Hoaxes, Frauds and Scams

The dawn of the Internet Age has brought many new ways for businesses and their customers to interact. Many goods and services that, prior to the late 1990s, could only be purchased through personal visits to a brick-and-mortar business establishment can now be purchased for home delivery - overnight, if desired - using email and/or a standard web browser.

Of course, as more and more honest, legitimate businesses find new customers on the Internet, so have the crooks and con artists likewise found cyberspace to be fertile ground for frauds and scams. Many of these scams are distinctive and uniquely suited for the electronic world, but many others (such as the infamous Nigerian Scam) are simply updated versions of schemes that have been around for decades.

E-mail, of course, is an ideal medium for scammers to ply their trade, especially since the number of inexperienced "newbies" continues to rise around the world. In many cases, common sense will tell you if an email or website is fraudulent, or at the very least, suspicious. There are many clever tricks used by scammers, though, to dupe even the most vigilant person into their traps.

Scam or "Spam"?

It is certainly true that many frauds and scams are circulated in the same mass-mailing format as run-of-the-mill "spam", or Unsolicited Commercial E-mail; however, not all spam is fraudulent. Annoying, yes, but not, in most cases, illegal. In general, the object of the scammer is to fool you into giving him something you have that he wants. Money, of course, is still the main goal, but more and more they are trying to get you to give them personal information about yourself - credit card numbers, bank account numbers, Social Security Numbers, etc. - that will allow them to commit, among other things, identity theft. In some cases, the object is to get you to visit a bogus web site that will surreptitiously download malicious software onto your computer, allowing them to remotely control it for use in hacking exploits such as a "Distributed Denial of Service" (DDoS) attack. Whatever the motive behind it, scams and frauds are all about separating you from your valuables in one way or another.

Hoaxes

Hoaxes are sometimes nearly impossible to distinguish from scams and frauds, and in fact can be used as a vehicle to commit fraud. In general, though, hoaxes are about trying to get you to believe something that isn't true, and act on it, rather than to engage in a fraudulent financial transaction. The lines can be blurry, though. Many hoaxes are, essentially, "Internet practical jokes" that sometimes have unfortunate consequences. Hoaxes tend to have a very long lifespan as well. The first great Internet hoax, the infamous "Good Times" virus (1994), still gets spread around by well-meaning new Internet users. In recent years, another prevalent Internet hoax revolves around e-mails urging the recipients to delete the files jdbgmgr.exe or sulfnbk.exe from their hard drive if they exist, allegedly because they are virus files (they're not - they're legitimate Windows system files). This perennial favorite is still making its way around as well. Many well-known Internet hoaxes of the last several years are simply re-workings of "urban legends" that have been around for decades.

How can I tell if an e-mail message is a hoax, fraud or scam?

It's not always easy, but start with your own common sense. If it seems fishy or phony to you, chances are it is.

You also have many powerful tools at your disposal that can help you ferret out the truth - search engines like Google, Yahoo! and Bing are very useful for seeing how widespread the e-mail is, and what other people have said and done about it. If the e-mail message contains distinctive bits of information such as company name(s), names of individual people, telephone numbers (especially toll free numbers), try plugging them into the search box to see how many "hits" you get. You might be surprised to find how well-known it is.

There are also a number of popular web sites that collect and track information about hoaxes, scams and frauds, and most of them have their own search features built in. A few of the more accredited and respected of these sites are:

www.scambusters.org
www.snopes.com
urbanlegends.about.com
www.quatloos.com

"Phishing"

A generic type of scam that has become very common via e-mail since 2002 has come to be known as "phishing". This involves a "spoofed" (i.e., forged) email, usually appearing to be from a well-known company or business, requesting the recipient to "verify" account data. Amazon.com and eBay are among the most frequently spoofed companies, but probably the most prevalent target is PayPal. These messages often contain images that are exact duplications of the firm's logos and trademarks, all the more to look legitimate and official. Here is an actual, typical example of this scam:

[Image: example of a PayPal phishing e-mail]

The objective, of course, is to get unwitting PayPal users to click on the link to a forged or otherwise bogus website and give away important personal information. These sorts of "phishing" messages are usually sent as spam to millions of addresses, and they can be sure to reach a large number of actual PayPal account holders (or Amazon, or eBay, or whatever the target "audience" is).

It is important to realize, also, that the sites these messages try to get you to visit can be designed so that important information is taken from your hard drive without your knowledge. Many people who receive a message like this and do not have a PayPal account will be tempted to click on the link to tell the sender they've "made an error". Doing so may expose personal information on their computer to "harvesting".

For a more thorough and detailed discussion of "phishing", see:

www.antiphishing.org

A Few Rules of Thumb

  • E-mail is a very insecure medium, and is easily forged. Do not assume that the name in the "From:" line is the real person or company that actually sent the message.
  • Just as you should not believe everything you read in a newspaper or magazine, be equally skeptical of information you read in e-mail or on websites.
  • Never, ever give sensitive, personal information (including passwords) in response to an e-mail or website query unless you are absolutely sure that you are dealing with the person or company you believe you are. When purchasing over the web, make certain that the business or company is using a Secure Server (an implementation of Secure Sockets Layer [SSL] or Transport Layer Security [TLS] to encrypt data between your computer and theirs). You can tell if this is the case by looking at the URL in the address box at the top of the browser: if it begins https: instead of http:, then you are communicating via a secure session, and the business is more than likely legit. Alternatively, if you see a small "padlock" icon in the corner of the browser window and the icon appears to be "locked", that is an indication that your session is SSL/TLS-encrypted. SSL/TLS websites make use of digital certificates issued by trusted third parties.
  • No matter how urgently an e-mail message implores you to "pass on this virus warning to everyone in your address book", and no matter how authentic it appears to be, do not blindly forward it to all your friends - you may be proliferating the next "Good Times" virus. Even if it comes from your best friend, or your mother, don't pass it on - research it first, and think how smart and cool you'll look when you can reply, "It's a hoax - check this website for the real story".
  • Look before you click on a link, whether it's in an e-mail or on a website. It may not be leading you where you think it is. With most e-mail programs and web browsers, if you pass your mouse pointer over the link without clicking, you can see the actual destination displayed on the program screen (usually at the lower left). If the link says "Click here to go to GoodCompany.com," but the link destination displayed is actually NeverHeardOfEm.org, the link may lead to a malicious site.
  • Never open an e-mail attachment unless you are absolutely, positively certain about who sent it, why they sent it, and what the attachment actually is.
  • Obtain and use good anti-virus software, and update it weekly, at least. Penn users may download officially supported anti-virus software (PennKey authentication required) from the Supported Products website.
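The "look before you click" rule above can also be checked automatically. The following Python is an added example, not code from the original page: it parses the HTML body of a message and flags any link whose visible text names a domain that differs from the domain its href actually points to. The GoodCompany.com / NeverHeardOfEm.org message body is constructed for illustration, and the domain comparison is a deliberately crude last-two-labels match.

```python
"""Flag anchors whose visible text names a domain other than the link's real host."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that looks like a hostname, e.g. "GoodCompany.com" or "www.paypal.com".
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self._href = None       # href of the <a> currently being read, if any
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    # Crude "last two labels" comparison; a real deployment would consult the public suffix list.
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def find_mismatched_links(html):
    """Return (visible_text, href) pairs where the text names one domain but the href goes elsewhere."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        if any(_registrable(shown) != _registrable(real_host) for shown in DOMAIN_RE.findall(text)):
            flagged.append((text, href))
    return flagged


# Constructed sample body modelled on the GoodCompany.com / NeverHeardOfEm.org illustration above.
SAMPLE = (
    '<p>Click <a href="http://neverheardofem.org/verify">here to go to GoodCompany.com</a></p>'
    '<p>Or visit <a href="https://www.goodcompany.com/">www.GoodCompany.com</a> directly.</p>'
)

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE):
        print(f"WARNING: link text says {text!r} but points to {href}")
```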

Should I report it, and if so, to whom?

If you have received an e-mail message or visited a website that appears to be perpetrating a hoax, fraud or scam, take a little time to research it as suggested above. In most cases, you'll find that it's well-known and well-documented, and in many instances is simply a variation on an "oldie but goodie". As long as you have not responded or acted in the manner they're attempting to get you to do, you can generally delete it and not worry about reporting it to law enforcement or computing support staff. If you're still in doubt, though, you can contact Penn Information Security at security@isc.upenn.edu and request help.

Last updated: Friday, April 23, 2010

Information Systems and Computing
University of Pennsylvania