Friday, May 16, 2008

Mortgage scams target the "already unfortunate!"

I guess I'm one of the luckier people out there. When housing prices skyrocketed, I chose to remain happy with my humble digs and watch the frenzy. Now that the bottom has fallen out of the housing boom, at least I'm still semi-whole.

The reason I can only say that I'm semi-whole is that last month I mailed a check to the IRS. In reality, it's probably going to be "proceeds from tax coffers" paying for the mess that was created.

There was fraud in the housing boom. Exactly how much, nobody really knows or is saying. With a lot of desperate people out there -- one thing is for certain -- there are going to be dishonest people approaching them with fraud schemes promising to get them out of their current dilemma.

The FBI just released an interesting report showing fraud trends that contributed to the current financial crisis the housing boom has caused. It's key findings were that mortgage fraud is on the rise, subprime loans contributed to mortgage fraud, the downward trend in housing will continue and that the current financial crisis is creating a new wave of fraud targeting the people, who have already lost their shirts, as as result of this crisis.

From the press release on this subject:

The latest mortgage scams run the gamut: from “builder-bailout” schemes where developers unload excess inventory through financial trickery…to foreclosure rescue frauds that trick homeowners into signing over the deed to their house; from seller-assistance scams that use false appraisals to sell homes…to identity theft that leads to home equity credit lines being opened and drained. See the report for more details.

The report lists the two main categories of mortgage fraud:

Mortgage loan fraud is divided into two categories: fraud for property and fraud for profit.

Fraud for property/housing entails misrepresentations by the applicant for the purpose of purchasing a property for a primary residence. This scheme usually involves a single loan. Although applicants may embellish income and conceal debt, their intent is to repay the loan.

Fraud for profit, however, often involves multiple loans and elaborate schemes perpetrated to gain illicit proceeds from property sales. It is this second category that is of most concern to law enforcement and the mortgage industry. Gross misrepresentations concerning appraisals and loan documents are common in fraud for profit schemes and participants are frequently paid for their participation.
The full report, which goes into a lot of detail on current trends can be seen, here.

Besides the latest report, the FBI has a page on their website dedicated to educating the average person how they might be taken to the cleaners as a result of mortgage fraud.

The page has information on a lot of the recently discovered schemes. Included is a well-written story about a pretty scary phenomenon called, "house stealing."

House stealing is where mortgage fraud meets identity theft.

… The con artists start by picking out a house to steal—say, YOURS. … Next, they assume your identity—getting a hold of your name and personal information (easy enough to do off the Internet) and using that to create fake IDs, social security cards, etc. … Then, they go to an office supply store and purchase forms that transfer property. … After forging your signature and using the fake IDs, they file these deeds with the proper authorities, and lo and behold, your house is now THEIRS.*

Although not considered common, there was a recent case in Southern California involving a variation of this scheme and it involved over 100 homeowners. More recently, the Boston Globe reported that 11 individuals were indicted in a $10.6 million loan fraud scam. Straw buyers and identity theft are part of the formula in this case, also.

And it doesn't only happen in the United States, I've read of this occurring in Canada, also.

The FBI has allocated 200 agents and 33 task forces to investigate mortgage fraud, according to an article in Reuters that quoted FBI Director Robert Mueller. The article mentioned that 19 major corporations are under investigation and Mueller referred to the FBI's involvement in investigating the Saving and Loan crisis, Enron and World.com, while delivering his speech.

If you happen to get approached with an offer that seems a little too good to be true (or are suspicious of a past scheme) you can report the matter to the FBI. The people behind these schemes have caused a lot of pain and suffering for a lot of people and besides that, if you pay taxes, you are probably paying for this problem.


(Courtesy of the FBI site - click for larger image)

Wednesday, May 14, 2008

Another law suit filed against Lifelock identity theft protection services in West Virginia

Despite all the publicity that Lifelock continues to do well, a third class action has been filed against them for misleading advertising in West Virginia.

From the PR Newswire release:

Marks & Klein, LLP today filed its third class action lawsuit against LifeLock, Inc., a provider of identity theft protection services, and its CEO Richard "Todd" Davis. The lawsuit was filed in the Circuit Court of Jackson County, West Virginia (Docket No. 08-C-69), on behalf of Kevin Gerhold of Falling Rivers, as well as all other LifeLock subscribers in West Virginia.

This follows similar class actions filed in New Jersey and Maryland.

"The lawsuits allege that LifeLock and its multi-million-dollar advertising campaign provided false and misleading information about the limited level of identity protection the company provides, and failed to warn them about the potential adverse impact the company's services could have on their credit profiles," according to the press release.

Additionally, the release alleges that Lifelock CEO, Todd Davis has been a victim of identity theft multiple times since using his SSN as a marketing tool to sell the service.

