance charges were too expensive. The locals could be dealt with by the local police if/when they were caught.

Then came the internet and "free" e-mail (at least it was free to send millions, from the spammers' and scammers' point of view) so the number of recipients went up and the number of attempts went up. The subjects and methods have evolved to where we now talk not just about spamming (unsolicited advertising e-mail) but about "phishing" (trying to get information used to perpetrate a fraud using e-mail) and even "spear-phishing", where the targets are carefully selected and the content is crafted to look like an internal memo, for example.

Now, with the cost of large quantities of long distance falling to almost nothing, we have moved to "Vishing" or use of the telephone to try to get information to be used to perpetrate a fraud - get credit card info or identity info for identity theft.

I have 4 phone lines and a Panasonic phone switch with a bunch of smart, multi-line phones throughout the house. When we first moved in, I was given the opportunity to select the 3 numbers for our house - ours, our kids' and a fax line - and selected them roughly in a sequence. The first 5 digits are the same and the last two are 44, 55, 66 respectively. The 4th, business line came later and is in a completely different exchange.

Many times recently, I'll hear the house line (the first of the three) ring, and watch as all 3 original lines light up in sequence; another "war" dialer telephone spammer - almost guaranteed to be from out of Canada (i.e. the US) as this type of non-random, automated dialing is actually illegal in Canada.

Each time this happens I know that we've been targeted (along with all the other 30+ numbers between our 3 in sequence and who knows how many others at the same time) for advertising of some sort or other.

Lately, however, I'm fairly certain that some of these spammers are in fact VISHING - Voice Phishing - i.e. crooks trying to separate me fraudulently from either my money directly via credit card fraud, or through identity theft, indirectly. One such call I've received several times starts off talking as if they are affiliated with my credit card company and proceeds from there to try to get me to talk to one of their representatives. Another talks of "Macy's, Bloomingdales, ..." and other well known stores. I've never had the time to actually follow through and see just how far they go - but maybe one day.

The fact is that because I have more than one line in a fairly close sequence, I have more information about the fact that this is not a highly targeted call (i.e. one that KNOWS who they are calling and might therefore be "all right" to talk to - if you ever think that such a thing is possible - at least to some people).

I know that it is a brute-force-and-ignorance tactic playing on pure statistics and quantity of attempts with the expectation that even if only a minuscule percentage of people fall for the line, it will be profitable.

You, and others, may not realize this though. You don't know that they are probably hitting many hundreds of numbers from a computer-run VOIP (Voice over internet protocol) gateway that purchases bulk long distance from some legitimate carrier at pennies per thousand minutes and can initiate literally thousands of such calls per minute - at least you don't know unless you hear all your neighbours' phones ring at exactly the same time too.

The Phishers/Vishers are playing on the typical human characteristic to "want to believe," and with perfectly crafted scripts they "social engineer" their way into your life, gathering small facts that they'll use to lull you into a false sense that they know more about you than they really do, so you'll feel comfortable telling them slightly more, and so on, until they have enough to impersonate you to a bank or credit card company and make your lives miserable in the process.

The most recent line of pseudo spear-phishing/vishing uses both e-mail and the telephone. SANS Internet Storm Center is reporting on a new round of spam that purports to come from the IRS - US Internal Revenue Service, offering you $80 to fill out a brief questionnaire. They follow this up with a phone call (hey, you answered an IRS questionnaire and they know it, so it must be OK to talk to them because if they weren't the IRS they wouldn't know you filled in the form... right?) and using this false sense of trust they get more information - info that can be used to generate IDs and get credit cards and impersonate you.

From: Internal Revenue Service [mailto:security@IRS.gov]

Sent: Friday, August 24, 2007 5:23 AM

Subject: IRS Survey : $80.00 to your account - Just for your time!

Importance: High

Congratulations!

Dear Customer,

You’ve been selected to take part in our quick and easy 8 questions survey In return we will credit 80.00 to your account - Just for your time!

Please spare two minutes or your time and take part in our online survey so we can improve our services.

