Spam, Phishing and Fraud on the Net

Sabrina I. Pacifici, Law Librarian
Founder, Editor, Publisher, LLRX.com
www.llrx.com
Author, beSpacific.com
www.bespacific.com
Barbara Fullerton, Director of Library Services
Locke Liddell & Sapp LLP
[email protected]
Be Alert, Be Wary, and Be
Informed
• This presentation highlights federal, state,
association, advocacy, corporate, commercial and
news related resources providing reliable data that
addresses the issues of spam, fraudulent website
claims and offers, and attempts to obtain personal
data to perpetrate ID theft.
• Websites and resources have been selected based
on authority and topical relevance. We welcome your
suggestions and recommendations for relevant sites
not mentioned, for inclusion in this guide.
Barbara J. Fullerton & Sabrina I.
Pacifici
Is This Spam?
This is Spam…
• Unsolicited Commercial Email (UCE), also
known as "spam" or "junk email"
– Email that is “unwanted,” “inappropriate” and “no longer wanted…”
http://www.clickz.com/experts/em_mkt/em_mkt/article.php/1492521
Stats on Spam
http://www.mailfrontier.com/threats/stats.html
Spam Laws – Federal and State
• Spam Laws, Federal http://www.spamlaws.com/federal/index.html
– CAN-SPAM Act of 2003
http://www.spamlaws.com/federal/108s877.html
• Spam Laws, State http://www.spamlaws.com/state/index.html
The Difficulties of Tracing Spam Email – Report prepared at request of FTC
Example: Spam Reduction Policy
This is one of a number of internet and extranet sites (each, a “Practice Website”)
accessed through the Internet and sponsored, owned, controlled and/or
maintained by Mayer, Brown, Rowe & Maw (which is a combination of two
limited liability partnerships, each named Mayer, Brown, Rowe & Maw LLP, one
established in Illinois, USA, and one incorporated in England) (together with all
owned or controlled subsidiaries and affiliates thereof (collectively, the
“Practice”)) whose principal place of business in the United States of America
is 190 South LaSalle Street, Chicago, Illinois 60603-3441.
Introduction
Receipt of Unsolicited Bulk Email (UBE also known as "spam") is a growing
concern for Email users at the Practice. This document provides a description
of what the Practice is doing about it, why and how that affects senders.
• This document serves several purposes and addresses several types of
readers.
1. The user who wants to know what the Practice is doing about spam.
2. The legitimate user who finds that he/she is no longer able to send Email to a
Practice user
https://registration.mayerbrownrowe.com/registration/helpcenter/spam.asp
What Companies are Doing
• AMERICAN EXPRESS - How to Contact American Express
about Fraudulent E-Mails
• If you receive an e-mail that you believe could be fraudulent,
immediately forward it to
[email protected]. Please do not
forward the e-mail as an attachment. Please note that any
submissions to this email address will result in an autogenerated reply to notify you that we have received your e-mail.
If we find it to be fraudulent, we will immediately take
appropriate action. For consumers requiring additional
assistance, please contact us at Contact American Express
– http://www10.americanexpress.com/sif/cda/page/0,1641,21372,00.asp
E-Mail Fraud
• From U.S. Bank: Email Fraud Information and Help –
Customer Alert and Data on Phishing Scams
http://tinyurl.com/2h3vv
• Email Threat Advisories
http://www.mailfrontier.com/threats/advisories/threat_index.html
• Firewall to fry spam – “A firewall designed to eliminate email
spam has been developed at Queensland University.”
http://tinyurl.com/4w23r
The Good Old Days…
Where are the Hackers?
Hackers now chase money…
not just the thrill of breaking into a
website.
What is Phishing?
--- listening to music by the band called Phish
--- a hobby, sport or recreation involving the ocean,
rivers or streams…nope
“Fishing for personal information”
• Use “spoofed” e-mails and fraudulent
websites designed to fool recipients into
divulging personal financial data such as
credit card numbers, account usernames and
passwords, social security numbers, etc.
