Check your accounts to identify this Amazon scam, check forgeries and credit card identity theft: Internet Scambusters #404
Russian criminals have masterminded a new Amazon scam involving spoof emails that phish for your password and other account details.
They're also the brains behind a hack attack on firms that archive checks, enabling them to launch a convincing counterfeiting scheme.
Other hackers meanwhile have found the easiest route to steal credit card information -- through hotel computer systems.
We cover all of these crimes, with tips on how to spot and avoid them, in this week's Snippets issue.
Now, here we go...
From Russia With Guile, The Amazon Scam
A new Amazon scam lurks in a wave of phishing emails launched by Russian identity thieves.
Several variations of the spoof email have been identified but they all have the same intention of trying to trick victims into giving away their Amazon ID and password.
Armed with these, the scammers order items from Amazon on the victim's account, since many users also store their credit card details online with the retailer, so they don't need to be re-entered.
They may also try to change victims' registered email addresses so Amazon's confirmation of the purchase goes to the crooks rather than the account holders, though Amazon will normally notify you of any attempt to change your address.
Ironically, the most common version of this Amazon con is, in fact, a bogus confirmation of a change in your registered email address.
Bearing the Amazon logo, it is sent to your existing address and is headed "Verify Your New Email Address." However, it doesn't say what this new address is supposed to be.
Instead, you're invited to click a "Confirm" button or a link that appears to be "http://www.amazon.com" but, in both cases, they take you to a bogus Amazon site in Russia that asks you to key in your password.
In other variations of this Amazon scam, the spoof email seems to be either a shipping notification or a cancellation confirmation for an item you didn't order.
Again, the crooks hope that, on realizing you haven't placed such an order, you'll click on a link that takes you to the same bogus Amazon page in Russia.
A similar trick using the name of department store Macy's surfaced recently. This time it pretends to be an email acknowledgment of a payment under the store's Star Rewards program.
Using artwork that looks like a real Macy's design, the message says "Your recent payment has been applied to your Macy's account."
The links too look like they point to genuine Macy's Internet addresses but they don't. Hidden behind them are links to a bogus site.
Just to make things worse, in both this and the Amazon case, once the scammers have a victim's sign-on information, they'll try it out on other sites, since many people use the same details and passwords for several retailers.
To avoid this type of phishing email, the most important thing is never to click on links inside such messages. Don't even attempt to copy and paste the links into your browser address bar.
Instead, open your browser (e.g. Internet Explorer, Firefox, Google Chrome or Safari) and type in the online store's address (e.g., "www.amazon.com"), sign on there and go to "Your Account" or "My Account" or something similar.
There you can check any details about email addresses, payments and orders. You can forward Amazon scam emails to firstname.lastname@example.org.
Amazon also has a helpful guide on email identification.
As a further precaution, you can also delete any of your credit card details the retailer holds. And, of course, make sure you use a different password for each online account you use.
For more about passwords, check out these earlier Scambusters issues.
New Counterfeit Checks Scam
Though there's not a lot you can do to prevent it, readers should be aware of a major hack attack that could result in a hit on their bank accounts.
Scammers have found the perfect way to forge what appear to be genuine checks, drawn on victims' banks and seemingly signed by them.
Once again, the crooks seem to be based in Russia. According to reports from the Associated Press, they hacked their way into three companies that provide a check scanning service for banks.
These companies generate images of the checks we write, so people who use online banking services can review them online.
Just think about it. Those checks contain bank account names and numbers, bank details (like routing numbers), home addresses and, worst of all, signatures.
After downloading them, the crooks use software to create identical new checks, with forged signatures. Usually, they're made out for just less than $3,000, which is the threshold for banks to query and verify withdrawals.
Using this technique, they may already have gotten away with an estimated $9 million and, although the three firms involved have now tightened security, the crooks still have thousands of account details and may be targeting other check scanners.
They pass the forged checks to "mules," recruited via work-from-home ads, who cash them, keeping a small percentage for themselves, then send the remainder through untraceable money-wiring services.
For now, it seems that the stolen check images and the counterfeits have mainly been drawn on business bank accounts rather than those of individuals, but security experts are convinced the crooks will try other online check archiving services.
A list of the compromised accounts has not been released but more than 200,000 check images are said to have been stolen.
If you're a small business, one way you can avoid falling victim to this scam is to set up a "positive pay" arrangement with your bank.
Under this process, you send your bank a list of checks you've issued each day and they are the only ones the bank will honor.
For individuals, the best thing you can do is to monitor your bank account online every day, to review and confirm any check payments you've made.
If there's something there you don't recognize, contact your bank immediately. Normally, if you notify them and are able to show you did not issue the check, the bank will cover the loss.
And, of course, looking for big-paying, easy-money, work-from-home schemes, remember that there's no such legal thing.
You can read about the "Top 10" tips to avoid being taken by work at home scams in a previous Scambusters issue, Work At Home Jobs: How to Avoid Getting Scammed.
If you're asked to cash a check and wire part of the money to someone else, it's almost certainly a scam.
Hotels Are Card Hackers Top Targets
Finally, on the theme of hacking and making a regular check of your online accounts, comes the disclosure that almost 40% of stolen credit card data comes from hotels.
They make a good target because they often use external companies to manage their computer systems, including credit card processing.
Careless "techies" at these external firms sometimes leave the digital door open to the hotel systems, enabling hackers to come in and steal customers' credit card information.
Prevention is down to the hotels themselves but, from a customer/guest point of view, the crime underlines again the vital importance of regularly monitoring your account.
According to a recent report in the newspaper USA Today, banks and credit card companies are now thinking of asking customers to check their online accounts every day.
Maybe you want to get a jump on them and start right now! It makes sense, too, to regularly monitor your accounts with online retailers.
Even though you're now wise to the Amazon scam, if someone gets your card details from a hotel hack, guess where they might go to use it?
That's it for today -- we hope you enjoy your week!