Identity theft, or fraud, is a crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain. It usually results in the loss of personal data, such as passwords, user names, banking information, or credit card numbers. Online identity theft is also known as phishing. Thieves have found ways to illegally acquire people's personal information through scams, stealing from mailboxes, or even looking through trash cans or dumpsters. Now that identity theft has moved online, criminals can scam many more people.
The Federal Trade Commission provides a few ways identity thieves acquire your information.
Guard your financial information. Only provide your credit card or bank account number when you are actually paying for something with it.
Keep your social security number and personal information confidential. Never disclose your personal information; this includes your address, Social Security number, and telephone number. These things can unlock your identity. Don't give this information to anyone unless you're sure who it is and why it's necessary to provide it. If prompted for it, practice due diligence: investigate who is gathering the information, why they are collecting it, and how they will use it.
Beware of imposters. Crooks pretending to be from companies you do business with may call or send an e-mail, claiming they need to verify your personal information. Be especially suspicious if someone contacts you and asks you to provide information they should already have. Things that indicate a message may be fraudulent are misspellings, poor grammar, odd phrasings, Web site addresses with strange extensions, Web site addresses that are entirely numbers where there are normally words, and anything else out of the ordinary. Additionally, phishing messages will often tell you that you have to act quickly to keep your account open, update your security, or urge you to provide information immediately or else something bad will happen. Don't take the bait. Before responding, contact the company directly to confirm the call or e-mail is actually from them.
Keep your mail safe. Your mail contains account numbers and other personal information. Collect it promptly from your mailbox and ask the post office to hold it if you're going away.
Get off credit marketing lists. Credit bureaus compile marketing lists for pre-approved offers of credit. These mailings are a gold mine for identity thieves, who may steal them and apply for credit in your name. Get off these mailing lists by calling the Federal Trade Commission at 1-888-5-OPTOUT (1-888-567-8688) (your social security number will be required to verify your identity). Removing yourself from these lists does not hurt your chances of applying for or getting credit.
Memorize your passwords and PIN numbers. Don't leave them in your wallet or on your desk where someone else could find them.
Lock it up. Keep your personal information locked up at home, at work, at school, in your car, and other places where you might keep it so others won't have easy access to it.
Stay safe online. Don't send sensitive information such as credit card numbers by e-mail, since it's not secure. Look for clues about security on Web sites. At the point where you are asked to provide your financial or other sensitive information, the letters at the beginning of the address bar at the top of the screen should change from "http" to "https" or "shttp" and a little lock may appear in your browser. Your browser may also show that the information is being encrypted, or scrambled, so no one who might intercept it can read it. But while your information may be safe in transmission, that's no guarantee that the company will store it securely.
Pay attention to a company's online or software privacy policy. Most companies have an online privacy policy to inform users of their information collection practices. Always check this privacy policy before disclosing any personal information. If you are unable to locate this privacy policy, inquire about one, and request that the company post it to their Web site. Refuse to submit any personal information without reading a privacy policy first. It is important to understand how an organization might collect and use your personal information before you share it with them.
Check your credit reports regularly.
If you find accounts that don't belong to you or other incorrect information, follow the instructions for disputing those items. Everyone can request free copies of their credit reports once a year. Federal law entitles all consumers to ask each of the three major credit bureaus for free copies of their reports once in every 12-month period. You don't have to ask all three credit bureaus for your reports at the same time; you can stagger your requests if you prefer.
NOTE: Do not contact the credit bureaus directly for these free annual reports. They are only available by calling 877-322-8228 or going to www.annualcreditreport.com. You can make your requests by phone or online, or download a form to mail your requests.
You can ask for free copies of your credit reports in certain situations. If you were denied credit because of information in a credit report, you can ask the credit bureau that the report came from for a free copy of your file. And if you are the victim of identity theft, you are on public assistance, or if you are unemployed but expect to apply for work within 60 days, you can ask all three of the major credit bureaus for free copies of your reports.
Establish policies and rules for information security. Rules should be established in your home, providing guidelines for secure and proper computer use.
Never leave important data unattended. The simple act of closing files and logging off or locking your computer before leaving your desk can limit your security risk.
Protect your personal information. Since not divulging any personal information is rarely possible, exercise caution when sharing personal information such as your name, home address, phone number, and e-mail address online. To take advantage of many online services, you will inevitably have to provide personal information in order to handle billing and shipping of purchased goods.
The old rule of thumb still applies: if something sounds too good to be true, it probably is.
Don't respond to e-mail messages that ask for personal information.
Phishing is when crooks send fake e-mails that scare you into giving them private information, credit card numbers and online passwords, for example, then use that information to steal from you.
For example, you may receive an official looking e-mail that looks like it's from your bank, your Internet Service Provider, your credit card company or even the IRS. Open it and you'll see a warning that your account is about to expire or worse. To fix it, they say you need to click on a link to update your information, usually a Web-based form for entering your social security number, credit card or bank passwords. Don't do it.
Call your bank, credit card company or service provider if you see a suspicious e-mail. When in doubt, contact the company by phone or by typing the company's Web address into your Web browser. Don't click on the links in these messages, as they may take you to fraudulent, malicious Web sites.
Online offers that look too good to be true usually are.
The old saying "there's no such thing as a free lunch" still rings true today. Supposedly "free" software such as screen savers or smilies, or messages stating that you've surprisingly won a contest without ever entering are enticing hooks used by companies to grab your attention.
You will find lots of stuff to download online, all free of charge. What you don't see is the real cost, the nasty surprise they fail to mention: adware and spyware, including malware that can steal from you.
Lots of free software and services are bundled with advertising software ("adware") that tracks your behavior and displays unwanted advertisements. You may have to divulge personal information or purchase something else in order to claim your supposed contest winnings. If an offer looks so good it's hard to believe, ask for someone else's opinion, read the fine print, or even better, simply ignore it.
Review bank and credit card statements regularly.
The impact of identity theft and online crimes can be greatly reduced if you can catch it shortly after your data is stolen or when the first use of your information is attempted. One of the easiest ways to get the tip-off that something has gone wrong is by reviewing monthly statements provided by your bank and credit card companies. If a charge looks suspicious, contact your credit provider to have it removed to help avoid future losses.
Additionally, many banks and services use fraud prevention systems that call out unusual purchasing behavior. In order to confirm these out-of-the-ordinary purchases, they might call you and ask you to confirm them. Don't take these calls lightly; this is your hint that something bad may have happened and you should consider looking into help with identity theft.
Get a credit report from all three major credit reporting agencies at least once a year. The law says you can get a free annual report, which allows you to review your credit and check to see if someone has opened accounts in your name. If you find anything wrong, contact the credit agencies to report the error.
Avoid pop-ups like the plague. As the name suggests, pop-ups are Web browser windows that pop up as you are surfing the Internet. If you have a newer computer, pop-ups are usually blocked by default. Keep it that way. Above all, never enter personal information in a pop-up window, since it could be a phishing site. Be smart and don't become another identity theft victim.
There are several steps you should immediately take if you feel your identity has been stolen or used without your permission. Most credit card companies will not hold you responsible for charges made by a thief, but you need to act quickly.
Help for victims is a phone call or a click away. Call the Federal Trade Commission toll-free, 877-438-4338, or go to www.consumer.gov/idtheft for step-by-step advice about what to do if you're a victim of ID theft.
FTC's Identity Theft Site
McAfee's Top Ten Tips to Protect Your Personal Information and Identity
DOJ's Identity Theft and Identity Fraud
Privacy Rights Clearinghouse Identity Theft: What to Do if It Happens to You
Make sure to use a secure browser.
Most browsers are capable of SSL encryption and other security features. Features such as the Secure Sockets Layer (SSL) encrypt your personal information as it is sent over the Internet.
There are two ways to determine if a Web site encrypts data before it is sent over the Internet.
The first is that the URL displayed in the address bar will begin with the abbreviation "https". This stands for Hypertext Transfer Protocol Secure. Web pages that do not encrypt data only display "http", without the "s".
Secure web pages will also display a second indicator, which differs depending on the particular browser being used. In most browsers, a small lock will appear in the bottom-right corner of the browser window.
For additional information, visit How to Recognize a Secure Web site Using SSL from OnGuard Online.
Shop only with companies you are comfortable with. Ask for paper documentation, such as a catalog or a brochure, if you are unfamiliar with an online merchant. This should help you become familiar with the vendor's services and policies. Never deal with an online merchant whose policies are not explicitly clarified.
Get all the details. Before you buy something, get a complete description of the item; the total price, including shipping; the delivery time; warranty information; the return policy; and who to contact if you have problems. Legitimate companies will almost always provide this information.
Ask about delivery, returns, warranties and service before you pay. Get a definite delivery time and insist that the shipment is insured. Ask about the return policy. If you're buying electronic goods or appliances, find out if there is a warranty and how to get service.
Pay by credit or charge card. Using your credit card online ensures that you will be protected by the Fair Credit Billing Act. This law provides consumers with the right to dispute charges made to their accounts. If unauthorized charges are made to your credit card, by law you are liable only for the first $50, and many companies don't require you to pay anything.
Keep records. Keep a record of confirmation numbers and purchase orders. Print them out and keep personal copies. Online orders are covered by the Federal Mail/Telephone Order Merchandise Rule. This rule states that merchandise ordered online must be delivered within 30 days unless otherwise noted. Your records will be able to provide proof of the date and time of purchase.
Beware of imposters. Someone might send you an e-mail pretending to be connected with a business, or create a Web site that looks just like that of a well-known company. If you're not sure that you're dealing with the real thing, find another way to contact the legitimate business and ask.
Guard your personal information. Don't provide your credit card or bank account number unless you are actually paying for something. Your social security number should not be necessary unless you are applying for credit. Be especially suspicious if someone claiming to be from a company with whom you have an account asks for information that the business already has.
McAfee's The ABCs of Safely Shopping Online
McAfee's The Do's and Don'ts of Online Shopping
The Better Business Bureau's Shopping Tip List
Online fraud is one of the fastest-growing crimes on the Internet. Although it can take many forms, the most common type of auction and classified fraud involves a seller failing to send an item, or sending an item that is significantly different from what was promised in the listing. This type of fraud occurs on eBay, Yahoo Auctions, Craigslist, and other similar auction and classified sites.
The best protection you have against fraud is your own common sense.
Transfer money through an online escrow service. Most auction sites maintain lists of these services, such as PayPal.
Use a credit card. Under federal law, you can dispute the charges if you paid the seller with a credit card and the goods were never delivered or if they were misrepresented. If you are paying through an intermediary service, ask what happens in the case of disputes.
Never buy anything from a seller who asks for payment to be wired to them or mailed to a P.O. Box.
Understand how the process works. Many online advertisements and auctions simply list items that people want to sell. They don't verify that the merchandise actually exists or that it is described accurately, and they can't guarantee that the sellers will keep their promises.
Know who you're dealing with. If the seller is unfamiliar, check with your state or local consumer protection agency and the Better Business Bureau. Some Web sites have feedback forums, which can provide useful information about other people's experiences with particular sellers. Be sure to get the name of the seller or business, physical street address, e-mail address, and phone number; these are helpful to have for checking the seller out and following up later if there is a problem. Don't do business with anyone who refuses to provide that information.
Check out the seller before you bid. Some auction sites have feedback forums with comments about the sellers based on other people's experiences. Negative information is a good warning sign, but a clean complaint record doesn't guarantee that your transaction will go smoothly. Be aware that positive reports may have been "planted" by the seller and negative comments could be from a competitor. Other sources of information are state or local consumer protection agencies and the Better Business Bureau.
Be careful if the seller is a private individual. Many consumer protection laws don't apply to private sales, though government agencies may take action if there are many complaints against the same individual or criminal fraud is involved. Also, be especially cautious when dealing with sellers outside of the United States. Sellers outside the U.S. are not bound by U.S. laws; therefore, if you have a problem, the physical distance, difference in legal systems, and other factors could make resolving it very difficult.
Beware of "shills". Shills are phony bids placed with the intent to drive up the price of the item. The seller may try to raise the price artificially by making bids under fictitious names or recruiting other people to make bids, leading to a bidding war. Using bogus bidders is illegal and a violation of online auction policies. Be sure to inform auction sites about suspected fraud, as they may have policies to remove sellers from their sites if they use "shills" or don't live up to their obligations.
Look for information on the auction site about insurance. Some auction sites provide insurance that covers buyers up to a certain amount if something goes wrong. Others may have links to third-party programs that offer insurance for a fee. Read the terms of the insurance carefully. There is often a deductible, and there may be other limitations or requirements that apply. For example, you may not be covered if the seller had a negative feedback rating on the auction site at the time of the transaction.
Please be aware that the RISP CCU is generally not a first responder agency and RISP CCU's investigative strategy regarding Internet fraud focuses on losses that are greater than $10,000 or if the target is located in Rhode Island and has multiple complaints against them.
The RISP CCU recommends filing a full report with your local police department. You may want to contact the police department and/or Sheriff's office where the suspect resides and file a full report with that office. While we will not open an operational case, the RISP CCU is available to local law enforcement agencies to assist with the technical aspects of any computer related crime.
Additionally, you might consider contacting the Internet Crime Complaint Center. The IC3's mission is to address fraud committed over the Internet. For victims of Internet fraud, IC3 provides a convenient and easy-to-use reporting mechanism that alerts authorities of a suspected civil or criminal violation.
Take immediate action. Notify your credit card companies, financial institutions or other online service accounts about the fraud immediately. The longer you wait, the more time cyber criminals can play on your dime. Be sure to report the fraud to one of the credit reporting agencies (Equifax, Experian and TransUnion), which will prevent the identity thief from opening additional accounts in your name. Call only one; each is legally required to contact the others. That fraud alert then entitles you to free copies of your credit report, which you can use to identify and correct any fraudulent charges and make sure those charges won't smear your good name. After the first credit report, keep checking regularly to make sure no new identity theft crimes take place.
Reclaim your personal identification. Contact the agency that issued any of your accounts or personal information that has been compromised. Follow its procedures to cancel and replace your identification. Ask the agency to flag your file so that others cannot get any other identification documents in your name.
Close any accounts you suspect are compromised. Contact the security or fraud department of each business, then follow up in writing and include copies of supporting documents.
Contact the local police to file a report. Ask for a copy of the report, since you will need it to work with creditors to fix your credit.
If you spot bad charges, dispute them. Ask for the forms you need to dispute bad transactions. Once your dispute has been resolved, request a letter that shows your account has been closed and the fraudulent debts removed. This letter will also help if further disputes come up.
File a complaint with the Federal Trade Commission. By sharing your experience, you help law enforcement track down identity thieves and cyber crooks. The FTC also investigates businesses that violate consumer privacy laws.
For more information on Internet fraud and reporting, visit:
US Department of Justice's Internet and Telemarketing Fraud
FBI's Common Fraud Schemes
Many scams usually originate outside of the United States, and American law enforcement has great difficulty in pursuing the criminals. In addition, many of these e-mail solicitations contain computer viruses, making them even more of a menace. Be sure to maintain current anti-virus software. If you receive a letter from anyone asking you to send personal or banking information, do not reply in any manner.
A letter or e-mail from Nigeria (or sometimes another African country) offers the recipient the "opportunity" to share in a percentage of millions of dollars that the author is trying to transfer illegally out of Nigeria. The recipient is encouraged to send the scammer information such as blank letterhead stationery, bank name, account numbers, and other identifying information using a fax number provided in the letter.
There are several variations of the Nigerian Scam that criminals may use to exploit their victims. Here are some examples:
Nigerian scam solicitations that come by e-mail should be forwarded to the Federal Trade Commission (FTC) at spam@uce.gov
Any e-mail that asks for personal financial information is likely a scam. The RISP CCU urges recipients of these e-mails not to respond to them in any way whatsoever.
If you have been victimized by the Nigerian scam, the Secret Service asks that you forward appropriate written documentation to the United States Secret Service at the address below:
US Secret Service
Financial Crimes Division
950 H Street N.W.
Suite 5300
Washington, DC 20223
Phone: (202) 406-5850
Fax: (202) 406-5031
Consumers or businesses that claim to have lost money in a Nigerian scam should call their local Secret Service office or, for general information, call 202-406-5572.
Cyberspace has become rife with e-mails and Web sites offering "get-rich-quick" and "work-at-home" employment opportunities. Like any other scam, "work-at-home" fraud only exists because there are Internet users still falling for the same old tricks: users who are interested in getting something for nothing.
There is truly no substitute for due diligence when it comes to investigating supposed work-at-home programs. For example, employers generally do not require new employees to buy anything in order to start working for them. Any requirement to do so should raise some suspicion. Be aware of the following warning signs:
Remember, if it seems too good to be true, it probably is.
IC3's Internet Crime Schemes
IC3's Internet Crime Prevention Tips
Phishing is a scam where Internet fraudsters send spam or pop-up messages to lure personal and financial information from unsuspecting victims. Many of these "spoofed" e-mail messages appear to come from banks, insurance agencies, retailers, credit card companies, and other legitimate businesses.
These fraudulent messages are designed to trick the recipients into disclosing personal information such as account usernames, passwords, credit card numbers, social security numbers, and home addresses. Most of these e-mails look "official," and as a result, recipients often respond to them, resulting in financial losses, identity theft, and other fraudulent activity.
Tips from fraud.org
Watch out for "phishy" e-mails. The most common form of phishing is e-mails pretending to be from a legitimate retailer, bank, organization, or government agency. The sender asks to "confirm" your personal information for some made-up reason: your account is about to be closed, an order for something has been placed in your name, or your information has been lost because of a computer problem. Another tactic phishers use is to say they're from the fraud departments of well-known companies and ask to verify your information because they suspect you may be a victim of identity theft!
Don't click on links within e-mails that ask for your personal information. Fraudsters use these links to lure people to phony Web sites that look just like the real sites of the company, organization, or agency they're impersonating. If you follow the instructions and enter your personal information on the Web site, you'll deliver it directly into the hands of identity thieves. To check whether the message is really from the company or agency, contact them directly or use a search engine to find their Web site.
Beware of "pharming". In this latest version of online ID theft, a virus or malicious program is secretly planted in your computer and hijacks your Web browser. When you type in the address of a legitimate Web site, you're taken to a fake copy of the site without realizing it. Any personal information you provide at the phony site, such as your password or account number, can be stolen and fraudulently used.
Protect your computer with anti-virus and anti-spyware software and a firewall, and keep them up to date. Also, protect your inbox with a spam filter, which can help reduce the number of phishing e-mails you get.
If someone contacts you and says you've been a victim of fraud, verify the person's identity before you provide any personal information. Legitimate credit card issuers and other companies may contact you if there is an unusual pattern indicating that someone else might be using one of your accounts. But usually they only ask if you made particular transactions; they don't request your account number or other personal information. Law enforcement agencies might also contact you if you've been the victim of fraud.
Job seekers should also be careful. Some phishers target people who list themselves on job search sites. Pretending to be potential employers, they ask for your social security number and other personal information. Follow the advice above and verify the person's identity before providing any personal information.
Report phishing, whether you're a victim or not. Tell the company or agency that the phisher was impersonating. You can also report the problem to law enforcement agencies through the National Consumers League (NCL) Fraud Center. The information you provide helps to stop identity theft.
Be suspicious of any e-mail with urgent requests for personal financial information. Phishers typically include upsetting or exciting (but false) statements in their e-mails to get people to react immediately. They typically ask for information such as usernames, passwords, credit card numbers, social security numbers, date of birth, etc. Phisher e-mails are typically NOT personalized, but they can be. Valid messages from your bank or e-commerce company generally are personalized, but always call to check if you are unsure.
Always ensure that you're using a secure Web site when submitting credit card or other sensitive information via your Web browser.
The FTC warns users to be suspicious of any official-looking e-mail message that asks for updates on personal or financial information and urges recipients to go directly to the Web site of the company to find out whether the request is legitimate. If you suspect you have been phished, forward the e-mail to uce@ftc.gov or call the FTC help line, 1-877-FTC-HELP.
Act immediately if you've been hooked by a phisher. If you provided account numbers, PINs, or passwords to a phisher, notify the companies with whom you have the accounts right away. For information about how to put a "fraud alert" on your files at the credit reporting bureaus and other advice for ID theft victims, contact the Federal Trade Commission's ID Theft Clearinghouse or call 877-438-4338, TDD 202-326-2502.
Visit the Anti-Phishing Working Group for information on fraud, crime, and identity theft that result from phishing, pharming, malware, and e-mail spoofing of all types.
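The warning signs described in this section (urgent demands, requests for personal or financial details, messages that are not personalized, Web addresses made up entirely of numbers, and links that do not begin with "https") can be checked mechanically as a first pass. The Python sketch below is an added example, not part of the original guidance; the phrase lists, label names and the two sample messages are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Phrase lists are illustrative assumptions, not an authoritative rule set.
URGENCY = ("immediately", "right away", "act now", "within 24 hours",
           "will be closed", "about to expire", "suspended")
SENSITIVE = ("password", "social security", "credit card", "account number",
             "pin", "date of birth", "username")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member",
                     "dear account holder")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def _contains_any(text, phrases):
    """True if any phrase occurs in text as whole words."""
    return any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)


def _host_is_numeric(host):
    """True for hosts that are IP addresses or otherwise all digits and dots."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        # Catches forms such as a single decimal integer used as a host.
        return host.replace(".", "").isdigit()


def phishing_indicators(message):
    """Return the warning signs found in an e-mail body, in a fixed order."""
    text = message.lower()
    found = []
    if _contains_any(text, URGENCY):
        found.append("urgent-demand")
    if _contains_any(text, SENSITIVE):
        found.append("asks-for-personal-info")
    if _contains_any(text, GENERIC_GREETINGS):
        found.append("not-personalized")
    for url in URL_RE.findall(message):
        try:
            parts = urlsplit(url.rstrip(".,;"))
            host = parts.hostname or ""
        except ValueError:
            continue  # malformed address; nothing reliable to inspect
        if _host_is_numeric(host) and "numeric-address-link" not in found:
            found.append("numeric-address-link")
        if parts.scheme.lower() == "http" and "unencrypted-link" not in found:
            found.append("unencrypted-link")
    return found


# Constructed sample messages (192.0.2.0/24 and .example are reserved
# for documentation and do not point at real services).
PHISH = """Dear Customer,

Your account is about to expire. To keep it open you must update your
password and credit card number immediately:
http://192.0.2.44/update/login.html
"""

LEGIT = """Hello Pat Example,

Your March statement is ready. Sign in at https://www.bank.example/ to view it.
"""

if __name__ == "__main__":
    for name, body in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_indicators(body))
```

An empty result does not show that a message is genuine; as the tips above say, confirm any request by contacting the company directly.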
Passwords are a fact of life on the Internet today; we use them for everything from ordering flowers and online banking to logging into our favorite airline Web site to see how many miles we have accumulated.
The following tips can help make your online experiences secure:
Select a password that cannot be easily guessed. Strong passwords have eight characters or more and use a combination of letters, numbers and symbols (e.g., # $ % ! ?). The more obscure the password, the more difficult it will be to hack.
Keep your passwords in a safe place. Never tell anyone else your password. If your computer is in a public place, or a place where it can be seen by people other than you, never write your password down near it.
Try not to use the same password for every service you use online. It is a good idea to use a different password for secure environments than the one you use for those that are less secure. This way if an attacker manages to find out what your "home" password is, they will not be able to follow you to work and use that information against you.
Change passwords on a regular basis. It is recommended that you change your passwords at least every 90 days. This can limit the damage caused by someone who has already gained access to your account.
Type your login and password every time you need to use it. Don't be lazy and let your computer auto-fill your login or save your passwords. If your password fills in automatically, malicious individuals could have easy access to all your information.