Wednesday, July 07, 2010

Phony Collectors Want Your Credit/Debit Card Information

About a week ago, I was made aware of a fraud group operating from a Tampa, Florida number, who were calling people and using some pretty heavy-handed tactics to collect (steal) money. Interestingly enough, the person that let me know about this had never done business with the company being impersonated.

Please note, there might be a reason for alarm even if you don't think you owe a debt and a collector calls. With more and more people becoming identity theft victims, a call from a collector could be the first notification a person gets that someone else is using their information. Of course, in this instance, since the calls were bogus, it was not the case. In fact, if you give these scammers any information they can use, you will likely become an identity theft victim yourself.

The person who provided me with this information also provided me with the number she was called from. I called the number and, after a slight delay, I got a person with a Indian accent, who identified himself as "William Scott" from ACS, Inc. Leading him on, I told him my wife was always getting us into trouble by borrowing money — and that we had received a message to call them. He asked me for my wife's name and I made one up. He then told me to wait a minute, while he looked up the file. After about a minute, he said he had located the file and that she owed $500.00, and said this was a "serious legal issue we needed to get cleared up right away." He even offered to settle for $300.00, if I paid that day with a debit/credit card.

During my conversation with William, I could hear the chatter of other calls being made. Listening carefully, I noted that all the people, "chattering" in the background seemed to have Southern Asian (probably Indian) accents. This leads me to believe that the call was being forwarded, possibly overseas. This is not hard to do and there are a lot of legitimate call centers where callers are forwarded from a local number, all over the world.

I gave him an e-mail address so he could send me a payment authorization form and he told me to fill it out, sign it and e-mail it back to him. About an hour later. I got the form coming from an e-mail address, acscorpusa@gmail.com. It asked for personal identifiers, the card number, billing address, zip code, expiration date and CVC number. There is very little doubt in my mind if I had sent the form back to him the account I gave them would have been promptly cleaned out.

I ran the number (813-434-4611) on a site called PhoneValidator.com, which tells you what company a number belongs to and if it is a cell phone or a landline. This number belongs to a PaeTec Communications in Tampa, Florida. PhoneValidator.com offers two additional tools after you run the number. One is primarily a paid search (how they make money), but they offer Google results, also. When I ran the Google results, it identified the same scam, I had run into. One site, 800notes.com, had quite a few comments about it.

The payment authorization letter listed a fax number of 646-786-4401. I ran that number and it went to a landline in New York. Again, I ran the Google results, which revealed more people getting faux collection calls. Besides the fax number on the authorization letter — designed to clean out a payment card — was another number (813-435-1963) to call them back. Although, it was another Tampa number, it went to different telecom outfit. By running the Google results, lo and behold, more complaints about phony collection calls were found, some of which stated that some pretty crude and disgusting comments were made by some of these fake collectors.

Based on the comments I found, it appeared that this activity had been going for a long time, and the Indian accents seems to be a common theme. I did report this to the authorities — but besides getting an initial call back — I haven't heard anything from them since then.

It is not uncommon for scammers to set up legitimate sounding numbers, either. As long as the bill gets paid, very little due diligence is conducted by telecom types to ensure a number actually belongs to what it says it does. Sometimes the numbers are paid for with stolen financial instruments, and it is not uncommon to call one back a week later and find it has been disconnected.

I did more research on this activity and discovered that the BBB had an interesting write-up about similar (if not the same) fraudulent collection activity. The report lists 67 complaints they had received. Another write-up in August of 2009 from the BBB suggested that the scammers had so much personal information about the victims — a data breach was suspected. In this case, it was reported that the people behind this had social security numbers, addresses and knew how to contact their victim's relatives. It also stated that people were being threatened with criminal prosecution, if they did not pay.

If you are called by a collector and you do not know anything about the debt they are talking about, you should always ask them to send you documentation proving that you owe the debt. The Federal Trade Commission (FTC) has information on their site on what your rights are and the specific laws that legitimate collection agencies have to follow. You can also file an online complaint (highly recommended if you suspect abuse) and even watch a video on how to do it properly. They also provide a number (1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261) if you want to speak with a live human being.

The phenomenon of fraud by telephone is becoming more and more common. Officially dubbed "vishing," which is phishing by telephone, the people behind it spoof financial institutions to gather personal and financial details to commit identity theft and financial crimes. Cheap long distance — enabled by VoIP (Voice over Internet Protocol) — and caller ID spoofing (which is legal) have made vishing pretty easy to accomplish.

