A scam has two main stages: 1) a scammer provides false information and urges a potential victim to act upon it, and 2) the victim acts on the false information and transfers some benefits to the scammer. The third stage occurs when the victim realizes that he has been cheated, but the best scams are those that go undetected and try to avoid this stage in order to repeat the process. This page will examine the psychological reasons why we fall for these scams and the social engineering manipulations that cause us to divulge confidential information or perform actions that are detrimental to ourselves.
A survey by the Federal Trade Commission conducted in late 2011 and early 2012 estimated that 25.6 million Americans had been victims of fraud. The majority of these people were duped through Internet media such as e-mail, Facebook, Twitter, and Internet auction sites and Internet classified advertisements. The people who were most susceptible to the scams were 1) risk-takers who reacted to unsolicited Internet requests or offers, 2) grieving people who had recently experienced an injury, a divorce, a death in the family or a job loss, and 3) debtors who were desperate to escape their financial troubles.
In 2010, the Internet Crime Complaint Center (IC3) received 314,587 complaints about cybercrimes that cost the victims more than $617 million dollars. The greatest number of complaints, 44,562 or 14.16 percent, were about FBI scams. The second largest number of complaints (8.9 percent) was about advance fee frauds which promise money to a victim if he pays an upfront fee; this type of scam is also called a 419 scam after the Nigerian penal code under which it is prosecuted. Other complaints included identification theft, credit card fraud, overpayment fraud, account hacking, and online sales where the merchandise purchased was not delivered. Many of these scams are perpetrated through unsolicited spam e-mails, but they can also be carried out by telemarketing.
Appeal to Fear
Fear can be used to manipulate attitudes. A scary message or phone call that includes a recommendation of how to take care of the problem can be crafted into a successful scam. You may get a phone call in which the caller says that he is from the "Microsoft response center" and he tells you that your computer is sending error messages that need to be fixed. The caller will try to convince you to visit a web site that will show the computer errors and then he will be pressure you to provide a credit card number to fix your computer. Don't fall for this trick! If you visit the web site, your computer could get infected with a virus, and by visiting the site you will provide the caller with the IP address of your computer which will enable hackers to control it remotely.
Many scams use letterheads or credentials of enforcement agencies to make the threats appear genuine. The threat may be disguised as a thank you message for scheduling a direct debit payment for an exorbitant amount of money.
Example: A direct debit for $1128.65 has been charged to your card.
You get an e-mail that says: "Verizon Notification, Thank you for using verizon.com to make your scheduled direct debit payment. Payment Amount: $1128.65, Confirmation Number: 689897944." You may become a victim of a scam if you reply to such a message or click on the links within the message. The links may take you to a website that will infect your computer with a virus. To verify the status of your account, login through the official web site of the business, but never reply or click on suspicious e-mail messages.
Example: A warrant has been issued for your arrest.
You get a message from the FBI Anti-Terrorist and Monetary Crimes Division threatening to arrest you if you do not reply back. The message explains that your identity was used to perpetrate an online international scam, and you are wanted by the FBI. However, you can make the problem go away by sending money via Western Union to the overseas address specified in the message.
Example: Your computer is sending error messages.
You visit a web page and a message like the one above warns you about a critical error or that your computer is too slow. Don't believe it! Many advertisements are designed to make you panic so that you click on them. The little triangle on the right is displayed on Google ads; this gives you a hint that the "warning" is just an advertising gimmick.
Example: Speeding violation.
An e-mail from the Speed Enforcement Division notifies you that a traffic camera caught your car speeding fifteen days ago on the weekend. You can avoid a court summons and avoid accumulating points on your driving record if you pay the speeding ticket within 24 hours by sending the amount of the fine to the following P.O. Box.
Example: Your email account will be terminated.
The following note is an appeal to fear designed to make the recipient divulge the user ID and password of an e-mail account. For potential victims who might hesitate to provide the information, the note gives reassurance that it is safe to send the password because it will be encrypted.