– Anti-Phishing Working Group
http://www.antiphishing.org/
Example of Phishing
From: Customer Support [mailto:[email protected]]
Sent: Thursday, October 07, 2004 7:53 PM
To: Eilts
Subject: NOTE! Citibank account suspend in process
Dear Customer:
Recently there have been a large number of cyber attacks pointing our database servers. In order
to safeguard your account, we require you to sign on immediately. This personal check is requested
of you as a precautionary measure and to ensure yourselves that everything is normal with your
balance and personal information. This process is mandatory, and if you did not sign on within
the nearest time your account may be subject to temporary suspension. Please make sure you
have your Citibank(R) debit card number and your User ID and Password at hand. Please
use our secure counter server to indicate that you have signed on, please click the link bellow:
http://211.158.34.249/citifi/. Note that we have no particular indications that your details have
been compromised in any way. Thank you for your prompt attention to this matter and thank
you for using Citibank(R)
Regards,
Citibank(R) Card Department
(C)2004 Citibank. Citibank, N.A., Citibank, F.S.B.,
Citibank (West), FSB. Member FDIC.Citibank and Arc
How to Detect Deception
• Publish your mail server addresses (to thwart
spoofing)
• Educate customers (and employees)
• Establish online communication protocols
• Create a response plan now
• Proactively monitor for phishers and fraud
• Make yourself a difficult target
http://www.cio.com/archive/090104/phish.html
Prevent Phishing
from Fraud Watch International
• Never click on hyperlinks
• Use Anti-SPAM filters
• Use Anti-Virus Software
• Use personal firewalls
• Keep all software updated
• Always look for https and
sites that ask for “personal
information”
• Keep computer clean from
Spyware
• Know Fraudulent activity on
the Internet
• Check your credit report
immediately for free!
• If unsure, ask!
Industry Sponsored Anti-Phishing Efforts
• “The Anti-Phishing Working Group (APWG) is an industry
association focused on eliminating the identity theft and fraud
that result from the growing problem of phishing and email
spoofing.” http://www.antiphishing.org/
– An updated chart of examples of phishing attacks submitted
to antiphishing.org is available here:
http://www.antiphishing.org/phishing_archive.htm
• White Paper, Anti-Spam Technical Alliance, 22 June 2004,
http://tinyurl.com/2qaje
• Microsoft Anti-Spam Virtual Press Room,
http://www.microsoft.com/presspass/events/antispam/material.asp
• TECF – Trusted Electronic Communications Forum
http://www.tecf.org/
– “The Trusted Electronic Communications Forum (TECF) is a
global, cross-industry consortium of industry leaders focused
on efforts to eliminate the phishing and spoofing attacks that
lead to identity theft and brand distrust.”
What is ID Theft?
“Identity theft is a crime in which an imposter obtains
key pieces of information such as Social Security and
driver's license numbers and uses it for their own
personal gain.”
ID Theft Resource Center
http://www.idtheftcenter.org/index.shtml
Preventing ID Theft tips from CNN.com &
FTC.gov
• Find out how your information
will be used
• Pay attention to your billing
cycles
• Put passwords on all your
accounts
• Minimize the ID information &
number of cards you carry
• Find out who has access to
your PI at work and verify
records are kept in a secure
location
• Legitimate organizations with
whom you do business have the
info needed & should not ask you
for it
• Give your SSN only when
absolutely necessary
• Order a copy of your credit report
from the 3 major credit reporting
agencies
• Use one credit card for Internet
purchases. Minimum amount.
http://www.bespacific.com/mt/archives/cat_id_theft.html
Federal Legislation on ID Theft
• Identity Theft Penalty Enhancement Act (ITPEA), signed by
the President on July 15, 2004 - To amend title 18, United
States Code, to establish penalties for aggravated identity theft,
and for other purposes.
