"Phishing" and Other Online Identity Theft Scams: Don't Take the Bait
Fraudsters can turn on a dime when it comes to creating new pitches to separate hard-working Americans from their money. Virtually any news item, positive or negative, can become a "hook" for a new scam—whether a natural disaster (domestic or international) or the launch of a new product or company.
But sometimes the hook can look more mundane—and can come in the form of a seemingly authentic email from a financial institution, or even a government agency or other regulator, you know and trust. This happened recently to accountholders at financial institutions used by service members and their families when scammers sent out credible-looking emails that requested personal account information. And especially around tax time, the Internal Revenue Service (IRS) regularly warns of phishing schemes that use references to tax refunds, filing issues or investigations to lure recipients into opening a bogus email.
According to computer security experts, economic cyber-crime continues to surge. "Phishing" attacks—which are scams that use spam email to lure you into revealing your bank or brokerage account information, passwords or PINs, Social Security number or other types of confidential information—have increased significantly since they were first discovered in 2005.
We are updating this Alert to tell you about some of the latest online identify theft scams targeting financial sector customers and to provide tips for spotting and avoiding these scams.
Real-Life Example: Fake SEC Office of the Whistleblower Emails
The Securities and Exchange Commission (SEC) recently warned investors to beware of emails that appear to come from the Commission’s Office of the Whistleblower. One widely-circulated email claimed that the Office of the Whistleblower received an anonymous tip about alleged misconduct at the recipient’s company, and warned that failure to respond to the email would result in an investigation of the company by the SEC. The email was in fact not from the SEC, and contains a link to malicious software.
As noted in a recent Information Notice, FINRA is not aware of similar fraudulent emails to broker-dealers or investors that purport to be from FINRA. However, we caution investors who may receive emails that purport to be from FINRA, and that contain attachments or embedded links, or that ask for sensitive information, to verify the legitimacy of the email by contacting FINRA.
"Phishing"—Fraudulent Emails That Steal Your Personal Information
Phishing scams typically involve emails that falsely claim to be from brokerage firms, banks, credit card companies, Internet auction sites, electronic payment services or some other service that you use. In other instances, the emails purport to be from government agencies. To appear genuine, these emails may use:
- The names of real people.
- Legitimate looking email addresses, such as support@[name of your financial institution].com.
- Authentic looking logos and graphics.
- Links to pages of a bona fide website.
- Official looking fine print and references to laws.
Most of these emails attempt to lure you into providing sensitive personal information by requesting that you provide it in a reply email or by clicking on a link to a website that mimics a legitimate website and asks you to provide the information. Various "urgent" messages are also used to lower your guard, such as:
- Your account will be shut down unless you update your information.
- You need to verify your identity because your account appears to be being used by a third-party in violation of the law.
- Security measures to protect your account from identify theft require you to verify your account information.
- Due to a technical update you need to reactivate your account.
- Recent changes in the law require users to identify themselves.
Phishing scams may also take advantage of the ever-changing financial landscape. Some fraudulent emails, for example, appear to originate from a financial institution that acquired the consumer's bank, savings and loan or mortgage. They direct recipients to update, validate or confirm account information by clicking on a link that redirects to a "spoofed" website that look similar to, but actually fraudulent copies of, the website of a legitimate financial institution or lender.
Real-Life Example: In 2008, staff at FINRA received multiple versions of the following phishing email:
Con artists regularly target customers of financial services firms with deceptive email tactics. According to a recent industry study, 45 percent of phishing scams detected in January 2012 spoofed banks.1
Trojan Horses—Hidden Software That Tracks Your Every Move Online
Today's Trojan Horses are malicious software programs (often called “malware” or "crimeware") that hide in files attached to an email or that you download from the Internet and install on your computer. While these programs can take many forms, Trojan Horses used in identity theft scams usually take the form of keystroke loggers—programs that log the keystrokes you type and allow scamsters to find your usernames and passwords, giving them access to your online accounts. Over the years, Trojan Horses have increasingly been showing up in "phishing" scams, or are being used in place of a phishing scam to secretly capture sensitive information.
Real-Life Examples: In 2010, a crime group sent false messages purporting to be from popular social networking sites that contained fictitious offers for popular software upgrades and fake tax forms. These “lures” took victims to sites where the criminals infected their computers with “crimeware,” allowing the criminals to access the computers remotely to steal personal information, and intercept passwords and online transaction information—and even log onto the victim’s computer to perform online banking transactions.
In October 2008, the FDIC issued a consumer alert, warning the public about fraudulent emails that appear to have come from the FDIC. These spams claim that identity thieves have wired stolen money into the recipient’s account and include what purports to be a copy of the recipient’s bank statement. However, clicking on the attachment opens an unknown executable file that could be a malicious attempt to collect sensitive personal financial information.
Brokerage Firm Identify Theft Scams—Using a Good Name for Crime
Some scamsters are creating phony websites that misappropriate the name or website content of legitimate brokerage firms to solicit business from unwary investors. By stealing the identity of a legitimate brokerage firm, scamsters can claim that they are members of the Securities Investor Protection Corporation (SIPC) and registered with . Potential investors may be urged to go to SIPC's and 's website to "verify" the phony brokerage firm, giving them a false sense of security.
Using these phony websites, the unlicensed brokerage firms often attempt to sell shares of small U.S. companies to investors in other countries. After the sale, the price usually falls and the investors lose their money. In a twist on this scam, the fraudsters may offer to help investors recover their losses by selling their thinly traded stocks (usually, bought through another scam). However, in order for the transaction to proceed, the investor must first deposit money in an "escrow account" or buy a performance bond. The phony firm then vanishes with the money.