The threat: "your email account will be terminated"
The solution: Send back your user name and password within the next 12 hours.
Verizon Inc. firstname.lastname@example.org
to undisclosed recipients
Dear Verizon Subscriber,
Virus Notification (The following instruction should be followed within the next 12hrs)
A DGTFX Virus has been detected in your verizon.net folders. Your email account has to be upgraded to our new Secured DGTFX anti-virus 2011 version to prevent damages to our web mail log and to your important files. Click your reply tab, Fill the columns below and send back to us or your email account will be terminated to avoid spread of the virus.
Note that your password will be encrypted with 1024-bit RSA keys for your password safety.
All verizon.net User Should Reply Now !!!
Failure to do this will immediately render your Web-email address deactivated from our database.
Thank you for your co-operation.
Warning Code :ID67565434
Verizon Inc. Account Support.
Appeal to Greed
Most people would be happy to find an investment that guarantees 11% dividends. Scams that appeal to greed exploit our desire to get reliable high returns on investments, to get something for nothing, or to make an exorbitant profit on a business deal even though the deal may be unscrupulous or illegal. Many advertisements use the word FREE in big letters to advertise a promotion, but then explain in small print the conditions of the "free" offer.
YOU ARE A WINNER!!! A letter, an e-mail or a telephone call announces that you have won a prize of several million dollars. When you respond, you find out that in order to collect your prize you have to pay a transfer fee or taxes. You can become a victim of the scam if you don't ask yourself how you could have won a lottery or prize when you never entered a contest, but greed is so powerful that this thought may not surface into your consciousness. Your losses may escalate as new fees are requested to finalize the receipt of your winnings, which, of course, you will never get. As part of the scam, you may be asked to provide identification such as driver's license and social security number which can then be used for identity theft. Prize scams are sometimes timed to coincide with promotions by legitimate sweepstakes such as the Publishers Clearing House Sweepstakes. This enables the scam artists to pose as company agents and benefit from all the TV publicity of the real contests. These are some things to keep in mind to avoid this type of scam:
NEED REPUTABLE PARTNER TO TRANSFER 60 MILLION DOLLARS. Your inbox has an e-mail seeking a discreet and trustworthy partner to help the widow of a deposed African dictator transfer 60 million dollars from a secret foreign account to the U.S. This widow is willing to give you 30% of this money for helping her transfer the money to your account, but you have to be discreet to prevent the authorities from freezing the assets. When you agree to the deal, you will find out that you need to provide a transfer fee to get the process going. This type of scam originated in the Internet cafes of Nigeria, but some new variants come supposedly from the widow of Libyan Leader Colonel Muammar Gahdafi who fled to Algeria.
Appeal to Curiosity
Scams that exploit curiosity provide some tantalizing message that lures the victim into providing confidential information or performing an action that will eventually be harmful. These are some e-mails associated with this scam.
The purpose of these messages is to get the victim to click on a link in the e-mail or open the attached file. Several bad things can happen. Opening an attached file from a spam e-mail can deploy malware on your computer. Clicking on a link may take you to a web site that infects your computer with malware that can steal passwords and e-mail addresses, set up your computer as a spambot, or give fake computer virus warnings that request money to fix the problem. Clicking on a link may also take you to a phishing web site that looks like the web site for your bank, but when you type your logon ID and your password you are actually giving it to the crooks with the fake web site who will promptly empty your bank account.
Phishing is an attempt to obtain financial or other confidential information from Internet users, typically by sending an email that looks as if it is from a legitimate organization, usually a financial institution, but contains a link to a fake website that replicates the real one.
To avoid phishing scams, NEVER click on a link in an e-mail. If the e-mail claims to be from your bank, go to the address bar of your browser and type the website address of the bank yourself or get it from your saved favorites. Also, never open an attached file in an e-mail without doing a virus scan on it. Even when the e-mail comes from a friend, their computer could have been compromised and a spambot could have sent the infectious attachment to all e-mail addresses on your friend's computer. Keep your antivirus software up to date.
