Web Scams

by Gisle Hannemyr

This page is a collection of advice and links to online resources about web scams and Internet fraud (e.g. fake webshops, online banks and escrow services; advance free fraud, aka. Nigerian 419; and miscellanious financial frauds including high yield investment programs, ponzi schemes, and pyramids).

Don't be Bitten

The Internet makes it possible to play some strange identity games. For a fistful of dollars, anyone can set up a slick website and claim to be an attorney, bank, escrow agent, employment recruiter, lottery, parcel service, publisher, or webshop. And the game does not stop there - on the Internet, somone can claim to reside at the world's most exclusive addresses, from Amsterdam to Zürich, while in reality, that someone is sitting in a dingy internet-café in Lagos, Nigeria, buying Internet access by the half-hour.

Below are a list of some warning signs to look for, and some suggestions for things to check out, in order to identify possible scams and fake websites.

If it is too good to be true – it usually is. Be very suspicious of websites selling expensive brand name items at prices that no reputable store can match, investment schemes that “guarantees” double digit interest/yield, or lottery winnings and windfall inheritances that are offered you out of the blue.
Do not trust an email message just because it appears to come from a trusted source. It is very easy to fake or spoof an email. Do not respond to, or act on, information in an email without verifying that it is genuine. The contact information that appears in an email can be just as fake as the email itself. If you need to contact the sender of an email, make sure that you make contact through means of communication established independently (i.e. not through the URL, phone number, fax number or email-address listed in the spoofed email).
Don’t give personal information to people or companies you do not know. Be also very cautious if you receive a request for information (that appear to come) from people or companies you know, if the request in any way appear unusual. For instance, a reputable bank does not not send out an email form requesting all sorts off sensitive personal information from its customers. Be extra protective of account numbers, credit card numbers, CVC2/CVV2-numbers account names, passwords, PIN-codes, access codes, and social security numbers. Never respond immediately to a “security alert”, “work-at-home” offer, or similar, if the communication requests that you to give away personal information. Make sure to first check that the request is genuine and comes from a reputable source.
Email messages and insecure fill-in forms may be intercepted or eavesdropped. Never include sensitive personal information in an email. Before filling in a form with sensitive information (e.g. your credit card number), verify that the webpage with the form is secure.
Be wary of offers if there is a sense of urgency that you need to make the payment quickly (e.g. you are offered special discounts or free shipping, but only if you respond immediately).
If you are asked by a webshop to pay in advance for merchandise or services, you may be exposed to an advance fee fraud or non-delivery of merchandise fraud.
If a webshop insists that pay in advance for merchandise or services, but do not accept payment by means of credit card, or makes some excuse to prevent you from paying by credit card, it is likely that you are exposed to an advance fee fraud or non-delivery of merchandise fraud. The payment methods often used by for this type of fraud are MoneyGram or Western Union wire transfer, e-Gold, cashier's cheque, personal cheque, direct bank transfer to accounts in obscure banks in faraway places, or PayPal outside off eBay (for Paypal on eBay, see below). Common to all these payments methods are that they affords little or no protection to the consumer.
If a webshop or an online seller or buyer insists that payment and/or merchandise is routed through an escrow agent of their choice, you need to verify that the escrow agent is legitimate. There exists more than a hundred fake escrow agents whose sole purpose is to excute various forms of fraud.
Check if the site is listed in the fake website database. If it is listed, it is very likely that it is fraudulent.
If you have doubts about a site, ask a question about it in the appropriate aa419 forum. You will usually have an answer within 24 hours about whether the site is trustworthy or not.
Use Google (or your favourite Internet search engine) to search for the site's name. Also try to search for the name in combination with such terms as fraud, fake or scam (example: aigars scam).
If the site claims to be a major company, (e.g. “leading in the electronics business”), but a Google search finds nothing on them except the website itself, there are grounds for caution.
Check the site's registration data: Enter the domain name of their web site (omit http://www. and other prefixes from the URL) into the WHOIS form on NetworkSolutions.com. You can see who has registered the domain name and how long it has been online. Registrations with no, or fake, contact information, or very recent registrations (in particular if the site claims to have been around for a long time) are grounds for caution.
Check the site's physical address and telephone numbers against yellow pages or similar directories. If no such company is listed, or if the phone numbers are unlisted or belong to some other company, the site is probably fake. If it is impossible to get through to a person in the company on the phone, that is another bad sign.
Be wary of companies/sellers who communicates through free e-mail services (e.g. hotmail, gmail) that can be set-up without any proof of identity being required.
Scammers often pretend to be a legitimate company and may suggest that you verify their identity by looking up the company in some official directory. Please note that while the address and other details they use may be valid and belong to a reputable company – this does not guarantee that the person you are dealing with is actually working for that company, or is entitled to represent it.
Some fake websites misuse seals or logos from SSL certification companies such as Verisign, Thawte or TRUSTe. If a site uses one of these seals, click on it to see if a valid certificate (example) is displayed. The following indicates a fake seal:
1. The seal is not clickable.
2. The certificate shown when you click on it belongs to a different site.
3. The URL-address of the seal does not start with https:.
A fake seal means that the site itself is fake. Always report seal misuse to the seal owner.
Be very careful with what type of store you give your credit card number. If the store is recently registred in WHOIS, is not listed as reputable if you search using the “store ratings” search box at resellerratings, offer goods or services very cheap or “free”, require your credit card number for other purposes than payment (e.g. to verify that you are over 18 years old), or the store itself appear to be engaged in criminal activity (e.g. selling pirated software or stolen merchandise), you should not give it your credit card number. Many such websites exists, and their main purpose is to steal credit card numbers and then sell these numbers and its associted identity to criminals.
If you receive payment for an item sold over the Internet by cheque, verify that the cheque is genuine before shipping the merchandise. If the cheque you receive is for more than the amount asked (for whatever reason), you may be exposed to a cheque overpayment scam.
There exists a number of websites that run bogus contests for amateur painters, photographers, poets, etc. In these contents everyone is a winner, but winning has a strange twist: You have to pay to receive your prize. There is an up-front fee for everything: to attend the award ceremony, to receive a commemorative plaque, to subscribe to the anthology or catalog featuring your work, and so on. Other websites hand out bogus excellence in business awards, publish a Who's Who-knockoff, or some other type of directory or catalogue. Common to all are that the award or publication is unrecognized, and that your great “honour” will never heard off by others than those who pay the up-front fees.

