Avoid Being A Victim Of Internet Crimes

By Matthew Sant
(originally published in @Law – Spring 2009)

As an attorney who specializes in intellectual property transactions, I’ve seen the Internet develop from something few people had heard of to something that affects almost every aspect of our daily lives.  Unfortunately, anything as prevalent and widely used as the Internet is going to attract the attention of criminals.  The Internet is certainly no exception.  This article is designed to give you a basic overview of Internet crimes and suggest some common-sense tools that you can employ, hopefully to avoid becoming a victim.

Internet crimes occur in a number of way.  Sometimes, the Internet is merely a new way for criminals to commit traditional crimes or find their victims.  For example, people have always committed fraud and they continue to do so on the Internet.  Other crimes are unique or have been adapted to the Internet.  Some Internet-specific crimes include malicious code, phishing, and certain types of identity theft.  In all cases, Internet users are advised to take precautions to protect themselves from online criminals.

Internet Fraud.  The United States Department of Justice defines Internet fraud as “any type of fraud scheme that uses one or more components of the Internet – such as chat rooms, e-mail, message boards, or Web sites – to present fraudulent solicitations to prospective victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud to financial institutions or to others connected with the scheme.”  Examples of Internet fraud include:

•Advance fee fraud, where the victim is offered something of value in exchange for paying a “small” fee in advance.

•Counterfeit goods offered online.

•Use of stolen credit card numbers to acquire goods and services online.

•Investment scams, including “pump and dumps” and market manipulation.

Even when they should know better, people are very trusting of e-mail they receive and Web sites they visit.  As a result, the Internet is rife with scams and fraud.  Some are almost comical — like the “419” scams where a foreign banker promises to split several million dollars with you if you fax him your personal information and bank account numbers.  Others are very sophisticated.

To avoid being scammed, whether on the Internet or in real life, remember the old adage:  “If something seems too good to be true, it probably is.”  You should also look for obvious warning signs.  Ask yourself, “Why did they select me for this special offer?” and “How can they make money this way?”  Notice unusual pressure tactics or urgency.  Most of all, be skeptical, use common sense and think before you act.

When conducting business over the Internet, whether buying goods or paying bills, you must always know who you are doing business with.  Be wary of anyone who conceals their identity, or of companies that don’t publish a physical address.  Use the Internet to research companies that aren’t known to you.  There are additional resources about Internet fraud available at http://www.usdoj.gov/criminal/fraud/internet/.

Malicious Code.  Malicious code refers to computer software that is installed on a computer without the user’s knowledge in order to intercept personal or financial data or otherwise use the compromised computer for unauthorized purposes.  Once installed on a computer, the malicious code can conduct a variety of operations.  It might secretly monitor the user’s online behavior or collect personal information such as passwords, account numbers and e-mail accounts.  Malicious code can change computer settings, disable anti-virus software and invite additional software programs to infiltrate and install themselves on the computer.  A compromised computer might be used to launch denial of service attacks or send spam e-mail.

The malicious code can come in the form of a virus, a worm or a trojan horse.  A “virus” is a self-replicating program that spreads by inserting copies of itself into other programs.  A “worm” is a self-replicating program similar to a virus, except it is self-contained and doesn’t need to be attached to another program to propagate.  And a “trojan horse” is a malicious program that is disguised as legitimate software, tricking the user into installing it.  All three types of malicious code deliver payloads that assist in the unauthorized activity.

It is often very difficult to identify a malicious code infection.  IT professionals can perform a forensic audit on a computer believed to be infected.  If operated correctly, software tools can analyze and diagnose an infection.  Anti-spyware programs can try to identify infections before they occur and help prevent them.  Other clues that a computer is infected with malicious code include an increase in the number of pop-up ads, unexpected toolbars or icons on your screen or an Internet browser that redirects you to unwanted Web sites.  In many cases, the only symptom might be slower CPU performance.  Sadly, in some cases, there may be no symptoms at all and the user will not suspect that his or her computer has been infected.

To lower your risk of infection from malicious code, you should take the following steps:

•Frequently update your operating system and Internet browser, and set your browser security level to detect and notify you about unauthorized downloads.

•Use anti-virus and anti-spyware software and maintain a firewall, and make sure to update all three regularly (or if possible, automatically).

•Avoid downloading anything from the Internet.  If you must download files or software, do so only from sites you know and can verify.  The purveyors of malicious code will often bundle their programs with “free software” in an attempt to entice the user to download and install it.  Even if the downloaded software works as advertised, it may have been packaged with malicious code.  In fact, many malicious software programs are offered as free “anti-spam” or “anti-spyware” software downloads.

