FBI Says Web "Spoofing" Scams are a Growing Problem
Washington, D.C. July 21, 2003
The FBI, in conjunction with national Internet service provider EarthLink, the Federal Trade Commission, and the National Consumers League, began an initiative today to raise awareness about the growing problem of web spoofing scams and to give consumers and businesses important tips on how to protect themselves from these scams.
According to Jana Monroe, assistant director of the FBI's Cyber Division, "Bogus e-mails that try to trick customers into giving out personal information are the hottest, and most troubling, new scam on the Internet."
The FBI's Internet Fraud Complaint Center (IFCC) has seen a steady increase in complaints that involve some form of unsolicited e-mail directing consumers to a phony "Customer Service" type of website. Assistant Director Monroe said that the scam is contributing to a rise in identity theft, credit card fraud, and other Internet frauds.
"Spoofing" or "phishing" frauds attempt to make Internet users believe that they are receiving e-mail from a specific, trusted source, or that they are securely connected to a trusted website, when that is not the case. Spoofing is generally used as a means to convince individuals to provide personal or financial information that enables the perpetrators to commit credit card/bank fraud or other forms of identity theft. Spoofing also often involves trademark and other intellectual property violations.
In "e-mail spoofing" the header of an e-mail appears to have originated from someone or somewhere other than the actual source. Spam distributors and criminals often use spoofing in an attempt to get recipients to open and possibly even respond to their solicitations.
"IP spoofing" is a technique used to gain unauthorized access to computers, whereby the intruder sends a message to a computer with an IP address indicating that the message is coming from a trusted port.
"Link alteration" involves altering the return address in a web page sent to a consumer to make it go to the hacker's site rather than the legitimate site. This is accomplished by adding the hacker's address before the actual address in any e-mail or page that has a request going back to the original site. If an individual unsuspectingly receives a spoofed e-mail requesting him/her to "click here to update" their account information, and is then redirected to a site that looks exactly like their Internet Service Provider, or a commercial site like eBay or PayPal, there is an increasing chance that the individual will follow through in submitting their personal and/or credit information.
According to Assistant Director Monroe, the FBI's specialized Cyber Squads and Cyber Crime Task Forces across the country are zeroing in on the spoofing problem. The FBI's legal attaché offices overseas are helping to coordinate investigations that cross international borders. The IFCC has received complaints that trace back to perpetrators in England, Romania, and Russia.
The FBI is also working actively with key Internet e-commerce stakeholders such as eBay/PayPal, Escrow.com, and a variety of Internet merchants via the Merchants Risk Council to identify common traits of such scams, as well as proactive measures to rapidly respond.
The FBI offers the following tips for Internet users:
- If you encounter an unsolicited e-mail that asks you, either directly, or through a website, for personal financial or identity information, such as Social Security number, passwords, or other identifiers, exercise extreme caution.
- If you need to update your information online, use the normal process you've used before, or open a new browser window and type in the website address of the legitimate company's account maintenance page.
- If a website address is unfamiliar, it's probably not real. Only use the address that you have used before, or start at your normal homepage.
- Always report fraudulent or suspicious e-mail to your ISP. Reporting instances of spoof websites will help get these bogus websites shut down before they can do any more harm.
- Most companies require you to log in to a secure site. Look for the lock at the bottom of your browser and "https" in front of the website address.
- Take note of the header address on the website. Most legitimate sites will have a relatively short Internet address that usually depicts the business name followed by ".com," or possibly ".org." Spoof sites are more likely to have an excessively long string of characters in the header, with the legitimate business name somewhere in the string, or possibly not at all.
- If you have any doubts about an e-mail or website, contact the legitimate company directly. Make a copy of the questionable web site's URL address, send it to the legitimate business and ask if the request is legitimate.
- If you've been victimized by a spoofed e-mail or website, you should contact your local police or sheriff's department, and file a complaint with the FBI's Internet Fraud Complaint Center at www.ifccfbi.gov.
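
The tips above on "https" and on the header address can be turned into a mechanical check of a link before it is followed. This is an added example, not part of the FBI release; the function name `check_link`, the 40-character threshold and the `example-bank.com` sample addresses are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit


def check_link(url, expected_domain, max_host_len=40):
    """Return warning labels for `url`; an empty list means nothing was flagged.

    expected_domain is the address the user normally types for the company
    (an assumption of this example: the caller knows it in advance).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    brand = expected.split(".")[0]
    warnings = []

    # Tip: look for "https" in front of the website address.
    if parts.scheme != "https":
        warnings.append("not-https")
    # Anything before an '@' is login data, not the site; the real host follows it.
    if parts.username is not None:
        warnings.append("userinfo-before-host")
    # The host must be the expected domain itself or one of its subdomains.
    on_expected = host == expected or host.endswith("." + expected)
    if not on_expected:
        warnings.append("host-mismatch")
        # Tip: the business name sits "somewhere in the string" but is not the site.
        if brand in url.lower():
            warnings.append("brand-elsewhere-in-url")
    # Tip: spoof sites tend to have an excessively long address.
    if len(host) > max_host_len:
        warnings.append("long-host")
    return warnings


# Constructed sample links (not taken from any real complaint).
SAMPLES = [
    "https://www.example-bank.com/account",
    "http://www.example-bank.com@203.0.113.7/update",
    "https://example-bank.com.account-update.example.net/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link, "example-bank.com") or "no warnings")
```

A clean result only means none of these particular signs were present; the tip to type the known address into a new browser window still applies.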