Online identity spoofing is when someone else impersonates either you or your computer. Professional scammers have been known to impersonate famous actors, musicians, and athletes as well as other important political and corporate figures. For example, in 2010, Interpol Secretary General Ronald Noble had two Facebook accounts opened in his name by cybercriminals. They then used the profiles to contact various police departments to elicit sensitive information about police investigations.

IP Address Spoofing

Spoofing an IP address involves changing the header of an Internet protocol address (that allows servers to know where information is coming from) to match someone else’s IP. If your IP address is spoofed, this may cause you to be associated with illegal activities like hacking websites, and may also provide a hacker with access to systems that read your computer as “trusted.”

Security Tips

• It is difficult to fully guard against identity spoofing, as services such as Facebook and Twitter allow anyone to set up an account in any name. To report a spoofed Facebook page, you need to first have a Facebook account: then go to the spoofed profile, click the button next to “Message” and select “Report/Block.” Then click “This profile/timeline is pretending to be someone or is fake” and then “Pretending to be me” and finally “Continue.” If you have been spoofed on Twitter, file a report at this address: https://support.twitter.com/forms/impersonation.

• To avoid having your own Facebook or Twitter account hacked into, never share your password with anyone and make sure to sign out of each service before you close the tab or window.

• Your IP address is most at risk when you are using public Internet hotspots at places such as airports or coffee shops. When using these, it is a good idea to use an IP anonymizer such as Hotspot Shield (http://www.hotspotshield.com/) which temporarily assigns you a random IP address so that your computer’s own IP address is not compromised.

Auction Fraud

Online auction fraud is common and one of the most complained-about online issues today. Credit card fraud is a wide-ranging term for theft and fraud committed using or involving a payment card, such as a credit card or debit card, as a fraudulent source of funds in a transaction. You can run into several different scams when shopping online. While making purchases on an online auction site such as eBay, for example, you could end up paying for stolen or counterfeit goods, or for goods that never arrive at all. In addition to this, sellers can place false bids on their own goods to drive their prices up or could include disproportionately large or hidden shipping and handling fees.  A healthy dose of skepticism and caution is definitely required when shopping online: some sellers, unfortunately, take advantage of the scarcity of popular products such as the iPad or Nintendo 3DS to defraud buyers.

Email/IM Phishing Scam

The main goal of these scams is to obtain personally identifiable information or to get access to credit cards or bank accounts. Phishing is when someone attempts to lure you into compromising your password information through emails (usually claiming to be from a bank) and Web pages that appear to be legitimate but are not the real thing.

Keep in mind that banks and other financial institutions never contact clients by email first. If you think there may be a problem with your bank account or credit card, call your bank or credit card company or go to their legitimate website (remember to confirm that the Web address starts with https, as in https:www.abank.ca.)

There are a number of signs that can raise red flags about the legitimacy of emails that claim to be from a financial institution:

1. They request your password or account number. Banks will never ask you to “confirm” these.
2. They say you need to act immediately. These emails often try to prey on your fears by saying that your account will be closed if you don’t act right away.
3. They make spelling or grammar mistakes.
4. The link they want you to click has a long URL, often with a lot of meaningless numbers and letters. Banks actually keep their URLs as short as possible to help you remember them.
5. They don’t look or feel quite right. Phishing URLs sometimes try to copy the logo or other visual elements of a bank or financial institution, but they often don’t get it quite right. Even if it looks right, don’t trust an email claiming to be from a financial institution if it fails any of these tests.

Scareware

Scareware is the term used to refer to online “pop-up” alerts which claim to have detected a virus or other problem on your computer. These often claim to be from Internet security companies or from law enforcement agencies. Clicking on one of these can have a variety of negative effects, from downloading malware onto your computer to exposing your personal information. In some cases clicking on a scareware pop-up will simply freeze your computer, after which the scammers will try to extort money from you in exchange for unlocking it.