In a malicious script scam you are asked to copy and paste text into your browser's address bar in order to see something interesting or surprising. The text copied is actually malicious executable code that instead of showing you what was advertised, uses the account on which you are logged on to create events and pages to steal your information. The rogue code may disclose your mailing lists and send spam to your friends or change your account settings.
Don't divulge your password or financial information
Would you give a stranger the key to your house so that they can take a look inside? Probably not because you don't know what they might steal. However, people often provide their e-mail passwords to social media like LinkedIn, Facebook or Twitter. These social web sites then access your account and import your e-mail contacts in your address books. The social media use your e-mail addresses to increase their base of users and make new connections between the users.
The image below shows the LinkedIn interface that requests the password for your account in order to "confirm" it. These social websites can be very insistent and they will ask for this information every time that you login. They also encourage you to import your email contacts from Outlook or other email applications. The interface below says that they will not store your password or email anyone without your permission. However, in the very next line they say that by clicking "continue" you give them permission to send your email and password to a partner to check your e-mail contacts. In other words, you are giving them permission to logon to your account and import address book information from Gmail, Yahoo!, AOL or Hotmail. However, they could also scan e-mails that you have sent or received to look for additional email addresses that you have not saved in your address book. You can only blame yourself if you lose your privacy by providing the passwords of your accounts. Always use different passwords for your email accounts and for your social web sites, and never post financial information on social web sites. There was a case in 2012 where armed robbers broke into the home of a girl who had posted to Facebook a photo of wads of money that she had been counting for her grandmother.
Weak Passwords and PIN numbers
Computer accounts and credit cards are secured with passwords and PIN numbers. The best passwords are those that use a combination of lower case letters, upper case letters, numbers and punctuation signs. Passwords should never be words that can be found in a dictionary. Do not use passwords or PIN numbers that can be easily guessed from your birthday, your zip code, your telephone number, your occupation or your place of work. The following table has a list of the worst passwords and PIN numbers because they are easily guessed.
|Worst Passwords||Worst PIN numbers|
Tax Refund Theft
The way in which you find out that you have been a victim of Tax Refund Theft is when you submit your tax return and the IRS office informs you that this is a multiple tax return and that the money has already been paid out. Tax refund thieves file an electronic tax refund using your name, social security number and date of birth. They request a direct deposit to a temporary account opened in your name, or they may request the check to be mailed to a vacant home that they monitor.
This scam only works when the thieves have your personal information. How do they get it? Your name and social security number may be obtained from medical insurance forms, and your birth date is on your driver's license. Many people don't realize that posting a birth date on social media such as Facebook makes them more vulnerable to identity theft. Provide your social security number and date of birth only to legitimate organizations like employers, insurance companies, medical providers and financial institutions that will safeguard the privacy of your information. Never use your real birth date on social media; this is a case where lying about your age can protect you.
Appeal to Love or Loneliness
This type of scam usually targets men who don't have a wide circle of friends, so when such a man gets a spam e-mail from a Russian woman looking for a meaningful relationship and only asks for a pen pal, the temptation to reply may be too great to resist. What usually happens, is that the beautiful Russian woman is not a woman, but just a scammer who builds up the confidence of the victim little by little and then starts asking for favors. The sting may be something like: "My mother got sick and I need some money for her operation; I don't know what to do." The man may feel that he is doing a good deed to help his girlfriend by sending money, but he has just become the victim of a scam.
