Fight Identity Theft Blog

Selling puppies via Craigslist - or any classified ad - can be hazardous to your bank account.

Janet from New York sent us this story about a response to an ad she placed in an online classifieds web site. Here's how it went down:

You have received a reply to your pet ad.

Hello,

I am Dan and am writing you because am much interested in your puppy for sale on the classified ads. Kindly email me the details with the actual price and the health condition of the pup. Hope the pup is still in a good state. Looking forwarding to hearing from you soon. Have a nice day.

Mr Dan

Not a bad start. His english isn't great, but that's okay. Here's Janet's reply:

Hi Dan,

I have two puppies left. The boy and the black and white girl. They are very healthy and quite active. They are $475 each. They will have their first 5way shot and have been dewormed. You can visit them if you like. They are available to leave the nest anywhere from the 19th to the 22nd. On the 22nd they will be 8weeks old.

Let me know. Don't worry about their health. I am taking good care of them. They will also come with papers.

Thanks,

Janet

A reasonable response and the price seems right (okay, I don't know anything about puppies, but I'm guessing these are pretty nice for $475 each). Here's where things turn south...

Hello

Thanks for your email. I'm okay with price of the female puppy for $475. I will be making the payment via Certified Check drawn from a United State of America bank. I will making a dual payment which will cover the payment of the puppy and little part of the shipping of the puppy to its final destination.

Furthermore, as soon as you receive payment, you need cash to deduct the money for the puppy and wire the rest to the shipper who will be available for pickup at your end. In addition, you need to deduct $90
for more proper vaccination, Purina puppy chow and vet check before the pickup. Get back to me with the below information in order to get the payment mailed:

Name to be on the check:
Address to be mailed to ( No P.O Box Please)
Phone Number(s) I can possible reach on ( Morning/Day/Evening)

I just had to let you know how lucky the pup is going to be because the pup is coming to a good home with a spacious fence yard and tender care of family of two kids and Pet Lover.. I will be happy to send you pictures of the puppy development. The shipper will be taking good of him by giving a good hospitality and making a sound delivery to me.

Moreso, I will be glad if you can scan a copy of the AKC registration document and other paperworks for me, i.e if available. Get back to me as soon as the possible so I can effect the payment.Thanks and I look forward to reading from you.

Regards,

~Pups are my World~

Janet could sense that something was very wrong here. What were the warning signs?

• Payment via check. - in an online transaction, a check should be considered worthless. Scammers are experts in creating forged checks. Your bank will initially accept the check, but will later discover that it's a forgery and will remove the funds from your account.
• Extra payment - this is a huge warning sign. Any time a buyer wants to send you more money than you're asking for, alarm bells should go off. They're hoping you will deposit the "extra money" in your bank account and then wire your money to an accomplice. Not only will you not get paid for your merchandise, you'll actually end up paying them money. Getting scammed twice instead of once is not fun.
• Payment via wire - thieves love being paid via wire because it's almost impossible to track and recover the money. Never pay by wire.
• The use of emotion - the scammers play on the sellers feelings by talking about how they'll care for the puppy, take pictures of the puppy, put the puppy in a nice, big, safe, fenced yard, etc. Emotion is a powerful tool in distracting you as they steal your money.

This story had a happy ending. Janet sensed that something was wrong and didn't send the scammers anything. We're sharing the story here with the hope of educating other people placed in the same situation.

NOTE:This is our first in an on-going series of stories direct from visitors of Fight Identity Theft. If you'd like to submit your story, go to our contact page and select "I'd like to share my story."

According to investigative reporters for WirtschaftsWoche, 21 million Germans have had their personal information stolen along with their bank account and bank code numbers. The thieves are offering to sell the data for 12 million euros (about 15.3 million dollars). It is believed the scammers gathered the data by using employees at financial institution call centers.

Could this happen in the U.S.?

It certainly could. Privacy laws throughout Europe are generally tighter than U.S. laws and Germany is among the tightest. Low employee morale, caused by a deteriorating job market and chaos within the financial sector makes crimes like this more likely. I'm sure it's tempting for employees to grab whatever data they can as they're shown the door or maybe they're just looking to add to a mediocre salary. Whatever the reason, it may be time to buckle up and prepare for a bumpy ride.

What could criminals do with this data? Make bank withdrawals.