Scareware can generally be avoided by running a pop-up blocker. Most browsers allow you to determine whether or not you see pop-ups:

• In Internet Explorer, select Tools, then Pop-Up Blocker
• In Firefox, select Tools, then Options, then Block Pop-Up Windows
• In Chrome, select Options, then Under the Hood, then Content Settings (under Privacy), then Pop-Ups and select “Do not allow any site to show up (recommended)”
• In Safari, select Preferences, then Security, then Block Pop-up Windows

Running a reliable Internet security program will also help keep you from receiving malicious pop-ups, as will some add-on programs such as AdAware and NoScript.

419 Scam

This scam, also known as the advance fee scam, starts with an email from someone who claims to need your help moving money out of another country. The catch is that you must provide some money up front, supposedly to cover a transfer fee, with the promise of receiving a small fortune when the task is complete. ^[14] Victims of this fraud typically lose thousands of dollars.

Chain Letter Scams

Chain letter scams involve sending an email to a large list of contacts which prompts them to forward it to their own contacts, and so on. In the email you are asked to send a small amount of money to a certain number of contacts and to add your name to the contact list. This supposedly guarantees that in the end a large amount of money will come back your way. The problem with this is that it is a modern-day version of a pyramid scheme: only the original senders ever make any money. Chain letter scams of this nature are illegal in most countries, including Canada and the U.S..

Postal Forwarding/Reshipping Scam

In this scam you are asked, either through emails or online job postings, to receive and then re-ship goods for a foreign company. The goods that come your way, however, are usually stolen or acquired through credit card fraud, making you an accessory to the scammers’ crimes.

“Congratulations, You’ve Won an Xbox…” Scam

This scam begins with an email telling you that you have won a popular gadget, such as a new gaming console, but to receive it, you have to submit your bank account or credit card information to cover shipping charges. Not only will you lose that money but you may also have your bank account or credit card compromised. If you legitimately win a product you will not be asked for any personal financial information or to pay for the shipping.

Gaming Console Threats

Because most gaming consoles today are able to connect to the Internet, they are now susceptible to some of the security issues that are associated with computers. While viruses have not yet become a problem with gaming consoles, the breach of Sony’s Playstation Network – which compromised the data of 77 million users – indicates that hacking and identity theft are a potential risk when using consoles.

Security Tips

Never reply to spam. Doing so only identifies your phone, email or IM account as active to the sender and guarantees you will get further unwanted messages. The most effective way to protect against email spam is to use a filtering system: some filters are available to purchase (such as Spamtitan) but there are also spam filters available as free online downloads (POPfile, Spamfence, Spamihilator). When dealing with content that does not offer filtering, such as forums and comment sections, you essentially have to rely on your own better judgment: anything that looks like marketing or advertising or generally out of place usually isn’t worth your attention.

Types of Spam Filters

• • List-based

    filters essentially categorize users as either trusted or not trusted and allow messages only from trusted users. You can use either blacklisting or whitelisting techniques to create your own lists: blacklisting means creating a list that specifies which users to decline mail from, while you can whitelist by creating a list that specifies which users to accept mail from.

  • Content-based

    filters, such as the filters used by most webmail services, evaluate individual messages to determine whether they are legitimate or spam rather than blocking all messages from a particular email address. This is done by evaluating the words and phrases in an individual message. A variety of content filters exist. The most basic are word filters which simply block any message containing certain, pre-specified words. Heuristic filters are a little more sophisticated and evaluate patterns of text and series of words. Bayesian content filters are the most advanced as they use mathematical probability to determine which messages are spam.

  • The most effective way to defend against mobile phone spam is to protect your email address. Avoid giving out your email address in a public forum or, if it is absolutely necessary to do so, write it in such a way that a person can read it but not a computer (for instance, write out the @ sign as “at” or the periods as “dot”). To prevent sales calls on your mobile phone the strategy is very much the same: never give out your mobile number if you do not have to.