Appeal to Piety
The e-mail in your inbox starts out "Beloved in God, my will to you $3,000,000". A Christian lady who is dying of cancer says that the Lord guided her to find your e-mail address in a guest-book that she was examining. She is sure that you are a God fearing person to whom she can entrust the fund that she has designated for several charitable purposes. As compensation for administering the fund according to her wishes, you will receive 30% of the total assets. This is a variation of the Nigerian 419 scam that targets religious believers who would like to help a dying woman fulfill her last wishes. The religious angle of this scam enables the scammer to manipulate the victim's actions by questioning the strength of the victim's faith in God when the victim begins to resist some aspect of the scam. The scammer can use quotations from the Bible that say how to serve the Lord and ensnare the victim further.
Emergency Help for a Friend or Relative
You receive a phone call or an e-mail from someone claiming to be your friend or relative who is in trouble outside the country. While traveling, he or she lost the wallet, got robbed or got arrested and now needs your help to get back home. Here is an example of an e-mail:
From: Maria Smith <email@example.com>
Date: Thu, Feb 21, 2013 at 6:02 AM
Subject: BAD MOMENT (Maria Smith)
This message may be coming to you as a surprise but I need your help. Few days back my family and I made an unannounced vacation trip to Manila, Philippines. Everything was going fine until last night when we were mugged on our way back to the hotel. They stole all our cash, credit cards and cellphone but thank God we still have our lives and passports safe. The hotel manager has been unhelpful to us for reasons I don't know. I'm writing you from a local library.
I've reported to the police and after writing down some statements that's the last I had from them. I contacted the consulate and all I keep hearing is they will get back to me. Our return flight leaves soon... I need you to help me out with a fast loan to settle our bills here so we can get back home. I'll refund the money as soon as we get back.
You recognize the name of Maria Smith as one of your friends. In this particular case, the e-mail had a different reply address from the sending address. The scammer had set up an e-mail at firstname.lastname@example.org so that by simply replying to the message you would be in contact with the scammer instead of your friend. This is a technique used by scammers to get money from the people listed in your friend's address book. The scammer probably obtained the address book by hacking into your friend's computer or his or her e-mail account to steal the information. In this case, the scammer will probably ask to wire the money to the Philippines, as suggested by the note. This is a scam. DON'T SEND MONEY under any circumstances. The best thing that you can do for your friend is contact her independently (start a new note, do not click "reply" for this note) and suggest to: 1) change the password of the e-mail account, 2) apply all system updates to the operating system of the computer, and 3) run an antivirus scan of the computer.
Appeal to Compassion
Sometimes a letter or an e-mail has a sad story and asks for any money that you can spare for a charitable purpose or to help a person overcome a serious problem. The only good thing about this scam is that it is straightforward and does not beat around the bush. The persons who send money may never find out if the money is really used for the charity or whether the person who has the problem really exists. The donors may never know that they have been the victims of a scam, but they may then receive follow-up messages thanking them for their support and saying how new problems have come up that require additional funds, or they may become the targets of donation requests for other causes. These scams become more popular after a hurricane, a flood or an earthquake when there is a lot of TV coverage about a disaster.
Many popular appeals for charity run television campaigns that show children with dirty faces, others show pets with matted hair and sad eyes. The advertisements say that the children are poor with no resources or that the pets were the victims of abuse and will be killed in some horrible gas chamber because they are unwanted. Could you please donate to feed and educate these children, or to try to put these pets in a home where they will be loved? Most people don't know that a private charitable foundation is required by law to pay out only 5% of its assets each year; the rest can be used for the operation of the foundation which may include high salaries and fancy cars for the administrators, and more TV ads. A person who donates $100 dollars to a charity would be surprised to discover that only $5 dollars reaches the intended beneficiaries. This may not be a scam, but it feels like one.
Appeal to Shame or Embarrassment
Some of the most pervasive spam e-mails are those for Viagra, Cialis or other male enhancement products. The premise of these offers is that the Internet provides a fairly anonymous way of obtaining a product that would be awkward or embarrassing to discuss with a doctor or pharmacist. One real problem is that any products bought in this way could be counterfeit look-alikes with ineffective or harmful ingredients. You don't know with whom you are dealing when replying to a spam e-mail, and there is no guarantee that you will receive any product if you send money. You basically could be just sending the money to the scammers.
