You've Got Fraud
Brand-name 'Spoofing' and 'Phishing' Scams
Target E-mail Users
Robertson Barrett, Special to Consumer Reports WebWatch
On September 21, Debbie Buckholz, an antiques dealer in Weston, Mo., received a disturbing notice in her America Online inbox:
Dear AOL Member, There has been a purchase added to your AOL account billing method. This purchase took place at 1-800-Flowers.com. If this order was unauthorized and you would like to cancel this order please click here.
The suspiciously monikered sender, Samdog3228, went on to describe an order for 32 dozen long-stemmed red roses, for a total of $93.64. Buckholz, who had ordered no flowers, suspected credit-card theft, and she clicked the link that promised to cancel the order. When that did nothing, she replied to the e-mail to tell the sender that she had authorized no purchase.
"A couple of days later when I turned on the computer and went to log on the Web, AOL indicated I had been barred," Buckholz says. Instead of her welcome screen, she saw a notice to call AOL Member Services, which restored her access once she had verified her identity over the phone.
So what happened here? Buckholz was one of thousands of AOL users who received the fraudulent "flowers" message in September. The scammer had stolen the password for Samdog3228's AOL account, then used it and many others to send hundreds of thousands of misleading messages. These, in turn, directed recipients to click through to a fake customer-service Web site that closely resembled the real 1-800-Flowers.com homepage.
Buckholz was lucky that she never got that far. On that page, users were asked for their AOL screen name and password in a purported attempt to resolve the "flowers" matter. If they complied, the scammers gained control of the AOL user's account, sometimes using the name to send out thousands more untraceable scam e-mails. AOL, meanwhile, was frantically conferring with officials at the real 1-800-Flowers.com to clear up confusion and had been blocking the sign-ons of any AOL accounts affected by the scam.
"If you become a victim of an online billing scam, two things have usually happened: Someone has stolen your online identity and your financial position — your billing on file with AOL," says AOL spokesman Nicholas Graham. "So if we note there is unusual activity on an account — for example, spewing hundreds of e-mails within minutes — we scramble the (sign-on) password. We will not allow the account to sign on. And when the legitimate owner calls in, we verify who they are with a series of questions and restore their access."
Spam, Phish or Spoof?
Internet users like Buckholz are not the only victims of identity-theft scams that lure users into giving out credit-card and other personal information — a practice hackers call "phishing." Increasingly, the scam artists are also co-opting the identities of major businesses and creating look-alike Web sites — a trick called "spoofing." These techniques are often used together to deceive consumers.
In addition to causing headaches for 1-800-Flowers.com, scammers in the last six months alone have offered up sophisticated-looking customer-service e-mail and Web pages designed to look like those of eBay, Citibank and Bank of America.
"There's a growing problem with this sort of spoofing issue," says Ray Everett-Church of ePrivacyGroup.com, an e-mail software firm and privacy consultancy. "The only thing that really works is to educate consumers about the fact that these companies are never going to send messages that are going to ask people to submit a credit-card number."
AOL has been the subject of spoofs in which e-mail messages ask AOL members to send "updated" credit-card information or provide passwords to "continue" their service. Some have been easy to spot (one classic from "The AOL Billing Center" says, "We are sorry for this incontinence"), but most are much cleverer. Because AOL caters to Internet newcomers, the service repeats a no-disclosure mantra on every mail screen. "The golden rule is, we will never ask for your password or billing information," says AOL's Graham.
AOL has taken a number of steps to educate users and alert them to current scams, including periodic alerts on its welcome screen and a special "Communications Safety" area (accessed through AOL keyword "scams"). The service constantly updates its anti-spam filters, which screen out annoying e-mails identified by AOL employees and users. And AOL's 9.0 release includes options to block e-mail containing hyperlinks or spam-like words such as "Viagra," and to block e-mail from anyone other than the user's list of friends and associates.
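The blocking options described above (drop mail containing hyperlinks, drop mail containing spam-like words, accept mail only from a list of known senders) plus AOL's "golden rule" that a provider never asks for a password or billing details by e-mail can be expressed as a small set of filter rules. The following is an added example written for this page, not AOL's own filtering code; the sample messages, the `FilterPolicy` fields and the `classify` function are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample messages modelled on the kinds of mail the article describes.
# None of these is a real message.
SAMPLE_MESSAGES = [
    {"sender": "Samdog3228", "subject": "Purchase added to your account",
     "body": "There has been a purchase added to your AOL account billing method. "
             "If this order was unauthorized please click here: http://example.invalid/cancel"},
    {"sender": "billing-center", "subject": "Account update",
     "body": "Please reply with your password and credit card number to continue your service."},
    {"sender": "mom", "subject": "dinner", "body": "See you Sunday at 6."},
    {"sender": "pharmacy-deals", "subject": "Cheap Viagra", "body": "Best prices, order today!"},
]

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
DEFAULT_SPAM_WORDS = {"viagra"}
# Requests a legitimate provider never makes by e-mail, per AOL's "golden rule".
CREDENTIAL_REQUEST_RE = re.compile(
    r"\b(password|credit[- ]?card|billing information)\b", re.IGNORECASE)


@dataclass
class FilterPolicy:
    """Hypothetical mirror of the user-selectable options the article lists."""
    block_hyperlinks: bool = False
    spam_words: Set[str] = field(default_factory=lambda: set(DEFAULT_SPAM_WORDS))
    allowed_senders: Optional[Set[str]] = None  # None means accept mail from anyone


def classify(message: dict, policy: FilterPolicy) -> List[str]:
    """Return the list of reasons to block a message; an empty list means deliver it."""
    reasons = []
    text = message["subject"] + "\n" + message["body"]

    if policy.allowed_senders is not None and message["sender"] not in policy.allowed_senders:
        reasons.append("sender not on allow list")
    if policy.block_hyperlinks and URL_RE.search(text):
        reasons.append("contains hyperlink")
    lowered = text.lower()
    for word in sorted(policy.spam_words):
        if word in lowered:
            reasons.append(f"spam-like word: {word}")
    # Independent of user options: a request for credentials or billing data is
    # always suspicious coming from a provider that says it never asks for them.
    if CREDENTIAL_REQUEST_RE.search(text):
        reasons.append("asks for password or billing information")
    return reasons


def run_filter(messages: list, policy: FilterPolicy) -> dict:
    """Classify every message, keyed by subject, for easy inspection."""
    return {m["subject"]: classify(m, policy) for m in messages}


if __name__ == "__main__":
    for subject, reasons in run_filter(SAMPLE_MESSAGES, FilterPolicy(block_hyperlinks=True)).items():
        print(f"{subject!r}: {'deliver' if not reasons else ', '.join(reasons)}")
```

Note that the hyperlink rule alone is what catches the constructed "flowers" message: its body never mentions a password, which is exactly why the lure points the reader to a Web page that asks for one. The allow-list option is the strictest setting and is the one that also drops that message on the sender alone.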
Even so, users of AOL and other major online services, including MSN, Earthlink, Hotmail and Yahoo!, have special reasons to be careful. These services are the prime hunting grounds for senders of unsolicited commercial e-mail, or spam — and scammers use the same kinds of lists to find their targets.
"The scammers and spammers have a very simple method of obtaining e-mail addresses at major Internet service providers," says Everett-Church. "Almost all of them now have software using the 'dictionary' spamming method, which takes names and numbers and combines them — john@aol.com, john1, john2, etc. It is entirely possible for someone to join AOL or Hotmail, create their screen name or address and within seconds receive spam."
Next-Generation E-Mail?
Several legal measures are in the works to contain e-mail scams, but critics say technology is too far ahead of the law.
One technological solution, called "Trusted Sender" and advocated by privacy software firms including Everett-Church's, would make it possible to verify that any e-mail message matched a code from the person or company it claims to be from. The catch: All the major Internet companies in the world would have to agree to use the new software and make it the standard.
"If Microsoft and other such companies get together and say, 'All our mail will use this technology,' then the bulk mailers would move to this, and the spammers would fail," Everett-Church says. "But some of those big guys are going to have to step up to the plate and take the plunge."
AOL, Microsoft, Earthlink, Yahoo! and many smaller companies joined an alliance this year to explore the concept, but none of the big companies has committed to specific action or a timetable. "Trusted Sender might be helpful, but it cannot be a silver bullet to kill spam. There are always smart individuals who figure out ways to get around new technologies," says AOL's Graham. "It's an elixir, not a cure-all."
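The idea behind a scheme like Trusted Sender, as the article describes it, is that a message carries a code only the claimed sender could have produced, so a receiver can check the code rather than trust the "From" line. The following added example is a deliberately simplified illustration of that principle and not Trusted Sender's actual protocol (the article gives no protocol details): it uses an HMAC over the claimed domain and message body with constructed per-domain secrets held in `PARTICIPANT_KEYS`. The third verdict, `unverifiable`, is the "catch" the article raises: a receiver can say nothing about mail claiming to come from an organisation that has not adopted the scheme.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed secrets for organisations that have "joined" the scheme.
# A real deployment would use published keys rather than shared secrets; these are placeholders.
PARTICIPANT_KEYS: Dict[str, bytes] = {
    "1800flowers.example": b"constructed-secret-flowers",
    "aol.example": b"constructed-secret-aol",
}


def sender_code(domain: str, message: str, key: bytes) -> str:
    """Code the genuine sender attaches: HMAC-SHA256 over the claimed domain and the body.

    Binding the domain into the HMAC means a valid code for one domain cannot be replayed
    under another domain's name.
    """
    data = (domain + "\n" + message).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(claimed_domain: str, message: str, code: Optional[str]) -> str:
    """Receiver-side check.

    Returns 'verified' when the code matches the claimed domain's key, 'forged' when the
    domain participates but the code is missing or wrong, and 'unverifiable' when the
    claimed domain has not joined the scheme at all.
    """
    key = PARTICIPANT_KEYS.get(claimed_domain)
    if key is None:
        return "unverifiable"
    if code is None:
        return "forged"
    expected = sender_code(claimed_domain, message, key)
    # Constant-time comparison so the check does not leak how many leading bytes matched.
    return "verified" if hmac.compare_digest(expected, code) else "forged"


if __name__ == "__main__":
    body = "Your order of 32 dozen roses has shipped."
    good = sender_code("1800flowers.example", body, PARTICIPANT_KEYS["1800flowers.example"])
    print(verify("1800flowers.example", body, good))                       # verified
    print(verify("1800flowers.example", body + " click here", good))       # forged (body altered)
    print(verify("1800flowers.example", body, None))                       # forged (no code)
    print(verify("randomisp.example", body, good))                         # unverifiable
```

The last case is the one that matters for adoption: until every major mail provider participates, a receiver cannot treat "unverifiable" as "forged" without rejecting legitimate mail from non-participants, which is why Graham calls the approach an elixir rather than a cure-all.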
In the meantime, e-mail users who suspect they've been scammed can report incidents to the FBI's Internet Fraud Complaint Center, or consult the FTC's guide to preventing phishing and spoofing.
"I use the Internet for buying, selling and marketing," says Buckholz, the antiques dealer. "Scams, like this one that almost got me, have given me second thoughts about the advisability of using the Internet. It proves one needs to be careful when replying to e-mails from 'strangers.'"
Robertson Barrett, a media consultant and writer, was a founder and managing editor of TIME.com and ABCNEWS.com. He was also vice president and general manager of The FeedRoom, a nationwide broadband news network in partnership with NBC and Tribune, and of Channel One Interactive, the educational television network's new media division.
He writes a biweekly column on scams and schemes online and has written about spyware and Internet "washers" for Consumer Reports WebWatch.