  • If you are receiving marketing calls on your mobile phone, you can add your number to the Do Not Call Registry.Telemarketers are not allowed to call numbers on this list: the exceptions are charities registered in Canada, political parties, and general-circulation newspapers. As well, telemarketers can call you if you have an “existing business relationship” with them: this is defined as having bought, leased or rented something from the telemarketer, having a written contract with the telemarketer that is still in effect or has expired less than eighteen months ago, or having asked the telemarketer about a product or survey in the last six months.

  • Well known VoIP providers (such as Vonage or Skype) carry calls through their closed systems and they already implement a certain amount of protection against SPIT. Much the same as with email spam filters, whitelisting seems to work effectively against SPIT because you are creating a safe and closed calling list

Spam Email

Spam Email is often disguised in an attempt to fool any anti-spam software you may have installed. Spammers try to find ways to modify or conceal their messages to achieve this, such as putting spaces between letters or replacing key letters with numbers or characters so that spam filters will not be triggered. While your anti-spam software may not always be able to catch this, you should be able to identify it fairly easily. Spam may be used to bombard you with unsolicited messages, which may include inappropriate or offensive adult content. Spam may also contain malware or be part of a “phishing” scam (see the Online Scams section below).

Instant Messaging (IM) Spam

Instant Messaging spam (IM Spam) is similar to spam email. The main difference is that rather than focusing their efforts on bombarding your email inbox, spammers attempt to fool you on an instant messaging service such as BlackBerry Messenger or Apple’s iMessage. While not as common as spam email, IM spam is more difficult to block out because no particular software exists specifically for spam received while using instant messaging services. A good way to avoid most of it is to create a closed list of friends from whom instant messages are accepted. Even then, it is always possible that a computer belonging to someone within your “safe” list could become infected, so any strange link you receive via IM should be verified before you click on it.

Forum and Comment Spam

Spam is also often found in online forums and discussion boards and in the comments sections of online newspaper and magazine articles Spammers can attack these by posting spam messages as comments. These may be simple ads but can also include links leading to malicious websites.

Mobile Phone Spam

It is possible to receive spam messages through email, text messages or even phone calls on your mobile phone. On top of the usual issues with spam, you may be charged for these unsolicited text messages or pay valuable minutes for the intrusive phone calls.

SPIT (Spam in VoIP Sessions)

SPIT (Spam over Internet telephony), or VoIP

(Voice over Internet Protocol) spam, comes as a phone call using VoIP. While it is not yet very common, the biggest problem surrounding SPIT is that on average, voice messages are 10 times larger than email messages and therefore consume a lot of bandwidth. This could lead to significantly decreased call clarity and quality. The prevalence of SPIT is expected to rise as the same sources that produce large amounts of spam email can easily modify their messages into VoIP spam calls.

Spam refers to unsolicited bulk messages being sent through email, instant messaging or other digital communication tools. It is generally used by advertisers because there are no operating costs beyond that of managing their mailing lists. It could also take place in chat rooms, in blogs and more recently within voice over internet conversation (such as Skype). Beyond being a simple nuisance, spam can also be used to collect sensitive information from users and has also been used to spread viruses and other malware.

Online identity theft is the theft of personal information in order to commit fraud. This can happen through your email account but it can also be a result of online purchases or other situations where you give out sensitive information such as your credit card information or your social insurance number.

A related concern is identity spoofing, in which the victim is impersonated on social networking sites such as Facebook or Twitter. Identity spoofing may also involve spoofing someone’s IP address (the unique number associated to your computer as you surf the internet). The purpose of identity spoofing on social networking sites can range from a simple prank to more serious attacks aimed at shaming or hurting someone’s social networks. Internet Protocol spoofing is used by hackers to cover their tracks or to gain access to places normally closed to them.

Risks relating to online shopping can include overspending or receiving items that do not match their description once you have already paid for them (or not having received any item at all). Because of the distance between the buyer and seller online, shopping on the Internet puts consumers particularly at risk of receiving shoddy goods.

