A New Twist on Bank Account Scams
Two of my more popular recent hubs have been "I Just Won the Lottery", in which I described receiving a $2,950 check for winning a lottery which I had never heard of, let alone entered, and "Money Laundering Jobs Aplenty", in which I described the process by which scam artists are successfully recruiting honest citizens to unknowingly help them move their ill-gotten gains abroad.
While both have been popular, the lottery one has attracted the most people, probably because that scam has been increasing lately and, as I considered doing, people are tempted to try to scam the scammer by cashing the check and ignoring the rest of the instructions. But that sounded too easy and, upon further investigation, I was able to discover how the scam worked and then wrote and published the lottery article on HubPages. Based upon the comments I have received to date, a number of people have received similar checks and, upon attempting to verify the legitimacy of the lottery on the Internet, have discovered my article and avoided losing their money.
Well, here is a new scam I encountered the other morning in my email. By now everyone should be on to the fake emails from their banks asking them to click on a link and verify their account information. The criminals running this scam have recently been doing a very good job, not only making the email itself very professional and authentic looking but also making the forged bank web page that they take you to look real. Of course they ask you to sign in with your user name and password, which immediately provides them with access to your account.
Well, this particular morning when I opened my email at work there was one from a local Credit Union asking me to answer a 5-question survey and, in exchange, they would credit my account with $20. It looked very professional, right down to the Credit Union's exact logo with the registered trademark symbol next to it. Two warning flags went up in my mind immediately: first, I don't have an account with that institution and, second, even if I did have an account with them, I never use my work email for personal business. The email was obviously generated from some general mailing list and they were just using a shotgun approach by randomly targeting people in the city where the credit union is located in hopes of reaching people with accounts there.
I was curious about both the survey and how long the page would last. Since I had just received the email, I suspected the scam was fresh. Based upon my experience in checking the money laundering scam, I knew that these web pages usually lasted 2 to 3 days before they were tracked down and knocked off the web. So I proceeded by clicking on the link for the survey. I was taken to another very professional-looking page. The survey itself was short but the questions were believable. However, there were some warning flags. My first question was: why wasn't I taken to a page where I could log in to my account? After all, I am supposed to have $20 credited to my account for taking this survey, but here I was being asked to take the survey from a regular web page with no way for them to know what account to credit the $20 to after I completed the survey. I had my answer when I looked at the bottom of the page and saw that they were asking for my user name, password and PIN number for my bank account. They also asked for my name, debit card number, card expiration date, 3-digit ID from the back of the card and the PIN number for the debit card. All of this on an open and unsecure web site.
The link that I had clicked on was what looked like the credit union's real URL; however, the URL that appeared in the address line of the survey page was entirely different: http://sfs.nges.ylc.edu.tw/.survey/index.htm. Not only was this URL entirely different from the one that I had clicked on, but the .tw that appeared just before the first forward slash after the host name is the country code for Taiwan (see my Hub entitled Cyber Geography – Internet Country Codes Explained for an explanation of Internet country codes). After highlighting and deleting the /.survey/index.html portion of the address on my browser, I hit the Go button and found myself on a site written in Chinese.
From the time I first opened the email, there was no question that this was a scam. But it was a very good one and probably duped more than one person. However, the good news in this was that when I tested the link again before leaving work, it just returned an error message indicating that the site was unavailable. Going to the credit union's real site I saw that an announcement had been posted warning people about the scam. Previously, these fraudulent sites that I have checked remained operational for a day or two, but this one was out of business in a little over nine hours between the time I received the first email and when I checked the link at the end of the day. Obviously some customers had called about the survey, thereby alerting the credit union's security officials that something was amiss.
While people are catching on to these scams and security people at the affected companies are increasing the speed at which they discover and disable these fake websites, it is still the individual who ultimately makes the decision to either react with their emotions and greedily go after the promised quick cash or react with their minds by assuming that if it appears to be too good to be true it just might be too good to be true. This particular scam was a little trickier than usual since compensation for surveys is a very common and very legitimate practice on the Internet. However, the tip-off here was their asking for account access information and debit card information. As a supposed customer of that financial institution, all they would have needed was the account number of the account to which I wanted them to post the $20 reward. They do not need my user name and password or my debit card PIN in order to differentiate the account of one John Smith from that of another John Smith. This should have raised questions even if the target of the scam had never bothered to read any of the plentiful signs, warning notices, etc. that financial institutions, the police and various consumer education organizations constantly post informing people that financial institutions NEVER telephone or email people asking for this information.
If there is ever any doubt about the authenticity of any email from your financial institution that asks you either to click on a link and sign in to your account or to provide any information about your account, all you have to do is either call your financial institution, using a phone number from the phone book or an account statement from the institution (again, NEVER call the number on the email), or open a new browser window, type in the institution's log-in URL and sign in to the website. Once logged on to the legitimate site of your financial institution, you should see either a notice announcing the promotion or whatever was announced in the email, or a warning that the email was a fraud. If there is no mention of the promotion or email announcement, you can be fairly certain that the email is a fraud, and a phone call or an email to the institution using the Contact Us link on the site is in order.
© 2007 Chuck Nugent