– The President’s remarks upon signing the bill:
http://www.whitehouse.gov/news/releases/2004/07/200407153.html
– The text of the bill:
http://thomas.loc.gov/cgi-bin/bdquery/z?d108:h.r.01731:
For Reference, see also the Fair and Accurate Credit Transactions Act of
2003, H.R.2622, To amend the Fair Credit Reporting Act, to prevent
identity theft, improve resolution of consumer disputes, improve the
accuracy of consumer records, make improvements in the use of, and
consumer access to, credit information, and for other purposes.
Became Public Law No: 108-159.
http://thomas.loc.gov/cgi-bin/bdquery/z?d108:h.r.02622:
Selected Pending Federal Legislation
• Anti-phishing Act of 2004, S. 2636, introduced July 9, 2004 http://thomas.loc.gov/cgi-bin/query/z?c108:S.2636.IS:
– See also The Anti-Phishing Act of 2004: A Useful Tool
Against Identity Theft,
http://writ.news.findlaw.com/ramasastry/20040816.html
• The SPY BLOCK Act, S. 2145, introduced February 27, 2004
– 11/19/2004 Placed on Senate Legislative Calendar under
General Orders. Calendar No. 811.
– http://thomas.loc.gov/cgi-bin/query/z?c108:S.2145.RS:
• The Safeguard Against Privacy Invasions Act or Spy Act,
H.R. 2929
http://thomas.loc.gov/cgi-bin/bdquery/z?d108:h.r.02929:
• Social Security Number Privacy and Identity Theft
Prevention Act of 2003, HR 2971,
http://thomas.loc.gov/cgi-bin/query/z?c108:H.R.2971.IH:
Sites Sponsored By Advocacy Groups
• National Fraud Information Center/Internet Fraud Watch
http://www.fraud.org/welcome.htm
• The Better Business Bureau Online
http://www.bbbonline.org/idtheft/phishing.asp
• Call For Action
http://www.callforaction.org/
• Identity Theft Resource Center
http://www.idtheftcenter.org/index.shtml
• Privacy Rights Clearinghouse
http://www.privacyrights.org/identity.htm
• Center for Democracy and Technology webpage on Spyware
- http://www.cdt.org/privacy/spyware/
• Internet Fraud Tips from the National Consumer League’s
Internet Fraud Watch
http://www.fraud.org/tips/internet/phishing.htm
Federal Trade Commission Resources on ID Theft
• The Federal Trade Commission (http://www.ftc.gov) serves as
clearinghouse to receive consumer complaints and provide assistance.
• National and State Trends in Fraud and Identity Theft, January –
December 2003,
http://www.consumer.gov/sentinel/pubs/Top10Fraud_2003.pdf
• ID Theft: When Bad Things Happen To Your Good Name: “a step-by-step
guide to prevent ID theft that also provides useful
documentation on services and resources available to those who are
already victims of fraud.”
http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm
• ID Theft Complaint Input Form
https://rn.ftc.gov/dod/widtpubl$.startup?Z_ORG_CODE=PU03
• ID Theft Alert website reviews how identity thieves work, provides
government reports and Congressional testimony, law enforcement
updates and links to other identity theft sites.
http://www.consumer.gov/idtheft/
Security Freeze to Prevent ID Theft
• Your file cannot be shared with potential creditors. Most
businesses will not open credit accounts without checking
a consumer's credit history first.
