Basic Identity Theft Precautions
Your Identity for a Free Gift Card
IRS warns of ‘tax refund’ e-mail scam

Basic Virus Precautions
"Free Services" Stealing Personal Info

Name: IRS warns of ‘tax refund’ e-mail scam
Type: Scam

Dec. 2, 2005—IRS is warning consumers against a phish e-mail scam that directs them to a Web site to enter personal identifying and financial information in order to receive a tax refund.

The bogus e-mail, which claims to come from “tax refunds@irs.gov,” tells the recipient that he or she is eligible to receive a tax refund for a given amount. It provides a link that recipients are supposed to follow to submit a form online. Recipients are also asked to provide personal identifying and financial information—the kind of information used by ID thieves to defraud consumers of their funds and credit.

Sophos, an online-security firm, says the scam exploits a security vulnerability at a legitimate government site to re-route consumers to the scammer’s site.

IRS, in a warning issued Wednesday, says it never asks for personal identifying or financial information using unsolicited e-mail. It notes also that, contrary to the information in the scammer’s e-mail, taxpayers do not have to complete a special form to obtain a refund.

IRS advises people not to open attachments in suspect e-mails because they can trigger computer viruses. Instead, it suggests calling IRS 1-800-829-1040 to find out whether the IRS is trying to contact them about a tax refund.

Name: Your Identity for a Free Gift Card
Type: Scam

Description: "Identity Theft 911" reports a new phishing scam that uses the promise of gift cards or merchandise from major retailers to lure recipients into providing sensitive personal and financial information.

The phishing email prompts members to fill out an online "survey" that asks for the name of their financial institution, passwords, email addresses, and other personal account information. In exchange, at least one version of the scam promises a retail gift card valued up to $500. The member will never receive the free gift card. The only thing the member will get is a headache, because his/her identity will be stolen.

With millions of Americans buying gifts online during this holiday season, fraud experts are warning consumers to be wary of scams offering gift cards or merchandise in exchange for personal or financial information.

Name: "Free Services" Stealing Your Personal Information
Type: Scam/Spyware

There are organizations on the Internet that offer 'free services' such as Internet acceleration or email virus scanning. Some of those organizations have 'privacy policies' that are so loosely defined as to allow them to harvest and share information that is universally considered to be personal and highly sensitive by Internet users. Such organizations ask unwitting end users to configure their browsers to cause all web traffic, including highly sensitive encrypted secure traffic to be decrypted, pass through that organization's servers to be harvested and then continue on to its intended destination. Hence, information that is thought by the end user to be inaccessible to everyone except the intended recipient is collected, and according to liberal privacy policies, may be shared by the intermediaries with unnamed third parties. We believe such organizations may rely upon the fact that many inexperienced Internet users don't understand the ramifications of such a situation (referred to in information security circles as a 'man-in-the-middle' exploits), or that they will carelessly click through acceptance terms without reading the fine print of the privacy policy. In our opinion, this dangerous situation is made worse by the fact that end users' efforts to uninstall such software on their computers has been designed so that it will often fail, leaving what amounts to a back door by the organization to usurp what are supposed to be private communications in the future.

Consider MarketScore, (formerly known as NetSetter) which we believe follows this sort of business model. MarketScore installs its own trusted root certificates, so that it can intercept secure (SSL) connections made by the end user machine.

The privacy policy of MarketScore states:

...Marketscore monitors all of your Internet behavior, including both the normal web browsing you perform, and also the activity you may have through secure sessions, such as when filling a shopping basket or filling out an application form that may contain personal financial and health information...

... We monitor the Internet connections of our users so we can not only accurately and anonymously model the browsing habits of Internet users, but also their shopping, registration, and other interactions as well...

... In addition to the monitoring of your Internet behavior, we may also combine the information that you provide us with information such as credit or prescription information that we obtain from third parties such as consumer preference reporting companies, credit reporting agencies, and prescription benefits managers....

... There are some limited cases in which we share personally identifiable information with third parties. Specifically, we provide personally identifiable information to third parties for the purpose of conducting the secure and confidential matches discussed more fully above....

It is important that Internet Banking users be aware that those Internet companies that use technologies to intercept encrypted communications have full access to end users' personal information and have publicly stated that they can share users' information with third parties.