Criminals can use the bank account info to make withdrawals - either big or small. A .57 cent bank withdrawal from 21 million accounts still ads up to... ummm... let me get my calculator out... $11.97 million dollars. And that's this month, and next month, and the next month, etc. until they're caught or they decide to make a big withdrawal and run.

Here's their strategy, detailed in an IT World article:

Although banking passwords were apparently not included on the CD, criminals would be able to use this data to withdraw funds from a victim's account, said Thierry Zoller, an independent security consultant based in Luxembourg.

Scammers could use this type of information to initiate a large number of debits from German banks, making each withdrawal small in hopes that it would not be noticed by the victim, he said.

This is why carefully checking your bank records is important. If you see a unexplained entry - even if it's small - you should track it down until you understand where it came from. Otherwise you might unexpectedly see a much bigger withdrawal from the same source somewhere down the line.

More about this story at the WirtschaftsWoche in English and German.

You can also find coverage at The Register, and IT World.

Thanks to our friends at Kroll Fraud Solutions, we have some excellent 2008 tax season tips for avoiding identity theft:

The U.S. economy may not be the only beneficiary of the recently passed federal economic stimulus package – identity thieves are getting a boost, too. Why? In the wake of the recent IRS announcement that more than 130 million Americans will receive tax rebates this year, identity thieves are using the promise of extra cash to lure Americans into disclosing their sensitive personal information.

These “phishing” schemes can take a variety of forms, the most common of which involves an identity thief who calls or e-mails a consumer pretending to be an IRS employee. The consumer is promised a sizable rebate if they file their taxes early. All the caller needs in exchange is the consumer’s bank account number to deposit the check.

The bad news is that schemes like the one described above are common; the good news is that falling victim to one is avoidable – as long as consumers get smart on the facts and follow the proper precautions.

Below ID theft expert Brian Lapidus, chief operating officer of Kroll’s Fraud Solutions, offers some important advice that every consumer should know about protecting their personal information during tax season. At Kroll, Lapidus oversees a highly-skilled team that includes veteran licensed investigators who meet regularly with IRS agents to stay apprised of emergent tax fraud issues – bolstering the team’s specialized work supporting breach victims and restoring individuals' compromised identities to pre-theft status.

Preparing your taxes?

• Beware of phishing schemes. The IRS never contacts consumers by e-mail or phone to request sensitive personal information (SSN, checking account information, etc.). If you receive a phone call or e-mail that you suspect may be a “phishing” scam, file a complaint with the Anti-Phishing Working Group and contact the IRS immediately.
• Avoid shopping mall kiosks or pop-up preparers who offer to assist you with tax preparation. Considering the amount of sensitive personal information involved in the tax preparation process, you probably don’t want to hand over your files to someone whose experience and background are unfamiliar to you. Ask a trusted friend to introduce you to his/her tax preparer or consult a local CPA association for trustworthy members.

Filing electronically?

• Avoid using wireless networks. Use of wireless networks means your data is being transmitted over open airwaves, similar to a radio transmission. If not properly secured, data can easily be picked up by an uninvited party.
• Don't prepare your taxes on a public computer. Public computers can contain “keylogger” spyware, which records every keystroke including passwords and account information. Keyloggers make it possible for an identity thief to steal any information entered into the computer during your session. Preparing your taxes on a public computer also increases your vulnerability to “shoulder surfers” – individuals who look over your shoulder to observe what you are doing and, more importantly, collect the sensitive data you’re entering.
• Only keep a record of your tax claims as long as necessary. Thieves can't steal what you don't have. Purge the data once the need for it has expired. Suggested guidelines for individual recordkeeping are available online through the IRS at: http://www.irs.gov/publications/p552/ar02.html#d0e617.

Filing by mail?

• Don't put your completed claim in an unlocked mailbox for pick-up. Instead, deposit outgoing mail at a post office.
• Take it one step further and opt for delivery tracking. That way you can be certain that your information has gotten to the IRS safely.
• Waiting for your tax rebate? Promptly remove mail from your mailbox after delivery. The longer your mail sits in an unsecured mailbox, the greater your chances of it falling into the wrong hands.
• You may also choose to have the IRS deposit your tax rebate directly into your bank account, further minimizing the risk of theft.

Every one loves a "Top 10" this time of year, so here is a great one from our friends at Kroll Fraud Solutions. It was put together by Brian Lapidus - Kroll Fraud Solution chief operating officer and identity theft expert.

Enjoy!