• Must write to all 3 credit companies; set-up with PIN
• You can order a credit report, but no one else can
• Only available in 2 states
– California and Texas
– Louisiana and Vermont make it available July 2005
– See this AP article, Credit bureaus shun identity theft weapon,
http://msnbc.msn.com/id/5841962/, for more details
• Only you can unfreeze it
• Used only in extreme measures
• Fee for lifting the freeze: $10-$15 for each transaction
At Home: Preventing ID Theft
• If you are buying a new computer, you need
to take the following steps to prevent your
information from being stolen from your old
computer
– Clean your disk
– Destroy that hard drive, or remove it
– Donate rest of computer to charity or recycle it
Other Resources on PC Security, Spam and ID
Theft, sponsored by the federal government
• FTC-Spam Homepage
http://www.ftc.gov/bcp/conline/edcams/spam/index.html
• FTC ID Theft Homepage http://www.consumer.gov/idtheft/
• FTC Consumer Information Security website http://www.ftc.gov/infosecurity/
• United States Postal Service, Pub 280, August 2003,
Safeguard your personal information,
http://www.usps.com/cpim/ftp/pubs/pub280.pdf
Department of Justice Resources on
ID Theft and Online Fraud
• Criminal Division, Fraud Section
http://www.usdoj.gov/criminal/fraud.html
• Special Report on "Phishing"
http://www.usdoj.gov/criminal/fraud/Phishing.pdf
• Foreign Corrupt Practices Act (FCPA)
http://www.usdoj.gov/criminal/fraud/fcpa.html
• Identity Theft and Identity Fraud
http://www.usdoj.gov/criminal/fraud/idtheft.html
• Internet Fraud
http://www.usdoj.gov/criminal/fraud/Internet.htm
Federal Deposit Insurance Corp. and
Social Security Administration Resources
• FDIC
– When a Criminal's Cover Is Your Identity
http://www.fdic.gov/consumers/privacy/criminalscover/index.html
• Social Security Administration
– Identity Theft And Your Social Security Number,
http://www.socialsecurity.gov/pubs/10064.html
– Public Fraud Reporting Home Page,
http://www.socialsecurity.gov/oig/public_fraud_reporting/index.htm
– Enhancing Social Security Number Privacy
http://www.socialsecurity.gov/oig/communications/testimony_speeches/06152004testimony.htm
– Fact Sheet, Social Security Identity Theft, Committee on Ways &
Means
http://waysandmeans.house.gov/media/pdf/ss/factsheet.pdf
State Specific Resources on
ID Theft: California
• California: Financial Information Privacy Act
http://www.privacy.ca.gov/sb1/sb1.htm
• ID Theft: http://www.privacy.ca.gov/cover/identitytheft.htm
• California Right to "Freeze" Your Credit History
http://www.privacy.ca.gov/financial/cfreeze.htm
– How to put a freeze on your credit file http://www.privacy.ca.gov/financial/cfreezeon.htm
• DMV Information about Fraud and Identity Theft http://www.dmv.ca.gov/consumer/fraud.htm
• Office of the Attorney General, Identity Theft Data
http://caag.state.ca.us/idtheft/index.htm
More State Resources on ID Theft
• Louisiana credit freeze info
http://www.ag.state.la.us/calerts/alert0004.aspx
• Links to State Attorneys General Websites
http://www.findlaw.com/11stategov/indexag.html
• ID Theft Statutes as of July 2003
http://www.ncsl.org/programs/lis/privacy/idt-statutes.htm
• National Conference of State Legislatures (NCSL), Identity
Theft Information,
http://www.ncsl.org/programs/lis/privacy/idtheft.htm
• Identity Theft Legislation updated as of August 20, 2004
http://www.ncsl.org/programs/lis/privacy/idt-01legis.htm
• 2003 Enacted Identity Theft Legislation
http://www.ncsl.org/programs/lis/privacy/idt-03enacted.htm
Credit Card Companies
• Equifax
Phone: 800-685-1111; P.O. Box 105788, Atlanta, GA 30348
• Experian
Phone: 888-397-3742; P.O. Box 95554,
Allen, TX 75013
• TransUnion
Phone: 888-909-8872; P.O. Box 6790, Fullerton, CA 92834
• Consumer Info’s Free Credit Report
http://tinyurl.com/49rug
Don’t Like those Nasty Pre-Approved Credit Card Offers?
Opt Out!
1-888-5OPTOUT
Good for 2 years or permanent
What is Spyware?
