Dealing with online fraud - Part 1

What a tangled web the papers weave when they talk about the internet. Rarely a week goes by without another headline screaming about the latest online scam. From mysterious foreign businessmen offering hundreds of thousands of pounds for the benefit of transferring money to your account, to unexpected lottery wins disappearing like a magician's assistant in a puff of smoke, the internet is, we are assured, frequented solely by criminals, fraudsters and scam artists.

There is certainly some truth in these assertions because con men do target internet users in an attempt to steal money, but as with all confidence tricksters, the stings are easy to spot if you follow a few sensible rules.

What the tabloids rarely seem to do is tell us how to spot the signs of a classic con, but then scare stories sell more papers than sound advice ever will. In this feature, we're going to tell you the truth about online fraud, explain how to spot the tell-tale signs and explain how to deal with them. We'll also talk about some of the tools you can use to keep criminals at bay.

Evading fraud has always been a sad fact of life. From unscrupulous plumbers who charge an arm and a leg for tightening a washer, to the market trader flogging unwatchable copies of the latest Hollywood blockbuster, there is no shortage of shifty spivs eager to take you for a few quid.

Indeed scam artists are among the finest actors we have, using their powers of pretence to pull the wool over the eyes of the good natured while fleecing them in the process. Apparent respectability and charm are their tools and the advent of the internet has merely provided another stage for them on which to shine. But it doesn't take much to bring up the house lights and expose their schemes.

The majority of online frauds rely not on the new technologies in peoples' homes, but on taking advantage of their good nature. The best defence you have against online crime is common sense: knowing when someone is trying to get one over on you. Most cons start with an email, so we'll go through the main types of fraud, explaining how the con works, what the consequences could be and how to stop it happening.

The Nigerian email fraud
The most prevalent and well-known email scam is the Nigerian Fraud (also called a 419 after the code number for the crime used by the Nigerian authorities) which is also the easiest to spot. It starts with an email dropping in to your inbox from someone who is willing to pay you a hefty commission or simple cash gift to transfer some funds from their bank account to yours. The sender will invariably claim to be the child of a wealthy and recently deceased diplomat or a businessman fleeing a country because of political upheaval.

The deal is simple: you will be asked to provide details of your bank account, and possibly to transfer a fee to the sender's bank account. The reason for this, you are told, is so that the (usually very large) sum can be placed in your account.

You are asked to send money to cover 'administration' fees and the sting occurs when you hand over the money, the details or both. If money is sent, that's usually the last you will ever hear of the matter, and no promised funds will appear. If you've handed over bank details, however, it could get a lot worse as the crooks will drain your bank account or steal your identity and run up huge credit card bills in your name.

This is a growing problem, although only a small proportion of ID theft is committed online, with most caused by discarded bank statements and the theft of other documents. We'd strongly advise you to read the guidelines on this matter provided by the Metropolitan Police here.

The Nigerian sting sounds daft, doesn't it? It is, but thousands of people around Europe have fallen for it. It is thought that many more don't report the crime because they feel so foolish. The golden rule here is to keep your wits about you. Why would this random stranger pick an unsuspecting home PC user to deal with such a large transaction?

Confidence tricks work by luring people into believing that they can make a quick buck. Deep down, we all know that great rewards do not come without hard work, unless there's something illegal going on. There are some examples of actual 419 emails here so you can see what to look out for and delete them.

How con men make contact
Don't be concerned if you receive a 419 email - simply delete it. You have not been personally targeted and there will be no consequences if you do not reply. The people behind the scam send hundreds of thousands of these messages at a time in the hope that just a handful of people will be naive enough to respond.

It's worthwhile for the crooks because sending the emails cost nothing. They get your address in one of three ways, the first of which is by using automated scanning tools to search for email addresses submitted on public forums. Most of us have registered online for a newsletter or signed up to a forum. Most keep addresses hidden but some store them on web pages.

