Thursday, January 31, 2008

Federal government rebate scams continue to grow and flourish

Two days ago I wrote about the issue of all the talk of the federal rebates and how fraudsters, scammers and ID thieves would come out of the woodwork to capitalize on it from unsuspecting and eager individuals. I had listed the common tactics that thieves will be using as reminders for what to be cautious about but it is already going well beyond those and getting people engaged from every possible angle.

Here is a list of the latest scams brought to the attention of the IRS:

Rebate Phone Call

At least one scheme using the word "rebate" as part of the lure has been identified. In that scam, consumers receive a phone call from someone identifying himself as an IRS employee. The caller tells the targeted victim that he is eligible for a sizable rebate for filing his taxes early. The caller then states that he needs the target´s bank account information for the direct deposit of the rebate. If the target refuses, he is told that he cannot receive the rebate.

This phone call is a scam. No legislation has yet been enacted that would allow the IRS to provide advance payments to taxpayers or that determines the details of those payments. Moreover, the IRS does not force taxpayers to use direct deposit. Those who opt for direct deposit do so by completing the appropriate section of their tax return, with bank routing and account information, when they file; the IRS does not gather the information by telephone.

Refund e-Mail

The IRS has seen several variations of a refund-related bogus e-mail which falsely claims to come from the IRS, tells the recipient that he or she is eligible for a tax refund for a specific amount, and instructs the recipient to click on a link in the e-mail to access a refund claim form. The form asks the recipient to enter personal information that the scamsters can then use to access the e-mail recipient´s bank or credit card account.

In a new wrinkle, the current version of the refund scam includes two paragraphs that appear to be directed toward tax-exempt organizations that distribute funds to other organizations or individuals. The e-mail contains the name and supposed signature of the Director of the IRS´s Exempt Organizations business division.

This e-mail is a phony. The IRS does not send unsolicited e-mail about tax account matters to individual, business, tax-exempt or other taxpayers.

Filing a tax return is the only way to apply for a tax refund; there is no separate application form. Taxpayers who wish to find out if they are due a refund from their last annual tax return filing may use the "Where´s My Refund?" interactive application on this Web site, The only official IRS Web site is located here at

Audit e-Mail

Another new scam brought to IRS attention contains features not seen before by the IRS. Using a technique calculated to get almost anyone´s attention, the e-mail notifies the recipient that his or her tax return will be audited. This is the first scam of which the IRS is aware that uses this to get the victim to respond.

Unusual for a scam e-mail, it may contain a salutation in the body addressed to the specific recipient by name. Most scam e-mails seen by the IRS are sent using the same technique used by spammers, in which hundreds of thousands of messages are sent to potential victims based on Internet address. Because of the volume, the typical scam e-mail is not personalized.

This e-mail instructs the recipient to click on links to complete forms with personal and account information, which the scammers will use to commit identity theft.

This e-mail is a phony. The IRS does not send unsolicited, tax-account related e-mails to taxpayers.

Changes to Tax Law e-Mail

This bogus e-mail is addressed to businesses, accountants and "Treasury" managers. It instructs them to download information on tax law changes by clicking on a series of links to publications on businesses, estate taxes, excise taxes, exempt organizations and IRAs and other retirement plans. The IRS believes that clicking on a link downloads malware onto the recipient´s computer. Malware is malicious code that can take over the victim´s computer hard drive, giving someone remote access to the computer, or it could look for passwords and other information and send them to the scamster. There are other types of malware, as well.

The urls contained in the link are not legitimate IRS Web addresses. All Web page addresses begin with

Paper Check Phone Call

In a current telephone scam, a caller claims to be an IRS employee who is calling because the IRS sent a check to the individual being called. The caller states that because the check has not been cashed, the IRS wants to verify the individual´s bank account number. The caller may have a foreign accent.

In reality, the IRS leaves it entirely up to the individual to choose to cash or not cash a paper check. The IRS has no business need to know, and does not ask for, bank account or similar information, except when taxpayers indicate on their tax return that they are opting for the direct electronic deposit of their refund. In that case, however, it is the individual´s responsibility to provide the IRS with the correct bank routing and account numbers on the tax return; the IRS does not contact taxpayers to verify the information.

