Protect Your Tax File Number

In Australia your Tax File Number (TFN) is used by the Australian Tax Office to identify you. It could be used against you by other people to commit identity theft and fraud so you should take measures to ensure its security. Below are some tips to help you with this:

  • Don’t give it out to just anyone else who asks – it’s confidential. See the list below.
  • There have been bogus job ads on the internet and in newspapers that ask people to provide quite detailed personal information including tax file numbers. Don’t provide any of this information until you’ve met the potential employer at their office and confirmed their validity.
  • Don’t carry your Tax File Number in your wallet or mobile phone
  • Securely destroy any mail you receive from the Tax Office showing this number
  • Only use tax agents that are registered on the Tax Agents Board, http://www.tabd.gov.au/

tax The following are allowed to request your Tax File Number:

  • the Tax Office
  • employers
  • banks & other financial institutions
  • tax agents
  • Centrelink
  • superannuation funds

False Adwords Emails

Some people have been receiving emails that appear to come from Google AdWords. The email has a long story about your account being suspended and gives you a link to reactivate it.

At first glance the link  to Google Adwords seems genuine but instead it takes you to a fake web site that looks exactly like Google Adwords. It lets you type in your username and password, sends it to the person who setup this fake site, then takes you to the login page of the real Google Adwords site.

This is a common phishing email targeting Google Adwords customers.

Usually to identify real links from fake malicious links put the mouse pointer over the link and wait a second. Most email clients will show you the true destination either in a yellow tool-tip or at the bottom of the window.

I checked my spam folder and found one of these emails, let’s have a close look at it:

adwords phishing

The sender looks legitimate. Look at the part in the angled brackets, adwords-noreply@google.com. Technically the sender’s name & email is trivial to forge. This email didn’t really originate from Google.

Now at the end of the email is a link to http://adwords.google.com/select/login. At first glance this look innocent. What everyone should get into the habit of doing is putting the mouse pointer over the link (without clicking) and looking at the bottom of the screen to see where it really points to.

Let’s have a look at where this link would really take you:

adwords_2

It’s says: http://adwrods.google.select.ncjd43.cn (NOTE: don’t try visiting this site).

This is not Google’s site. It’s hosted on ncjd32.cn (always look at the last 2 parts of the URL, as explained in our earlier article). CN stands for China, so this fake site was registered in China – something that should make you suspicious of this link. Also note they spelt adwords wrong (adwrods). The word Google in this link doesn’t have anything to do with the real Google, it’s only here to trick casual readers.

So there you have it, an example on how to spot a phishing email.

A good virus & spam filtering system will filter out most of these phishing emails.

Note: Google Adwords is an advertising service run by Google. Go to Google’s site and type in adwords to find the real site.

Identity Theft Using LimeWire

Here’s an interesting story that hopefully raises your awareness of identity theft.

Lime Gregory Kopiloff, from Seattle USA, has pleaded guilty to a number of fraud related crimes and has been jailed for 4 years. He used LimeWire to download tax and credit reports, bank statements and student financial aid applications that people had made available using this P2P system.

Why would anyone put sensitive documents on a file sharing program for everyone to see? Maybe the people who put these files up thought they have nothing to lose, that documents should be free and shared. Whatever the reason documents like these are sensitive and should not be shared, especially through anonymous file sharing programs like LimeWire.

Gregory used this information, as well as dumpster diving and mail theft, to commit identity theft. He obtained credit cards and debit cards under these people’s names and used them to spend US$73,000 in online purchases.

In this case it’s not the technology that’s at fault, it’s the misconceived value placed on financial documents by regular people.

4.2 Million Credit Cards Stolen

fruit basket It’s no surprise there are so many stolen credit card numbers being bought and sold on the internet. Earlier this week there was a data intrusion to Hannaford Bros.’s network and 4.2 million credit card number were stolen, together with their expiry dates. Hannaford is a popular supermarket chain in USA.

If you shopped at Hannaford with a credit card recently then check your credit card statements for misuse.

The official notice from Hannaford’s CEO is here.

eBay Fraud

eBay fraud is rampant in Romania, Russia and China. In fact, eBay says that the majority of all eBay phishing emails comes from these countries.

