Good News about Identity Theft from Community Dispatch
Here is a direct quote from a little web site (Sponsored by the IRS?) called Community Dispatch.
You Can Help Shut Down Phishing SchemesThe good news is that you can help shut down these schemes and prevent others from being victimized. If you receive a suspicious e-mail that claims to come from the IRS, you can relay that e-mail to a new IRS mailbox, phishing@irs.gov. Follow instructions in the link below for sending the bogus e-mail to ensure that it retains critical elements found in the original e-mail. The IRS can use the information, URLs and links in the suspicious e-mails you send to trace the hosting Web site and alert authorities to help shut down the fraudulent sites. Unfortunately, due to the expected volume, the IRS will not be able to acknowledge receipt or respond to you.
While this is a nice thought in theory, and while it is a good idea to notify the FBI and the IRS of any suspicious email you receive, here's the problem.
Let's play out a hypothetical. Let's say I'm a crook. I live in the Ukraine. (I'm entity #1). I have an online contact in Iran (Entity #2). He and I decide that we want to set up a web site to phish people's information. We choose a hosting provider based in Iran (Entity #3), and route the connection through a DNS server (Entity #4) that physically sits with a company in Russia (Entity #5).
Following me so far?
Good.
Now, I gather up about 10 million email addresses. It's not hard. There are many companies that will sell you 10 million email addresses for $100 or less. We pick one of these companies (Entity #6).
We find someone who we feel we can trust (Entity #7) through an online forum (entity #8), and pay them $500. They are a broker for us. and as the go-between, their job is to find us a way to send out 10 million emails. They find someone (entity #9) charging $350 for this service, and over the next 48 hours, from multiple IP Addresses, using a complex set of hacked computers (entity #10) (BotNets - a series of hacked computers), over 10 million emails are sent out on our behalf.
Remember, our total cost at this point is about $600. Before the email has reached the victim, there are already 10 completely separate entities involved in this crime.
What do we send out? Well, we write an email that is HTML based (meaning it looks pretty - more than just text), and we build the email to look like it has come from XYZ bank (Entity #11). Your bank is XYZ Bank, and their web site is XYZBank.com, and we know you trust them, because you put your money with XYZBank. You must trust that they will keep track of your hard earned cash.
We tell you to come directly to our web site. XY.ZBank-security.com (Entity #12). Oh yeah, when we set up XY.ZBank-security.com, we used a person's information from a previous Identity Theft. So the web site is actually registered to John Doe (Entity #13), 123 Anywhere Street, Somewhere USA
You read the email. You're not fooled. You don't click, and you don't open our phishing web site.
But your daughter/son/grandma/dad (Entity #14)... doesn't know about phishing scams. They open the email. They log in to their account. It takes them to a "Security Verification Page" which grabs their social security number, their name, and their address.
Out of 10 million emails we send out, 10000 people actually come through to our phishing web site. 100 of them (Entities #15 - #114) actually put in their full information.
This happens within 72 hours from the time we send out the email. We decide that's pretty decent, and we take the site down.
We take it down before we're even discovered, because remember, anyone who is looking for us, is looking via the DNS Server in Russia. They think we're in Russia. And then poof, the site goes down.
Then we each take a copy of the 100 names. At this point, I part ways with the guy in Iran. He has his 100 names, and I have mine.
Now, as a criminal, I know 10 or so people who will buy this information from me for $20/name. So I set appointments with them (online, and anonymously of course), and at 9:00 AM, I sell 100 names to onlne_crook1 (Entity #115), at 10:00 AM, I sell 100 names Online_crook2 (Entity #116), at 11:00 AM, I sell 100 names Online_crook3 (Entity #117) and so on. (Through Entity #124) I collect my payment through an anonymous payment method (Entity #124-A), and walk away at the end of the day with $20,000 for my last 4 days work.
Online_crook1 (the first person I sold to) decides to resell the information to Joe_Criminal (Entity #125), on an online message board, anonymously, for $50/name. Joe_Criminal goes and gets a driver's license and a home loan from an online loan processor (Entity #126) in the name of your daughter/son/grandma/dad.
Six months later, your daughter/son/grandma/dad calls you in a panic. They're being sued by a large mortgage company (Entity #127) (the loan was sold) for the full amount of the mortgage that they owe on a house in a state where they have never even set foot.
Remember, over 100 people (EASILY over 100 people) have been involved in this transaction before your daughter/son/grandma/dad ever knew they had become a victim of Identity Theft.
That is the monumental task that faces fraud investigators, the secret service, the FBI, and local and state law enforcement.
That is also the monumental task that many victims of Identity Theft find themselves up against when they attempt to restore their good name.