And for good measure, here is some additional advice:

Don’t judge a company by their web site. It is very simple to set up a professional looking website with impressive credentials simply by stealing the overall design, graphics and contents from some other website.
There exists a large number of fake business directories and “consumer watchdog” sites on the Internet. Scammers sometimes register a fraudulent site at these services and may even give it A+ rating by generating their own positive feedback. In itself, a listing or a high rating at an unknown website does not indicate that a site is honest and trustworthy.
Check out what an offer entails before making a decision to invest or purchase. Get all information about the proposal in writing and take time to review it before acting. You may also want to discuss it with a friend or your bank manager.
If you let someone else transfer funds through your bank account, or you set up a new bank account for others to use, you are probably set up to be the fall-guy in a criminal money laundering scheme. If yours is the name associated with the bank account, it is you the police will charge with any criminal activity associated with the account, and you will also be liable for any losses caused by such criminal activity.
Older people are particularly vulnerable to scams. Protect your older relatives and friends by sharing this information with them and by offering to review any deal or proposal they've encountered online or through email.
Currently, the safest way to purchase items via the Internet is by credit card. If the seller has acted fraudulent, you can dispute the charge when you receive your monthly invoice from your credit card company. Note: If you use your credit card to buy e-Gold, Western Union wire transfer, or other intermediate means of transferring money, you are not protected by your credit card's, or any other, buyer protection program.

eBay and PayPal

eBay is an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. eBay owns and operates its own system for payment, PayPal, and recommends that it is used for for all transactions resulting from activity on eBay.

Protection against fraud on eBay is very weak. While legitimate buyers and sellers make up the majority of eBay users, at any time there are also a number of scam artists operating on eBay. If you buy or sell goods on eBay, you need to do so with caution.

The main protection afforded on eBay is trough Paypal. eBay tells you that when you pay for goods using PayPal to transfer funds, your transaction will be “protected” by PayPal's Buyer Protection program.

