Computer Protection Program Berkeley Lab
Computer Protection Program at Berkeley Lab Security
Ernest Orlando Lawrence Berkeley National Laboratory
  PROCEDURES FOR SECURING SYSTEMS  
Scams  

Nearly everyone here at the Lab uses the Internet to send and receive email every day. One of the unfortunate downsides is that spammers harvest email addresses and send junk mail, or "spam," to them to advertise a variety of products and services. Spam is irritating, but it is not intended to be malicious, as opposed to "scam mail." Scams are schemes designed either to make money illegally, usually by attempting to convince recipients to provide credit card or personal identity information, or to damage or take over recipients' systems by tricking users into taking one or more undesirable actions. Scams that attempt to trick users into providing financial information to be used in identity theft schemes are often called "phishing schemes."

The number and types of Internet scams are increasing. Currently, the most frequent types of scams use bogus messages with the following types of content:

  1. A fictitious person (often appearing to be from Africa) offers a large financial reward for depositing what is described as a large sum of money on behalf of people who describe themselves as deposed leaders or as the widows and/or children of an assassinated ruler. But the recipient must first send money as an "act of good faith."

  2. A fictitious person (often appearing to be a lawyer from Africa) states that you, the recipient, are the next-of-kin of a recently deceased person who has the same last name as yours. You allegedly stand to inherit a large sum of money, but again you must first send money for one of a variety of reasons, including paying legal fees.

  3. An organization such as a bank (e.g., Washington Mutual, Wells Fargo, or another) appears to send a message that informs recipients that for some reason (e.g., an alleged software upgrade that has just occurred or, ironically, supposedly to protect customers from identity theft) they need to update their account number, PIN number, and personal information. To do this, recipients must visit a certain Web site. This type of message generally states that updating account and other information is mandatory, and that failure to do so will result in suspension or revocation of the recipient's account.

  4. A software vendor such as Microsoft Corporation appears to send messages that state that, for security's sake, recipients need to download and install an attachment that comes with the message. One version of this type of bogus message tells users that they need to reinstall their operating system because what is described as a newer version will cause the recipients' computers to "run faster." All the recipient needs to do, according to these messages, is "click here." "Clicking here" or downloading any such attachment installs a malicious program that might do anything from attacking other computers to installing keystroke loggers that, without users' knowledge, capture all input they enter (including credit card numbers and other personal and/or sensitive information).

Worse yet, scams are for the most part becoming more credible. Scam messages now usually include full-color logos of the corporations that have purportedly sent these messages. Indicated URLs also appear to be highly credible — a phishing message might, for example, contain a link to www.bankofamericaupdate.com, something that looks very close to the URL for Bank of America's Web site.
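One way a mail filter or a curious recipient could test links for the look-alike pattern described above, as an added example that is not the Lab's own code: it flags a link whose hostname contains a known brand name but whose registered domain is not one the brand uses. The allow-list, the function names, and the sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list (assumption): brand keyword -> domains the brand really uses.
BRAND_DOMAINS = {
    "bankofamerica": {"bankofamerica.com"},
    "wellsfargo": {"wellsfargo.com"},
    "microsoft": {"microsoft.com"},
}

# Matches http(s) links and bare "www." links in a message body.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"')]+", re.IGNORECASE)


def hostname_of(url):
    """Return the lowercase hostname, accepting scheme-less 'www.' links."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host):
    """Last two labels. Simplification: ignores suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def lookalike_brand(url):
    """Return the brand a link imitates, or None if nothing looks wrong."""
    host = hostname_of(url)
    squashed = re.sub(r"[^a-z0-9]", "", host)  # drop dots and hyphens
    for brand, real_domains in BRAND_DOMAINS.items():
        if brand in squashed and registrable_domain(host) not in real_domains:
            return brand
    return None


def suspicious_links(message):
    """Map each suspicious URL in a message body to the brand it imitates."""
    hits = {}
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;")  # trailing sentence punctuation is not part of the link
        brand = lookalike_brand(url)
        if brand:
            hits[url] = brand
    return hits


# Constructed sample message; the first link is the example from the text.
SAMPLE = (
    "Your account will be suspended. Update it at www.bankofamericaupdate.com "
    "or read https://www.bankofamerica.com/security for details."
)
```

A real deployment would replace the two-label shortcut with a public-suffix lookup and maintain the allow-list from the organizations' published domains.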

The bottom line — don't be fooled by Internet scams. Just forward any suspicious messages of this nature to spam@lbl.gov and then delete them. Be sure to avoid forwarding them to others. In general, treat unsolicited messages and especially attachments as suspicious, even if they pass through the Lab's VirusWall, which, fortunately, identifies and deletes a large proportion of scam messages once it is updated to recognize them. Never open attachments unless you are expecting them. For unexpected attachments, call the sender to confirm before you open them or send them to cppm@lbl.gov first. Be very suspicious about giving out credit card information, PIN numbers, your social security number, your mother's maiden name, and other types of information that could be used in an identity theft.