Another productive method is to guess addresses by using a tool that runs through every known combination of names, initials and words in the dictionary, then sending them to popular domain names such as hotmail.com or yahoo.com. When sending the email is free, there's no real limit on how many addresses the crooks can try.

Finally, there are some companies that exist purely to harvest valid email addresses online and sell them to marketing companies. Some of these specialists are none too careful about who they sell their lists to.

In recent years, the people behind the 419 trick (and they are with few exceptions organised criminals based in Africa) have added extra frills to the con to gain their victims' confidence. All manner of identification may be provided, such as scans of official-looking documents. You may be sent links to other online evidence of the sender's authenticity, such as companies and even profiles on online dating websites.

All look credible but are fake. The key giveaway will be a line claiming that, although the situation appears to be a 419 email, it most certainly is not. The Metropolitan Police provides more information here.

An even nastier version of the 419 fraud involves criminals who insist that you do not have to hand over any details but simply want to arrange to meet you. Initial meetings usually appear perfectly respectable, but at some point your details will be stolen. In some cases, people have even been lured to Africa to finalise the deal, often the prelude to robbery, assault and, in one case, murder.

If you have handed over any information, including telephone numbers, addresses, postcodes or banking details, contact your local police. You can find out more about email crime and register for an update of newly found cons here.

The Phisherman's tale
The Nigerian Fraud has garnered many admirers in the criminal world, and has spawned thousands of subtle variations. Some UK surfers have been fooled by emails telling them that they have won a foreign lottery, but first must pay a fee to receive the money. The fact that they had no knowledge of entering such a lottery failed to alert some people who believed in the existence of the quick buck.

Subtler frauds are also afoot, though. Phishing is a process by which criminals try to get you to hand over your bank account or credit card details by pretending to be your bank. You receive an email that appears to come from a bank with which you have an account. Like the Nigerian emails, they are sent at random, so don't be alarmed.

It will ask you to confirm your username and password under the pretence of a computer failure at the bank's headquarters, an audit of customers or something similar. The email often contains a link to a website that is almost identical to that of the bank in question, but it's a fake.

The victim is prompted to enter the sensitive information and then their account is promptly drained or used to run up huge bills.

The phisherman's tale is the tallest of tall stories. No bank or building society will ever request information in this way, because email is not a secure method of sending information. It's a bit like sending a postcard; anyone could read it if they wanted to go to the trouble of searching hard enough for it.

This doesn't mean that your personal emails are available for public viewing online, but Trojans can be used to install programs that can scan messages for what appears to be confidential information, such as number sequences that could be banking details. But why go to the bother of doing this and scanning millions of everyday emails when it's easier to con somebody into handing over the details willingly?

Online auction sites don't ask people to 'confirm' user passwords in this way either, so if you receive any such emails just delete them. There is some worrying news on this front, however, with attacks becoming more sophisticated.

The security company Messagelabs says it has found evidence of a new type of phishing email that can access accounts without users handing over their information. It works by taking advantage of yet another Windows flaw. Many email programs automatically preview the contents of an email before you actually open it and the new phishing email uses this feature to run a small program.

Nothing happens, but the next time the user accesses their online bank account, the program records every key typed on the keyboard and emails it secretly back to the fraudster, who can then look for usernames and passwords.

Microsoft has released a patch for this vulnerability, which you can download from Windows Update. You can also get Windows Service Pack 2 (SP2), which will seal lots of other loopholes through which con men can sneak. If you haven't downloaded SP2 yet, make sure you back up all your important files before doing so.

You can also change a few Windows settings to combat phishing emails. In Internet Explorer, choose Options from the Tools menu and click on the tab marked Read. Make sure the box marked 'Automatically download message when preview pane' is not ticked. Then click on the Security tab and ensure you have ticks in the boxes marked 'Warn me when other applications try to send mail as me' and 'Do not allow attachments to be saved or opened that could be a virus'.