Internet Fraud: Types, Techniques, and How to Stay Safe

Introduction to Internet Fraud

The sharp decline in prices of home PCs and the explosive growth of the internet have increased the number of online users considerably over the years. The eagerness to exploit advanced internet features for education, entertainment, communication, business, and scientific research has grown to a great extent. The elimination of geographical barriers is the greatest advantage provided by the internet, and it continually impels users to innovate newer methods to supplement tools used in daily work across all these fields. Email, chat rooms, message boards, and websites have created a new virtual society among internet users. Business decisions, information searches, and personal interactions have all become quicker and easier through these tools.

Crimes are inherent to every society, and the virtual society created by the internet is no exception. The same crimes innovated by criminals over the years in real-world society — including theft, burglary, larceny, fraud, embezzlement, extortion, sabotage, espionage, and kidnapping — are now being carried out by criminals operating online, with greater ease and on a larger scale, aided by the weapon of an invisible shield. At any moment, internet users risk falling victim to the fraudulent practices of malicious actors. Even PC systems themselves are not exempt, as they are frequently and aggressively attacked by malicious viruses. This became a serious problem with the proliferation of the technology in the late 20th century. (Internet Fraud)

Internet fraud thus refers to the use of internet tools such as emails, chat rooms, and websites by malicious users to attract and capture prospective victims through fraudulent practices. It encompasses any fraud scheme carried out by means of specialized knowledge and expert use of internet resources to solicit and persuade innocent victims to conduct fraudulent transactions or to transmit fraud proceeds to associated financial institutions. The internet's unique capabilities — sending electronic messages instantly to recipients worldwide with a single click, and providing ready access to website information from anywhere on earth — eliminate all geographical boundaries and make fraud easier to execute and harder to trace.

The same types of fraud that have long victimized consumers and investors in real-world business are now operating online in e-commerce. Online criminals exploit victimized consumers and investors by presenting fraudulent schemes through emails that closely imitate the products offered by legitimate e-commerce merchants. These schemes are made so attractive that gullible consumers and investors are easily persuaded to participate. The process not only harms individual victims but also erodes public confidence in legitimate e-commerce and online transactions more broadly. (Internet Fraud)

Types of Internet Fraud and Scams

Online auction sites frequently offer auctions and retail goods that are represented as high-value items; however, victims who send money receive nothing in return, or at best receive something worth far less than the amount paid. Many fraudulent schemes advertise online "work-at-home" business opportunities, initially requiring a security deposit. After collecting the deposit, the fraudsters never deliver the materials required to make the opportunity viable. Through identity theft and fraud — which involves obtaining and wrongfully using a victim's personal data — fraudsters manipulate records for economic gain. Illegal transfers of money and unauthorized use of credit cards via identity theft are common examples in this category.

In securities markets, fraud is visible through so-called "pump and dump" schemes. Fraudsters artificially inflate the prices of thinly traded stocks by disseminating false information, then immediately sell off their holdings before prices return to normal. Innocent buyers, persuaded by the scheme, purchase stocks at the inflated price and suffer losses when prices fall. Similarly, fraudulent short-selling or "scalping" schemes drive down a company's stock by spreading false negative information to cause a temporary price decline. Sometimes a combination of internet techniques and traditional mass-marketing methods such as telemarketing is used to victimize large numbers of buyers. (Internet Fraud)

Fraud involving the use of illegally obtained credit card numbers to purchase goods and services from legitimate e-commerce merchants is another common scheme. In one documented pattern, a consumer is lured by an advertisement offering attractive prices. When the consumer contacts the fraudulent seller, the seller offers to ship the item before receiving payment. Once the consumer agrees, the seller uses the consumer's real name combined with a stolen credit card number belonging to another victim to purchase the item from a legitimate website. After the item ships, the consumer — convinced the transaction is legitimate — sends payment to the fraudulent seller, thereby becoming a victim.

In some cases, websites have provided misleading information purporting to offer quick online divorce proceedings via email exchanges, even without the physical presence of the spouses. After the victim pays the specified fee, the fraudsters send forged legal letters stating that a divorce has been granted, victimizing gullible clients. (Internet Fraud)

Because the internet is global in nature, internet fraud is not limited to any particular region or country. It victimizes users across borders and geographical barriers alike. The FBI reported that complaints of internet fraud soared to 48,000 during 2002, mostly concerning auction fraud, non-delivery of promised merchandise, credit card fraud, and fake investment schemes. Total reported dollar losses amounted to $54 million during that year. (Internet Fraud Rises in 2002)

These documented losses are believed to represent only a fraction of the crimes actually occurring. In addition, approximately 37,000 additional complaints were received by the FBI in 2002 that, while not classified as outright fraud, involved activities such as unsolicited email (spam), illegal child pornography, and computer intrusions. Complaints were received primarily from California, Florida, Texas, and New York, as well as from Canada, Australia, Britain, Germany, and Japan. Auction fraud accounted for 46% of total fraud complaints, with an average victim loss of $320; identity theft cases averaged a loss of $2,000. The FBI also solved a case involving the online sale of computers that victimized 300 people with a total loss of $800,000 during 2002. (Internet Fraud Rises in 2002)

