Taking Back the ID

Beware fake gov't sites and spoofed email accounts

Duke Franklin had lost his Social Security card, so he applied for a replacement on the Social Security Administration (SSA) website. He clicked on the first link that came up in his search and followed the instructions to fill out the required forms to apply for a new card. The site asked for some personal information and a $150 fee. He was told to send his birth certificate and other personal items to a specified address. The site said the SSA would mail his new card within a few days to a few weeks. After waiting more than two months, he called the phone number listed on the website, but it was "out of service." He realized he'd been scammed.

We're the government (but not really)

Duke was a victim of a new government services website scam reported by the FBI on its Internet Crime Complaint Center (IC3) website on April 7. (See Criminals Host Fake Government Services Web Sites to Acquire Personally Identifiable Information and to Collect Fraudulent Fees.)

From the numerous complaints the IC3 received from May 2012 through March 2015, it determined that criminals were setting up fake government services websites (such as the SSA and the Internal Revenue Service) to trick potential victims into revealing their personally identifiable information (PII) and paying fraudulent fees.

The PII that criminals usually request includes a victim's name, address, email address, Social Security number and date of birth, among other things. The victims are willing to give up this information because they're fairly confident they're dealing with actual government service agencies.

When data-grabbing criminals compromise PII in any fraudulent activity, they can use it for many illegal purposes, including creating fake driver licenses, passports and documents to obtain loans, or filing for fake federal income tax refunds on behalf of victims. Or they can sell or trade the stolen data in underground forums to other cybercriminals who can use it for similar purposes.

The FBI says that the scam typically evolves in this way:

  • A victim uses a search engine to contact a government service agency to obtain a new or replacement document.
  • The first link in the search is usually fraudulent.
  • The victim fills in online forms with the requested PII to acquire documents.
  • After the victim submits the form, the fraudster requests a fee ranging from $29 to $199. 
  • After the victim pays the fee, he or she is told to send a birth certificate, driver's license, employee badge or other personal items to a specified address. 
  • The fraudulent site tells the victim that the request will be processed in a few days or several weeks.

As in the opening case, the victim never receives the requested documents and can never reach anybody to help.

The FBI gives this advice when attempting to contact a government agency online:

  • "Use search engines or other websites to research the advertised services or person/company you plan to deal with." 
  • "Search the Internet for any negative feedback or reviews on the government services company, [its] Web site, … email addresses, telephone numbers, or other searchable identifiers." 
  • "Research the company policies before completing a transaction." 
  • "Be cautious when surfing the Internet or responding to advertisements and special offers." 
  • "Be cautious when dealing with persons/companies from outside the country." 
  • "Maintain records for all online transactions."

And, of course, victims should file a complaint with the FBI's Internet Crime Complaint Center.

Email account compromise scam

On August 27, the FBI reported that fraudsters are directing the sophisticated email account compromise (EAC) scam to individuals in the general public and at professional business firms, including financial and lending institutions, real estate companies and law firms. (The business email compromise scam, which I'll report on in the January/February issue of the column, obviously targets businesses rather than individuals.)

The FBI reported that between April 1 and June 30, "21 complaints related to the EAC scam were filed with the IC3, with reported losses of almost $700,000. The FBI has identified approximately $14 million in attempted losses associated with open FBI EAC investigations."

The scam's purpose is to use a victim's stolen or spoofed email address to contact his or her financial institution and make an unauthorized request to wire funds to the fraudster's account outside of the U.S. or to a money mule in the U.S., who'll then transfer the funds to the fraudster's account.

The scammers compromise email accounts of potential victims via computer intrusion and social engineering techniques. Typically, a fraudster will gain access to a victim's real email account address when doing reconnaissance work. The fraudster adds, changes or deletes a character to create a spoofed email account that resembles the victim's real account.

The spoofed email fools a financial institution employee, who unwittingly wires the money to the fraudster. According to the FBI, victims reporting the scam are indicating that "criminal actors are starting to follow up on wire transfer requests by calling to confirm the transactions or to comply with wire transfer protocols, thus making the transaction appear more legitimate."

The FBI reports these examples of the EAC scam:

Financial/brokerage services

  • "An individual's e-mail account is compromised by a criminal actor. The criminal actor, who is posing as the victim, sends an e-mail to the victim's financial institution or brokerage firm requesting a wire transfer to a person or account under the control of the criminal actor."
  • "An accounting firm's e-mail account is compromised and used to request a wire transfer from a client's bank, supposedly on behalf of the client."

Real estate

  • "A seller's or buyer's e-mail account is compromised through an EAC scam. The criminal actor intercepts transactions between the two parties and alters the instructions for the transfer of funds." 
  • "A realtor's e-mail address is used to contact an escrow company to redirect commission proceeds to a bank account associated with the criminal actor." 
  • "A realtor receives a link within an e-mail from an unknown person who is requesting information related to property. When the realtor clicks on the link, the criminal actor is able to access the realtor's e-mail account. The intrusion exposes client information, which the criminal actor then uses to e-mail the clients and attempt to change wire instructions for loan processing proceeds."

Legal

  • "A criminal actor compromises an attorney's e-mail account, which results in the exposure of client bank account numbers, e-mail addresses, signatures, and confidential information related to pending legal transactions."
  • "The attorney's compromised e-mail account is used to send overlaid wire instructions to a client."
  • "A criminal actor compromises a client's e-mail account and uses it to request wire transfers from trust fund and escrow accounts managed by the firm."

If you believe you've been a victim of the EAC scam, the FBI advises these steps:

  • "Contact your financial institution immediately upon discovering the fraudulent transfer."
  • "Contact law enforcement."
  • "Request that your bank reach out to the financial institution where the fraudulent transfer was sent."
  • "File a complaint at www.IC3.gov, regardless of dollar loss. Provide any relevant information in your complaint and identify that your complaint pertains to the EAC scam."

The FBI recommends these tips to help protect yourself from this scam:

  • "Do not open e-mail messages or attachments from unknown individuals."
  • "Be cautious of clicking links within e-mails from unknown individuals."
  • "Be aware of small changes in e-mail addresses that mimic legitimate e-mail addresses."
  • "Question any changes to wire transfer instructions by contacting the associated parties through a known avenue."
  • "Have a dual step process in place for wire transfers. This can include verbal communication using a telephone number known by both parties."
  • "Know your customer. Be aware of your client's typical wire transfer activity and question any variations."
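
One way to automate the tip about small changes in e-mail addresses, as an added example that is not part of the column or the FBI alert: compare each incoming sender against known contacts and flag any address that is one added, changed or deleted character away from one of them. The function names, contact list and sample addresses are constructed for illustration.

```python
"""Flag sender addresses that sit one character away from a known contact."""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character adds, changes, deletes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # add cb
                           prev[j - 1] + (ca != cb)))   # change ca -> cb
        prev = cur
    return prev[-1]

def check_sender(sender: str, known_contacts: set[str], max_edits: int = 1):
    """Return ("known", None), ("lookalike", resembled_addr) or ("unknown", None)."""
    s = sender.strip().lower()
    known = {k.strip().lower() for k in known_contacts}
    if s in known:
        return ("known", None)
    # Sorted so the result is deterministic when several contacts are close.
    for k in sorted(known):
        if abs(len(k) - len(s)) <= max_edits and edit_distance(s, k) <= max_edits:
            return ("lookalike", k)
    return ("unknown", None)

# Constructed sample data on the reserved .example TLD, not real accounts.
KNOWN = {"jane.doe@firm.example", "escrow@titleco.example"}
SAMPLES = [
    "Jane.Doe@firm.example",    # exact match apart from case
    "jane.d0e@firm.example",    # one character changed
    "jane.doee@firm.example",   # one character added
    "escrow@titlco.example",    # one character deleted
    "newsletter@shop.example",  # unrelated sender
]

def triage(samples=SAMPLES, known=KNOWN):
    """Classify every sample sender against the known-contact list."""
    return [(s, *check_sender(s, known)) for s in samples]

if __name__ == "__main__":
    for sender, verdict, match in triage():
        note = f"  (resembles {match})" if match else ""
        print(f"{verdict:9} {sender}{note}")
```

A "lookalike" verdict is a reason to confirm the request through a known avenue, such as a telephone number already on file, before acting on any wire instructions.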

More help for the community

I hope you'll share this information with your family, friends and clients and include it in your outreach programs. We must step up our efforts to educate the public about these problems.

As you can see, cybercriminals take advantage of any opportunity to develop schemes to trick consumers and rob them of their resources. Even though they have the upper hand, an educated community will help curb the damage.

Please contact me if you have any identity theft issues you'd like me to research and possibly include in future columns or if you have any questions related to this column or any cybersecurity and identity theft issues. I don't have all the answers, but I'll do my best to help. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Washington. He's also on the ACFE Advisory Council and the ACFE Editorial Advisory Committee. His email address is: doctorh007@gmail.com.