If you get a phone call that doesn't make sense, take a deep breath and then make sure the person calling you is legitimate before proceeding!

Saturday, January 02, 2010

Will 2010 be a Banner Year for Identity Thieves?

For the past six months or so, this blog was put on hold. I could come up with a lot of excuses why it was put on hold -- such as increased workload and job responsibilities -- but I probably just needed a break from writing.

Now that I am taking a look at getting back into blogging, it doesn't appear much has changed in the fraud arena or that the news is getting better. Of course, I probably already knew that. After all, I didn't get much of a break from all the fraud that is going on out there, I merely wasn't writing about it.

For instance, Jay Foley at the Identity Theft Resource Center did a recent interview with Tom Field at Bank Info Security and is predicting some scary trends for 2010. Two of the predictions are that medical identity theft and too good to be true scams will be on the rise.

I can attest to the too good to be true schemes being on the increase. They happen all over North America on a daily basis. Strangely enough, the scams seem to recycle themselves and use the same bogus financial instruments, over and over, again.

"Well, first and foremost we are going to see a lot more scams. Because of the tough economic times, we are seeing a lot of scammers come out of the woodwork and try to suck you into this quick job, that quick job, here make a little extra money, and invariably what happens is you find yourself on the hook for greater debt and greater problems because you went to work with these scammers," according to Jay Foley.

Besides this, Jay is predicting an increase in medical identity theft, which struck me as "interesting" given all the media attention on health care legislation. Apparently, he is seeing a lot of people, who are without insurance, use some else's name and social security number to piggyback on someone else's benefits. In the article (also a podcast), Jay aptly points out that the medical industry has been plastering social security numbers on just about every document they create for years.

It should be noted -- especially as move towards digital medical records -- that in the wrong hands these records can be used for more than medical identity theft. The same information can be used to commit a host of financial crimes, including scamming the government and the insurance companies. In case you missed it, the WSJ did a story on the subject, where an insider (employee) downloaded 1100 records, which were later used by his cousin to commit $2.8 million in fraud.

There is no doubt that medical records have been identified as an easy place to steal information by the criminal element. The "trillion" dollar question right now is if making these records digital is going to make the problem worse? Only time will tell.

Estimates on medicare fraud vary greatly, but some go as high as $80 billion a year. Please note this is an estimate on medical fraud in the public sector and doesn't account for the fraud directed at the private sector. The NHCAA (National Healthcare Anti-Fraud Association) is a good place to see all the different aspects of this growing problem. The end result is a monetary loss that we all end up paying for, whether as a taxpayer or a consumer.

It's pretty hard to get an accurate estimate of how much fraud occurs, we can only guess what it might be based on the known incidents. The reality is the more successful frauds are never discovered. After all, most of the people committing fraud go to great lengths to keep their activities anonymous. It is bad for business, otherwise.

So far as industries that will be targeted, Jay predicts the payment services industry and medical industry will be the most attractive to information thieves. Is this because the payment services industry is where there is instant access to money and the medical industry has an abundance of easily accesible information to steal?

Also predicted is that the scammers, hackers and identity thieves behind these schemes are going to be much younger. Citing the urban legend status given to Albert Gonzalez (28), who has now been identified as being a member of the Shadow Crew and behind the TJX, Heartland and Dave and Buster's breaches as a fueling factor. According to Jay, his group is seeing a trend where teenagers are putting up fake e-commerce sites etc. etc. to steal payment information and steal money.

Jay also points out that most information theft is being done by insiders, or people who are given access to it. I've always said that you can have the best security systems out there -- but if you give the wrong person access -- even the best systems can be redered useless. With information being worth money, people can be recruited or even planted in organizations to steal it. While the Albert Gonzalez types make good news stories, if an organized crime group (or lone crook) wants to get in a system, it's a lot easier if they have an inside connection.

Perhaps we need to take a step back and realize that the human being is the most important part of any security equation. Human beings are on both side of the equation, whether they are the victim or the victimizer. As long as we continue to maintain information in easily accesible places (to make money) and send it (electronically) all over the place, we are going to have a problem.

You can read more about Jay Foley and the Identity Theft Resource Center (highly recommended), here.