Mark Lee is the trust and safety manager for eBay UK and he’s made the following comments:

  • “[there’s] no fear of real punishment [in these countries]”
  • “These attacks are definitely organised”
  • “There are towns in Romania where the entire focus is on sites like eBay as the main source of income”

There have been several hundred arrests in Romania after eBay initiated a campaign to stop fraud, in June 2007. But this hasn’t stopped them and it’s still rampant in these parts.

Techniques used by these criminals include asking eBay shoppers for personal details (when people bid or ask questions on the site) – this is known as phishing and the personal details are later used to commit other crimes.

If you use eBay to buy or sell goods have a read here [ http://pages.ebay.com/securitycenter/ ] for tips and tutorials on eBay security. And continue to read FraudO.com for online security tips.

PayPal Phishing

There’s a new phishing attack targeting PayPal customers. It begins with an email like the following:

Subject: PayPal Account Review Department

Dear PayPal customer,

We recently reviewed your account, and we suspect an unauthorized transaction on your account

Protecting your account is our primary concern. As a preventive measure we have temporary limited your access to sensitive information.

Paypal features. To ensure that your account is not compromised, simply hit “Resolution Center” to confirm your identity as member of Paypel.

  • Login to your Paypal with your Paypal username and password.
  • Confirm your identity as a card member of Paypal

Please confirm account information by clicking here Resolution Center and complete the “Steps to Remove Limitations.”

hookAll typos and grammatical errors are from the original email.

If someone was to click on the link provided in the email they would be taken to a hacked copy of PayPal’s site and they’d be asked to provide their bank’s name, ATM PIN code, mother’s maiden name, birth date,and social security number. All very personal information that the real PayPal doesn’t need.

So avoid traps like these by never giving out sensitive information like the above, not trusting emails you didn’t ask for, and most of all use a good antivirus package that also scans web sites for attacks such as this. Also have a look at the new version of Haute we discussed recently, available for free.

There are thousands of phishing emails such as this and over time the quality of them gets better, such as the tax scams we wrote about earlier (Australian version here, US version here) and the student phishing attack last month.

Fraudulent eBay Bid

Records Imagine someone steals your eBay password and bids $3,002,500 on an item on eBay? That’s what happened last week to someone only identified as jopsoup.

His password was stolen while he was at an internet cafe and it was used to make a bid on a record collection.

The matter’s been cleared up by eBay because it was of such a large amount. For smaller items it might not end so well. Always be cautious when using other people’s computers, especially public computers at internet cafes or at hotels.

(Full article here)

Fraud Statistics

The US Federal Trade Commission (FTC) has released a report showing some statistics on fraud for 2007. These statistics come from people who report incidents of fraud to them, so it’s really limited to USA. The problem worldwide would be much much worse.

The top 20 complaint categories were:

Rank    Category    Complaints

  1. Identity Theft    258,427
  2. Shop-at-Home/Catalog Sales    62,811
  3. Internet Services    42,266
  4. Foreign Money Offers    32,868
  5. Prizes/Sweepstakes and Lotteries    32,162
  6. Computer Equipment and Software    27,036
  7. Internet Auctions    24,376
  8. Health Care Claims    16,097
  9. Travel, Vacations, and Timeshares    14,903
  10. Advance-Fee Loans and Credit Protection/Repair    14,342
  11. Investments    13,705
  12. Magazines and Buyers Clubs    12,970
  13. Business Opportunities and Work-at-Home Plans    11,362
  14. Real Estate (Not Timeshares)    9,475
  15. Office Supplies and Services    9,211
  16. Telephone Services    8,155
  17. Employ. Agencies/Job Counsel/Overseas Work    5,932
  18. Debt Management/Credit Counseling    3,442
  19. Multi-Level Mktg./Pyramids/Chain Letters    3,092
  20. Charitable Solicitations    1,843

That’s 258,427 cases of identity theft in one year, in one country! The total fraud losses recorded in this report totals more than $1.2 billion. The full report is here.

Tax Refund Scams Have Reached Australia

The tax refund scam mentioned a few days ago now comes in an Australian version. It’s the same email and same scam but customised to look like the Australian Tax Office (ATO). They even make a fake website that copies the ATO’s website.

The scam involves asking people for their credit card number, expiry date, security code, and other personal details.

australia