Identity Theft, Phishing, and Spoofing

One case from the same period involved the swindling of 700 people worldwide through fraudulent trade of computers, camcorders, and other electronics, with nothing ever delivered — a fraud totaling $922,000. The magnitude of the problem continues to grow. As the scope of e-commerce expands, internet fraud is expected to rise proportionately. Growing public awareness of resources such as the Internet Fraud Centre encourages victims to file complaints, bringing fraudulent methods increasingly to light. (Internet Fraud Rises in 2002)

Fraud and scams have existed in every society throughout history. A key characteristic common to schemes such as Ponzi or pyramid scams, get-rich-quick offers, and deceptive advertising is that they all succeed only with the willing — if unwitting — participation of victims. Every fraud begins when the schemer identifies a specific desire of the target — for profit, gratification, advancement, or anything else that can be used as bait. Where bank robbers once needed weapons and disguises for large hauls, internet criminals can now achieve their goals simply by obtaining personal information such as social security numbers or credit card numbers. (Fraud over the Internet: The Same Old Story, Different Medium)

"Identity theft" literally refers to crimes resulting from the illegal acquisition of another person's personal data — name, date of birth, driver's license number, financial information — and its wrongful use for personal gain. Unlike a fingerprint, personal data can be stolen and used by someone else. When the identifying information required by the internet falls into the wrong hands, it allows criminals to profit at the victim's expense. The consequences can be devastating, affecting bank accounts, credit records, employment, loan eligibility, and even resulting in wrongful arrests for crimes the victim never committed. (Fraud over the Internet: The Same Old Story, Different Medium)

Most internet fraud originates with spam mail, which includes unsolicited "junk" emails, Unsolicited Commercial Emails (UCE), fake commercial emails using phishing and spoofing techniques, and non-commercial chain letters with malicious hidden attachments. The FBI's Assistant Director of the Cyber Division, Jana Monroe, stated in a press release: "Bogus e-mails that try to trick customers into giving out personal information are the hottest and most troubling new scam on the internet." The two primary techniques used by internet criminals to steal personal data are phishing and spoofing. The fundamental requirement for both methods is convincing users that they are securely connected to a trusted website or receiving email from a trusted source. Using phishing, hackers imitate the addresses of legitimate companies and persuade people to share their passwords and credit card numbers. By purchasing domain names similar to those of trusted companies, hackers send out mass emails asking consumers to verify account information. (Identity Theft)

While most consumers recognize and ignore such bait, some are tempted into responding. Consumers who hold no account with the imitated company simply discard the message as junk mail. However, actual customers of the imitated company sometimes believe the email is genuine and respond. Phishers typically capture victim data through three methods: the victim replies directly to the phishing email providing account or verification information; the victim fills out an email form in response to the fraudulent message, automatically sending their data to the criminals' systems; or the victim is tricked into clicking a link that directs them to the phisher's website rather than the legitimate site. (Identity Theft)

These fraudulent emails contain requests such as "click here to update your account information." The linked website is crafted to appear virtually identical to a legitimate site — an online store, an ISP, or an auction site — making it extremely difficult for ordinary users to distinguish the fake from the real, leading them to execute transactions believing them to be routine. Recent examples of phishing domains used to target eBay customers include "ebay-verification.net," "change-ebay.com," and "ebayservices-cancelorder.cjb.net." The fraudulent URL "paypalsys.com" has similarly been used to scam PayPal customers. Major companies targeted by phishing have included AOL, MSN, Earthlink, Yahoo, PayPal, eBay, Best Buy, Discover Card, Bank of America, and Providian, among others.

Spoofing is another method used to convince email users to provide personal data. In this technique, the header of an email is falsified to make it appear to have originated from a different source than its actual origin. In 2003, criminals spoofed emails to use the FBI's site address, sending messages under the subject line "Mass theft of debit cards" and encouraging users to provide their personal information to prevent "any fraud operations with the Account." (Identity Theft)

With phishing, the destination of a reply email is hidden, and through clickable links, victims' personal information is transmitted instantly to the fraudster's server. To avoid falling victim to phishing and spoofing, users should never send sensitive personal information by email. It is also wise to be suspicious of any message that prompts entry of a password or financial information via an email form. Spam is so prevalent that at least half of all emails are estimated to be spam or UCE. It can be very difficult to identify spammers after receiving spam mail, as some spammers install hidden software enabling remote access — typically on always-on broadband computers — and use those machines to send spam, concealing their own identities. (Identity Theft)

Combating email fraud is not always possible due to jurisdictional limitations. Awareness and common sense remain the user's best defenses. To deal with spam, it is advisable never to open suspected spam messages — simply delete them unread. Even opening a message confirms to the spammer that the email address is active. Operating two separate email addresses — one for trusted contacts and one for general use — is a prudent practice. Signing up for free email accounts increases exposure to spam; checking the privacy policy before registering is recommended. When signing up for online services, users should always select the option to decline sharing of their email address. Care should be taken when posting an email address on the internet, as spammers use web crawlers to harvest addresses. Tricks such as rendering email addresses as image files, inserting spaces between letters, or making addresses non-clickable can help keep them human-readable but immune to automated crawlers. (Internet Scams — High-Tech Confidence Games)