What to Do

Anyone wishing to access the IRS Web site should initiate contact by typing the address into their Internet address window, rather than clicking on a link in an e-mail or opening an attachment.

Those who have received a questionable e-mail claiming to come from the IRS may forward it to a mailbox the IRS has established to receive such e-mails,, using instructions contained in an article titled "How to Protect Yourself from Suspicious E-Mails or Phishing Schemes." Following the instructions will help the IRS track the suspicious e-mail to its origins and shut down the scam. Find the article by visiting and entering the words "suspicious e-mails" into the search box in the upper right corner of the front page.

Those who have received a questionable telephone call that claims to come from the IRS may also use the mailbox to notify the IRS of the scam.

Identity Theft “Prevention” Defined Accurately

Everybody that talks about prevention uses the word in a different way. It is about perspective. Here is an example:

Think about how you would feel if this scenario happened: Your bank called and said “someone infiltrated your savings account and they have been making withdrawals regularly for the last three months. Your account has been drained of $25,000 but due to our diligence we stopped it and you still have $15,000 left. We have effectively prevented the thief from draining your account. We thought you’d like to know we mitigated your loss.”

Was there any prevention here? Absolutely! Are you going to be happy about it? I doubt it. People are paying big money for a false sense of the word “prevention”. They are really paying for and getting “mitigation”.

Now let’s compare the words “prevention” and “mitigation”:

pre·ven·tion [ pri vénshən ] (plural pre·ven·tions)

action that stops something from happening: an action or actions taken to stop somebody from doing something or to stop something from happening

  • the prevention of crime

mit·i·gate [ mítti gàyt ] (past and past participle mit·i·gat·ed, present participle mit·i·gat·ing, 3rd person present singular mit·i·gates)

  • to mitigate a loss

lessen something: to make something less harsh, severe

When put in the context of identity theft: Everyone uses the word prevention when they are referring to credit freeze, fraud monitoring and credit reports, and credit monitoring, data scouring etc.

Now let’s look at it from the context of the consumer: Prevention would be keeping my information completely secure and preventing it from being stolen in the first place.

Real prevention is thwarting the theft of your personal information. Securing your name so nobody uses it for anything. That is what ID theft “prevention” truly is.

If I rely on a credit report, a fraud alert or a credit freeze to stop something from happening, that means that SOMEONE ALREADY HAS OBTAINED MY PERSONAL INFORMATION ! A CRIME HAS ALREADY OCURRED! Now that does not sound like identity theft prevention at all, it most definitely is mitigation. Sure it may have plugged a small hole but in the grand scheme of the information that thief still has, it is like putting a bandage on a bullet wound.

So how can credit freeze, fraud monitoring and credit reports, and credit monitoring qualify as prevention? Well, they stopped something from happening, and that has some limited value, but now who has this information and where are they going with it next? Keep in mind if they have gone to the effort to steal your info, they are going to use it. A car thief does not steal a car and drive around in it until it runs out of gas. They are going to use the stolen device until it no longer meets their needs. The same with your identity, it could be used next for medical services, prescriptions, getting arrested, forging a check, and so on.

An ID theft recovery company stated under the guise of “prevention” that they look for changes in your existing accounts and they look for new accounts and transactions in your name. By doing this, they can detect someone's attempt to steal your identity before it gets too far and before any damage has been done. Sorry people, but if any of this is detected, the damage has been done. SOMEONE HAS ALREADY STOLEN YOUR IDENTITY! THEY HAVE YOUR PERSONAL INFORMAION AND ARE PUTTING IT TO USE! This should not be sugar coated as identity theft “prevention”. The prevention ship has sailed, it is now time to mitigate.

You will still have to wonder when or where they may use it next. And you still may have work to do, to get everything closed down, changed, modified etc. and you may never be completely sure you’ve plugged the gaps because how do you know your personal information has not been passed around or sold on the black market?

