E-Mail Swindle Uses False Report About a Swindle

[Dave Farber <dave () farber net>]

E-Mail Swindle Uses False Report About a Swindle

June 21, 2003
By KATIE HAFNER and LAURIE J. FLYNN






SAN FRANCISCO, June 20 - It was a clever, if not entirely
flawless ruse. Many of its potential victims saw through it
immediately. Others were less skeptical and were caught in
its snare.

On Wednesday, starting in the early afternoon, people
around the country began receiving an e-mail message with
"Fraud Alert" in the subject line. In the guise of concern
about a purchase from Best Buy and possible credit card
misuse, the message urged recipients to go to a "special"
BestBuy.com Web site and correct the problem by entering
their credit card and Social Security numbers.

E-mail posing as a fraud notice to carry out a fraud -
indeed preying on a consumer's fear of being defrauded - is
an illegal form of spam, the much-loathed tide of random,
unsolicited messages that pours into computer inboxes every
day.

"This is the electronic version of the call at night from
somebody purportedly being your credit card watchdog," said
Malcolm Sparrow, a professor at the John F. Kennedy School
of Government at Harvard, who specializes in fraud control.


Almost immediately after the e-mail messages went out,
thousands of calls from consumers started pouring in to
Best Buy's headquarters just outside Minneapolis.

Best Buy acted quickly to distance itself from the
deception. Within a few hours, two bogus Web sites were
shut down and customer service agents were busy telling
callers to disregard the e-mail messages. Those who had
given out their information were told to call their banks,
credit card companies and the Federal Trade Commission's
Identity Theft Program.

But much of the damage had already been done. It was an
electronic hit-and-run.

Law enforcement authorities are taking the case seriously.
"One person being defrauded is a terrible thing in itself,"
said Paul McCabe, an F.B.I. special agent in Minneapolis.
"But several thousand people did receive the e-mail."

In fact, perhaps as many as a million e-mails were sent out
by the fraud artists within a very short time, experts
said.

The United States attorney's office in Minnesota is also
involved in the investigation. Mr. McCabe said law
enforcement officials in other countries had become
involved, since the messages were also sent outside the
United States.

Dawn Bryant, a Best Buy spokeswoman, said that subpoenas
were served to Internet service providers that appear to
have been hosts of the fraudulent Web sites, if unwittingly
and that companies that sell domain names were also
subpoenaed. By this afternoon, the company had handled tens
of thousands of calls, she said.

The perpetrators, said Naomi Lefkovitz, a lawyer with the
F.T.C., could be charged under the 1998 Federal Identity
Theft Act. But catching them will not be easy.

"Once it's launched it's quite hard for law enforcement to
track down," Professor Sparrow said. "All of this stuff is
done so remotely. And chances are this one is being
operated from abroad."

Fraud artists posing as fraud investigators are part of a
time-honored tradition.

"There's a whole species of fraud involving companies
impersonating customer service organizations," said Jason
Catlett, president of the Junkbusters Corporation, a
consulting company. Once they have the credit card and
Social Security numbers in hand, perpetrators of such
schemes sell them to identity thieves.

The ability to send out mass e-mailings greatly increases
the potential yield. The number of people who fell for the
fraud is unclear. Given how widely the net was cast,
though, it is probable the scheme trapped quite a few
victims.

"Even if 99.99 percent of the people who got it were
sophisticated enough to see through it, if you send out a
million you'll get some victims," said David Sorkin, a
professor at the John Marshall Law School in Chicago and an
expert on spam and consumer protection. "Spam is so cheap
to send that you don't need a high response rate."

By Wednesday afternoon, Web bulletin boards were filling up
with news of the fraud. "Good to spread the word on this
fake as it is quite convincing," posted one recipient who
did not fall for the ploy.

"They are very brazen," another wrote. "Just be warned."


The Best Buy scheme was sophisticated, though not
particularly original. America Online, eBay, Wells Fargo
and Bank of America have been the unwitting participants in
similar deceptions.

In one scheme around tax time last year, e-mail messages
were sent in the guise of an official Internal Revenue
Service communication, alerting recipients to a problem
with their tax refund. "As the I.R.S. pointed out, the
I.R.S. doesn't e-mail people," Ms. Lefkovitz said.

Kevin Pursglove, a spokesman for eBay, said reports of
fraudulent e-mail schemes - including messages that ask for
credit card information - come in every day from customers.


"It's an ongoing issue for us," Mr. Pursglove said. "We are
currently working with law enforcement officials to track
them down."

David Kennedy, research director for TrueSecure, a security
company based in Herndon, Va., that advises corporations,
has seen an upswing in e-mail frauds lately. He has even
received some himself. "It has certainly surged in the last
three months," he said.

Most, but by no means all, consumers are shrewd enough to
be suspicious of e-mail requests for personal information.
People should know, Mr. Pursglove said, that "it's easy to
mimic the look of an official e-mail or Web page."

To carry off such a scheme, fraud artists collect e-mail
addresses, often using an automated program, and create a
master e-mail list. Electronically, they capture images
from a legitimate corporate site to create another Web site
with the same look.

The link to Best Buy included in the e-mail message looked
legitimate enough, and the fake Web site was the very image
of a Best Buy site.

But other aspects were clear giveaways. Not only were there
obvious grammatical mistakes, and strange return addresses,
but a telephone number accompanying a Staten Island mailing
address had an area code for Seattle.

"The silly mistakes are classic," said Ms. Lefkovitz of the
F.T.C. "It's another thing we try to warn people about.
Look for grammatical mistakes and other sloppiness."

Professor Sparrow said schemes like this provide a perfect
opportunity to educate consumers. "People should understand
that an incoming e-mail is just like an incoming telephone
call," he said. "If it's unsolicited you should never trust
it."

The fraudulent Best Buy e-mail messages were still arriving
in computers today, and will probably pop up here and there
for months to come, long after the spammers have
disappeared into cyberspace.

"But they'll be back," Professor Sorkin said, "with some
other scam tomorrow."

http://www.nytimes.com/2003/06/21/technology/21CARD.html?ex=1057184007&ei=1&en=c3fc947fa71553ae


---------------------------------

Get Home Delivery of The New York Times Newspaper. Imagine
reading The New York Times any time & anywhere you like!
Leisurely catch up on events & expand your horizons. Enjoy
now for 50% off Home Delivery! Click here:

http://www.nytimes.com/ads/nytcirc/index.html



HOW TO ADVERTISE
---------------------------------
For information on advertising in e-mail newsletters
or other creative advertising opportunities with The
New York Times on the Web, please contact
onlinesales () nytimes com or visit our online media
kit at http://www.nytimes.com/adinfo

For general information about NYTimes.com, write to
help () nytimes com.

Copyright 2003 The New York Times Company



-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/