Don’t miss this chance to change something.

To continue click on the link below:

htm://www.irs.gov/login.asp=survey

© Copyright © 2007 Internal Revenue Service U.SA


Then they phone you - you, after all, gave them your phone number!




“Hello Mr I fell for-it, this is Tim from the IRS. Thank you for filling out the survey, however you didn’t leave any details for us to deposit the $80. If you provide me with some information now we can arrange payment.”


“uh, ok”


“Let’s start with verifying some details, starting with your social security number....”


.....


So you've gone to what you think was the IRS based on the fact that they sent you an e-mail (have you ever given the IRS your e-mail address?) and given them your phone number and other information (I bet they should already have it if they are really the IRS) and then received a call from them where they ask you to verify to them who you are by giving them your SSN - instead of offering to verify to you that they are in fact from the IRS!!!

The first thing to understand is that the e-mail they sent was written in HTML - so the URL you read in the text, which claims to be where the link will take you, DOES NOT HAVE TO BE ANYTHING LIKE WHERE THE LINK ACTUALLY GOES!!! - it can, and most times does, point to a system that is somewhere in a different country (Russia is the most typical, but it can be literally anywhere).

Even if it really points to where it should, in many cases (and government computers are not immune to this) it in fact points to a page that the scammers have planted on the legitimate site's system by hacking into it, or to a computer that has taken over the Domain Name System (DNS) entry for the site in any of several ways.

It may even point to one of the literally millions of 'bots (robot machines - taken over by the crooks by getting people to click on a link that downloads virus software into their system that allows the crooks to take it over and make it do anything they want - done in the millions) that then pass it up the chain to the "real" server where you will be baited and wowed into giving up your information.

The point of this article is to make you aware that the scams have again jumped to use another "free" (or at least almost no cost) technology - the long distance telephone call - and that the stories are getting more and more sophisticated.

You, my reader, simply can't trust anything that comes to you unbidden, and you have to be skeptical about things that come linked to anything you might have inadvertently done like fill in a prize draw at the local supermarket like I saw my wife do today, or fill in an online questionnaire, etc. The truly nasty crooks will use even the smallest piece of information to lull you into thinking they know more than they do; "oh, Ms. XXX - I see you're in the Vancouver area" (which they can figure out just by what IP address you used to look at their web page - you didn't even fill in the form!!!) and off they go using their social engineering skills to get you into deep trouble and themselves deep into your identity and wallet.

How do you protect yourself? Well, the first thing is to never tell them information unless they tell you how to contact them - and you do that. Get their phone number and tell them you're going to hang up and call them back so you know who they are. In fact, ask them how you can verify their affiliation with the IRS or whoever (I did this with Canada Revenue Agency for example) by asking what telephone directory entry you can call to ask to be transferred to them.

In my case I was told to look up CRA in the blue pages - and call their 1-800 number (which got me Ottawa) and ask for the Vancouver statistics division (which took the lady in Ottawa almost 5 minutes to find as I was the first to ever ask for it) and then ask for anyone working on a particular study - tell them a specific case number and go from there.

Having done this, I was absolutely certain that I was talking to a CRA representative and that they had both the knowledge of what was going on, separate from the original person who called me, and that it was a legitimate survey and requirement (workforce survey) - and no, they didn't pay me anything but threatened to prosecute me if I didn't comply.

So - be skeptical - and make them prove who they are using things that take a LOT to scam - yellow pages entries (they cost a LOT) for example or independent directories on the net. And look up on Google or other search engines to see if others have penetrated a scam like what you are hearing. Chances are good that you're not the first they have called or contacted.

There's even a Wikipedia page on the 419 Nigerian letter scam - yet as recently as last week a financial advisor in Kelowna, BC fell for the scam to the tune of over $80,000!

And I guess that if all else fails and you get taken - bite the bullet and tell people so that others don't get taken - or, as in the case of the 419 scam, somebody sets up the scammers to get even; see www.419eater.com for some wonderful details of scamming the scammers!