So how much is “mitigation” really worth? It is up to you, but most will pay much more for “prevention”.

True identity theft “PREVENTION” is about stopping the crime from occurring, and that starts with preventing and keeping your information out of the hands of the thieves to start with. True prevention is up to you! True prevention starts with you doing the right things with your personal information.

Don’t confuse paying for mitigation services and expect prevention. You may not end up being happy with the results.

Tuesday, January 29, 2008

Talk of federal government rebates gives identity thieves a fresh angle

It is on the news almost nightly, in the newspaper daily, and on the internet. We are hearing about it just about every day. To stimulate the economy, President Bush is working very hard to seal the deal for many Americans to get rebate checks from the federal government.

For many Americans all the talk of a bonus $600-$1200 check from the federal government is exciting news. Many would like to get it today if that were possible. Everyone wants to be sure the government has their correct name, address, and all the other pertinent information so there will not be a delay. Unfortunately, many will end up with their identity stolen instead.

The thieves will play on that anticipation of you wanting the extra cash as soon as possible and will deploy all the traditional and still effective tactics.

The more common and widespread tactics that will be used:

1)Phishing: Hundreds of millions of emails will go out across the country claiming to be from the IRS or the federal government and will direct you to a special website to verify your personal information. If you click on the link you will end up at an official looking site with all the federal seals making it look authentic. Some phishing sites will even have warning about identity theft on them to give them a more secure look to any visitor.

Red Flag: People have many different email accounts, the government does not use email to contact anyone. You do not supply an email on you tax return!

2)Vishing: This is like the email hunt for information, but you will get a phone call instead. It may be a live person, it may be a recording, it may be a recording asking you to call an 800 number back and verify your information. They may ask for your social security number, bank account number where you would like your check deposited, even a pin number for a debit account.

Red Flag: The federal government will not call you for anything like this, ever. What makes this method even more dangerous, thieves can purchase any name they want to appear on your caller ID, such as IRS Rebate, Federal Rebate Office, US Gov’t Rebate, or any combination of words to get you to believe the call is authentic.

3)Websites: There will be scores of websites popping up using search terms to get you to visit them. Such terms will be “IRS rebate” ,“Federal Rebate”, “ Government Rebate” to name a few. They will bank on people using searches in Google and MSN and Yahoo, to find out more information. The sites may bait people in by claiming if you enter your information now, you will get a check in 2 or 3 weeks. That expediency will be extremely enticing to many so they will get drawn in and become victims.

Red Flag: The only sites that may have any information about this program will be an existing one with quite a bit of other information as well. It will end with a .GOV suffix. Examples are IRS.Gov, SSA.Gov, WhiteHouse.Gov. Any site with an official sounding name but a different suffix is not a federal site. Example is which is owned by and is a play to get you to use their services for tax filing.

4)US Postal Service Mail: You may get a letter or a post card in the mail asking you to verify your bank account or social security number or other sensitive information. It may ask you to call a specified number or go to a website and enter in information.

Red Flag: The government will be using tax returns from previous years records to determine eligibility and addresses. They are not going to mount a new campaign to update records and personal information. If you do get something in the mail from the IRS or other federal agency, take the time to verify the validity prior to acting on it.

None of these tactics are new, but the event that will trigger their upsurge is. Basically this is an extra bonus for identity thieves to prey on victims who will not see this coming because they are blinded by the thought of the dollar sign.

The only real way to combat this offensive is to think about the details before you act. Ask yourself a few common sense questions, and practice fire prevention vs. firefighting.

The best defense for your identity is self defense.

Monday, January 28, 2008

Attention grabbing survey sites could set the stage for ID theft

There are a number of sites that quiz you about yourself and then tell you something about yourself in return. Our site does that as well. We ask you information about your personal daily habits and use proprietary algorithms backed by research to gage your risk for ID theft with an output that is in an easy to understand ID Risk Level. No ads, no personal information requested, not even email.

Someone emailed me recently asking about other sites that have quizzes and pointed out a few in particular and asked me how safe they are even if just for fun.

