RSA

VICTIM OF ONLINE FRAUD?

What to do if you are a victim of online fraud

According to the annual Online Fraud Survey conducted by RSA in December 2006, for which 1678 adults in 8 countries were interviewed, trust in the online channel is falling. Despite this, many people continue to use the internet without adopting the minimum precautions which can help to protect against becoming a victim of online fraud.

Keeping your PC’s operating system up-to-date, installing good anti-virus software and a firewall, not connecting to your online bank account from Internet Cafés, unknown wireless networks and PCs goes a long way to protecting yourself from trojans, spyware, phishing and numerous other threats to our online identities.

Nevertheless, these basic rules of prudence are sometimes ignored. But where does this “recklessness” come from? Misinformation, lack of knowledge about the threats and an ‘It couldn’t happen to me’ style attitude could well be partly to blame.

We have described some of the most likely situations during which exposure to online fraud can happen, and answered some of the most common questions associated with them, including advice on what to do if you think you have been exposed to identity theft and online fraud.

10year

1. I received an email which looked as though it was from my bank, asking me to click on a link and enter my username and password on the website, which I did. Did I run any risk?

As a general rule, banks will never send emails requesting passwords or other personal information. Emails like this should not be trusted and need to be deleted immediately – they are almost certainly fraudulent.

If you have entered your personal details, call your bank immediately to cancel your old usernames and passwords and create news ones. Almost all online banking systems allow you to perform this operation yourself online, but – in the unlikely event that your PC is infected by spyware or a keylogger – it is advisable to contact your bank by telephone or from a different, uncompromised, PC.

If you have fallen victim to a phishing attack, you should report it to the appropriate police department. Even if you did not click on the link or enter any personal details, you can still report the phishing attempt to the relevant authorities, who will use it to gather intelligence – thus contributing to the fight against online fraud.

2. My bank statement contains transactions which I didn’t perform. What should I do? Will I get my money back?

Although every bank has different policies relating to reimbursing victims of fraud,.all UK banks offer a full refund of any losses incurred, as long as customers have taken adequate care in safeguarding their security details. They also provide online help and support along with email addresses and telephone numbers for emergency purposes.

When joining an online banking service, you should check its policies and guidelines related to fraud which can usually be found on the website.

However, if the theft of funds occurred by no fault of the bank's - for example if you hadn’t secured your PC or had unwittingly provided your bank account details to a fraudster - then getting your money back may be more difficult.

The sooner the relevant authorities are contacted, the higher the chance of catching the culprits and reducing the damage. However, it should be noted that very few criminals have been caught and charged for this type of crime to date.

If you think your accounts have been compromised, you should do the following:

Contact your bank or credit card company immediately by telephone, report the event and inform them of the suspect transactions. Follow the telephone call with a letter explaining what has happened and including all relevant documentation. You have 60 days from the postal date on your bank or credit card statement during which to do this.

Report the crime to your local police station or relevant police department, supplying them with a copy of the statement with the suspicious items highlighted. Remember to make a note of the crime number and any other correspondence with law enforcement authorities and forward to your bank, credit card company and any other creditors. Don’t send originals: always photocopies.

Change your usernames and passwords to ALL online banking and credit card accounts, preferably by contacting your bank via telephone (there is usually a freephone number).

Make a copy of all communications between yourself and all of the other financial institutions and authorities involved, including emails.

3. If the author of online frauds is identified and brought to justice, what will happen to them? Do victims who lost money have the right to compensation?

The rapid change in the nature of fraudulent threats, and their international nature, make them extremely difficult to legislate against. In the UK, the Fraud Act of 2006 took 30 years to finalise due to constant technological advances, including in later years the Internet.

Under the Act, possession of any software or data for use in online fraud could result in a prison term of up to five years, while those writing the code face a maximum penalty of ten years’ imprisonment. Phishing attacks, and the distribution of Trojans and spyware are all covered by these measures.

However, in reality, these laws can only be enforced effectively within the country’s boundaries and have little meaning for global fraudsters, who operate in territories where legal protection is far less rigorous.

All UK banks offer full refunds to victims of online fraud as long as adequate care has been taken in protecting personal data.

4. I clicked on an URL in an email which seemed to come from a charity to make a donation. I ended up in a web page where I entered my credit card number in their form. Was that OK?

Probably not, and you should carefully monitor the use of your credit cards over the coming months. You could also call the charity and ask for confirmation that they sent you that email, and received your payment. Some very simple advice is to manually type the URL of the organisation you want to send a donation to into the address bar. This is a type of phishing attack, and if you are a victim you should follow tips 1 and 2.

5. How can I identify a phishing scam and how do I report it?

If the email you receive is unsolicited and from a company with which you do no business, you can be pretty sure it is a scam. If you receive an unsolicited email from a company you do hold an account with, you can be pretty sure it’s a scam if it asks for personal information the company should already have on file about you. Banks will NEVER ask for personal data by email. If you’re still not sure about the legitimacy of an email, call the company at a phone number you know to be accurate.

Many companies that have been spoofed have an email address to which you can send emails you receive, for example, abuse@mybank.com or phishing@mybank.com. The Anti-Phishing Working Group also register phishing scams and are a good resource for more information on what to do if you’re a victim of phishing

Be suspicious of any email with urgent requests for personal financial information. Phishers have been known to include upsetting or enticing (but false) statements in their emails to get people to react immediately. More recently, some phishers have toned down their language, as email recipients have become more aware of the use of this tactic. Either way, the email typically asks for information such as usernames, passwords, credit card numbers, etc.

Be careful of emails that are not personalized and/or may contain spelling errors and/or awkward syntax and phrasing. Many phishing emails are sent in great bulk and, therefore, are not personalized. Many emails also are being sent from individuals in other countries, thus resulting in misspelled words and awkward syntax and phrasing.

At first glance, it may not be obvious to the recipients that what is in their inbox is not a legitimate email. The "From" field of the email may have the .com address of the company mentioned in the email (it is very simple to change the "from" information in any email client), and the clickable link may also appear to be taking you to the company's website. However, once the hyperlink is highlighted, the bottom left of the screen shows the real Web site address to which you will go. The email may even contains the company logo and images that have been taken from the Web site of the company mentioned in the scam email.

6. How do phishers get my email address?

Phishing emails are essentially dangerous spam. Spammers utilize a variety of techniques to gather email addresses — websites, newsgroups, guesswork and list trading. These are the same methods used by phishers. Phishers do not gather email addresses from bank records; unfortunately, one common misconception by consumers is that their bank actually provided the criminals with their names and email addresses. This is simply not the case.

7. Is online banking still safe despite phishing and pharming?

Online banking can be a safe and effective way to manage your money; however, just as you would not share your financial information with a stranger who knocked at your front door, so should you be cautious when online. Treat unsolicited emails asking for information with extreme caution and do not click on links within emails. Only visit websites you know to be secure and type the address in manually - look for the padlock in the bottom right corner or “https” at the beginning of the address. Also, make sure your computer’s security software is current and that you have downloaded the most recent updates.

Banks combat phishing schemes by educating their customers, installing fraud detection software and working with industry coalitions. These coalitions, along with law enforcement agencies at local and international levels, are working together to find fraudsters, shut down their websites and prosecute them.

Who can offer an aid in case of online fraud and identity theft

Bank Safe Online is the UK banking industry's initiative to help online banking customers stay safe online. Its members include all the major high-street banks. The organisation sets out simple steps you can take to help keep safe online. It provides regular updates on the latest scams, and enables you to report any suspicious emails or websites directly the organisation.