Our Security Center is designed to help you be aware of how we’re working hard to keep your personal and financial information safe, and to help you know what to consider suspicious activity to ensure you don’t get caught in a scam.
While some consumers find unsolicited commercial email—also known as "spam"—informative, others find it annoying and time consuming. Still others find it expensive; they're among the people who have lost money to spam that contained bogus offers and fraudulent promotions.
Many Internet service providers and computer operating systems offer filtering software to limit the spam in their users' email in-boxes. In addition, some old-fashioned "filter tips" can help you save time and money by avoiding frauds pitched in email. OnGuard Online wants computer users to screen spam for scams, send unwanted spam on to the appropriate enforcement authorities, and then hit delete.
Here's how to spot these 10 common spam scams.
1. The "Nigerian" Email Scam
The Bait: Con artists claim to be officials, business people, or the surviving spouses of former government honchos in Nigeria or another country whose money is somehow tied up for a limited time. They offer to transfer lots of money into your bank account if you will pay a fee or "taxes" to help them access their money. If you respond to the initial offer, you may receive documents that look "official." They then ask you to send money to cover transaction and transfer costs and attorney's fees, as well as a blank letterhead, your bank account numbers, or other information. They may even encourage you to travel to the country in question, or a neighboring country, to complete the transaction. Some fraudsters have even produced trunks of dyed or stamped money to try to verify their claims.
The Catch: The emails are from crooks trying to steal your money or your identity. Inevitably, in this scenario, emergencies come up, requiring more of your money and delaying the transfer of funds to your account. In the end, there aren't any profits for you, and the scam artist vanishes with your money. The damage can sometimes be felt even beyond your pocket: according to State Department reports, people who have responded to "pay in advance" solicitations have been beaten, subjected to threats and extortion, and in some cases, murdered.
Your Safety Net: If you receive an email from someone claiming to need your help getting money out of a foreign country, don't respond. If you've lost money to one of these schemes, call your local Secret Service field office. Local field offices are listed in the Blue Pages of your telephone directory.
Forward "Nigerian" scams—including all the email addressing information—to firstname.lastname@example.org.
2. Phishing
The Bait: Email or pop-up messages that claim to be from a business or organization you may deal with, such as an Internet service provider (ISP), bank, online payment service, or even a government agency. The message may ask you to "update," "validate," or "confirm" your account information or face dire consequences.
The Catch: Phishing is a scam where Internet fraudsters send spam or pop-up messages to reel in personal and financial information from unsuspecting victims. The messages direct you to a website that looks just like a legitimate organization's site, or to a phone number purporting to be real. But these are bogus and exist simply to trick you into divulging your personal information so the operators can steal it, fake your identity, and run up bills or commit crimes in your name.
Your Safety Net: Make it a policy never to respond to emails or pop-ups that ask for your personal or financial information, click on links in the message, or call phone numbers given in the message. Don't cut and paste a link from the message into your Web browser—phishers can make links look like they go one place, but then actually take you to a look-alike site. If you are concerned about your account, contact the organization using a phone number you know to be genuine, or open a new Internet browser session and type in the company's correct Web address yourself. Using antivirus and anti-spyware software and a firewall, and keeping them up-to-date, can help.
Forward phishing emails to email@example.com and to the organization that is being spoofed.
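The link disguise described above can be checked mechanically in an HTML message body. The following Python sketch is an added example, not part of the original page: it flags links whose visible text names one host while the underlying address points to another, and also flags addresses that put a familiar-looking name before an "@" (a generalization beyond the text). All host names and the sample message are constructed, and the subdomain comparison is a simplification that does not consult a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that is itself written as a web address.
URL_LIKE = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.I)

# Constructed sample message body; every host name here is made up.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please confirm your account:</p>
<a href="http://accounts.lookalike.test/login">https://www.example-bank.test/login</a>
<a href="https://www.example-bank.test/help">www.example-bank.test/help</a>
<a href="http://www.example-bank.test@198.51.100.7/update">Update now</a>
<a href="mailto:support@example-bank.test">Email us</a>
"""


def host_of(url):
    """Lower-cased host of a web address, without a leading 'www.'."""
    if not re.match(r"^https?://", url, re.I):
        url = "http://" + url          # visible text often omits the scheme
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:                 # malformed address
        return ""
    return host[4:] if host.startswith("www.") else host


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_suspicious_links(html):
    """Return (reason, shown, actual_host) tuples in document order."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        href = href.strip()
        try:
            parts = urlsplit(href)
        except ValueError:
            continue
        if parts.scheme.lower() not in ("http", "https"):
            continue                   # mailto:, tel:, relative links
        actual = host_of(href)
        if parts.username:
            # Text before '@' is not the destination; the host after it is.
            findings.append(("userinfo-in-url", parts.username, actual))
        if URL_LIKE.match(text):
            shown = host_of(text)
            # Equal hosts or a subdomain of the shown host are accepted.
            if actual != shown and not actual.endswith("." + shown):
                findings.append(("text-host-mismatch", shown, actual))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(finding)
```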
3. Work-at-Home Scams
The Bait: Advertisements that promise steady income for minimal labor—in medical claims processing, envelope-stuffing, craft assembly work, or other jobs. The ads use similar come-ons: Fast cash, minimal work, no risk, and the advantage of working from home when it's convenient for you.
The Catch: The ads don't say you may have to work many hours without pay, or pay hidden costs to place newspaper ads, make photocopies, or buy supplies, software, or equipment to do the job. Once you put in your own time and money, you're likely to find promoters who refuse to pay you, claiming that your work isn't up to their "quality standards."
Your Safety Net: The Federal Trade Commission (FTC) has yet to find anyone who has become rich stuffing envelopes or assembling magnets at home. Legitimate work-at-home business promoters should tell you—in writing—exactly what's involved in the program they're selling. Before you commit any money, find out what tasks you will have to perform, whether you will be paid a salary or work on commission, who will pay you, when you will get your first paycheck, the total cost of the program—including supplies, equipment, and membership fees—and what you will get for your money. Can you verify information from current workers? Be aware of "shills," people who are paid to lie and give you every reason to pay for work. Get professional advice from a lawyer, an accountant, a financial advisor, or another expert if you need it, and check out the company with your local consumer protection agency, state Attorney General and the Better Business Bureau—not only where the company is located, but also where you live.
Forward work-at-home scams to firstname.lastname@example.org.
4. Weight Loss Claims
The Bait: Emails promising a revolutionary pill, patch, cream, or other product that will result in weight loss without diet or exercise. Some products claim to block the absorption of fat, carbs, or calories; others guarantee permanent weight loss; still others suggest you'll lose lots of weight at lightning speed.
The Catch: These are gimmicks, playing on your sense of hopefulness. There's nothing available through email you can wear or apply to your skin that can cause permanent or even significant weight loss.
Your Safety Net: Experts agree that the best way to lose weight is to eat fewer calories and increase your physical activity so you burn more energy. A reasonable goal is to lose about a pound a week. For most people, that means cutting about 500 calories a day from your diet, eating a variety of nutritious foods, and exercising regularly. Permanent weight loss happens with permanent lifestyle changes. Talk to your health care provider about a nutrition and exercise program suited to your lifestyle and metabolism.
Forward weight loss emails to email@example.com.
5. Foreign Lotteries
The Bait: Emails boasting enticing odds in foreign lotteries. You may even get a message claiming you've already won! You just have to pay to get your prize or collect your winnings.
The Catch: Most promotions for foreign lotteries are phony. The scammers will ask you to pay "taxes," "customs duties," or fees, and then keep any money you send. Scammers sometimes ask you to send funds via wire transfer. Don't send cash or use a money-wiring service because you'll have no recourse if something goes wrong. In addition, lottery hustlers use victims' bank account numbers to make unauthorized withdrawals or their credit card numbers to run up additional charges. And one last important note: participating in a foreign lottery violates US law.
Your Safety Net: Skip these offers. Don't send money now on the promise of a pay-off later.
Forward solicitations for foreign lottery promotions to firstname.lastname@example.org.
6. Cure-All Products
The Bait: Emails claiming that a product is a "miracle cure," a "scientific breakthrough," an "ancient remedy"—or a quick and effective cure for a wide variety of ailments or diseases. They generally announce limited availability, require payment in advance, and offer a no-risk "money-back guarantee." Case histories or testimonials by consumers or doctors claiming amazing results are not uncommon.
The Catch: There is no product or dietary supplement available via email that can make good on its claims to shrink tumors, cure insomnia, cure impotency, treat Alzheimer's disease, or prevent severe memory loss. These kinds of claims deal with the treatment of diseases; companies that want to make claims like these must follow the FDA's pre-market testing and review process required for new drugs.
Your Safety Net: When evaluating health-related claims, be skeptical. Consult a health care professional before buying any "cure-all" that claims to treat a wide range of ailments or offers quick cures and easy solutions to serious illnesses. Generally speaking, a cure-all is a cure none.
Forward spam with miracle health claims to email@example.com.
7. Check Overpayment Scams
The Bait: A response to your ad or online auction posting, offering to pay with a cashier's, personal, or corporate check. At the last minute, the so-called buyer (or the buyer's "agent") comes up with a reason for writing the check for more than the purchase price, and asks you to wire back the difference after you deposit the check.
The Catch: If you deposit the check, you lose. Typically, the checks are counterfeit, but they're good enough to fool unsuspecting bank tellers and increase the balance in your bank account—temporarily. But when the check eventually bounces, you are liable for the entire amount.
Your Safety Net: Don't accept a check for more than your selling price, no matter how tempting the plea or convincing the story. Ask the buyer to write the check for the purchase price. If the buyer sends the incorrect amount, return the check. Don't send the merchandise. As a seller who accepts payment by check, you may ask for a check drawn on a local bank, or a bank with a local branch. That way, you can visit the bank personally to make sure the check is valid. If that's not possible, call the bank the check was drawn on using the phone number from directory assistance or an Internet site you know and trust, not from the person who gave you the check. Ask if the check is valid.
Forward check overpayment scams to firstname.lastname@example.org and your state Attorney General. You can find contact information for your state Attorney General at www.naag.org.
8. Pay-in-Advance Credit Offers
The Bait: News that you've been "pre-qualified" to get a low-interest loan or credit card, or repair your bad credit even though banks have turned you down. But to take advantage of the offer, you have to pay a processing fee of several hundred dollars.
The Catch: A legitimate pre-qualified offer means you've been selected to apply. You still have to complete an application and you can still be turned down. If you paid a fee in advance for the promise of a loan or credit card, you've been hustled. You might get a list of lenders, but there is no loan, and the person you've paid has taken your money and run.
Your Safety Net: Don't pay for a promise. Legitimate lenders never "guarantee" a card or loan before you apply. They may require that you pay application, appraisal, or credit report fees, but these fees are seldom required before the lender is identified and the application is completed. In addition, the fees generally are paid to the lender, not to the broker or person who arranged the "guaranteed" loan.
Forward unsolicited email containing credit offers to email@example.com.
9. Debt Relief
The Bait: Emails touting a way you can consolidate your bills into one monthly payment without borrowing; stop credit harassment, foreclosures, repossessions, tax levies and garnishments; or wipe out your debts.
The Catch: These offers often involve bankruptcy proceedings, but they rarely say so. While bankruptcy is one way to deal with serious financial problems, it's generally considered the last resort. The reason: it has a long-term negative impact on your creditworthiness. A bankruptcy stays on your credit report for 10 years, and can hurt your ability to get credit, a job, insurance, or even a place to live. To top it off, you will likely be responsible for attorneys' fees for bankruptcy proceedings.
Your Safety Net: Read between the lines when looking at these emails. Before resorting to bankruptcy, talk with your creditors about arranging a modified payment plan, contact a credit counseling service to help you develop a debt repayment plan, or carefully consider a second mortgage or home equity line of credit. One caution: While a home loan may allow you to consolidate your debt, it also requires your home as collateral. If you can't make the payments, you could lose your home.
Forward debt relief offers to firstname.lastname@example.org.
10. Investment Schemes
The Bait: Emails touting "investments" that promise high rates of return with little or no risk. One version seeks investors to help form an offshore bank. Others are vague about the nature of the investment, but stress the rates of return. Promoters hype their high-level financial connections; the fact that they're privy to inside information; that they'll guarantee the investment; or that they'll buy it back. To close the deal, they often serve up phony statistics, misrepresent the significance of a current event, or stress the unique quality of their offering. And they'll almost always try to rush you into a decision.
The Catch: Many unsolicited schemes are a good investment for the promoters, but not for participants. Promoters of fraudulent investments operate a particular scam for a short time, close down before they can be detected, and quickly spend the money they take in. Often, they reopen under another name, selling another investment scam.
Your Safety Net: Take your time in evaluating the legitimacy of an offer—the higher the promised return, the higher the risk. Don't let a promoter pressure you into committing to an investment before you are certain it's legitimate. Hire your own attorney or an accountant to take a look at any investment offer too.
Forward spam with investment-related schemes to email@example.com.
Con artists are clever and cunning, constantly hatching new variations on age-old scams. Still, skeptical consumers can spot questionable or unsavory promotions in email offers. Should you receive an email that you think may be fraudulent, forward it to the FTC at firstname.lastname@example.org, hit delete, and smile. You'll be doing your part to help put a scam artist out of work.
How to Report Spam
If you receive an email that you think may be a scam:
Supporting Sources: OnGuardOnline.gov
Phishing email messages take a number of forms. They might appear to come from a financial institution, a company you regularly do business with, or from a social networking site such as Facebook or LinkedIn. To avoid getting hooked:
If you should ever receive an email that you believe to be a phishing scam using our name and logo, please forward us a copy, as well as emailing a copy to email@example.com and to any company or organization impersonated in the phishing email. You may also report phishing email to firstname.lastname@example.org. The Anti-Phishing Working Group, a consortium of ISPs, security vendors, financial institutions, and law enforcement agencies, uses these reports to fight phishing.
Contributing source: OnGuardOnline.gov
Secure your phone
Most mobile phones let you set up a password or PIN, requiring that it's entered into your phone prior to use. This ensures that your phone can't be used if it's lost or stolen. Make sure that you always have this feature enabled and that your password or PIN is not shared with anyone.
Beware of trojans and spyware
Trojans and spyware are viruses and software that are used by fraudsters to steal personal details when installed on your computer or mobile phone. They're usually installed without your knowledge when you follow a link, open an attachment, or download software from a fraudulent email or text message.
To protect yourself:
Install security software
Just like your computer, mobile phones are vulnerable to viruses, some of which can give fraudsters access to your personal information.
To keep your information safe:
Keep your mobile software up-to-date
On occasion your mobile phone manufacturer will likely release software updates for your phone. These should be downloaded and installed regularly to ensure your mobile phone has the most current and up-to-date software installed.
Avoid sharing your mobile phone
If you have to share your mobile or send it off for repairs:
The prevalence of malware as a vehicle for organized Internet crime, along with the general inability of traditional anti-malware protection platforms (products) to protect against the continuous stream of unique and newly produced malware, has seen the adoption of a new mindset for businesses operating on the Internet: the acknowledgment that some sizable percentage of Internet customers will always be infected for some reason or another, and that they need to continue doing business with infected customers.
Common types of malware delivery mechanisms
The anatomy of malware attacks
To infect a computer through a Web browser, an attacker must accomplish two tasks.
Both of these steps can occur quickly and without the victim's knowledge, depending on the attacker's tactics.
One way for an attacker to make a victim's browser execute their malicious code is to simply ask the victim to visit a website that is infected with malware. Of course, most victims will not visit a site if told it is infected, so the attacker must mask the nefarious intent of the website. Sophisticated attackers use the latest delivery mechanisms, and often send malware-infected messages over social networks, such as Facebook, or through instant messaging systems. While these methods have proved successful to a degree, they still rely on tempting a user to visit a particular website.
Other attackers choose to target websites that potential victims will visit on their own. To do this, an attacker compromises the targeted website and inserts a small piece of HTML code that links back to their server. This code can be loaded from any location, including a completely different website. Each time a user visits a website compromised in this manner, the attacker's code has the chance to infect their system with malware.
Contributing source: OnGuardOnline.gov
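A site owner can watch for the inserted HTML described in the malware section above by comparing each page against a known-good copy. The following Python sketch is an added example, not part of the original page: it lists script, frame and embedded-object references to other hosts that appear in the current page but not in the baseline. The page URL, host names, sample markup and the `allowed_hosts` parameter are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements that pull in remote content, and the attribute that names it.
LOADERS = {"script": "src", "iframe": "src", "frame": "src",
           "embed": "src", "object": "data"}

# Constructed samples: a known-good copy of a page and the copy served now.
PAGE_URL = "https://www.example-shop.test/index.html"
BASELINE_HTML = """
<html><head><script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.test/lib.js"></script></head>
<body><h1>Welcome</h1></body></html>
"""
CURRENT_HTML = """
<html><head><script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.test/lib.js"></script>
<script src="https://cdn.example-cdn.test/lib-v2.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="//stats.unknown-host.test/c.html"></iframe></body></html>
"""


class LoaderCollector(HTMLParser):
    """Collects (tag, absolute URL) for content loaded from other hosts."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlsplit(page_url).hostname or "").lower()
        self.external = set()

    def handle_starttag(self, tag, attrs):
        attr = LOADERS.get(tag)
        if attr is None:
            return
        ref = dict(attrs).get(attr)
        if not ref:
            return
        # Resolve relative and protocol-relative (//host/path) references.
        absolute = urljoin(self.page_url, ref.strip())
        host = (urlsplit(absolute).hostname or "").lower()
        if host and host != self.page_host:
            self.external.add((tag, absolute))


def external_loaders(html, page_url):
    """All off-site loader references found in one copy of the page."""
    collector = LoaderCollector(page_url)
    collector.feed(html)
    collector.close()
    return collector.external


def newly_added_loaders(baseline_html, current_html, page_url, allowed_hosts=()):
    """Off-site references present now but absent from the baseline.

    Hosts in allowed_hosts (for example the site's own CDN) are not reported.
    """
    allowed = {h.lower() for h in allowed_hosts}
    before = external_loaders(baseline_html, page_url)
    after = external_loaders(current_html, page_url)
    return sorted((tag, url) for tag, url in after - before
                  if urlsplit(url).hostname.lower() not in allowed)


if __name__ == "__main__":
    for tag, url in newly_added_loaders(BASELINE_HTML, CURRENT_HTML, PAGE_URL,
                                        allowed_hosts=["cdn.example-cdn.test"]):
        print(f"new <{tag}> loading from {url}")
```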
Vishing exploits the public's trust in landline telephone services, which have traditionally terminated in physical locations which are known to the telephone company, and associated with a bill-payer. The victim is often unaware that VoIP makes formerly difficult-to-abuse tools/features of caller ID spoofing, complex automated systems (IVR), low cost, and anonymity for the bill-payer widely available. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.
We will never call you to request that you update or verify your personal or financial details over the phone. If you ever receive a call requesting this information, please call us using the phone number on your account statement, on the back of your ATM or Debit Card, or local telephone directory to confirm the call is legitimate.
Vishing is very hard for legal authorities to monitor or trace. To protect themselves, consumers are advised to be highly suspicious when receiving messages directing them to call and provide credit card or bank numbers. Rather than provide any information, if speaking to a human, ask them for an incident number and then hang up. Then place a call to the number printed on your credit card or billing statement from a telephone number the bank has on file, usually your home landline. While consumer caller ID is trivial to fake, the bank's call center gets much more reliable billing information provided by trunked 1-800 service, and thus both parties have high confidence the other party is who they claim to be.
Area codes can mislead. Some scammers send emails that appear to be from a legitimate business and ask you to call a phone number to update your account or access a "refund." Because they use Voice over Internet Protocol technology, the area code you call does not reflect where the scammers really are. If you need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card. And delete any emails that ask you to confirm or divulge your financial information.
Security. If you use VoIP for your home phone service you should know that VoIP calls are transmitted over the Internet, which raises security risks that are not an issue with regular telephone service. For example, VoIP services can be attacked by computer viruses or worms; you can be subject to SPIT (Spam over Internet Telephony), a different kind of spam, and left with mass voice mail messages in your inbox; and you can be caught in a denial of service attack.
Contributing source: OnGuardOnline.gov
Similar to phishing, smishing uses cell phone text messages to deliver the "bait" to get you to divulge your personal information. The "hook" (the method used to actually "capture" your information) in the text message may be a website URL; however, it has become more common to see a phone number that connects to an automated voice response system.
The smishing message usually contains something that demands your "immediate attention." Some examples include "We're confirming you've signed up for our dating service. You will be charged $2/day unless you cancel your order on this URL: www.????.com."; "(Name of popular online bank) is confirming that you have purchased a $1,500 computer from (name of popular computer company). Visit www.?????.com if you did not make this online purchase."; and "(Name of a financial institution): Your account has been suspended. Call ###.###.#### immediately to reactivate". The "hook" will be a legitimate-looking website that asks you to "confirm" (enter) your personal financial information, such as your credit/debit card number, CVV code (on the back of your credit card), your ATM card PIN, SSN, email address, and other personal information. If the "hook" is a phone number, it normally directs to a legitimate-sounding automated voice response system, similar to the voice response systems used by many financial institutions, which will ask for the same personal information.
This is an example of a (complete) smishing message in current circulation: "Notice—this is an automated message from (a local credit union), your ATM card has been suspended. To reactivate call urgent at 866-###-####".
In many cases, the smishing message will show that it came from "5000" instead of displaying an actual phone number. This usually indicates the SMS message was sent via email to the cell phone, and not sent from another cell phone.
This information is then used to create duplicate credit/debit/ATM cards. There are documented cases where information entered on a fraudulent website was used to create a credit or debit card that was used halfway around the world, within 30 minutes.
Twishing is a combination of the words Twitter and phishing. The idea is that bait is given out—the concept behind the term phishing—to Twitter users with the hopes that while most will ignore the bait, a small percentage will be tricked into revealing their user names and passwords. Twishing may also be seen written in lowercase as twishing.