Some sites, by piquing your interest in certain, even silly subjects, are looking for something. There are a number of sites that purport being able to tell you when you are going to die! Wonderful, that information will certainly come in handy. It makes my retirement investment planning so much easier.

Well, you’re not gullible, but you went there for fun, as a joke, just to see, etc. All in good fun as long as you are not giving them any personal information.

So what could a site like this really be after? Mainly ad revenue. By getting thousands of people to go through the site and take the “date of your death survey”, they land you in a seemingly never ending, page after page of offers for everything from free laptops to a cruise around the world to magazines and so on. The catch is you have to get past saying no to these or fill out a few with your personal information like name, address, phone number, email etc. and what seems to be fairly harmless information. Only, once you go past the myriad of ads asking you to fill in information will you get your “calculated” date with the grim reaper.

So I tried it at a site this person asked me about. I answered the few simple questions and then waited for my results, it had to be calculated, apparently they have a long connection to go through and the grim reaper’s WiFi was down. In the meantime, they graciously had me take review some of their fine offers and click “no” if not interested. I counted 97 (yes, I counted because I assumed it was going to be big) offers that I said “no” to and still was not given my much awaited date with death. I even filled in a few with some random misinformation thinking if they got me on one maybe they would cough up that date! Nothing. I literally gave up as it was appearing to be more and more of a perpetual scam. I guess I’ll need to keep my retirement plans in place for now.

Seriously though, what was really happening was a massive operation to get you to provide just the basics of personal information. Now the company that runs the site may only be a conduit and collecting ad dollars from the marketing agency who is the real culprit in this operation. Fill one out correctly with real information and you have just asked to receive a minimum of 100,000 emails with other exciting offers include. Hey, you asked!

That information may possibly be used by them directly for ID theft, Spamming, phishing, etc. They may sell it to others who will use it unscrupulously. Worse yet, you will be put on a sucker list. This is a list created about people who willingly provide information thinking they are going to win a prize. AKA in their business “a sucker”. ID thieves love suckers. They know they are the easiest of easy targets. The people who think they will really get something for nothing, the same people who ultimately will give the thieves the keys to their identity in much the same way. The thieves already know you are an optimists, and play that hand against you to the fullest.

So the next time you go to a site and think you are providing information that is harmless, looking for that humorous “date of your death” you may find out a new date, when your identity was stolen.

Friday, January 25, 2008

Prudential’s rock crumbles when it comes to securing personal information

Prudential Financial gets a spot on our office’s Identity Defense Wall of Shame this month. They had a temp worker collect personal information from a customer then the temp worker stole the customer’s identity to go on a three month, $70,000 spending spree!

According to the article about this event, Prudential takes customer information and security very seriously. We see that clearly from the end result of this encounter between a Prudential temp employee and a Prudential customer.

Stop and think about what happened here. A financial conglomerate worth $36 billion does not have the sense of how to secure personal information that it receives. Collecting customer information is the most volatile point in a transaction because it is up to the person who collects it as to how the information is treated. This is where Prudential’s security falls apart. The people collecting information should be trusted, longer term, well paid employees, who hopefully, will want to keep their job and have little or at least minimal incentive to steal. Instead they gave that crucial task to a 23 year old temp worker, who obviously did not care about his temp job and felt he needed to supplement his income.

I’m sure they spend millions on data security, and backup systems and passwords and encryption etc. As a financial institution they are required to have secure systems on all fronts. But no matter how big your walls are, or how many lines of defense you have, if you can’t complete step 1 and put the information into secure areas, it is useless. Picture your bank having the tellers leave all the money on the counters at night and still go lock the safe.

If Prudential has procedures in place, the management team is not reading the company manual. To be fair, this could easily happen with just about any employee and it is where a significant portion of all ID theft occurs. But when you assign tasks to someone who is not even an employee, then any incentive to do the right thing is minimized because there is no long term bond.

For the sake of all of their existing customers let’s hope they have a better system in place for securing their personal information.