Cyber-Scams on the Uptick in Downturn

 

The bear economy is creating a bull market for cyber-crooks.

 

Experts and law-enforcement officials who track Internet crime say scams have intensified in the past six months, as fraudsters take advantage of economic confusion and anxiety to target both consumers and businesses.

 

Thieves are sending out phony emails and putting up fake Web sites pretending to be banks, mortgage-service providers or even government agencies like the Federal Bureau of Investigation or the Federal Deposit Insurance Corp. Cellphones and Internet-based phone services have also been used to seek out victims. The object: to drain customer accounts of money or to gain information for identity theft.

 

Avivah Litan, vice president with Internet-technology research company Gartner Inc., said clients are telling her that cyber-assaults on many banks have doubled in the past six months in the U.S. and other parts of the world, including the U.K., Canada, Mexico and Brazil. Though most are thwarted by computer-security defenses, such as spam filters and fraud-detection systems, that still leaves potentially millions of victims.

 

"They are all experiencing a lot more attacks, and a lot more ATM fraud" aimed at depositors' accounts, Ms. Litan said.

 

More than 800 complaints have been logged by the National White Collar Crime Center in Richmond, Va., so far this year from checking-account customers in the U.S. about mysterious, unauthorized transactions of $10 to $40 that appear on monthly statements. Craig Butterworth, a spokesman for the center, a federally funded group that assists police agencies, said investigators suspect a data breach or "phishing" campaign, where deceptive emails and text messages are used to acquire personal information, such as Social Security numbers, user names and passwords. Separately, a "penny" scam of phantom credit- and debit-card charges from 21 cents to 48 cents has generated 300 complaints, Mr. Butterworth said.

 

The FBI's Internet Crime Complaint Center confirms a increase in cyber-attacks. In its most recent Internet Crime Report, the FBI said it received 207,000 complaints about crimes perpetrated over the Internet in 2007, the latest year for which data are available, amounting to nearly $240 million in reported losses, or $40 million more than a year earlier. Organized groups in the U.S. and elsewhere are behind many of the crimes, experts say.

 

Until recently, most attacks were scattershot, with spam emails blasted randomly to thousands of computer users at once. Now crooks are starting to single out specific targets identified through prior research, a tactic called "spear phishing." In these attacks, emails are sent to the offices of wealthy families or to corporate money managers, for example. They address potential victims by name and company or appear to come from an acquaintance.

Executives Targeted

 

In one such attack, hundreds of senior executives across the globe received personally addressed emails in last April, saying they were being subpoenaed to testify before a grand jury by the U.S. District Court in San Diego, according to a federal courts spokesman in Washington, D.C. When users clicked on a link containing the attachment, their computers were infected with malicious software. The case was referred to the FBI, the spokesman said.

 

Panos Anastassiadis, chief executive of Cyveillance, an Internet security firm in Arlington, Va., that also examined the case, suspects fraudsters were trying to get "first-quarter financial results of publicly traded companies a week before everybody else."

 

Mr. Antastassiadis himself received an email but didn't open it because he says he knew better. He estimates that almost half of the recipients opened the documents, exposing themselves to the malware. Many also forwarded the bogus messages to their legal departments -- infecting them, too. Mr. Anastassiadis said an organized-crime ring based in Eastern Europe is believed responsible.

 

The use of cellphone text messages is a fairly new tactic. Earlier this month, customers of Associated Bank, a unit of Associated Banc-Corp, were among the recipients of email and cellphone text alerts warning them that their credit cards had been deactivated. The message directed them to call a telephone number and leave their account information. Customers of Norway Savings Bank in Maine were also among those hit by cellphone text messages about their debit cards shortly before Christmas.

 

In another case, emails bearing the logo of Franklin Bank of Jacksonville, Texas, which failed on Nov. 7, were circulating throughout Texas in November and December that also sought account numbers, personal-identification numbers and passwords from recipients. Prosperity Bank, which assumed all the deposits of the failed bank, said customers didn't lose any money.

 

In another new twist, scammers using Internet-based phone service are faking the caller-IDs of banks and other businesses in telephone phishing scams. Because the phone ID bears the name of a real company, victims have been tricked into supplying personal information. Some customers of the Bank of Lancaster County in central Pennsylvania, which became part of the PNC Financial Services Group Inc. in August, were targeted in this type of scam last summer, a PNC spokesman confirmed. Because of federal regulations and bank policy, any customers' money lost would have been reimbursed, he said.

 

Difficult times are also causing more people to fall prey to job- and business-opportunity scams that have migrated to the Internet from postal mail.

Job Board Scam

 

A 68-year-old woman in Pennsylvania, who asked that her name not be used because she is still being victimized, said she searched an online job board not long ago and received a "work-at-home" offer by email. The "job" was to cash checks that would be delivered by parcel post. She was to keep 10% of the money and return the rest. Skeptical, she took the first check to her bank, where a clerk promptly declared it a fake and confiscated it. After threatening to report the sender to police, the woman thought she had avoided trouble, but she hadn't.

 

"Suddenly I am getting phone calls from all over the country saying why did you send me these emails and checks? They are using my name and address. I have gotten calls from at least 30 or 35 people from all over the country, from California to Florida to Pennsylvania," she said.

Watching for Grammar

 

Identity thieves frequently post fake ads on job boards to ensnare victims, and they've become increasingly sophisticated in recent years, says Pam Dixon, executive director of the World Privacy Forum, a nonprofit public-interest research group. "It used to be you could pick them out by their bad grammar, but now it's much more difficult," she says. "You really have to be careful."

 

The Pennsylvania woman notified police and also contacted Identity Theft 911, a fraud-resolution company based in Scottsdale, Ariz., for help. The outfit, which provides the ID-theft resolution under contract with insurance companies, employers and credit unions, used credit monitoring and fraud alerts to try to prevent the incident from spiraling out of control.

 

Brian Lapidus, chief operating officer for the Fraud Solutions division of Kroll Inc., a company that also helps businesses and individuals resolve cases, said his company is fielding a growing number of calls from wary recipients of similar emails pitching too-good-to-be-true jobs, loans and sweepstakes offers. Even when advised of the risks, many respond anyway, Mr. Lapidus says.

 

"People want to believe that even in this economic climate, the cloud has a silver lining," he said.