Although the U.S. government’s economic stimulus package hasn’t even gotten out of Congress, scammers aren’t waiting; they’ve launched multiple campaigns that tempt users into revealing personal information, a security researcher warned today.
One spam-and-scam example, said Dermot Harnett, a principal researcher at Symantec Corp., poses as a message from the Internal Revenue Service, and claims that the recipient qualifies for something called a “stimulus payment.”
“After the last annual calculations of your fiscal activity, we have determined that you are eligible to receive a stimulus payment,” the bogus e-mail reads.
The message then tells the user to download the attached document, supposedly a form that must be submitted to the IRS.
The document, in fact, is an identity-stealing tool that asks users to provide personal information, much or all of it data that the actual IRS would presumably have on file, said Harnett.
Another stimulus-related spam campaign Harnett has monitored touts “economic stimulus grants,” and tempts the unwary with a link that offers fake testimonials.
“I found the grant I needed and filled out the forms and sent them in, and in about two weeks I received a check in my hand for $100,000,” one reads.
“This one takes people to a marketing type of site,” said Harnett, “and after it asks them to answer a few questions, including salary range, e-mail address, mailing address and date of birth, it promises to send out a CD that shows you how to claim one of these grants. They’re building up their files on people.”
Another twist: The CD comes with a postage and handling charge, which the scammers use to collect credit card information.
It’s no surprise that such spam is circulating, said Harnett. “People often have news alerts set from various organizations, so they expect to see subject lines about the stimulus package,” he said, noting that the tactic of using current events is nothing new.
Given that stimulus scams cranked up as long as two weeks ago – and President Obama’s $900 billion plan isn’t slated to come to a vote in the U.S. Senate until later today – “they’re ahead of the game,” said Harnett.
ID theft protection services
With identity theft becoming so rampant and sophisticated, how do you protect yourself?
Some credit bureaus and banks that facilitated the spread of easy credit – and in the process unwittingly made identity theft a more profitable crime – now sell services to help you avoid having your identity pilfered.
For $10 to $20 a month, a company such as LifeLock or TransUnion will monitor your credit reports, alert you if anyone opens an account in your name, and help you recover fraudulent charges.
But you can do many of the things these services offer to do, at no cost except for the effort.
To assess the paid services, we signed up with six leading firms. Even services that worked as advertised weren’t comprehensive.
Only two – Suze Orman’s Identity Theft Kit and Identity Guard – offered protection for anything beyond financial fraud. Using any of the services is better than doing nothing, but you may still have to work to safeguard your identity.
Monitoring Your Credit
The keys to your financial identity jangle in the pockets of the Big Three credit bureaus: Equifax, Experian, and TransUnion. When you apply for a credit card, sign up for a wireless plan, or apply for a job, the company you’re trying to do business with is likely to request a copy of your credit report.
If anyone steals your identity, that person’s bad behavior goes on your report, hurting your chances for a loan, a phone, or a job.
You can get a free credit report from the Big Three. You also qualify for a free copy if you’ve recently been denied credit or if you’re an identity-theft victim.
The bureaus make no money by supplying free credit reports, but they make a lot of money–more than $1 billion annually, according to Javelin Strategy and Research president James Van Dyke–by selling credit-monitoring services.
For $5 to $20 per month, a credit-monitoring service will alert you whenever your report changes. If a thief opens new accounts in your name, you’ll usually find out within a few days. Most monitoring services offer online credit reports, online credit scores (showing your chances of obtaining credit), and tools for managing and improving your credit rating.
But a credit-monitoring service won’t tell you if someone steals your credit card and runs up huge bills; for that you must check your monthly billing statements. Furthermore, if you receive an alert about a dubious inquiry, you’ll have to identify it as bogus and contact the credit bureaus on your own.
Our real-world tests of two major credit-monitoring services yielded mixed results.
First we signed up for TrueCredit’s three-in-one monitoring service, which promises to deliver e-mail alerts from all three bureaus for $15 a month. The first two times our tester tried to open a new credit account, TrueCredit failed to issue an alert. A third test a month later was more successful.
“The likely explanation is that [the bureaus] had not yet completed the processing required on their end by the time the first two inquiries were made,” says Steve Katz, a spokesperson for TrueCredit’s parent company, TransUnion.
Using TrueCredit was truly annoying in other ways. Whenever we accessed our account or received an e-mail alert, we had to wade through advertisements for credit scores, low-cost credit cards, and other services.
We had better luck with Identity Guard, whose parent company, Intersections, provides identity-theft protection sold through Citibank, Equifax, GE, and other firms.