•Never click on links inside pop-up ads or in new or redirected browser windows, including links that say “close” or “exit.”  Use your operating system to close these windows.

Phishing. “Phishing” is an Internet-specific crime that attempts to fraudulently acquire sensitive information by masquerading as a trusted entity in an apparently official communication.  The companies most commonly imitated in phishing attacks include national banks such as Chase, Citibank, Wells Fargo and Bank of America, networking sites such as MySpace and Yahoo, and e-commerce sites such as eBay, Amazon.com and PayPal.  Although phishing has only recently entered the public consciousness, the techniques have been employed since the late 1980s and the term “phishing” (probably based on the hacker term “phreaking”) was first coined in the mid-1990s.  Good statistics on the scope of phishing are difficult to obtain and verify, but one current estimate is that over 3 million Americans will lose an estimated $3 billion per year from successful phishing attacks.

Most phishing attacks are very sophisticated – I’ve seen a few that are barely distinguishable from an authorized communication.

•Don’t trust the look and feel of the e-mail or Web site – the illegal Web sites can be exact duplicates of the real site.

•Don’t trust the name or e-mail address of the sender – those fields are easily forged.

•Don’t trust the URL address in your browser – even this can be faked.

•Phishers have used images instead of text to disguise the nature of the phishing e-mail and to make it harder for filters to detect them.

No reputable company should ever send you an e-mail that prompts you for your password, social security number or account information or directs you to a Web site that requests this information.  But phishing attacks are becoming more sophisticated.  Now, phishers are sending e-mails containing important information about your account – a verification, a coupon or a notice of suspicious activity.  They will then invite you to click a link in the e-mail to access your account.  I’ve even seen one that included the disclaimer “To protect your identity, we will never ask you for your personal information or account information in an e-mail.  Please click here to access our secure server.”  The link was to a fake Web site designed to gather your personal and account information.

As a general rule of thumb, never click on a link in an e-mail sent to you by anyone you do not know personally, even if you think you recognize the URL address in the link.  This especially includes e-mail that purport to come from your bank or well-known companies such as PayPal or eBay.  If you want to verify the information in the e-mail, close the e-mail, open your Internet browser manually and type the Internet address directly into your browser.  From there, you can navigate to your account information or type a query into the search function.  If the e-mail communication is legitimate, you will be able to find what you need.  If in doubt, call customer service at the phone number provided on the Web site you manually opened – do not call any phone numbers contained in the e-mail, they too might be fake.

Identity Theft.  “Identity theft” is the deliberate assumption of another person’s identity, usually to gain access to their finances or credit.  Identity thieves acquire personal information in a number of ways, including inside access to personal data, stolen or diverted mail, and social engineering or “pretexting.”  In fact, much of the information identity thieves need to commit their crimes is available from public records and commercial databases.

While it is difficult to quantify with precision, we know that identity theft is widespread.  In 2006, the total value of identity theft in the United States was estimated to be $15.6 billion and the average loss per person was estimated at $1,882.

A 2003 survey from the Identity Theft Resource Center found that:

•Only 15% of victims find out about the theft through proactive action taken by a business.

•The average time spent by victims resolving the problem was about 330 hours.

•73% of respondents indicated the crime involved the thief acquiring a credit card.

The Internet is fertile territory for identity thieves.  Not surprisingly, identity theft is closely related to phishing, because phishing is often the means used to obtain the personal or financial information necessary to commit identity theft.

While it is impossible to eliminate the risk of identity theft, there are a number of things you can do to minimize the chances of being a victim.

•Monitor your credit for unusual activity.  Under the Fair Credit Reporting Act, you are entitled to a free copy of your credit report every 12 months.

•Secure your personal information at home and work, especially information that you store on computers.

•Put extra passwords on bank accounts and credit cards, especially ones you use or access online.

•Shred bank and credit card statements and other documents that have personal information on them.

What to do if you are a victim of an Internet crime.  If you suspect that you are the victim of an Internet crime, you should immediately take the following steps:

•Contact any financial institution or credit card company that may be involved.  Close any tampered or fraudulent accounts and dispute any fraudulent charges.  Even though they can’t save you from the inconvenience of having your identity stolen, your financial institution often will not hold you liable for the loss if it is reported promptly.

•Place a fraud alert on your credit report – this prevents an identity thief from opening new accounts in your name.  The initial alert will survive for ninety days, whereas an extended alert is good for seven years.

•File a criminal report with local law enforcement and, possibly, with the Federal Trade Commission.

|@Law|

Matthew Sant is a partner in the Newport Beach office of Irell & Manella LLP, where he specializes in corporate and intellectual property transactions.”