However, this program is not very user friendly, nor is it fair. For starters, the fine print in PayPal's User Agreement (§ 13.3.a) sets a number of requirements a transaction must meet. All the requirements must be met, otherwise the transaction will not be covered by the Buyer Protection program. To be eligible for protection, you must:

Use PayPal to purchase an eligible item on eBay.
Pay for the full amount of the item with one payment. Items purchased with multiple payments like a deposit followed by a final payment are not eligible.
Send the payment to the seller through the eBay ‘Pay Now’ button, or the eBay invoice.
Open a dispute within 45 days of the date you sent the payment, and escalate the dispute to a claim within 20 days after opening the dispute.
Keep your PayPal account in good standing.

This is exploited by eBay scammers by using some ruse to get the buyer to pay into a different account than the account associated with the listing. In such cases, there are no protection for the consumer, and PayPal can (and will) refuse to cover the transaction. As PayPal do not require account holders to authenticate themselves, the owner of such accounts may not be possible to trace and any funds paid into them impossible to recover.

Being eligible for protection does not mean that PayPal will honour the protection. It only means that you will be permitted claim protection in cases of blatant fraud, limited to:

Item Not Received (INR); and
item Significantly Not as Described (SNAD).

Whether such a claim will be honoured is entirely up to Paypal, and PayPal does not have a good track record about honouring claims that may cost PayPal money.

For example, counterfeit goods abound on eBay, and PayPal actually claims it protects the buyer against this. I.e. it says that the SNAD clause apply if: “The item was advertised as authentic but is not authentic.” (see Paypal's User Agreement § 13.7.)

However, in the following case, involving a countefeit copy of Photoshop CS4, reported in a forum message by newbie@pcworld, PayPal flatly refused to honour the Buyer Protection, citing the following reason:

“Our investigation into your claim is complete. As stated in our User Agreement, the claims process only applies to the shipment of goods. It does not apply to complaints about the attributes or quality of goods received. Therefore, we are unable to reverse this transaction or issue a refund.”

If you are an eBay seller and accepts payment through PayPal, and a customer disputes the charge, PayPal response is usually to freeze your funds and suspend your account until the conflict is resolved by independent means. There is an anti PayPal-site that campaigns against this practice.

The problem with PayPal, from a user point-of-view, is that the any dispute is in the end to be decided by PayPal. However, in many cases, PayPal seems to be uninterested in making any effort to investigate anything or to resolve the dispute. Instead, PayPal may opt to freeze funds and suspend accounts in order to make life miserable for both parties – perhaps hoping that this will motivate them to come to an agreement that does not cost PayPal anything (work or money). If the conflicts drags on, and it becomes appearent that it will be impossible for PayPal to recover the disputed funds, the User Agreement gives PayPal the option to unilaterally close the case without honouring any claim. At least in some cases, this is the route that PayPal will opt for.

Funding a PayPal transaction with a credit card may give the buyer a little better protection. Because PayPal is owned by, and “part of”, eBay, most credit card companies will in this situation view PayPal as the merchant. This means that PayPal may be forced by the credit card company to accept a chargeback in cases where the merchandise is counterfeit, damaged or not delivered.

(I guess that forcing PayPal to accept a chargeback is one of the things that will result in your PayPal account being considered not in good standing – so make sure you have no funds deposited with PayPal if you try this.)

If You are Bitten

If you've become aware that you have been tricked to participate in a money laundering operation, or you yourself is the victim of an online scam, your should always start by reporting the crime to your local police. Do not waste time trying to contact law enforcment at the place of business given by the fake website itself. It is probably just as fake as the site. Your local police should be able to give you advice of what other steps you may need to take, and also coordinate the investigation with foreign law enforcement.

After reporting it to the police, you may want to do the following to get the fake site taken of the net and stop others from being scammed:

If the fake website uses the seal of an SSL certification company such as: Verisign, Thawte or TRUSTe, you should report seal misuse to the seal owner.
Contact the Internet Service Provider (ISP) and Internet Registrar of the fraudulent website and inform them of the fraud. If you do not know how to find out who the ISP and Registrar is, ask for help in the appropriate aa419 forum.
If the fraudulent website is not listed in the aa 419 fake website databse, you should report it to make sure it is listed. The simplest way of getting it listed is to report it in the appropriate aa419 forum.

