Print Edition: January 6, 2007

PHISHING NOT ALLOWED HERE

When I read the front-page story in the Cadillac News a couple of weeks ago about Don Borman foiling an Internet scam artist, a light bulb went on. I faced the very same scam last summer.

As any outdoorsman will tell you, sometimes you can cast a line in a trout stream a thousand times and come up empty, but if you get just one strike and land a big one your day is a success. It’s that way with another kind of angling pronounced the same as "fishing," but this one begins with the letters "ph." It’s the cyberspace version of high tech trolling, and the aim of "phishing" is to hook a whopper.

Both Don and I were approached by someone supposedly responding to a classified ad. What made each of us suspicious was that an "Internet operator" was to act as a go-between. Ah, but Don and I proved to be more wily than average cybertrouts.

In my case, a couple of days after my ad appeared I received a late night call from an "Internet operator" who explained that someone using a computer was "calling" me and that the caller would type their message, the operator would read it to me, I would respond, and the operator would type my reply back to the caller.

The "caller" indicated they were interested in buying my item and through our "conversation" I was given their e-mail address with instructions to e-mail them the next day with a description of the item for sale. Like Don, I immediately thought something smelled fishy (pun intended).

When I sent an e-mail the next day, I did not use my regular e-mail address; I used an alternate e-mail account that I have for occasions when I want to be incognito.

When the reply came, the person claiming to want to buy my item said: "You will be receiving an overdraft Money Order, which will cover the money for the pickup (pickup and shipping to the final destination) as well as the money to be paid to the company that will take care of the pickup and the documentation with you. So please, as soon as you receive the Money Order, go and cash it immediately, deduct the money that accrues to you, and send the balance to the Head Office of the company that handles the shipment in London United Kingdom via the nearest money gram agent in your area. Deduct the money gram charges from the balance and send the remaining to London immediately."

Not so fast. Why would someone in London, England pay me more than the item was worth and have it shipped across the Atlantic? Why should I cash the money order immediately and wire them the balance?

Later in the e-mail came the real reason for the alleged purchase. "I will need for final issuance of the USPS Money Order to you. (1) Full Name, (2) Mailing address, (3) your direct telephone number, (4) acceptance of my offer, (and other personal information)." This was an obvious phishing expedition, but (like Don) I didn’t take the bait.

The scam goes something like this: Someone sends you an overdraft check and you’re supposed to cash it, keep what’s owed to you, and send them the balance. You follow instructions, the check bounces, and you lose a bunch of money. The "phisher" makes some easy cash and uses your personal and financial information for illegal purposes.

I later learned that USPS money orders are easily faked and are one of the main tools phishers use to defraud unsuspecting victims. According to MSN Money: "Money orders used to be as good as gold, but that was before technology made it easy to forge financial instruments. A common scam today involves fake money orders from overseas being sent to unsuspecting Americans."

Postal inspector Paul Krenn says: "People who are accepting the money orders as payment aren't familiarizing themselves with the security features (like watermarks). We've found there are a number of people who will accept them without knowing what they're accepting."

The number and sophistication of phishing scams sent out to consumers are continuing to increase dramatically. Experts like the National Consumers League’s National Fraud Information Center (www.fraud.org) and the Anti-Phishing Working Group (www.antiphishing.org) suggest several things you can do to avoid becoming a victim of these scams.

- Be suspicious of any email with urgent requests for personal financial information. Phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately. The most common form of phishing is email pretending to be from a legitimate retailer, bank, organization, or government agency. The sender asks you to "confirm" your personal information for some made-up reason: your account is about to be closed, an order for something has been placed in your name, or your information has been lost because of a computer problem.

- Avoid filling out forms in email messages that ask for personal financial information.

- Never enter your personal information in a pop-up screen. Legitimate companies, agencies and organizations don’t ask for personal information via pop-up screens. Install pop-up blocking software to help prevent this type of phishing attack (free pop-up blocker at www.panicware.com).

- Only open email attachments if you’re expecting them and know what they contain.

- Know that phishing can also happen by phone. You may get a call from someone asking for your personal information.

- Always ensure that you're using a secure website when submitting credit card or other sensitive information via your Web browser. To make sure you're on a secure Web server, check the beginning of the Web address in your browser's address bar: it should be "https://" rather than just "http://".

- Ensure that your browser is up to date and that security patches are applied. In particular, people who use the Microsoft Internet Explorer browser should immediately go to the Microsoft home page (http://www.microsoft.com) and download the new 7.0 browser, which has a built-in phishing filter.

- Always report "phishing" e-mails to the following groups: forward the email to reportphishing@antiphishing.com, forward the email to the Federal Trade Commission at spam@uce.gov, and notify the Internet Fraud Complaint Center of the FBI by filing a complaint on their website: www.ifccfbi.gov/. You can also report the problem to law enforcement agencies through the National Fraud Information Center/Internet Fraud Watch, www.fraud.org or 800-876-7060.

Don Borman did exactly the correct thing: he was skeptical, vigilant, and he reported the scam to the proper authorities. Bravo!

The bottom line in all of this is that banks, money order issuers, e-mail providers, and communications companies can only do so much to protect consumers against phishing scams. You are your own best defense by guarding your personal and financial information and by having a healthy skepticism about deals that don’t appear to ring true. A phisher can’t catch you if you don’t take the bait.

Jim Neff is a local columnist. Comments to neffzone@gmail.com. Read Neff Zone columns online at www.neffzone.com/cadillacnews

Copyright © by NeffZone Services. All rights reserved.