The best defenses to these online scams and frauds generally rely on caution and skepticism when using the Internet. For example:

• You should only open email from trusted senders and use spam filters or anti-spam software (some anti-spam software is available online free of charge, such as Spamfence).
• Verify any request for your personal information online before responding. For example, no reputable financial institution will ever ask you for highly personal information via email: to find out if a request is legitimate, call your bank or navigate to their website (do not follow links in an email claiming to be from a bank or credit card company).
• Don’t give out personally identifiable information (your full name, your age, your address, your social insurance number, etc.) without a good reason.
• Turn any device that uses the Internet to offline mode when they are not in use (most mobile devices have an “Airplane mode” that turns off their Internet functions).
• You can also help to minimize your risk by visiting only trusted sites.

The sections that follow give more detail on these threats and more detailed security tips for each.

Types of Advance Fee Fraud 

Since the evolution of the “419 Fraud” letters from the 80’s, scammers have evolved and updated their tactics. Today, the types of advance fee fraud schemes are limited only by the imagination of the perpetrators who create them. They may involve the sale of products or services, offering of investments, lottery winnings, “found money”, or other opportunities. Some fraudsters will offer to find financing arrangements for clients who pay a “finder’s fee” in advance. Soon after the contract is signed and the finder’s fee is paid, the victim finds out that they are not eligible for financing and the perpetrator has made off with their money. The following are some common examples of advance fee fraud scams:

• Beneficiary fund scam –

  The scammers often present some type of story about needing your help to get money from a bank in another country. The story will usually involve someone who has died and the perpetrator alleges that if they do not act quickly, the money will be turned over to the government.

• Lottery scam –

  Scam claims that you have won money in an overseas lottery. The letter or e-mail will usually ask for personal information to confirm your identity so you can collect your winnings.

• Investment scam –

  An investment company contacts you and needs your assistance in investing money overseas. The letter or e-mail will look as though it is coming from a reputable investment firm or government official. The letter will ask you to contact the company, where you will be asked to pay some sort of fee up front in return for a hefty profit that does not exist.

• Romance scam –

  Scammers pull at the heart strings of those on internet dating websites and chat rooms by asking for money for sick relatives, or money for a plane ticket to meet you in person.

An article recently published in the New York Times described an advance fee fraud scheme that carried on for years, claiming almost 2,000 victims and $26 million. The Company appealed to people looking for investors for their businesses. During a time when job insecurity was high, bank requirements for loans were strict, the Company provided high hopes for those just trying to make a living by making them believe they would invest in their business or find investors for them. The hopeful entrepreneurs only needed to pay up-front fees of between $10,000 and $40,000. Unfortunately, the Company did nothing with the money. When clients started complaining and asking for their money back, phone calls were not returned and files were transferred to someone else. One victim, who felt as though he was fairly business savvy, looked to the Company to help him find investors for a multi-use development project. After paying $15,000 in “due diligence” fees and over $1,000,000 in pre-development costs, the victim was forced to declare bankruptcy on one of his businesses. Because the Company worked diligently to make their business appear legitimate, they were able to de-fraud even the smartest of business owners. Sadly, the money lost by victims is generally very difficult to recover. Companies like this word their contracts to make it almost impossible for victims to sue for fraud. Therefore, it is imperative to understand the warning signs of a suspicious business opportunity.

Definition

Theft of a page from the original site and publication of a copy (or near-copy) at another site.

Information

Pagejacking does not mean taking over a page on the original site. In fact, the original site can be completely unaware that the theft has occurred.

Pagejackers siphon off traffic indirectly though the search engines. The stolen pages are copies or near-copies of the original pages. The stolen pages are then submitted to the search engines in an attempt to duplicate the rankings of the original pages. After the pages are submitted, the stolen pages are switched in favor of pages which earn revenue for the thieves. To further complicate matters, sometimes cloaking is involved.