Any technology that aids in gathering
information about a person or organization
without their knowledge. On the Internet
(where it is sometimes called a spybot or
tracking software), spyware is programming
that is put in someone's computer to secretly
gather information about the user and relay it
to advertisers or other interested parties.
Defined by searchCRM.com
What is Adware?
Any software application in which advertising
banners are displayed while the program is
running. The authors of these applications
include additional code that delivers the ads,
which can be viewed through pop-up
windows or through a bar that appears on a
computer screen.
Defined by searchSmallBizIT.com,
http://searchsmallbizit.techtarget.com/
Resources on Spyware
• Who Downloaded the Spyware? Not Me! by Chris Hayes, May 24,
2004, http://www.llrx.com/features/spyware.htm
• Spyware: What You Don't Know Can Hurt You, Hearing by the
Subcommittee on Commerce, Trade, and Consumer Protection, April
29, 2004, Link to Witness List & Prepared Testimony, Related
Documents and Bills,
http://energycommerce.house.gov/108/Hearings/04292004hearing1255/hearing.htm
• Spyware Warrior, Waging the war against spyware
http://www.netrn.net/spywareblog/
• Spyware vs. spyware
“Lawmakers are preparing to attack spyware, but efforts could
criminalize common tools and techniques currently in use.”
http://www.infoworld.com/article/04/08/30/HNspyware_1.html
• McAfee releases VirusScan with intrusion prevention
http://www.infoworld.com/article/04/08/30/HNmcafeevirusscan_1.html
Blog devoted to fighting spyware – Spyware Warrior
Additional Resources on Spyware
• From Lehigh University Library & Technical Services, Guide to Spybot
Search & Destroy 1.3: Downloading, Installing, and Using Spybot http://www.lehigh.edu/~inlts/help/spyware/spybotinstall.html
• beSpacific.com, the blog on law and technology news: postings on
spyware
http://www.bespacific.com/mt/mtsearch.cgi?IncludeBlogs=1&search=spyware
• And for broadband users, this article,
http://www.thebusinessledger.com/Articles.asp?artId=573&isuID=25
recommends free applications and software.
• Fraud Watch International
http://www.fraudwatchinternational.com
• Techweb
http://www.techweb.com
• 2004's Most Popular Viruses, and Hacking Tools, Douglas Chick
http://www.thenetworkadministrator.com/top2004hackertools.htm
http://www.lehigh.edu/~inlts/help/spyware/spybotinstall.html
Spyware Warrior – links to spyware help forums and free anti-spyware software
Selected Anti-Spyware Articles & Resources
• Spy Stoppers by Cade Metz, March 2, 2004,
http://www.pcmag.com/article2/0,4149,1525474,00.asp
• Compare Top Spyware Removers,
http://www.spywareremoversreview.com/
• Spyware - It's lurking on your machine, by Cade Metz,
http://www.pcmag.com/article2/0,1759,978170,00.asp
• Your PC May Be A Haven for Spies, by Dan Tynan,
http://www.pcworld.com/news/article/0,aid,116526,00.asp
• Poor Defenders – “Some anti-spyware companies use confusing ads,
and our tests show their $20-$60 products are less effective than free
competitors.” http://www.pcworld.com/news/article/0,aid,118362,00.asp
• http://www.pcworld.com/resource/printable/article/0,aid,116302,00.asp
• Special Report: Readers Take The Offensive Against Spyware, Aug. 9,
2004, http://tinyurl.com/3jadn
• The Soft Invasion, by Walter S. Mossberg, August 2004, WSJ,
http://ptech.wsj.com/archive/report-200408.html
• Microsoft’s Protect Your PC site
http://www.microsoft.com/athome/security/protect/
Selected Software
Ad-Aware http://www.lavasoftusa.com/software/adaware/
Spybot Search and Destroy
http://www.spybot.info/en/index.html
PAL Emergency Response
http://www.winxpfix.com/PAL-Emergency-Response.htm
AVG Anti-Virus free edition
http://free.grisoft.com/freeweb.php/doc/1/