Now, sending the phishing email to the FBI is a great idea. In fact, send all IRS-related phshing emails to phishing@irs.gov. It can't hurt, and it helps the FBI and IRS to track patterns in these types of crimes.
But also know that only 1 in 700 identity thieves is ever caught.
If this topic has interested you, please leave your comments below, and take a look here to see an actual solution to this problem for individuals.
While this is a nice thought in theory, and while it is a good idea to notify the FBI and the IRS of any suspicious email you receive, here's the problem.
Let's play out a hypothetical. Let's say I'm a crook. I live in the Ukraine. (I'm entity #1). I have an online contact in Iran (Entity #2). He and I decide that we want to set up a web site to phish people's information. We choose a hosting provider based in Iran (Entity #3), and route the connection through a DNS server (Entity #4) that physically sits with a company in Russia (Entity #5).
Following me so far?
Good.
Now, I gather up about 10 million email addresses. It's not hard. There are many companies that will sell you 10 million email addresses for $100 or less. We pick one of these companies (Entity #6).
We find someone who we feel we can trust (Entity #7) through an online forum (entity #8), and pay them $500. They are a broker for us. and as the go-between, their job is to find us a way to send out 10 million emails. They find someone (entity #9) charging $350 for this service, and over the next 48 hours, from multiple IP Addresses, using a complex set of hacked computers (entity #10) (BotNets - a series of hacked computers), over 10 million emails are sent out on our behalf.
Remember, our total cost at this point is about $600. Before the email has reached the victim, there are already 10 completely separate entities involved in this crime.
What do we send out? Well, we write an email that is HTML based (meaning it looks pretty - more than just text), and we build the email to look like it has come from XYZ bank (Entity #11). Your bank is XYZ Bank, and their web site is XYZBank.com, and we know you trust them, because you put your money with XYZBank. You must trust that they will keep track of your hard earned cash.
We tell you to come directly to our web site. XY.ZBank-security.com (Entity #12). Oh yeah, when we set up XY.ZBank-security.com, we used a person's information from a previous Identity Theft. So the web site is actually registered to John Doe (Entity #13), 123 Anywhere Street, Somewhere USA
You read the email. You're not fooled. You don't click, and you don't open our phishing web site.
But your daughter/son/grandma/dad (Entity #14)... doesn't know about phishing scams. They open the email. They log in to their account. It takes them to a "Security Verification Page" which grabs their social security number, their name, and their address.
Out of 10 million emails we send out, 10000 people actually come through to our phishing web site. 100 of them (Entities #15 - #114) actually put in their full information.
This happens within 72 hours from the time we send out the email. We decide that's pretty decent, and we take the site down.
We take it down before we're even discovered, because remember, anyone who is looking for us, is looking via the DNS Server in Russia. They think we're in Russia. And then poof, the site goes down.
Then we each take a copy of the 100 names. At this point, I part ways with the guy in Iran. He has his 100 names, and I have mine.
Now, as a criminal, I know 10 or so people who will buy this information from me for $20/name. So I set appointments with them (online, and anonymously of course), and at 9:00 AM, I sell 100 names to onlne_crook1 (Entity #115), at 10:00 AM, I sell 100 names Online_crook2 (Entity #116), at 11:00 AM, I sell 100 names Online_crook3 (Entity #117) and so on. (Through Entity #124) I collect my payment through an anonymous payment method (Entity #124-A), and walk away at the end of the day with $20,000 for my last 4 days work.
Online_crook1 (the first person I sold to) decides to resell the information to Joe_Criminal (Entity #125), on an online message board, anonymously, for $50/name. Joe_Criminal goes and gets a driver's license and a home loan from an online loan processor (Entity #126) in the name of your daughter/son/grandma/dad.
Six months later, your daughter/son/grandma/dad calls you in a panic. They're being sued by a large mortgage company (Entity #127) (the loan was sold) for the full amount of the mortgage that they owe on a house in a state where they have never even set foot.
Remember, over 100 people (EASILY over 100 people) have been involved in this transaction before your daughter/son/grandma/dad ever knew they had become a victim of Identity Theft.
That is the monumental task that faces fraud investigators, the secret service, the FBI, and local and state law enforcement.
That is also the monumental task that many victims of Identity Theft find themselves up against when they attempt to restore their good name.
Now, sending the phishing email to the FBI is a great idea. In fact, send all IRS-related phshing emails to phishing@irs.gov. It can't hurt, and it helps the FBI and IRS to track patterns in these types of crimes.
But also know that only 1 in 700 identity thieves is ever caught.
If this topic has interested you, please leave your comments below, and take a look here to see an actual solution to this problem for individuals.
