FBI Says Web "Spoofing" Scams are a Growing Problem
Washington, DC - The FBI, in
conjunction with national Internet service provider Earthlink,
the Federal Trade Commission, and the National Consumer's League,
began an initiative today to raise awareness about the growing
problem of web spoofing scams and to give consumers and businesses
important tips on how to protect themselves from these scams.
According to Jana Monroe, Assistant
Director of the FBI's Cyber Division, "Bogus e-mails that
try to trick customers into giving out personal information are
the hottest, and most troubling, new scam on the Internet."
The FBI's Internet Fraud Complaint
Center (IFCC) has seen a steady increase in complaints that involve
some form of unsolicited e-mail directing consumers to a phony
"Customer Service" type of web site. Assistant Director
Monroe said that the scam is contributing to a rise in identity
theft, credit card fraud, and other Internet frauds.
"Spoofing," or "phishing,"
frauds attempt to make Internet users believe that they are receiving
e-mail from a specific, trusted source, or that they are securely
connected to a trusted web site, when that is not the case.
Spoofing is generally used as a means to convince individuals
to provide personal or financial information that enables the
perpetrators to commit credit card/bank fraud or other forms
of identity theft. Spoofing also often involves trademark and
other intellectual property violations.
In "E-mail spoofing"
the header of an e-mail appears to have originated from someone
or somewhere other than the actual source. Spam distributors
and criminals often use spoofing in an attempt to get recipients
to open and possibly even respond to their solicitations.
"IP Spoofing" is a
technique used to gain unauthorized access to computers, whereby
the intruder sends a message to a computer with an IP address
indicating that the message is coming from a trusted port.
"Link alteration" involves
altering the return address in a web page sent to a consumer
to make it go to the hacker's site rather than the legitimate
site. This is accomplished by adding the hacker's address before
the actual address in any e-mail or page that has a request
going back to the original site. If an individual unsuspectingly
receives a spoofed e-mail requesting him/her to "click here
to update" their account information, and is then redirected
to a site that looks exactly like their Internet Service Provider,
or a commercial site like eBay or PayPal, there is an increasing
chance that the individual will follow through in submitting
their personal and/or credit information.
According to Assistant Director
Monroe, the FBI's specialized Cyber Squads and Cyber Crime Task
Forces across the country are zeroing in on the spoofing problem.
The FBI's Legal Attaché offices overseas are helping
to coordinate investigations that cross international borders.
The IFCC has received complaints that trace back to perpetrators
in England, Romania, and Russia.
The FBI is also working actively
with key Internet e-commerce stakeholders such as eBay/PayPal,
Escrow.com, and a variety of Internet merchants via the Merchants
Risk Council to identify common traits of such scams, as well
as proactive measures to rapidly respond.
The FBI offers the following
tips for Internet users:
- If you encounter an unsolicited
e-mail that asks you, either directly, or through a web site,
for personal financial or identity information, such as Social
Security number, passwords, or other identifiers, exercise extreme
- If you need to update your information
online, use the normal process you've used before, or open a
new browser window and type in the website address of the legitimate
company's account maintenance page.
- If a website address is unfamiliar,
it's probably not real. Only use the address that you have used
before, or start at your normal homepage.
- Always report fraudulent or
suspicious e-mail to your ISP. Reporting instances of spoof
web sites will help get these bogus web sites shut down before
they can do any more harm.
- Most companies require you to
log in to a secure site. Look for the lock at the bottom of
your browser and "https" in front of the website address.
- Take note of the header address
on the web site. Most legitimate sites will have a relatively
short internet address that usually depicts the business name
followed by ".com," or possibly ".org."
Spoof sites are more likely to have an excessively long string
of characters in the header, with the legitimate business name
somewhere in the string, or possibly not at all.
- If you have any doubts about
an e-mail or website, contact the legitimate company directly.
Make a copy of the questionable web site's URL address, send
it to the legitimate business and ask if the request is legitimate.
- If you've been victimized by
a spoofed e-mail or web site, you should contact your local police
or sheriff's department, and file a complaint with the FBI's
Internet Fraud Complaint Center at www.IFCCFBI.gov.
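
The address checks in the tips above, and the "link alteration" pattern described earlier, can be applied mechanically to a link before anyone clicks it. The Python below is an added example, not part of the FBI release; the trusted domain bank.example, the sample URLs and the function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allow-list: domains the user actually does business with.
TRUSTED = {"bank.example"}

def is_trusted_host(host, trusted=TRUSTED):
    """True if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def spoof_indicators(url, trusted=TRUSTED):
    """Return the reasons a link does not lead where it appears to."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not-https")
    if parts.username is not None:
        # Text before '@' is login data, not the destination.
        reasons.append("userinfo-before-host")
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal-host")
    except ValueError:
        pass  # host is a name, not a bare IP address
    if not is_trusted_host(host, trusted):
        # The business name is in the string, but the host is someone else's.
        if any(d in url.lower() for d in trusted):
            reasons.append("trusted-name-outside-host")
    return reasons

# Constructed sample links (documentation-only domains and addresses).
SAMPLES = [
    "https://www.bank.example/account",
    "http://www.bank.example@203.0.113.7/update",
    "https://www.bank.example.secure-update.test/login",
    "http://accounts.test/redirect?to=http://www.bank.example/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", spoof_indicators(link) or "no indicators")
```

An empty result only means none of these specific patterns matched; typing the known address into a new browser window remains the safer route.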