We signed up for Identity Guard’s $17-per-month Total Protection plan–which provides credit monitoring, credit scores, security software, and public-records searches that identify names, addresses, and property associated with your identity, along with things like licenses, tax liens, and criminal convictions–and it alerted us to every change made in our credit reports.
Unfortunately, we found Identity Guard’s interface confusing and its customer service line unhelpful.
One particular annoyance: Our account page advertised services already covered under the Total Protection plan, inviting unwary consumers to buy the same services twice under different names.
Tim Walston, a senior vice-president for Intersections, explains that the ads are provided for people who may want to obtain fresh reports between Identity Guard’s quarterly updates.
When Fraudsters Attack
If credit monitoring is a burglar alarm that goes off when someone steals your identity, a fraud alert is a deadbolt that prevents break-ins.
At least, that’s how it’s supposed to work. By law, you can place a temporary fraud alert on your credit report, requiring lenders to verify your identity before issuing credit in your name.
And if you tell one credit bureau to set up a fraud flag, it’s obliged to notify the other two. But such alerts expire after 90 days. To address the lapses in coverage, companies such as Debix, LifeLock, LoudSiren, and TrustedID will renew alerts every three months for $9 to $13 a month.
These services set their alerts in different ways. LifeLock and TrustedID contact the bureaus and set the alert. Debix (which powers LoudSiren) provides its own contact number for lenders. When a creditor calls the number, Debix’s automated voice network calls your phone and lets you approve or deny the transaction by entering a PIN. Debix can call up to three numbers until it finds you.
But in real-world tests, our results varied widely. After signing up for TrustedID, one of our testers applied for instant credit at The Gap. Store employees saw the fraud flag, called the Gap’s internal credit division (operated by GE Money Bank), and put our tester on the phone to answer multiple-choice questions about his finances.
Another tester signed up for LifeLock and applied for a card at a different Gap store; he was granted instant credit after showing the store clerk his driver’s license. In that case, LifeLock CEO Todd Davis admits, the fraud alert did not get set on the date it was requested. After requesting the alert a second time, our tester applied for another card and was asked to verify his identity more stringently. Davis adds that, either way, our tester would have been protected by LifeLock’s service guarantee (see “The ‘Million Dollar’ Question”).
In our in-store Debix test, the creditor verified our tester’s identity by putting him on the phone with the store’s credit department, bypassing Debix’s automated system.
According to Julie Fergerson, Debix’s vice president of emerging technologies, “80 percent” of creditors call Debix to verify transactions–but they are not under any legal requirement to do so. Creditors can verify your identity in other ways, such as by sending a letter that asks you to mail them copies of W-2 statements, utility bills, or other documents.
In rare instances, creditors may issue credit without bothering to check your report. That seems to be what happened to Davis, who gained notoriety by publishing his Social Security number on LifeLock’s home page and daring anyone to steal it. A Fort Worth, Texas, man promptly used Davis’s identity to obtain a $500 loan. Davis says that many low-amount lenders don’t pull credit reports, which is why the Fort Worth creditor didn’t see the fraud flag that LifeLock had placed on its CEO’s credit report.
“This person would have been able to get the loan no matter what form of protection was in place,” says Mike Prusinski, LifeLock’s vice president of communications. “As soon as Todd was aware of the problem, he reported it to LifeLock–and the remediation services investigated, found the source of the identity theft, stopped additional attempts by this same person to buy cell phones and other goods, and prevented any other consequences from the identity theft such as damage to a credit score.”
In February, Experian sued LifeLock, claiming that federal law prohibits corporations from setting fraud alerts for consumers, and calling LifeLock’s marketing practices fraudulent.
“LifeLock claims it can prevent identity theft, but that’s simply not true,” says Experian spokesperson Rod Griffin. “By the time a credit report has been pulled, the person’s identity has already been stolen. It gives people a false sense of security.”
Davis says he can’t comment on an active lawsuit but would “welcome the chance to work out a business solution [with Experian] that will continue to protect consumers.”
Griffin won’t say whether Experian will take legal action against other fraud-alert firms. TrustedID CEO Scott Mitic notes that the law allows consumers or their “personal representatives” to set flags, and says that his company has a good relationship with the bureaus.
Debix pays one bureau for the right to set flags, Fergerson says, but she declines to identify which one. As we went to press, Identity Guard announced that it would stop setting alerts for consumers “because Experian asked us to stop,” says Intersections’ Walston.
Sources: Computerworld.com and PCWorld.com