Internet commerce has grown substantially during recent years. Shopping online is a convenient way of buying products from the comfort of your own home, but it is necessary to deal with reputable commercial web sites and not just a random e-mail that appears in your mailbox.
Taking advantage of Ignorance or Inexperience
A person who thinks that someone is trying to pull an old trick may say: "I was not born yesterday" and reject an offer that is too good to be true, but even very smart people have been duped by the Fake Cashier Check scam. The scam goes like this:
The Federal Deposit Insurance Corp. (FDIC) requires banks to make money from certified or cashier's checks available in one to five days, but this may not be long enough for the check to clear the issuing bank. The scam works because the victim's account is credited with the money and he can wire the remainder to the scammer, but in a couple of weeks, the bank tells the victim that the check is fake and removes the money from the victim's account. The scammer never comes to take possession of the property. The counterfeit checks can look very realistic on tamper-proof paper with proper routing numbers and account numbers, so the scam may not be discovered until it is verified by the issuing bank. Avoid getting into a transaction where you have to refund an overage, and always wait until the issuing bank has cleared the check before refunding any money or surrendering possession of what you are selling.
Fake Business Deals for web site owners
The Internet offers many opportunities for earning income through advertising. A popular web site may get a substantial amount of income, and the more web pages that the site has, the greater the income. Some companies such as BET Information Systems, doing business as nSphere, promise web site owners to increase revenue by splitting advertising income 50/50 for a "localmarket" subdomain developed and hosted by BET/nSphere. The web site owner only needs to provide a few articles, set a few links to the subdomain from the home web page, and redirect the subdomain to a server controlled by BET/nSphere. nSphere organizes and generates many web pages with local information.
After the traffic builds up on the localmarket subdomain, BET/nSphere starts collecting ad revenue from Google AdSense and posts the monthly earnings in a database accessible to the web site owner. However, the company doesn't send any monthly notifications or make the payments for half of the revenue as required by the contract. When the web site owner finally tries to contact BET/nSphere by e-mail, the messages about the missing payments are ignored, and even written invoices sent by certified mail are ignored.
Doing further investigation, the web site owner finds out that the official agreement has a fake address for BET/nSphere – 100 Franklin Street, Suite 900 in Boston is actually occupied by a real estate investment company. This is why the mailed invoices were ignored. Everything about BET/nSphere is fake. The Better Business Bureau does not have any information about BET or nSphere, but they mention that the address had come up before as a virtual office. Web site owners who forget that they redirected their localmarket subdomain may continue being victims of the scam for a long time.
Web site owners are sometimes also cheated by companies that offer to pay commissions for sales or referrals from web page advertising. The web site owners lose money if the advertisers underreport the number of referrals or sales. It is not unusual for web site owners to complain that after hundreds of thousands of web page impressions the advertising company reports no sales, and therefore no commission. The web site owner cannot verify this because all the sales monitoring is done by the advertising company.
You are likely to suffer some financial losses when you provide account numbers or personal information to a scammer. Prepaid card services like the Green Dot MoneyPak are popular because they can be bought at thousands of pharmacies and convenience stores nationwide and the funds are instantly available without transaction fees after you buy the card. People use MoneyPak to pay for telecommunication services, credit card bills or to transfer money to PayPal accounts to buy merchandise on the Internet. MoneyPak works like a debit card without the need for a bank account. To pay for a service, you only need to logon to the merchant that you want to pay and provide the MoneyPak number, but if you give your MoneyPak number to a scammer, he can buy whatever he wants with your money, and your account will be empty when you try to use it. Too bad!
