Sep 12, 2006

14,000 Phishing Sites in July--An All-time Record

Over 14,000 phishing websites were detected in July. And this represents over 154 “brands” (PayPal, banks, credit unions, etc.). Got this from Computerworld.

The number of phishing sites -- or fraudulent Web sites that try to fool people into handing over sensitive personal information -- rose to 14,191 in July, an 18% increase over May, the previous all-time high, said the Anti-Phishing Working Group (APWG). The fraudulent sites mimicked a record 154 brands, up 20% over June and 12% over the previous high, also recorded in May, APWG said.

According to Symantec (via ZDNet), in March 2006, there were nearly 8 MILLION phishing emails sent every day.


Sep 09, 2006

Someone is Violating Copyright Law and Stealing My Content

Someone at Version2 Web Development, Textlinkbrokers, and 360 Enterprises is stealing my content, in clear violation of U.S. federal copyright law.

He’s responsible for a splog located at charliesidentitytheftblog.com . He steals my blog posts and plugs them into a robot-like spam blog. It appears he started doing this in August.


Sep 08, 2006

What is pretexting? How is it related to identity theft?

I wrote a post about this in April of 2004 on my first identity theft blog, scamsafe.com. You can find the pretext article here.


Some thoughts on the H-P board scandal

I’ll assume you are aware of what is going on over in the Hewlett-Packard board room. I won’t opine on it directly. But I will add this. Pretexting is not identity theft. Pre-texting is a method, a means to gather information. I wouldn’t even say that pretexting to get phone records is identity theft. Criminal fraud, maybe or maybe not. ID theft? No, unless a specific state law has written the term “phone records” into their identity theft law. And I am not aware of one that has. If you are, email me.

Why isn’t pretexting necessarily a crime? There is no federal law that makes pretexting illegal in all cases. There is a federal law (Gramm-Leach-Bliley Act of 1999) that prohibits obtaining customer information by false pretenses—from financial institutions. The only other federal jurisdiction might be the Federal Trade Commission, but that is pretty murky and they can only take civil action. Now, it is possible, I assume, for an attorney general or district attorney to broadly apply other fraud statutes in this case. But it may be an uphill battle. I’ll leave that to others to decide.

Update: Some REALLY great information and discussion is going on in the comments. Thanks to Stuart and Michael for your insights. I will follow up soon.

Update 2: This is a fascinating case, I wish I had time to dig into it more and blog about it. But I will just keep this follow up to the comments below tied to identity theft. Since the crimes occurred on persons and through records in California let’s examine CA penal code 530.5 which is the identity theft law. The private investigator used social security numbers, pretending to be certain individuals in the case, and opened online accounts at SBC/AT&T to view phone records via the web. And it’s possible the PI or their contractors did not unlawfully obtain the SSNs but paid for them through a service. The law is clear that a crime is committed when either (1) personal identifying information is used for an unlawful purpose, or (2) when someone, with intent to defraud, acquires or transfers that PIF.

530.5 (a) Every person who willfully obtains personal identifying information, as defined in subdivision (b), of another person, and uses that information for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services, or medical information in the name of the other person without the consent of that person, is guilty of a public offense…

(b) "Personal identifying information," as used in this section, means the name, address, telephone number, health insurance identification number, taxpayer identification number, school identification number, state or federal driver's license number, or identification number, social security number, place of employment, employee identification number, mother's maiden name, demand deposit account number, savings account number, checking account number, PIN (personal identification number) or password, alien registration number, government passport number, date of birth, unique biometric data including fingerprint, facial scan identifiers, voice print, retina or iris image, or other unique physical representation, unique electronic data including identification number, address, or routing code, telecommunication identifying information or access device, information contained in a birth or death certificate, or credit card number of an individual person.

(d) Every person who, with the intent to defraud, acquires, transfers, or retains possession of the personal identifying information, as defined in subdivision (b), of another person is guilty of a public offense…

It isn’t clear that phone records are PIF. However, subdivision (d) seems to apply. So this might be a 530.5 violation if someone obtained (doesn’t matter how) SSNs with intent to defraud (commit another crime), such as those Michael Webster points out in the comments. Whew. This is too complicated.

And by the way, Patricia Dunn doesn’t seem to have committed a crime in any way. The only possible criminals from where I sit would be the private eye and/or the contractor hired to do the digging. Although the whole thing stinks from an ethical standpoint. One director (Sonsini) assured other directors (Dunn, Perkins) that getting phone records wasn’t a crime. Dunn clearly approved the nasty investigation of other directors AND reporters. And the people hired by HP (or sub-contractors) might have committed a crime in order to obtain the information. What a disaster all around.

So, I’m with Michael Webster here. There just HAS to be a crime committed here. But I’m still not sure it was identity theft. I wonder if California will amend 530.5 to make subdivision B (the definition of PIF) more broad. Updated: The more I think about it, the more it sure seems like ID theft or damn close to it.

Update 3: It’s worth mentioning that it appears a Caller ID spoofing service was used in this case to fool AT&T customer service (read the link Michael points to in the comments). Probably a spoofcard. I told you these things are bad news.


Aug 23, 2006

Data brokers commit fraud to steal telephone data says AT&T

The AP via Cnet.com reports that AT&T filed suit against 25 data brokers that fraudulently get access to private phone records. Hey, this is nothing new. All a data broker, or private investigator, has to do is pretext: pretend to be YOU in order to fool the phone company into handing over your records. It’s easy. This is another example of why identity theft is not just about credit cards. With personal identifying information, a fraudster can unlock all kinds of doors.

AT&T has joined the fight to keep unauthorized data brokers from obtaining and selling its customers' calling records.

On Wednesday, the company's services division filed a lawsuit in U.S. district court in San Antonio, Texas, to block 25 unnamed "John Doe" defendants who have allegedly pretended to be customers to gain access to account information.

AT&T said that the so-called data brokers had fraudulently obtained records for some 2,500 customers. The company said this information was used mainly in legal and domestic disputes and that no driver's license numbers or sensitive financial data were accessible.

There is a little irony here, since AT&T was sued itself recently for providing sensitive data to the government. But that’s entirely different and it’s good that AT&T is doing something here about pre-texting and fraud.


Aug 18, 2006

Qchex: a scary online check company

Ted Richardson has a post on Qchex. I blogged about them in May 2005 over on scamsafe.com. They make it criminally easy to commit check fraud, or even worse, demand draft fraud. I was even contacted by NBC television about Qchex and I was going to write a long article about them. A Santa Barbara police officer I talked to about Qchex (he’s now with the Beverly Hills PD) told me it was remarkable how simple fraud was with Qchex. So much so, that he asked me to tell the TV guys to not do a story—and that I not write about it. He didn’t want the word to get out because, according to him, even a halfwit could use it.

Even more striking was this. A short time later, I was talking to a couple of fraud investigators for a large bank. Really nice guys. I asked them about Qchex and they just smiled and didn’t say anything. I asked again and they just kept smiling. That’s when I knew it was bad news. My advice: if you see an email, check or document that says Qchex on it, do not trust it.


Auction fraud is huge

It’s not news that Internet auctions are a huge business. So is auction fraud. In 2005, it was the second most reported fraud complaint, after identity theft, according to the FTC. There are lots of ways you can get burned in an auction on a site like eBay. One of those is counterfeit stuff. Ted has a post on his blog on How to Spot a Counterfeit on eBay.

Photo by jansun.


Aug 11, 2006

Trivia: Which U.S. law protects you from check fraud?

What is the name of the U.S. federal law that protects consumers from check fraud and limits your liability (for non-electronic transactions)? Submit your guess via email (see left sidebar) and wait for the answer next week. (I will update this article). The winner will be the first to provide a correct answer. Winner will get an exclusive sneak peek at our forthcoming product with a one-on-one demo by me. To learn more about the product, visit www.mytruston.com.

Answer: There is no specific U.S. federal law that limits your liability for check fraud. There are federal laws protecting consumers related to ATM/debit cards (EFTA), credit cards and other credit-based transactions (FCRA, FCBA, Truth in Lending act, etc). When you think about how easy check fraud is and how rampant it is, maybe that’s a little surprising. Here are some facts from Frank Abagnale (yep, that guy). 1.2 million worthless checks enter the banking system each day. And according to the Nilson Report, annual check fraud losses are well over $20 billion. And check fraud is growing, not decreasing as you might think.

But, the Uniform Commercial Code (UCC) does address check fraud. That isn’t Federal law but guidelines for state laws, which have been adopted, though not in their entirety, by 49 of 50 states. So the UCC is useful as a central place to research and reference. For example, the UCC clearly addresses liability related to check fraud and loss.

The UCC defines responsibilities for check issuers and paying banks under the term “ordinary care.” In sections 3–403(a) and 4–401(a), a bank can charge items against a customer’s account only if they are “properly payable” and the check is signed by an authorized person. So that protects account holders from bogus checks. But, if a signature is forged, the issuer may be liable if:

1. According to UCC 3–406, if the account holder failed to exercise “ordinary care,” they might be prevented from seeking any restitution from the bank—because the account holder’s own failures led to a forged or altered check. So, make it a practice to protect your checkbook and check writing materials. Also, UCC 4–406 requires that customers reconcile their statement within a reasonable time and report unauthorized checks immediately. Typically this means within 30 days of the statements being mailed. Ouch. Check your bank statements regularly and report suspicious activity immediately.

2. Or, according to UCC 3–406(b) and 4–406(e), if both the bank and account holder did not exercise ordinary care, the check issuer’s own procedures for writing checks will be examined to determine negligence. Banks are not required to physically examine every check, so customers may be held liable for all or part of the loss, even if the bank did not review the signature (so obvious forgeries could STILL leave you holding the bag). 

Last piece of advice. When you open a checking account you might have been entering into a specific contract with your bank related to your responsibilities and liability for fraud. Banks are required to clearly state these to customers. So you might be signing something that addresses these things, like how quickly you must report suspected fraud. 

Note: In my research for this blog post, I referenced Check Fraud and Identity Theft, Volume IV, by Abagnale and Associates. Any fraud or compliance experts that find any errors or omissions, please email or comment.


Aug 10, 2006

A foreign check cashing scam: InDigit

Updates below…

I probably receive two dozen emails a week from people asking about check cashing and work at home scams. There are hundreds or even thousands of these running simultaneously and they aggressively target people in the U.S. Often, but not always, they are run out of eastern Europe. They are very difficult for law enforcement to track and shut down. My guess is that many of them are run by organized crime rings or terrorist organizations.

One of their major ways of reaching people is through job web sites, online classifieds and social/community networks, such as CareerBuilder, Monster.com, Hotjobs, and Craigslist. The phony companies, people, and offers behind these schemes change constantly, but they have several characteristics that are similar. They offer a way to make money for doing virtually no work. It’s usually centered around cashing checks or wiring funds. And it’s always about working from home or independently. Their absurd and false business proposition is that they need agents, representatives or financial processors in the United States to help them process payments from U.S. customers or vendors. It’s a ridiculous concept—any foreign business that is legitimate would simply use a local office and bank to accept payments. THESE ARE ALL FRAUDULENT SCAMS. There are never any exceptions.

They will either use the “agent” to launder funds for them, steal funds from the agent themselves, or both. They dupe people by telling them they get a cut or fee for processing payments. They typically send you stolen, falsified or counterfeit checks. And the “job” is to deposit the checks in your account and wire funds to them (or write them a check and send via overnight mail). Often they use forged cashier’s checks as well, which fool people all the time. (Cashier’s checks are not cash, they are as risky as any other check. If you can steal or forge a regular check, why not a cashier’s check? Think about it.)

I have tracked hundreds of these, usually through my old blog scamsafe.com, which still gets dozens of comments a week from people asking about work at home scams. I can sniff them out in seconds. There’s a new one called InDigit that is worth checking out to get a taste of a more creative fraud attempt. Their web site is designed to fool you into thinking they are a legitimate business: www.indigit.net. Here is a link to their job offer on Craigslist for a “Project Agent” (it will hopefully be taken down soon). This is a totally fake company and bogus web site. They tell you they are a software company that has been in business for seven years with 250 employees. And yet, they registered the domain name July 2006.

The takeaway: assume any work-at-home job that involves depositing payments and sending funds is a scam. And to report an online scam, go to the FBI’s IC3 website at www.ic3.gov.

Update: Another point to add. The job boards are utterly useless in stopping this fraud. They are in the business of accepting ads, not taking them down. They do very little to stop it although they may talk a good story. I was contacted by CareerBuilder a while back and they promised they were diligent in fighting fraud. I took them at their word, reported some abuse and waited. I didn’t see any let up in scam job postings on their site. Their standard line is that people should report fraud and then they will shut it down. By now they should realize that job seekers don’t realize it is fraud until it is too late, and by then the fraudsters have re-posted using a different name and tactic. With two interns, they could cut bogus job postings significantly. Scan all their ads for certain keywords, monitor new job posting companies and flag accounts that use foreign addresses of any kind. And put a link on every ad that lets visitors flag a posting as suspect. That won’t catch them all but it’s a start.
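A sketch of the screening pass suggested above, as an added example (not code from this blog or from any job board): it combines the keyword, new-poster and foreign-address checks with the claimed-age versus domain-registration mismatch noted for InDigit. The ad fields, phrase lists and thresholds are assumptions, and both sample ads are constructed.

```python
import re
from datetime import date

# Phrase lists follow the traits described in the post; they are illustrative, not a vetted ruleset.
MONEY = re.compile(r"cash(?:ing)?\s+checks?|deposit\w*\s+(?:the\s+)?(?:checks?|payments?)"
                   r"|wir(?:e|ing)\s+(?:the\s+)?(?:funds|money)|process\w*\s+payments?", re.I)
ROLE = re.compile(r"\b(?:financial|payment|project)\s+(?:agent|representative|processor)s?\b", re.I)
REMOTE = re.compile(r"work(?:ing)?\s+(?:at|from)\s+home|home[- ]based", re.I)
YEARS = re.compile(r"\b(\d{1,2}|one|two|three|four|five|six|seven|eight|nine|ten)\s+years\b", re.I)
WORDS = {w: i for i, w in enumerate(
    "one two three four five six seven eight nine ten".split(), start=1)}
STRONG = {"handles-payments", "foreign-address", "domain-younger-than-claim"}

def claimed_years(text):
    """Largest 'N years' claim found in the ad text, or 0 if there is none."""
    return max((WORDS.get(m.lower()) or int(m) for m in YEARS.findall(text)), default=0)

def screen_posting(ad, home_country="US", new_account_days=30):
    """Return the reasons (possibly none) an ad should be queued for human review."""
    text, reasons = ad["text"], []
    if MONEY.search(text):
        reasons.append("handles-payments")
    if ROLE.search(text):
        reasons.append("agent-role")
    if REMOTE.search(text):
        reasons.append("work-at-home")
    if ad["poster_country"] != home_country:
        reasons.append("foreign-address")
    if (ad["posted"] - ad["account_created"]).days < new_account_days:
        reasons.append("new-poster")
    # A company claiming years of history on a domain registered weeks ago.
    domain_age = (ad["posted"] - ad["domain_registered"]).days / 365.25
    if claimed_years(text) - domain_age >= 1:
        reasons.append("domain-younger-than-claim")
    return reasons

def needs_review(ad):
    """One strong signal, or two weaker ones, sends the ad to a reviewer."""
    reasons = screen_posting(ad)
    return bool(STRONG & set(reasons)) or len(reasons) >= 2

# Constructed sample ads (fictitious companies, placeholder country code "XX").
SCAM_AD = {
    "text": "Project Agent wanted. We are a software company in business for seven years "
            "with 250 employees. Work from home: deposit payments from our U.S. customers "
            "and wire the funds to us, keeping a fee.",
    "poster_country": "XX", "account_created": date(2006, 8, 8),
    "domain_registered": date(2006, 7, 1), "posted": date(2006, 8, 10),
}
LEGIT_AD = {
    "text": "Accounts payable clerk, on-site in Austin. Our firm has served clients for 6 years.",
    "poster_country": "US", "account_created": date(2003, 1, 15),
    "domain_registered": date(1998, 5, 1), "posted": date(2006, 8, 10),
}

if __name__ == "__main__":
    for ad in (SCAM_AD, LEGIT_AD):
        print(needs_review(ad), screen_posting(ad))
```

The output is a review queue, not a verdict: a foreign address or a new account is common among legitimate posters, so flagged ads still need a person to look at them.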

Update 2: One of my readers sent an email to InDigit asking if they were a scam. This is the response he received from “Eva Habenicht”. It’s a funny read:

Dear X, We are insulted to the innermost of our hearts with you groundless suspicions. We know that in the Internet present false and knavish firms. Because of it there is not much confidence to our and other firms. But we build our business exclusively on the confidence and honest. We must to stop our collaboration if you have any suspicions in our honesty.

Update 3: Michael Webster is blogging about this here. He suggests, I think, that the job boards and social networks that post misleading “business opportunities” are in violation of Section 5 and 12 of the FTC Act. Now I assume that only the FTC itself can go after such violations. So Michael seems to be suggesting that the FTC Act be amended to allow for “private cause of action” which to me means allowing individuals to file suit for FTC Act violations.

Update 4: The scammers are watching. I noticed in my server logs that someone from the Russian Federation was reading my blog. They were referred to my website by an internal, hidden web page of a company called FranceSoftUnicom. That sounded suspicious to me. I visited their web site, and sure enough, it’s another bogus company. They also offer Financial Agent positions. Watch out for FranceSoftUnicom, it’s a scam also.


Aug 07, 2006

Lottery scams show no let up

Lottery scams, especially international lottery schemes, have been around a long time. The Internet makes it easier for the fraudsters to reach the public. A Canadian lottery outfit is warning Americans to watch out for a lottery letter scam. Typically these dirtbags will ask you for a fee in order to collect your winnings or maybe ask for your account numbers to wire you money. Then they steal your money.

Here’s the take away: U.S. residents can’t win a foreign lottery because they are not allowed in the U.S. There is no such thing as a lottery in Canada or any other country that offers sweepstakes and prizes to U.S. citizens.


We have moved to www.mytruston.com/blog




This work is licensed under a Creative Commons Attribution 2.5 License.