1. Beware the Word "Prevent"

No person and no product can prevent identity theft. As long as criminals can benefit from stealing, there will be theft. Sensitive personal information (SPI) is everywhere, housed and archived in a mind-boggling variety of ways. Individuals and companies can reduce access to SPI and improve safeguards around it by working to change how we share, collect, store and dispose of information.

2. There Are No Guarantees

This mantra holds true for a lot of things in life and dealing with identity theft is no exception. While a number of instances of fraud can be restored to pre-theft status, some identity dilemmas simply can’t be fixed. If you’re on the ‘no fly list’ thanks to an imposter or an error, you’ll stay there. A third-party solution cannot deliver a remedy.

3. Watch for "Shoulder Surfers" and "Skimmers"

Shield the entry of personal identification numbers (PINs), and be aware of people standing entirely too close by when using your credit or debit card in public. Especially with the advent of cell phone cameras, a sneaky, shoulder surfing thief can get your private information pretty easily, if you’re not careful. It’s also advisable to use teller machines that are familiar to you, so you are in a better position to identify when the equipment looks different or doesn’t “feel right.” Your increased awareness may reveal a skimmer’s attempt to steal PINs and banking details at that site.

4. Keep Your Social Security Card Safe at Home

Unless you’re on your way to fill out a job application, there are very few reasons to carry around the crown jewel of SPI. At lunch a few weeks ago, the woman beside me opened her wallet for a credit card and there was her Social Security card, too. Remember, ID theft and fraud are not exclusively credit-related – thieves can use a clean Social Security number to construct a whole new life.

Additional note from Dave: I regularly receive emails from Fight Identity Theft visitors explaining how they just had their purse or wallet stolen with their Social Security card inside. Remove that card today!

5. Destroy Before You Dump That Old Computer

Erasing data just enables the computer to write over that space again; it doesn’t actually eliminate the original bits and bytes. Physically remove the hard-drive to ensure you’re not tossing out or passing along your personal details. Our company is often called upon to recover data from an erased or damaged drive; we’re very good at it – and so are some professional thieves.

Additional note from Dave: You could also consider using a software tool like Eraser to do a complete wipe of your drive. If you physically remove your drive, smash the drive with a hammer (find someone strong) before throwing it in the trash.

6. Choose "Forget Me’ Instead of  "Remember Me"

  How many Web sites do you frequent that invite you to enable an automatic log on the next time you visit? Don’t check that box! When convenience trumps confidentiality, you’re asking for trouble. The harder you make it for hackers to follow your trail into an online store or bank account, the better.

Additional note from Dave: This is absolutely necessary when using public computers. In fact, you should avoid accessing any secure sites from a public computer (like a library, internet cafe) or when using a public wireless network or wifi hotspot.

7. Don’t Rely On Fraud Alerts Or Credit Freezes Alone

Fraud alerts are meant to stop an identity thief from opening new accounts in your name. Credit freezes let you restrict access to your credit report, which would also make it hard for someone else to open new accounts. But, neither one will stop a thief from trading your SPI for cash, or using it for tax fraud or in any of the countless other ways fraudsters exploit stolen identities.

8. Practice Prudent Posting

Social networking sites on the internet enable individuals around the world to chat, share photos, recruit employees, date, post resumes, auction property, and more. Because the Web makes it possible for any posted document to link with another, any data you put out online have the potential to stay there for what amounts to electronic eternity.

Additional note from Dave: I suggest creating usernames or an email address that don't contain your name or anything traceable to you, whenever possible. You also might consider using different usernames on different sites. This makes sense because if someone is able to determine that you use "CatLuvr55" on one site, it's an easy search to track down  "CatLuvr55" on any other sites where you have a profile.

9. Keep That Key

When you check out of a hotel where you were issued a card-key to unlock the door to your room, don’t leave the card-key behind. Hold on to it until you’re safely home and can shred or otherwise discard it safely. Some say it’s an urban myth that the card-keys hold vital details like credit card numbers, while others report having tested and confirmed the presence of private data coded into the magnetic strip. Even if there’s no definitive answer, why risk it?

Additional note from Dave: Not sure I'm convinced on this one. I'd need to see more data showing that it is a problem. Snopes.com debunks this pretty thoroughly.

10. What’s In Your Wallet?

Make photocopies of the personal material in your wallet: Driver’s license, credit cards, insurance cards, all of it – front and back. Should your wallet be lost or stolen, you won’t be left wondering what was actually taken, and you’ll be able to quickly notify the appropriate agencies about what has taken place.