By this time, you know that you should not provide personal or financial information to someone you don't trust. However, some offers don't ask you for this information, they only request that you call to find out about the details of the prize that you have won or the great business deal that they offer. Beware! The area codes 284, 809 or 876 correspond to Jamaica, the Dominican Republic or the British Virgin Islands. These calls may cost you from $1.49 to $3.99 dollars per minute because they function like the American "premium rate" lines that use the 900 area code without the need of dialing 011 for international calls. Calls from the USA to Canada also look like regular long distance calls, but the rates are higher. The high rates are split between the phone companies and the people who operate the lines. The purpose of these scams is to keep you on the phone as long as possible to maximize the amount that you will pay. The operator may chit-chat or put you on hold for a long time. You will find the charges when you get your phone bill, and the phone company is not likely to cancel the charges because you dialed the foreign number willingly. Before calling an unfamiliar area code, make sure that it is not a foreign country code.
Bait and Switch
A bait and switch scam consists of presenting an expensive item at a bargain price. When a customer tries to buy it, he is told that the item is no longer available, but an equivalent item can be bought for a slightly higher price. A customer who has spent time and money getting to the store has a choice to make: accept the item at a higher price or return home empty handed. Sometimes, a lower quality item is wrapped up without any notification; the customer may not discover the switch until he comes home and opens the package. This happens more frequently when ordering merchandise from mail order catalogs and the shipper substitutes an item. The cost and hassle of mailing something back may be more expensive than accepting an unwanted item.
Bait and switch scams are successful when customers are not able to verify a claim that justifies a higher price, e.g., this ground beef is made from top sirloin and not chuck; this camera lens has internal components made of metal and not plastic; this light bulb will last 15 times longer than a regular bulb; this organic lettuce is more nutritious than regular lettuce. Who is going to check? How are they going to check?
Early in the 20th century, Charles Ponzi set up a fraudulent investment operation where he paid dividends to investors from their own funds or from money paid by subsequent investors, rather than from any actual profits from any investment. People were lured to invest in the scheme with promises of high return rates and reliable payments. The scheme collapsed in 1920 from lack of new investors, depletion of the investment capital, and withdrawal of funds by the promoter. The high notoriety of this crime established the name of "Ponzi scheme" for this type of fraud. Ponzi's shenanigans brought down six Boston banks and ruined many families. Ponzi was deported to Italy after spending some time in prison.
Bernard Madoff perpetrated the largest financial fraud in the history of the United States. Madoff was a stockbroker and investment advisor who started a Ponzi scheme in the early 1990s. Since Madoff was Jewish, many Jewish organizations wanted to invest in his funds, but he cheated all his investors equally. Madoff kept the scheme going by having a fund that consistently reported a gain of 11% every year for 15 years, but all the actual losses were hidden by co-conspirators who falsified financial records to deceive auditors. By the time that the scheme was discovered, Madoff had defrauded thousands of people and organizations of almost $65 billion dollars. Very little money was recovered. In 2009, at age 71, Madoff started serving a sentence of 150 years in prison.
List of suspicious transactions
If your transaction fits one of the descriptions below it could be a scam.
What is wrong with receiving a work-from-home offer? The prospective employer will ask for your name, address, picture ID, social security number, date of birth, and bank account numbers to send your paychecks and fill out tax forms. But if it is a scam, that information can be used to steal your identity and empty your bank account.
Medicare and Medicaid scams
Medicare and Medicaid are federal medical programs that serve millions of retired Americans and low-income individuals requiring medical assistance. In February 2012, Jacques Roy, a Texas doctor was charged with fraudulently billing Medicare and Medicaid $375 million dollars. The doctor sent recruiters to homeless shelters and paid $50 dollars to applicants that signed up as homebound patients requiring special care. The doctor then billed Medicare for unnecessary services. The scam was discovered after an audit found that Dr. Roy had certified more than 5000 patients in 2010 whereas the average for most physicians was only 104 such cases. You can help fight this type of scam by not signing any blank medical care forms and by reporting charges for services that you did not receive to the appropriate agencies.