Dealing with Your Loss

Internet scams are operated by dangerous criminals. If you are scammed, you should never try to handle the situation yourself. As soon as you realize that you are involved with criminals, you must report it to your local police. Ask for, and follow, their instructions. Under no circumstance should you maintain communication with, or agree to physically meet, the criminals. Such communications or meetings may lead to further monetary loss, extortion, physical violence, or even murder.

In many scams, the setup cleverly involves the victim in some criminal activity, such as money laundering, tax evation or financial fraud. By setting the scam up this way, the con artist hopes to dissuade the victim from contacting the police. Do not fall into their trap. In such cases, you've probably been set up to be the “fall-guy”. The best defense is a good offense: Go to the police before they come for you.

Be extremely wary of any organization or individual that claim to be able to help you recover your loss or part of it. Such claims are usually fraudulent and money paid for such “help” will also be lost.

Following the Money

The police has some means to “follow the money” involved in web scams:

Western Union has been required to maintain records of pay-outs. If Western Union wire transfer has been used to transfer money across borders, this information can be obtained through the use of a subpoena or court order.

Con artists that maintain web sites posing as shops, banks and escrow agencies need to register the Internet address of these web sites with an Internet Registrar. The sites themselves must be hosted by an Internet Service Provider (ISP). While the names and addresses that can be extracted through an WHOIS Search may be as genuine as a four pound note, the services that Internet Registrars and ISPs provide must be paid for. Again, by use of subpoena or court order, law enforcement can gain access to financial records that show who paid for those web sites.

However, tracking down the real criminals is not an easy task. They hide behind stolen identities and “mules”. (A “mule” is in this case a stooge hired as a local “accountant” or “representative” that handles the money laundering and setting up Internet services without knowning that their work is part of a scam.) To see behind the smokes and mirrors of stolen identities and local dupes, law enforcement need to piece together many different pieces of evidence, spanning jurisdictions, technologies and organizations.

Link farm

Law Enforcement and other GOs

Federal Bureau of Investigation (US): Internet Fraud
FBI & NW3C (US): The Internet Crime Complaint Center
Federal Trade Commission (US): Diploma Mills: Degrees of Deception
Post & teletilsynet (NO): Nettvett (Norwegian)
Metropolitan Police London (UK): Fraud alert - 419 fraud
Postal Service (US): Looks Too Good To Be True.com

Consumer Groups, Services and other NGOs

Anti-Phishing Working Group: Home Page
Artists Against 419: Fake Banks and Other Scams (forum and db)
BankSafeOnline.org.uk: Money Mules Explained
Crimes of Persuasion (Les Henderson): Schemes, Scams, Frauds
eBay (Jenny Lake): 13 Red Flags to look for on eBay
eBay: Spoof email tutorial
eConsumer.gov: One stop shop for cross-border e-commerce complaints
Escrow-Fraud.com: Stop Escrow Fraud
Firetrust: Anatomy of a Chinese scam
Fraudaid (Annie McGuire): Fraud Victim Assistance and Education
Fraudwatchers: News portal about online fraud
iDeceive: A Spotlight on Deceptive Internet Practices (blog)
Netcraft: Phishing and bank-fraud detection
PayPal: Protect Yourself from Fraudulent Emails
Phishtank: Phishing Database
Quatloos: Financial & Tax Fraud Education
ResellerRatings: WebShop Review Database
ResellerRatings: Online Scam Stores
RipOffReports: Reports from dissatisfied customers (forum)
Scam.com: All types of scams (forum)
Scambusters: Internet Scams (news)
ScamPatrol.org: Internet Scams (forum)
Spamhaus: Online Scams FAQ
SSL.com: How can I tell if a web page is secure?

Report Fraud and Seal Abuse

FBI & NW3C (US): The Internet Crime Complaint Center
Thawte: Trusted Site Seal
Verisign: Report Seal Misuse

Articles

Dhamija, Tygar and Hearst: Why Phishing Works (pdf)