Email fraud explained

Email fraud (or email scam) is intentional deception, using email as the vehicle, either for personal gain or to damage another individual. Almost as soon as email became widely used, it began to be used as a means to defraud people, just as telephony and paper mail were used by previous generations.

Email fraud can take the form of a confidence trick ("con game", "scam", etc.). Some confidence tricks tend to exploit the inherent greed and dishonesty of their victims. The prospect of a 'bargain' or 'something for nothing' can be very tempting. Email fraud, as with other "bunco schemes", usually targets naïve individuals who put their confidence in schemes to get rich quickly. These include 'too good to be true' investments or offers to sell popular items at 'impossibly low' prices.

Another form of email fraud is an impersonation technique known as email spoofing: the recipient is misled by falsified origin information into making an anticipated payment into the fraudster's account rather than the correct one. The method is known as phishing or spear phishing: 'phishing' involves sending thousands of emails claiming, for example, that an account has been compromised; 'spear phishing' typically involves targeted and personalized emails or messages designed to deceive specific individuals or organizations into revealing sensitive information or performing malicious actions.[1]

Forms

Spoofing

See main article: Email spoofing.

Email sent from someone pretending to be someone else is known as spoofing. Spoofing may take place in a number of ways. Common to all of them is that the actual sender's name and the origin of the message are concealed or masked from the recipient. Many instances of email fraud use at least spoofing, and as most frauds are clearly criminal acts, criminals typically try to avoid easy traceability.
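When the origin is masked as described above, the origin-related headers of a message often disagree with one another. The following Python check is an added example, not part of the original article; the sample message, its domains and the finding labels are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample (not real traffic); every name and domain is made up.
SAMPLE = """\
Return-Path: <bounce@bulk-sender.example.net>
From: "ap@supplier.example" <ap@supp1ier-billing.example>
Reply-To: payments@freemail.example
To: finance@customer.example
Subject: Updated bank details for invoice 1042

Please use the new account for this month's payment.
"""

ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def origin_findings(raw):
    """List the ways the origin headers of one message disagree."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    findings = []
    # Display name shows an address other than the one actually in From.
    shown = ADDR_IN_NAME.search(display)
    if shown and shown.group(0).lower() != sender.lower():
        findings.append(("display-name-address", shown.group(0), sender))
    # Replies would go to a domain other than the apparent sender's.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if domain(reply) and domain(reply) != domain(sender):
            findings.append(("reply-to-domain", reply, sender))
    # Bounce address on another domain; weak alone, bulk mailers do this too.
    _, bounce = parseaddr(msg.get("Return-Path", ""))
    if domain(bounce) and domain(bounce) != domain(sender):
        findings.append(("return-path-domain", bounce, sender))
    return findings
```

A single finding is a prompt to verify the sender through a known channel, not proof of fraud; several together on a payment-related message deserve a closer look.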

Phishing

See main article: Phishing.

Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker[2][3] or to deploy malicious software, such as ransomware, on the victim's infrastructure. Some spoof messages purport to be from an existing company, perhaps one with which the intended victim already has a business relationship. The 'bait' in this instance may appear to be a message from "the fraud department" of, for example, the victim's bank, which asks the customer to "confirm their information", "log in to their account", "create a new password", or similar. Instead of being directed to the website they trust, they are referred to an identical-looking page with a different URL.

After the victim enters their log-in details, their username and password are visible to the perpetrators. In many cases, phishing emails can appear to be benign, for example a message telling the receiver that they have a new friend request on a social media platform. Regardless of how innocent the message is in itself, it will always lead the victim to an imitation web page and false log-in prompt.

In a study, researchers concluded that cognitive reflection and sensation-seeking tendencies are modest but significant predictors of susceptibility to phishing.[4] Additionally, participants who were pressured to make quick email legitimacy judgments made more errors.

Bogus offers

Email solicitations to purchase goods or services may be instances of attempted fraud. The fraudulent offer typically features a popular item or service, at a drastically reduced price.

Items may be offered in advance of their actual availability. For instance, the latest video game may be offered prior to its release, but at a similar price to a normal sale. In this case, the "greed factor" is the desire to get something that nobody else has, and before everyone else can get it, rather than a reduction in price. Of course, the item is never delivered, as it was not a legitimate offer in the first place.

Such an offer may even be no more than a phishing attempt to obtain the victim's credit card information, with the intent of using the information to fraudulently obtain goods or services, paid for by the hapless victim, who may not know they were scammed until their credit card has been "used up."

Requests for help

The "request for help" type of email fraud takes this form: an email is sent requesting help in some way. However, a reward is included for this help, which acts as a "hook". The reward may be a large amount of money, a treasure, or some artifact of supposedly great value.

This type of scam has existed at least since the Renaissance, known as the "Spanish Prisoner" or "Turkish Prisoner" scam. In its original form, this scheme has the con man purport to be in correspondence with a wealthy person who has been imprisoned under a false identity and is relying on the confidence artist to raise money to secure his release. The con man tells the "mark" (victim) that he is "allowed" to supply money, for which he should expect a generous reward when the prisoner returns. The confidence artist claims to have chosen the victim for their reputation for honesty.

Other

Among the variations on this type of scam are the Nigerian Letter, also called the 419 fraud, Nigerian scam, Nigerian bank scam, or Nigerian money offer. The Nigerian Senate emblem is sometimes used in this scam.

The intended victim is often told their name or email address was selected through a random computer ballot and sponsored by a marketing company. In order to claim their so-called winnings, the victim is asked to provide their bank account details and other personal information. The victim is asked to contact the claims agent or award department.

An email is sent to the victim's inbox, supposedly from a hitman who has been hired by a "close friend" of the recipient to kill him or her but will call off the hit in exchange for a large sum of money. This is usually backed up with a warning that if the victim informs local police or the FBI, the "hitman" will be forced to go through with the plan. This is less an advance-fee fraud and more outright extortion, but a reward can sometimes be offered in the form of the "hitman" offering to kill the man who ordered the original hit on the victim.[6]

Usually this scam begins at an online dating site, and is quickly moved to personal email, an online chat room, or a social media site. Under this form, fraudsters (posing as males or females) build online relationships, and after some time, they ask for money from the victims. They claim the money is needed because they have lost their money (or their luggage was stolen), they have been beaten or otherwise harmed and they need to get out of the country to fly to the victim's country.

The intended victim is solicited via email to work as a 'secret shopper', often after the victim's resume has been posted at a job search site. Once engaged, the victim is sent a counterfeit check along with instructions and forms for work as a secret shopper. The provided instructions typically are to make several small transactions at nearby businesses, recording their experience on an official-looking form. The instructions universally also tell the victim to create a significant wire transfer, with a request to rate the experience. The counterfeit check is cashed at the unsuspecting victim's financial institution in order to accomplish the listed tasks.

This type of email spam states that an anonymous person posted a secret about the recipient and that he needs to pay a fee in order to see the message.

The victim is seeking a job and posts a resume on any internet job site. The scammer spots the resume and sends the victim an email claiming to be a legitimate job listing service, and claiming to have a client who is looking for an employee with their skills and experience. The victim is invited to click on a link to apply for the job. Clicking the link takes the victim to a job description specifically written for the skills and experience on the victim's resume, which offers a very high salary and invites them to "click here" to apply for the job. If the victim clicks on that "apply" link, they are taken to an "application" form that asks for the normal job application information, plus the victim's social security number, date of birth, the name of the bank and account number where they want their paycheck to be deposited, a "relative" reference, etc. With this information, the scammer can open up a bank account in any online bank and utilize the victim's credit to buy items online and ship them to associates who are in on the scam.

Avoiding email fraud

Due to the widespread use of web bugs in email, simply opening an email can potentially alert the sender that the address to which the email is sent is a valid address. This can also happen when the mail is 'reported' as spam, in some cases: if the email is forwarded for inspection, and opened, the sender will be notified in the same way as if the addressee opened it.

Email fraud may be avoided by:

Many frauds go unreported to authorities, due to feelings of shame, guilt, or embarrassment.

Notes and References

  1. Myers, Brandon. "What is Spear Phishing". PC Support.
  2. Jansson, K.; von Solms, R. (2011-11-09). "Phishing for phishing awareness". Behaviour & Information Technology. 32 (6): 584–593. doi:10.1080/0144929X.2011.632650. ISSN 0144-929X. S2CID 5472217.
  3. Fatima, Rubia; Yasin, Affan; Liu, Lin; Wang, Jianmin (2019-10-11). "How persuasive is a phishing email? A phishing game for phishing awareness". Journal of Computer Security. 27 (6): 581–612. doi:10.3233/JCS-181253. S2CID 204538981.
  4. Jones, Helen S.; Towse, John N.; Race, Nicholas; Harrison, Timothy (2019-01-16). "Email fraud: The search for psychological predictors of susceptibility". PLOS ONE. 14 (1): e0209684. doi:10.1371/journal.pone.0209684. ISSN 1932-6203. PMC 6334892. PMID 30650114.
  5. "New E-Scams & Warnings". FBI. Fbi.gov. 2012-02-18.
  6. "Hitman Bribe Scam". snopes.com. 2012-02-18.
  7. "Top 10 Phish Scams". McAfee. 2006-09-01. 2006-09-01.
  8. "Internet Crime Complaint Center's Scam Alerts". IC3.gov. 2012-10-23. 2013-12-22.
  9. "Internet Crime Complaint Center's (IC3) – Scam Alerts". ic3.gov. October 17, 2011. October 26, 2011.