While very large, elaborate schemes have been uncovered, pagejacking is not the sole province of the technically proficient. Many would-be-thieves are of a decidedly low-tech variety.

Tips To Protect Against Pagejacking

For people with the time and expertise, cloaking is one way to protect your source code. Like most tools, cloaking can be used for wrongdoing, but also for legitimate purposes. Using cloaking to protect your source code is a preventative measure.

Unfortunately, sometimes corrective actions are needed; cases where your people (lawyers) need to talk to their people (webhosts). Before that happens, however, you need to determine if anyone is using your pages without your consent. One way is to search for phrases that should uniquely identify your site. This can be done by searching for large blocks of text using an “exact phrase” option. The odds of finding multiple occurrences of an exact phrase decrease as the size and complexity of the phrase increases.

But you need to understand that most wire fraud issues are really email hacks. So let’s try to see what happened in your situation from what we know of other, similar situations we’ve heard about.

The most frequent way hackers get wind that a person is about to wire a large sum of money is by hacking the closing agent’s, real estate attorney’s, settlement agent’s or real estate broker’s email accounts.

Once they hack into any of these email accounts, they monitor the emails, waiting for the right time to copy or mimic the owner of the email account to send out fraudulent wire instructions to an unsuspecting homebuyer. When these hackers send you an email, they will instruct you to wire the funds to their bank account. They may even give you a phone number to call to confirm the wire, but that phone number will be a phony number to a person that is an accomplice to the fraud.

The other way this happens is that the criminals will learn about you through their prior hack and then hack into your email account and monitor the many hacked email accounts they have looking for active real estate transactions. They will then send them a fake email telling them where to wire the money. Again, the information will be fraudulent and any information on the email is there to entice you to fall into the scam.

In the first case, if the settlement agent, lender, broker or other person’s email was hacked, they may have some responsibility for the fraud, and the company or its insurance coverage, may reimburse you. But if your email was hacked, you won’t be able to blame anybody else other than yourself.

Recently Sam had a person who called him with a situation similar to yours. In that instance, the homebuyer’s email had been hacked. The hackers had monitored his email, knew he was buying a home, knew when to send him wire instructions and what to say. And, like you, he lost a considerable amount of money.

No system is completely secure. In fact, the Pentagon hosts hackathons in order to have talented coders and programmers search for ways criminals can break into their systems. But the entire wire system is at risk the way it is handled now and the financial world needs to create a two-step authentication method to safeguard people and their money in these sorts of transactions.

Two-step authentication might look the way it does on your Gmail account; you can activate two-step authentication, so when you login to an account, there is a second security step to make sure that the sender and the receiver are in agreement as to what will transpire in the transaction. We’re not sure what the system would look like, but title companies, escrow companies and settlement agents should come up with a more secure way to set up the system so we safeguard these transactions in a better, smarter and hopefully hack-proof way.

In the meantime, here are a few steps to take to protect yourself: (1) Never wire funds to anybody or any institution unless you have checked the wire instructions independently with your title company, settlement or closing agent. (2) If you can’t or won’t confirm the information over the phone, most title companies, settlement companies and closing agents post their wire instructions online, so be sure you check their official websites. If they do, you can compare those instructions with the instructions you received. (3) Some agents will confirm the instructions you received over the phone if you give them the information you received. Just make sure you are talking to the right person at the right place.

The system is far from perfect now, but we tell our readers to be vigilant and when it comes to wire transfers and to verify and reverify the information from trusted sources. As you found out, if you receive an email, you need to make sure it’s from a trusted source. If you receive a text, you must make sure it’s from a trusted source. If you receive a call, you need to make sure it’s from a trusted source.

In the end, you need to have a good working relationship with your settlement agent to make sure that you know that “trusted” source. We can see the day when you go to see the closing or settlement agent in person and then go to the bank to initiate the wire transfer. That way, you have face to face information with your trusted source.