So far only one instance of this has been reported. Here is what I wrote about it in a previous post about pending litigation between Experian and Lifelock:

Shortly thereafter, CEO Todd Davis made headlines when he organized a "posee," complete with film crew to go after the person, who stole his identity to get a loan. The identity thief in question was described as mentally disabled by the authorities and the charges were dropped because of the questionable tactics used, referred to as coercion.
So far as Lifelock not protecting people from all forms of identity theft, as alleged in all three of these actions, I offered my speculation (opinion) on what that was referring to:

Another reason there is no way to guarantee protection is that not all identity theft shows up on credit bureaus. Some examples of this are in cases of medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and last, but not least, when it is used to commit crimes of other than a financial nature.

The press release indicates that other law suits are being considered in other States.

An item of interest not disclosed in all the other actions was that a woman had her stolen debit card used to purchase identity theft services from Lifelock:

Beyond the charges leveled in the Complaints, lead counsel Paris related the story of a Wisconsin consumer who contacted the firm regarding her accidental experience with LifeLock. "Her debit card was stolen and the thief had the audacity to use the card to buy a subscription to LifeLock," he noted. "Most disturbingly, LifeLock issued the subscription to the thief in the thief's name, clearly failing to verify the appropriate information."

I guess the person, who did this believes in protecting their own identity, at least, as long as, they aren't paying for it, themselves?

The services offered by Lifelock aren't much different than a lot of other services being offered by other companies. This has often led me to wonder if the actions against Lifelock are only the beginning?

The identity theft industry, which is growing at a double-digit rate, has attracted a of start up companies and it can be difficult for the consumer to determine exactly what they are paying for.

Most of the experts (not selling services) agree most people can fix their identity for free, and in the long run, they might do a better job of it, themselves.

If someone were to do this, a good place would be the FTC's Identity Theft page. Other decent free resources are the Identity Theft Resource Center and the Privacy Rights Clearinghouse.

Tuesday, May 13, 2008

State's top lawman takes a "Don't mess with Texas" approach to fighting identity theft


(Texas Attorney General Greg Abbot)

Texas Attorney General, Greg Abbott, is teaching the business world not to mess with the personal information of Texans.

Using a series of laws that he wrote an essay on, AG Abbot has taken legal action against Radio Shack, CVS Pharmacy and CNG Financial Corporation doing business as as Check and Go and Southwestern & Pacific Specialty Finance for not properly protecting people’s information. His office also has pending action against “Select Physical Therapy Texas Limited Partnership and its parent company, Select Medical Corporation, as well as Minnesota-based LifeTime Fitness for improperly discarding customer records,” according to a press release on his site.

Notably, it didn't take a crack team of computer security geeks to crack these cases. In all of these instances, the investigators used a more old fashioned, but often effective investigative technique called dumpster diving.

Going back to my original premise that there is a lot of unprotected information being compromised too easily, these cases represent how much low hanging fruit is available to identity thieves.

This probably wouldn’t surprise anyone who has taken a look at Attrition.org’s Data Loss Database - Open Source. Fairly frequently, mass amounts of information go missing for not very "technical" reasons.

On Tuesday, the Texas AG site announced a new tool to assist Texans in recovering from becoming an identity theft victim:

The Attorney General’s Identity Theft Victim’s Kit offers a step-by-step priority checklist that victims can use as soon as possible to prevent further damage. Once the identity theft has been confirmed, for example, victims should quickly close all bank, credit, utility and service accounts. Next, victims should contact one of the major credit bureaus and request that fraud alerts or security freezes be placed on their credit reports. This action prevents new accounts from being opened fraudulently under victims’ names.

Also mentioned in the press release is that it still pays to report identity theft to the Federal Trade Commission. They point out that, "many creditors will accept this affidavit on victims’ behalf in lieu of a police report about the crime."

They also point out something that I think is even more important:

A recent trend among identity thieves suggests the criminal may use victims’ personal information to obtain a driver’s license, file for bankruptcy, seek Social Security benefits or apply for a passport. In such cases, the Identity Theft Victim’s Kit instructs victims to immediately contact any government agencies approached by identity thieves.

A lot of people have been led to believe that the final solution to preventing identity theft is to monitor your credit bureau. Unfortunately, a lot of this has been driven via advertising campaigns by some of the pay for protection identity theft services.

Identity theft isn't only a problem in financial crimes. Criminals steal identities to work, obtain government benefits and to commit a wide range of "other than financial crimes."

Critics of the pay for protection industry have often pointed out these paid services, although convenient, accomplish what a person could do free-of-charge, themselves. Since it is an unregulated industry, the services offered varying levels of protection, also.

There are some of these services that are way better than others, and if you decide to go shopping for one, the term "caveat emptor" (buyer beware) is a wise principle to apply.

This site, http://www.texasfightsidtheft.gov/index.shtml, offers one click access to all the steps a person needs to take to recover from becoming an identity theft victim. It also offers a lot of resources that a prudent person can use to prevent identity theft.

