FBI Says Web "Spoofing"
Scams are a Growing Problem
Washington, DC - The
FBI, in conjunction with national Internet service
provider Earthlink, the Federal Trade Commission,
and the National Consumer's League, began an initiative
today to raise awareness about the growing problem
of web spoofing scams and to give consumers and
businesses important tips on how to protect themselves
from these scams.
According to Jana
Monroe, Assistant Director of the FBI's Cyber Division,
"Bogus e-mails that try to trick customers
into giving out personal information are the hottest,
and most troubling, new scam on the Internet."
The FBI's Internet
Fraud Complaint Center (IFCC) has seen a steady
increase in complaints that involve some form of
unsolicited e-mail directing consumers to a phony
"Customer Service" type of web site. Assistant
Director Monroe said that the scam is contributing
to a rise in identity theft, credit card fraud,
and other Internet frauds.
or "phishing," frauds attempt to make
Internet users believe that they are receiving e-mail
from a specific, trusted source, or that they are
securely connected to a trusted web site, when that
is not the case. Spoofing is generally used as a
means to convince individuals to provide personal
or financial information that enables the perpetrators
to commit credit card/bank fraud or other forms
of identity theft. Spoofing also often involves
trademark and other intellectual property violations.
In "E-mail spoofing"
the header of an e-mail appears to have originated
from someone or somewhere other than the actual
source. Spam distributors and criminals often use
spoofing in an attempt to get recipients to open
and possibly even respond to their solicitations.
is a technique used to gain unauthorized access
to computers, whereby the intruder sends a message
to a computer with an IP address indicating that
the message is coming from a trusted port.
involves altering the return address in a web page
sent to a consumer to make it go to the hacker's
site rather than the legitimate site. This is accomplished
by adding the hacker's address before the actual
address in any e-mail, or page that has a request
going back to the original site. If an individual
unsuspectingly receives a spoofed e-mail requesting
him/her to "click here to update" their
account information, and then are redirected to
a site that looks exactly like their Internet Service
Provider, or a commercial site like EBay or PayPal,
there is an increasing chance that the individual
will follow through in submitting their personal
and/or credit information.
According to Assistant
Director Monroe, the FBI's specialized Cyber Squads
and Cyber Crime Task Forces across the country are
zeroing in on the spoofing problem. The FBI's Legal
Attaché offices overseas are helping to coordinate
investigations that cross international borders.
The IFCC has received complaints that trace back
to perpetrators in England, Romania, and Russia.
The FBI is also working
actively with key Internet e-commerce stake-holders
such as EBay/PayPal, Escrow.com, and a variety of
Internet merchants via the Merchants Risk Council
to identify common traits of such scams, as well
as proactive measures to rapidly respond.
The FBI offers
the following tips for Internet users:
- If you encounter
an unsolicited e-mail that asks you, either directly,
or through a web site, for personal financial
or identity information, such as Social Security
number, passwords, or other identifiers, exercise
- If you need to
update your information online, use the normal
process you've used before, or open a new browser
window and type in the website address of the
legitimate company's account maintenance page.
- If a website address
is unfamiliar, it's probably not real. Only use
the address that you have used before, or start
at your normal homepage.
- Always report fraudulent
or suspicious e-mail to your ISP. Reporting instances
of spoof web sites will help get these bogus web
sites shut down before they can do any more harm.
- Most companies
require you to log in to a secure site. Look for
the lock at the bottom of your browser and "https"
in front of the website address.
- Take note of the
header address on the web site. Most legitimate
sites will have a relatively short internet address
that usually depicts the business name followed
by ".com," or possibly ".org."
Spoof sites are more likely to have an excessively
long string of characters in the header, with
the legitimate business name somewhere in the
string, or possibly not at all.
- If you have any
doubts about an e-mail or website, contact the
legitimate company directly. Make a copy of the
questionable web site's URL address, send it to
the legitimate business and ask if the request
- If you've been
victimized by a spoofed e-mail or web site, you
should contact your local police or sheriff's
department, and file a complaint with the FBI's
Internet Fraud Complaint Center at www.IFCCFBI.gov.