Sunday, January 06, 2008

Of Scams, Spam and Other Cybercrap...

In my posting about "get paid to..." websites like Bux.to, I had quickly mentioned that I would try to write something about how to recognize scams, hoaxes, urban legends, phishing, get rich quick schemes, etc... I would even include chain letters / e-mail forwards (ugh) in this list of what I consider to be nefarious "social engineering"-type activities. I will just be collectively referring to these using the term "cybercrap" going forward for lack of better terminology and for simplicity's sake.

Getting duped by cybercrap is probably more common than anyone would like to admit or imagine. It can sometimes happen to even the smartest, web-savviest of people. Some schemes have become so sophisticated and persuasive that recognizing them as cybercrap would require a deep understanding of how certain Internet communication protocols and software work... knowledge that the average Internet user most likely does not have.

  • Perhaps the most obvious and telltale sign of a scam in general (not necessarily web or e-mail based scams, but also those that come via phone, postal mail or in person) is an unsolicited request to disclose financial or socially sensitive information -- things like bank or credit card numbers, driver's license or social insurance numbers, etc. -- usually on the premise that you have won some type of prize in a draw that you do not remember entering, or a promise that you'll be receiving significant sums of money, exotic vacations or major prizes like automobiles & appliances in return.
    • My basic rule is that it is usually harmless to provide personal information that can be found in a phone book like your name, address and phone number... but even then, it is advisable to use caution and discretion, since you probably don't want to verify this information to suspicious parties in case it is used for a junk mail or calling list.
    • If the offer comes disguised under the name (or variation of a name) of a reputable company, service or charity that you are a customer of, there is no reason for them to be asking you again for information that they should already have records of. If information needs to be verified, you can ask what they currently have in their records and confirm whether updates are needed.
    • If you have won a prize, there is no reason that you should ever have to provide financial information such as your bank account, credit or debit account numbers, have to commit to purchasing something first, or have to be charged any type of "handling" or "processing" fees -- even if it is just a penny... once a scammer has access to your accounts, it is already too late.
    • Your Social Insurance/Security number should never have to be disclosed to any commercial organization. The only parties that should ever need this information are yourself, the government, your employer and your financial institution. If you are also asked to provide one or more government-issued identification numbers such as your driver's license or passport number, this should immediately raise red flags: there is a very good chance the information will be used for identity theft, or for fraudulently applying for credit cards or bank accounts under your name.
    • All unsolicited correspondence with a reputable company should remain courteous and professional at all times. If the representative that you are corresponding with becomes pushy, rude, impatient or excessively persistent, even after you have repeatedly declined, you can safely bet that you are probably not dealing with a legitimate organization. It would be safe to assume that the person is probably trying to pressure you and extract information from you. Even if they are indeed legitimate, you should always be treated respectfully as a prospective or valued customer. You have every right to refuse them your business if you feel that you are not being treated respectfully. You have no obligation to provide explanations for refusals, and you certainly do not have to try ending the call politely. Simply hang up.
    • If you receive a phone call and a recorded message instructs you to press a number on your phone keypad to "claim your prize" or to "speak to a representative", do not press any numbers. Simply hang up. There is no reason that you should need to take any action to speak to somebody when you were the one who received the call in the first place. There is a chance that by pressing the indicated number, you will be transferred to a line where you will be charged expensive tolls or overseas long distance fees.
  • When registering accounts on websites, consider the information that is being asked for. Again, it would be wise to use the "phone book" rule.
    • Because the nature of the Internet is virtually "anonymous", there is nothing stopping you from "testing the waters" by providing inaccurate or incomplete information. This is an especially helpful tactic if you are in doubt. You should always be able to go back to edit or correct your profile information afterwards if you choose or need to do so. At the very least, you should be able to simply cancel your test account and register a new account using more accurate information.
      • In addition to your regular e-mail address, I would advise setting up at least one semi-anonymous "junk" e-mail account using any of the myriad free web-based e-mail services that are available (such as Microsoft Hotmail/Windows Live Mail, Yahoo! Mail, Google GMail, etc.). You can then provide your "junk" e-mail account for website account registrations, mailing lists, and other potential spam-generating sources. This can help you to keep your main e-mail account cleaner for personal or professional correspondence only.
      • On a side note, speaking as somebody who has experience developing and maintaining various websites, I would personally just hate it if people kept registering dummy accounts. Providing false information when registering a profile may be against the terms of service for some websites, and impersonation or using information that does not belong to you may even be unlawful depending on where you live. Please use discretion. If possible, cancel any dummy accounts that you have created if you decide not to use the website.
    • If you need to provide payment via credit card, verify that the website is using a secure form of data encryption or authentication system (known as Secure Sockets Layer - SSL). Most modern and widely used web browsers should indicate this by displaying security icons (e.g. a lock/key) somewhere, and change the colour of your address bar (usually yellow -- use caution or avoid submitting data if the address bar turns red or remains white). Also check to ensure that the URL in the web site address bar begins with "https://" (secure HTTP) instead of the standard "http://". Depending on your web browser's security preferences, you may also see a confirmation prompt dialog window.
      • Note that just because a website uses SSL and data encryption, this does not necessarily guarantee legitimacy. It is quite easy to create fake (self-signed) certificates -- although such a certificate may not appear to be issued by an authentic "root" certificate signing authority. Most web browsers should (depending on your security preferences) display a prompt dialog to warn you of this, but more often than not, the average Internet user would probably not understand the prompt, or would basically ignore it anyway.
      • If available, using trusted third-party escrow payment services like PayPal could help to provide an extra layer of security and peace-of-mind.
  • Be extremely cautious if you choose to respond to unsolicited offers via e-mail -- better known as "spam". As a matter of fact, you should always simply ignore and delete spam messages. Never click on any links, images or download/open attachments in suspicious e-mails.
    • Never reply or click links that are provided to "unsubscribe" from spam e-mails. Spammers usually use responses in order to confirm that your e-mail address is an actively used account with a real live person on the other end. Chances are "unsubscribing" from a spam message will only result in you getting even more spam, as your e-mail address will probably be sold to other spammers looking for verified working e-mail addresses.
    • Checking the e-mail header data and sender domains may help somewhat; however, for most average Internet users, deciphering this information is probably not practical. Also, the presence of faked headers may easily mislead or confuse even those with intermediate knowledge. Checking the domain of URLs in the message simply by eyeballing the status bar of your web browser or looking at the sender's e-mail address domain is also not always reliable. Checking links, form targets and other references would likely require examining the HTML source. Not only would you need to have good knowledge of HTML, but without very careful evaluation, some of the more well-crafted phishing messages obfuscate links or create the illusion that they point to legitimate domains when in fact they do not. In short, the only way to really determine with absolute certainty if a message is a phishing scam is if you have the knowledge to properly analyze headers and HTML source code... knowledge that average non-technical users most certainly wouldn't have.
    • Phishing schemes are typically e-mails sent to you disguised to be from reputable organizations that you might actually have a prior established relationship with. Obviously if you do not have prior business with the organization that the message claims to be from, you can be fairly certain that the message is part of a phishing scheme. Make it your practice to never click any links or send any information requested via e-mail. Even if the message threatens that your account will be canceled or that your service will be in some way affected unless you take some kind of action, you should never click any links provided in the e-mail message. Open the website directly by typing the URL yourself in your web browser address bar (or use your bookmarks/favorites), and confirm on the website whether action really needs to be taken on your part. If so, you should be able to enter the needed information on the website itself.
    • Help to stop fraudsters by reporting them to the appropriate authorities. In Canada, PhoneBusters is a government and RCMP/OPP-operated public service programme devoted to investigating and stopping fraud. Their website also has a lot of very helpful information about how to recognize, report and stop fraudulent activity, as well as a list of known popular scams that are currently making rounds.
  • Hoaxes, urban legends, chain letters & forwards: these are e-mail messages that your friends, family, co-workers and other contacts forward en masse to practically everybody they have listed in their e-mail address book. Forwards could be considered as any innocuous viral FUD (fear, uncertainty & doubt) "news" stories, rumours, plain text games, images, slide shows, movie clips or documents that usually have some kind of message -- sappy, scary, mundane, offensive, x-rated or otherwise.
    • Forwards are mainly just harmless fun that you or your contacts just want to share for a laugh. Sometimes they can be interesting or entertaining, but other times they may be annoying, impersonal, or a nuisance if you have received the same thing multiple times before from other contacts.
    • Chain letters, hoaxes and urban legends are those that attempt to play on your emotions or make dubious claims. Usually they include claims that by simply forwarding the message on to as many of your contacts as possible, wonderful and magical things will happen to you (or terrible things if you don't). Regardless of whether you are superstitious or not, there is nothing that any e-mail message can technologically, physically, metaphysically or magically make possible by simply forwarding the message to X number of your contacts.
      • Bill Gates or insert_name_of_a_famous_billionaire_or_corporation_here cannot track private e-mail messages, and certainly nobody could know who you are & where you live based on your e-mail address alone. There's a good chance that nobody, no matter how rich or famous they are, is going to be sending their fortunes out to millions of random people any time soon... that's a whole lot of tax paperwork!
      • A deposed Nigerian prince probably wouldn't be needing the help of a completely random stranger to help him wire large sums of money from his bank account.
      • A gorgeous babe, handsome hunk or your secret crush will not be spontaneously compelled to call or show up on your doorstep to passionately make out with you because you were such a big hero and you forwarded an ancient druid prayer to 50 friends.
      • Something "special" or "totally worth it" will not pop up on your screen after you forward the message and press random key(s) on your keyboard... OK, maybe something can, but that only means that either you were duped into doing something that your computer operating system or application already does anyway, or that your computer has been infected with a virus, worm or malware.
      • Little Timmy who fell down the well and died will not come to haunt you at night because you neglected to forward his tragic story to at least 20 of your friends.
      • Perhaps the only thing that might happen is that you would make yourself look foolish to your friends for believing such nonsense (unless all your friends also don't know any better).
    • Snopes.com is a fairly extensive website resource which contains lots of excellent information debunking many hoaxes, myths, urban legends (there are other hoax-busting websites out there, but Snopes is probably the most well-known in my opinion). Chances are, there is already something there that covers or touches on the very e-mail forward (or a variation of it) that you received. Instead of impulsively believing information that has been forwarded to you via email, do some research and get the straight facts & truth first.
    • Search reliable and reputable news outlets and find credible sources to verify claims. It is absolutely frightening how many people just take information that has been sent to them from friends via e-mail as truth without checking. Even though so-called "references" or "authoritative" sources may be provided, references can be faked very easily. It is generally not a good idea to just take the word of a complete stranger as truth, even if it is from a "friend of a friend's sister's ex-boyfriend's aunt". If a story really is as significant as it appears, there should probably be something about it that has been reported recently by major news outlets.
      • If you must forward a message, help to stop the spread of misinformation and FUD by replying or forwarding the facts along with the message. Not only would you look smart, but you would be helping to better inform your friends and relatives, and overall make the world a better place. ;-)
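As an added illustration of the link-obfuscation problem described under the spam/phishing section above (this is example code written for this post, not something from the original), here is a small Python script that parses an HTML message and flags anchors whose visible text shows one host while the href actually points to another, as well as links and form targets that lead away from the domain the message claims to come from. The sample message, its hostnames and the `example.com` sender domain are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anything that looks like a host or URL inside the visible link text.
HOST_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

def _host(url):            # lower-case host of a URL, '' if it has none
    return (urlparse(url.strip()).hostname or "").lower()
def _under(host, domain):  # host is domain itself or a subdomain of it, not a look-alike
    return host == domain or host.endswith("." + domain)

class LinkAudit(HTMLParser):  # collects (href, visible text) per <a> and every <form action>
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit(html, expected_domain):
    """Return (kind, shown, actual_host) for each suspicious link or form in a message claiming to come from expected_domain."""
    p = LinkAudit()
    p.feed(html)
    findings = []
    for href, text in p.links:
        target, m = _host(href), HOST_RE.search(text)
        shown = m.group(1).lower() if m else None
        if shown and target and not _under(target, shown):     # displays one site, goes to another
            findings.append(("text/href mismatch", text, target))
        elif target and not _under(target, expected_domain):  # leads away from the claimed sender
            findings.append(("off-domain link", text, target))
    for action in p.forms:
        if _host(action) and not _under(_host(action), expected_domain):
            findings.append(("off-domain form", action, _host(action)))
    return findings

# Constructed sample message; the hosts are reserved documentation values, not real sites.
SAMPLE = """<p>Your account will be closed unless you <a href="http://203.0.113.5/login">click here</a>
or visit <a href="http://secure-example.com.evil.test/x">https://www.example.com/account</a>.</p>
<form action="http://evil.test/collect"><input name="password"></form>"""
```

Running `audit(SAMPLE, "example.com")` reports all three tricks in the sample: a bare-IP link, a link whose visible text reads example.com but resolves to a look-alike host, and a form that posts the password elsewhere.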
Phew! This was an exceedingly long and rambling post! I hope it helped, even if you might have already known some or all of this. Even though a lot of this could probably be considered common sense, the fact is that year after year, people really do still continue to fall for scams and hoaxes. I don't claim to know everything or be a fully qualified expert on this subject matter, but having an extensive background in computer programming and having been on the Internet since the early WWW stages around 1993, I merely wish to share my own personal experience.

What I have touched on here barely scratches the surface of the subject of cybercrap -- this is such a broad, extensive and voluminous subject that I cannot say that I have covered every aspect. I might write more about this in a future posting. Stay tuned!
