It certainly looked like the real thing. Full of eBay logos and links, the e-mail said their accounts were expiring, and they’d better fill out a form quickly or risk losing their current auctions. So they did — typing in everything from driver’s license numbers to credit card PINs. Since then, thieves have attempted to steal their money and their private information has been posted on the Internet for all the world to see. The lapse in judgment was momentary, but the consequences continue to unfold.
What's the easiest way to steal consumers’ personal data for identity theft? Just ask them for it.
So-called “phisher” e-mails, which look like authentic notes from real companies like eBay, Citibank or America Online, are a growing problem for Internet users, who continue to fall for the dupe and give away credit card numbers, Social Security numbers, and other critical personal data.
The e-mails are remarkably successful, say Internet scam artists who’ve discussed their techniques anonymously with MSNBC.com. One claimed as many as 10 percent of recipients fill out the forms, which take advantage of the ease with which genuine Web sites are copied. With imitation artwork and text, a fake Web site can look like the real thing to anyone not looking closely.
Anyone can be tricked by the phisher e-mails.
MSNBC TV anchor Contessa Brewer fell for the ploy in September, giving up her Social Security number to a Web page that looked like an authentic one from America Online. The instant she hit submit, she knew she had made a mistake.
“I know better,” she said. “But I had just moved, and I was filling out a whole lot of forms at the time, and this just seemed like one more form.”
One e-mail, many victims
That’s just about what happened to dozens of consumers who answered one such phisher e-mail sent out in July. Eventually, their data made its way to a chat room devoted to swapping “phish” stories, enabling MSNBC.com to contact the victims and hear their stories.
One victim, when shown the chat room log, responded with astonishment.
“There’s my cell number. My PIN. Wow, that’s scary,” said Nikki Rizzi of New York. “My Social Security Number. Look at that.”
The information was posted to the chat room apparently as the result of a dare from one member to the other. Internet fraud artists looking to sell “hot” financial account information often post a slice of the stolen data to boost their credibility.
All of the victims contacted had been hit with some kind of financial fraud but few had made the connection between the fake eBay e-mail and the fraud until contacted by MSNBC.com. Several didn’t even remember filling out the form.
Contrary to conventional wisdom, most of the victims were Internet-savvy. Several regularly check their credit cards and bank statements online, for example, and discovered their identities had been stolen just that way. Still, the e-mail was convincing enough to dupe them.
“They sent you e-mail posing as eBay. The page looks so real, you fall for it and give them all your information,” said Ed Dwyer, of Thompson Falls, Mont. Like the other victims, Dwyer surrendered virtually all the keys to his financial kingdom: His bank name, account number and routing number. His credit card number, expiration date, and PIN number. Even his Social Security number, driver license number, date of birth and mother’s maiden name.
Two weeks later, Dwyer, 34, was watching TV when he heard the Federal Trade Commission was warning people about the phisher scams. The examples the FTC cited were identical to the eBay e-mail Dwyer had received.
“Right then I felt like a sucker,” he said.
But he’s hardly the only one.
Rizzi, 25, fell for the same scam. Then, during one 15-minute span in September, someone made seven separate $200 cash advance withdrawals from his MBNA credit card. Four other attempts later that night were stopped.
“I was out coming home from gym and went to use my card and it was invalid,” Rizzi said. “The next day I checked it out online, and there were seven transactions done but I still had my credit card in my hand. Whoever it was used my credit card number to make a fake credit card and had my PIN.”
Rizzi didn’t know how the criminal had managed to get the PIN until he was reminded of the eBay look-alike e-mail by MSNBC.com.
“I do remember that one. ... I thought it seemed weird,” he said. “But being a young person, you embrace the Internet.”
Rizzi has since changed banks, canceled all credit cards and moved, making most of the stolen data which appeared in the public chat room useless. But not all of it.
“I can’t change my Social Security number,” he said. “What am I supposed to do about that?”
Fraud alerts help
Experts say that the best thing for victims to do is check their credit reports — which are available for free to victims of identity theft — and to place a “fraud alert” on their records at each of the three credit reporting bureaus. But none of the victims interviewed for this story had taken that step, or were advised to do so by their financial institutions.
Randall Allen, of Wichita, Kan., thought he was being careful. He uses eBay to buy equipment for his company and set up a special credit union account just for online purchases. Allen maintained only a fractional balance in the account, just in case a criminal ever managed to access it. He even checked the account weekly.
Still, the original eBay look-alike e-mail was enough to fool Allen.
“I remember filling in the form,” he said. “Now, I feel like, gosh I just gave them the keys to everything, didn’t I?”
He discovered something was wrong when an overdraft notice appeared on the account, after someone moved $100 out of it.
A couple of weeks later, a sales representative at Gateway called him after someone tried to buy a new computer via automatic withdrawal from his credit union. But by then, the account had been blocked.
A lot of lost time
Allen, like all of the other victims interviewed for this piece, hasn’t yet lost any money because of the identity theft, thanks to refunds from the financial institutions involved. But he did lose a lot of time — half a day at the credit union office dealing with paperwork, followed by more paperwork later, he said.
“It took me a lot of time to take care of this,” Allen said. “Luckily, I watch my money. But I want this kind of stuff to stop. I cannot believe people do this.”
David Aasum of Rochester, Minn., had $800 wired out of his bank account in September, when most of the financial crimes connected to the July eBay look-alike e-mail took place. It’s not clear why the successful “phisher” waited so long.
“I monitor my accounts all the time,” Aasum, 60, said, adding that after he discovered the withdrawal, “it was immediately taken care of by my bank.” By that Aasum means that his bank put $800 back into his checking account. But the bank didn’t advise him to take other steps to protect his now stolen identity, such as contacting credit bureaus, he said.
Fraud fighter Dan Clements, who operates a credit card fraud awareness Web site called CardCops.com, spotted the chat room where the data was posted and shared the information with MSNBC.com.
“It’s really just a numbers game,” Clements said. “(Criminals) send out hundreds of thousands of those, and if they get just a few back they are ahead of the game.”
While it’s easy to criticize victims for divulging personal information, Clements said so many Internet users are falling for the trick that the financial industry has to do more than simply blame the victims.
“Busy professionals, sophisticated people see an e-mail with the right logos, fill it out, and hit submit. Lots of times, an instant later, they think, ‘What have I done,’ but it’s too late,” he said. “We have seen that the banking industry has been slow to respond to some of these issues.”
EBay could do a better job warning consumers, too, Aasum suggested.
“When I got it, I did try to contact the real eBay, and they never responded,” he said. But he has received other notices from eBay saying the firm would never ask for information such as credit card PIN numbers. “I guess I don’t know what eBay could really do,” he said.