Real-Life Example: In February 2004, the Missouri Secretary of State's Office issued a cease and desist order against a company for stealing the name of a real brokerage firm and creating a fraudulent "virtual office," including a phony website and fake Kansas City address. Using this stolen identity, the operators of the phony firm solicited international investors offering to exchange thinly traded securities for shares of Yahoo stock. The fraudsters required investors to deposit money in an escrow account at the National Bank of Greece in Cyprus to comply with "short sale regulations," telling investors that the money would be returned after the exchange was completed. Investors were told that the phony firm's agents were licensed investment bankers and that it was a member of the Securities Investor Protection Corporation (SIPC). While this was true of the legitimate brokerage firm, located in Minnesota, it was not true of the fraudulent virtual firm.
Phishing Today: Scams Growing More Sophisticated
Phishing scammers are growing ever more sophisticated:
- It used to be that misspelled company names and jumbled Web URLs were a clear tip off to early phishing ploys. But now seemingly legitimate links can hijack users to a fraudulent site through technical code buried behind the message.
- Scammers have learned to modify a directory called a host file in Microsoft Windows that can turn your browser into vehicle for a phishing excursion: type in a Web address from your browser and you could be directed to a fraudulent site.
- Domain-name servers match up users or customers with the computers they use to access the Internet. If the server is corrupted, it’s possible that identity thieves could be routing users to a look-alike site.
Seven Tips to Protect Yourself from Online Identity Theft
1. Beware of email requesting personal information. Don't reply to or click on a link in an unsolicited email that asks for your credit card, bank or brokerage account information, passwords or PINs, social security number or other types of confidential information, even if it looks like the email comes from a financial institution with which you do business. When in doubt, log onto the main website of your credit card, bank or brokerage firm at the normal Web address you use or call your firm using a telephone number that you know or one from a previous account statement to inquire about whether the request for information is legitimate. Alternatively, you can obtain the main office address and primary telephone number for any brokerage firm through FINRA BrokerCheck. You also can visit the Anti-Phishing Working Group's website to find out about some of the latest phishing attacks.
2. Leave suspicious websites. If you think a website is not legitimate, leave it immediately. Legitimate firms typically offer customers a number of ways to contact them.
3. Keep your personal and financial information secure online. Here are a few simple steps that you can take to make your information more secure when you go online:
- Keep your computer system up to date with the latest security patches.
- Use anti-virus and spyware detection software and be sure to update this software regularly, as new viruses and Trojan Horse programs appear frequently.
- Use personal firewall software. Firewall software should thwart intruders from getting access to your PC over a network.
- Consider installing a Web browser tool bar to help protect you from known fraudulent websites. These toolbars alert you to known phishing websites.
- Never download software or files from an unknown source.
- Change your passwords on a regular basis. Never send your password to anyone in an email. Try not to write down your password, but if you must, put it in a safe place.
- Avoid emailing personal or financial information.
- Read your firm's policies on online security. Review other tips and security instructions that may be offered to better protect your access.
- Before submitting personal or financial information through a website, look for the locked padlock image— —on your browser's status bar or look for "https://" [note the "s"] at the beginning of the Internet address. While a padlock image and "https://" does not mean that the website is authentic or secure—indeed both can be forged—the absence of either the padlock or the https:// does mean that the site is not secure.
- Log off of any secure legitimate website after completing a transaction.
- Be careful when using Internet kiosks or other people's computers. Since you don't know what security precautions have been taken, you may be putting your confidential information at risk.
4. Know who you are doing business with. Before you open an account with a brokerage firm, use FINRA BrokerCheck to make sure the brokerage firm and broker are properly registered and to verify phone and address information you receive from the firm or broker. Investments are a major financial undertaking and should be afforded the same degree of investigation and caution as any other major purchase you might make.
5. It is a good idea to check your credit report every year. To guard against identity theft, look for accounts you did not open and any unexplained transactions. You can obtain free annual copies of your credit report from each of the three major credit bureaus online at www.annualcreditreport.com or by calling (877) 322-8228. You may also contact the credit bureaus directly as follows:
6. Review your account statements. This is your last line of defense. If you are victimized, the sooner you catch it, the better. Regularly review your online account information for unauthorized trades, cash withdrawals or any other unrecognized activity; do the same as soon as you receive each monthly or quarterly statement. If you have moved, make sure to update your postal address with all of the firms where you have accounts. If you receive your statements by email and change your Internet service provider or otherwise change your preferred email address, make sure to update your email address with all of the firms where you have accounts. Immediately report any suspicious activity to your brokerage firm.
7. Act quickly if you believe you've been scammed. If you believe that you're a victim of one of these scams, you need to act quickly. For example, you may only have 60 days to report a loss or theft of funds through an electronic funds transfer to limit your liability.
- Identity Theft. If you believe your identity has been stolen, the Federal Trade Commission's Identity Theft website contains step-by-step directions of what you should do.
- Investment Scams. If you're the victim of a brokerage firm identity theft scam, contact FINRA's Complaint Center.
- FINRA, Protect Your Identity
- FINRA & SIFMA, Keeping Your Account Secure: Tips for Protecting Your Financial Information
- SEC Investor Alert, SEC Warns of Government Impersonators
- FDIC, Consumer Alert, Email Claiming to Be From the FDIC
- FTC, www.OnGuardOnline.gov
To receive the latest Investor Alerts and other important investor information sign up for Investor News.
1 SymantecCloud, Symantec Intelligence Report, January 2012.