
Welcome to the ProtectMyID Blog

Lessons and stories from the front lines of fighting identity theft.


Internet Honesty is Not Required

Mar 24

Rex Davis, director of operations, Identity Theft Resource Center

During the past few years there has been more and more public focus on Internet safety, a major component of computer safety. And you can be certain that criminals are continuously working on new ways to attack your computer to get personal information, which can then be used to steal from you, the consumer. The ITRC Fact Sheet 119 – Direct Connections to the Internet and similar publications from other agencies point out the computing threats that are most prevalent, and how to counter those threats using firewalls, automatic updates, good antivirus software, spam filters and so on. Certainly from time to time we will see exploits against the consumer that are newsworthy, and a few of these will command a change in the way that we, as consumers, individually protect ourselves. However, in most cases, the required corrective actions will be taken by Microsoft, the anti-virus companies, the anti-spam community, and a large number of other network and server infrastructure companies. Our job as consumers in many of these new exploits will often be to keep our patches and anti-virus definitions up to date.

However, there is a method of attack which works all too well, and which we encounter in our work at the ITRC quite often. In general, it does not have to do with how well we keep our PC systems updated. The Identity Theft Resource Center victim advisors deal with approximately 1000 consumer/identity-theft victim calls per month. It is apparent to us, as we work with identity theft victims, that “Social Engineering” is alive and well, and being used in a stunning number of ways to rip off unwary citizens.

“Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques,” according to the Wikipedia entry contributed by Joan Goodchild. At ITRC we constantly see the results of people being led into taking action or giving up information because they were lied to in a manner that either made the lie believable, or made the victim want to believe in the lie.

Online meetings, emails, texting, and chat-room connections are used again and again to promote a “love relationship” where the hidden (but very real) agenda is to extract money from the victim under the pretense of being a lover.  Our very human need for love and relationships is used to convince us that we are special, and with just a little help (meaning money) our new partner will be able to join us, or spend more time with us, or something similar.  In the meantime, we need to continue sending money to help our new love partner deal with seemingly ever-increasing problems.  And, it is all a lie.  As our wise victim advisor Wilma says: “Honey, if you want to meet a nice girl, go to church!”  Unfortunately, we are painfully aware that this approach really does work well.  It often separates the victim from tens of thousands of dollars.

With the increase of “Social Networking” come even more opportunities for “Social Engineering.”  Facebook, MySpace, and other social networking sites are often the target of account takeover.  The criminal, in one manner or another, gains legitimate access to the password of the victim’s social networking website.  The crook then changes the password, thus preventing the real owner from gaining entry.  At first glance, you might say “so what.”  But the perpetrator is very busy sending out a very persuasive email to all those people on the “friends” listing.  This email usually indicates that the owner of the site is in a foreign country and has encountered some trouble.  The email will implore all the good friends of the account owner to wire some cash to a foreign address to help out, telling the friends that the money will be paid back immediately upon return to the U.S.  Sometimes people react and wire the money, never thinking to check with the account owner to verify the situation.

Certainly we have to exercise care in keeping our computers safe. But as “cyber citizens” we also need to gain a mental edge that makes us wary and suspicious, particularly of those we meet on the Internet. The Internet is worldwide in nature, with very limited legal oversight. To stay safe when using the Internet, we must be skeptical of the information provided to us, and always find ways to independently confirm who we are working with, and what they represent. Don’t put your money down until you have independently verified exactly who is on the other end of the “wire”.

1 Comment

  1. Eric D
    Mar 30 at 15:58

    I’ve noticed an increase in “social engineering” specifically through Twitter. I receive notes through Twitter at least once a week from “long lost friends” that I’ve never heard of. These notes ask me to join their Twitter feed too.

    The most concerning thing about Twitter, though, is that ANYONE can follow you. There is no “accept friend request” feature like on Facebook. To avoid having potential criminals learn more about you, it’s wise to “prune” your Twitter follower list and keep only those you know and have relationships with.

