Scamlines 41: Firms, Employees Hooked in Phishing and Key-Capture Tricks

The many ways we fall for cons, thefts — and even unbelievable hoaxes

Our first couple of headlines for this latest collection of scam stories draw attention to a disturbing trend in the world of fraud — when organizations lose, or even knowingly give away, personal information that can be used in identity theft. And we reveal how one federal department decided to test its employees on this with a spoof email.

We also have the lowdown on two new phishing tricks, an explanation of a scam that goes by the name of “dugo-dugo”, a warning about bogus fire inspections, and a distressing tale of church pastors who learned the hard way that nothing is really free.

And we round off with an amusing hoax story — not really a malicious scam, but certainly an interesting test of people’s gullibility.

1. Key logging program steals SSNs on state computer

The scam: The state of Oregon’s Department of Human Services passes on 45 Social Security numbers to crooks who manage to install a keystroke recorder on one of the department’s PCs at Coos Bay, OR.

The malware was installed after an employee clicked on an email link that downloaded it. Information, including the SSNs, was then transmitted to an external address. The numbers belonged to local residents who were applying for assistance.

The solution: Apart from the obvious, oft-repeated solution of not clicking links (which we refer to a couple more times in this issue), this crime calls into question employee training and employees’ access to the Internet.

It’s perfectly possible to disable hyperlinks (the highlighted words or phrases that take users to another site) and to automatically strip out email attachments. Many organizations already do this; perhaps they all should.

More about key logger programs here.

2. Firms give credit card numbers to bogus deputy sheriff

The scam: In Alameda County, CA, businesses unwittingly give away customers’ credit card details to a scammer posing as a deputy sheriff investigating a fraud. The crook phones the firms and asks for information about recently used cards.

Several comply. The stolen card numbers are subsequently used to make purchases.

The solution: Anyone can claim to be a police officer, especially over the phone, and it’s even easy to spoof caller ID.

For that reason, police are unlikely to ever seek credit card information in this way.

When you get calls from anyone seeking personal information — either yours or someone else’s — hang up, get the real organization’s number independently and call them back.

3. DOJ spoofs its own employees to see if they’re scam-proof

The scam: Well — not a scam but more a test of employee preparedness for one. An email sent from within the US Department of Justice about the Federal Retirement Thrift Investment Board (a sort of 401(k) for federal employees) invites department staff to click a link to a trick page that seeks their savings plan account information.

Some employees spot the con immediately, though they don’t know it’s a test, and send emails to colleagues warning them not to click the link. Later, the DOJ admits it was a security exercise.

So what? Who knows how many employees might have fallen for the con if their colleagues hadn’t been so sharp? Some people might think it was a sneaky trick, but we applaud the effort to reinforce awareness of potential scams.

4. Dugo-dugo — it’s just like the grandparent scam

The scam: Here’s a new one on us — a scam called “dugo-dugo”. In fact, it’s a familiar Filipino term for a trick used in many countries where families receive payments from other family members working either at sea or in another country.

Hundreds of families in the Philippines receive phone calls from an individual claiming to be either a ship’s captain or an employer, saying their relative is in trouble and asking for money to bail them out.

Law enforcement believe the scam operates on a huge scale and is being run by a gang. So far, one man has been arrested.

The solution: This trick has many other parallels — like the grandparent scam, currently one of the most commonly reported fraud crimes in the US, in which victims receive a call supposedly from a grandchild in trouble, again seeking money.

Any calls of this type should be independently checked out. Be especially suspicious if you are asked to wire cash — employers and authorities don’t usually operate this way — and only send money when you’re 100% certain of the need.

We covered grandparent scams in this article.

5. Fire inspection is a false alarm

The scam: Posing as a state employee, a scammer approaches residents of North Platte, NE (for some reason, especially parents with new babies), offering fire safety inspections.

He seems to be selling useless fire alarm systems, but it’s not clear if he’s also trying to gain access to homes so he can steal stuff.

The solution: Don’t ever let people into your home without proper identification. If there’s even a shadow of doubt, ask them to wait outside while you check with the relevant authority.

Fire inspections are generally not carried out in this door-to-door manner, and fire services don’t usually sell alarms.

6. Phishing website looks genuine but it’s a far cry from reality

The scam: A spam email appearing to come from the software download service, Steam, offers a free copy of the game Far Cry 2. Clicking the link takes victims to a bogus site that looks like the real thing.

If the recipient happens to be a user of the Steam service, they can be fooled into keying in their personal account details. It’s a phishing scam, giving the crooks access to all the victims’ downloads.

The solution: When invited to visit a website by clicking a link in an email, just don’t. And don’t even copy and paste the link into your browser. If you don’t know the correct address, search for the site online.

Steam has posted instructions on how to reclaim a hijacked account here.

7. “AOL Safety and Security Team” is just the opposite

The scam: Another phishing expedition, this time in Florida, where the state’s Consumer Services Commissioner warns America Online (AOL) users to be on the lookout for an email asking them to verify billing and account information.

It seems to come from the “AOL Safety and Security Team” but a link inside the message takes victims to a fake website where they’re asked to enter the relevant info.

The solution: AOL does not contact customers by email asking for personal information. As mentioned above, never click on links in messages of this type. Sign on to your AOL account as normal and check things out from there.

Want to know more about phishing? Check out this article.

8. “Free” video terminals cost $40,000

The scam: Across the state of Michigan, 24 pastors fall for a ruse that leads them to sign up for costly video terminals they think are free. They’re believed to be among 176 churches nationwide that sign up for the deal.

According to the Detroit Free Press, the ministers think they are signing shipping receipts for receiving the terminals, but the documents are actually leases agreeing to payments said to total more than $40,000 a time.

Some of the churches are now suing the leasing firm and a couple of marketing firms linked to the deals.

The solution: Well, this is a TGTBT (Too Good To Be True) for a start, and we wonder if there was some fine print the pastors missed that would have given the game away. When something is purportedly offered for free or dirt cheap, always check out the terms and conditions carefully and re-read what you’re signing for.

9. Catch a few rays — from your PC!

The scam: In England, a website claims that a technology breakthrough allows people to get a suntan just by sitting in front of their PCs and soaking up invisible rays. Thirty thousand visitors to the site sign up to benefit from the “new technique”.

Later, the site is revealed as a front for a campaign highlighting the risks of skin cancer from real rays — from the sun.

The solution: It just goes to show how gullible we can be when we’re offered something that appears to be a great benefit without costing us a penny.

From invisible rays to free video terminals, from a bogus deputy sheriff to phony family-in-distress tales, this week’s roundup of the scam headlines illustrates how willing we are to believe lies that are too good to be true or to take explanations at face value, without question.

We can’t help but repeat one of our most important and useful pieces of advice about avoiding scammers: be a skeptic.