After reviewing this site, I noted that it could be used by citizens of just about anyone residing in the United States of America.

In closing, the approach taken by Attorney General Abbott and his office is refreshing and a lot of other elected officials would benefit from studying what I consider a "no nonsense" approach to combating identity theft.

Sunday, May 11, 2008

Symantec May Spam Report reveals IRS e-mail leads to vampire game?

Symantec just released it's monthly spam report. I always find these reports a valuable tool to see exactly what trends the cybercriminal and less than ethical e-commerce communities have been up to in the past month.

Although most of us view spam as a major nuisance, the fact remains that spam is the preferred vehicle of marketing garbage and ripping off human beings on the Internet.

This month continues a nasty trend where spammers and phishermen (identity and information thieves) continue to manipulate Google's search engine:

For some time, spammers have used reputable brands to try and deliver spam and phishing messages to end-users. In the last year, Google has become a favorite target for some spammers. In November 2007, Symantec reported the emergence of a technique where spammers manipulated Google’s advanced search query and the “I’m feeling lucky” option to direct users to a spam site. In February 2008, Symantec reported that spammers had manipulated parameters in Google URLs used for AdSense and redirected unsuspecting end-users to a spam website. In April 2008 phishing emails purporting to come from the Google AdWords service have emerged. Google AdWords is a service that allows advertisers to intelligibly connect with individuals who search using Google. In the Google AdWords phishing samples that have emerged, the end-user is encouraged to click on a link to update their billing information and/or renew their account. The link in these phishing emails leads to a fraudulent website where personal information is requested and harvested.
Spear phishing, where specific people are targeted arrived in inboxes in the form of fake government subpoenas addressed to corporate executives. Also seen were come-ons to become a movie star, spam being sent in the form of instant messages and the 419 (Advance Fee) boys inserting calendar reminders in their spam to remind people send them their money.

While closely related to the long known use of job sites to gather information to commit identity theft, a new twist has been noted where professional networking sites are used for this purpose, also.

From the May report:

One of the side effects stemming from the growth of personal and professional networking sites is the increase in unsolicited emails that operate under the guise of connecting business professionals with their peers. The recipient is asked to join the “inner circle” and is encouraged to supply the network with their professional history by clicking on a URL which brings the user to a registration page. The page requests personal information that could be used for identity theft and could fuel future spam attacks.

In these monthly reports, Symantec normally has one twist with a particularly ghoulish or amusing angle. This month is no exception and they are reporting an IRS spam campaign that leads to a site where you can raise a vampire from the dead:

This time, instead of the refund link taking you to a site to steal your credentials, the link takes you to a popular web-based game in which you incarnate a vampire. The vampire gains more power every time end-users click on his link. It’s a rough, dark world out there… be warned.
I found this especially ironic because scammers and spammers are often referred to as ghouls or vampires when being described in literary terms. So far as the connection to all of this with the IRS, I'll leave that to the reader's imagination.

The IRS having their name spammed is nothing new. As predicted, there is an IRS spam (phishing) campaign going on right now using the tax stimulus program as a come-on to steal personal and financial information, which will probably be used to commit financial crimes. I'm predicting this might be a topic of interest on the June Spam Report.

The full report on the State of Spam for the month of May may be seen courtesy of Symantec, here.

FBI reports tax stimulus phishing campaign underway

The FBI Cyber Investigations Division issued a press release that spammers are phishing for people's personal details using the tax stimulus program as bait.

The Federal Bureau of Investigation warns consumers of recently reported spam e-mail purportedly from the Internal Revenue Service (IRS) which is actually an attempt to steal consumer information. The e-mail advises the recipient that direct deposit is the fastest and easiest way to receive their economic stimulus tax rebate. The message contains a hyperlink to a fraudulent form which requests the recipient's personally identifiable information, including bank account information. To convince consumers to reply, the e-mail warns that a failure to complete the form in a timely manner will delay the issuance of the rebate check.

My guess is that the intent in getting your bank account information is to take it over and drain it of all it's assets.

Please note that phishing normally requires a person to willingly give up their information, but more and more, a new phenomenon is being seen called a drive by infection is being seen in the "wild" a.k.a. the Internet.

I wrote about this recently in a post called, "Nowadays, all you need to do is visit the wrong site to have your personal information stolen! "

As noted in the post, the phishermen have been seen using social engineering ploys, along with malicious software in conjunction with each other.

If you want to learn more via FBI recommended educational tools, or report a phishy e-mail, here is a way you may do so:

Please notify the IC3 by filing a complaint at www.ic3.gov. More information on scams is also available on www.fbi.gov and www.lookstoogoodtobetrue.com.

You can also report IRS related phishing scams to phishing@IRS.gov, here.

FBI press release with example of one of the phishmails, here.

In case you want to see when you are going to get your "actual" stimulus check (if you qualify), the IRS has a tool to figure it all out on their site.