• When shopping online, type the merchant’s URL in by hand instead of following any “convenient” link in an email or instant message. Those links can be spoofed in a phishing attack which looks like legitimate advertising.
• Look for the prefix https in the address line. This indicates that you are on an encrypted connection to the merchant’s website. You can also look for the little yellow padlock icon in the bottom right of the browser. Be careful, however. Sophisticated hackers can spoof these signs
• Read the site’s privacy policy carefully and use common sense about the offer. If it sounds too good to be true, it probably is. If you don’t trust the company to protect your personal information, shop somewhere else.
• Make sure your own protections (anti-virus, firewall, patches) are up-to-date and running.
• Use a credit card, not a debit card. If your credit card is stolen or the number misused, federal law limits your liability to $50 (as long as you comply with the notification requirements). If a debit card number is compromised, you could lose the entire amount in the account to which the debit card is linked.
• Check your statement carefully for charges you don’t recognize. Report any anomalies to your bank and report a lost or stolen card immediately.
• Consider keeping a separate credit card with a low credit limit just for internet purchases.

And in the theme of Cyber-Monday scams, here’s one that isn’t.

There are allegations online that a Facebook-based promotion being run by Westfield, the Australian mall company. They are letting Australian customers sign up for a lottery for a $10,000 gift card in exchange for all kinds of semi-confidential information (basically the same information you’d give up for a discount card, though) and the inclusion of a Facebook app to your account. Many people have accused the Facebook app of being virus-infected and/or the sign-up of being a phish. It actually checks out, though. Despite the skepticism (which I consider entirely appropriate and healthy in our current online environment), the mall’s promotion has been confirmed. Hoax-slayer.com has a good writeup describing their confirmation of the promotion.

Whether you shop with the Westfield mall is up to you. Take a few minutes to research any such offer and company before you sign up, though. Being suspicious of an offer that seems too good to be true is an excellent habit to build.

A few of these scams appear to be targeted at tricking you into giving up your personal information but most seem to be asking for a prepaid “filing fee” or other hidden (and often recurring) charges. CIOonline wrote an in-depth analysis of one such scam. It’s fascinating reading.

The FTC is trying to chase down some of the worst offenders but these sites pop up faster than they can be taken down. As always, be very cautious about what you read on the internet. If it sounds too good to be true, it probably is.

In particular, we are already an increase in phishing messages that reference the recipient’s holiday credit care spending pattern. The messages will claim to be requests for confirmation, reports of transactions and even a few of the traditional “your account has been frozen” scams. During the holiday season, many people have more transactions and shop with more different merchants; the scammers are attempting to exploit any confusion over those transactions in order to trick you into disclosing your account information, passwords, etc. If last year is any indication, expect that phishing campaign to accelerate during this week and last until the middle of next month or so.

We are also seeing a number of scams related to the economy. The number of work-at-home scam messages is up dramatically. As you may remember from prior tips, these scams promise easy money either for helping transfer funds or to conduct “quality control checks” on merchandise. In the first case, you become part of a money laundering operation, in the second, a fence. Either way, you’re like to get a visit from some federal law enforcement agency. If it were that easy to make money, they wouldn’t need to be sending out random emails about it.

Interestingly, the old “Nigerian fraud” is back in large numbers. These are fairly transparent messages alleging that someone needs your help to get money out of a foreign country (usually in Sub-Saharan Africa) and offering you a percentage if you will allow the person to transfer the money through your bank account. Foreign lottery scams are also back in significant numbers. I believe that by now most people know that these messages are scams but in times of financial difficulty, sometimes hope trumps common sense.

If an email asks for your personal information or if it contains an offer that looks too good to be true, trust your intuition and delete the message. To learn more about how to identify common scams, check out some of the links in the archived Tips on phishing. Have a safe New Year.

You can read the full ODI press release at ohioinsurance.gov.

Insurance companies do sometimes ask for confidential information such as SSNs and birthdates in the normal course of business. However, it would be highly unusual for the insurance carrier to contact the customer directly or to do so other than in writing. If you receive a call that strikes you as suspicious, hang up and call the number printed on your last policy statement. If the call was legitimate, the customer service representative will be able to look up your account and confirm it.

Be very cautious about handing out your personal information to anyone you do not know well. Ohio customers who have already received one of these fraudulent calls, are asked to report it to the ODI at 1-800-686-1527.

Lastly, if you believe that you may have given up your confidential information to a fraudulent caller, you should check your credit report and consider putting a fraud alert on your account. For more on how to check your credit report, you can follow this link to the archive of tips on this topic.

• Never respond directly to an email request for money. If you think the request might be legitimate, ask for written information about the charity including their official name, physical address and telephone number.
• Contact the charity directly and be sure that they know about the solicitation and have authorized the use of their name. (You’d be amazed how many people claim to be collecting for the Red Cross but just pocket the cash – or pass on some miniscule percentage of the contribution.)
• Be especially cautious about suspiciously similar names. Many of these scam sites will attempt to mimic the legitimate charities.
• If you don’t remember making a pledge, you probably didn’t. Don’t let yourself be pressured into sending anyone money.
• Avoid cash donations. Don’t give out your credit card number either. Checks are best because they leave a paper trail – better for the FBI if it’s a scam and better for you if it’s legit so you can claim the tax deduction with the IRS.
• If you’ve already made a donation to a "charity" that you now believe was fraudulent, contact your local FBI office so they can investigate it.

For more, go the the FTC’s Consumer Protection website.

On the Internet, the domain naming system treats every combination of domains as a unique destination. Owning example.com gives you no special rights to example.org. And while you may be able to make a case for trademark infringement, the domain naming system has a strong bias in favor of "first-come, first-served." If a domain name is important to your brand, you need to act to protect it.

If you’re not already monitoring internet domain registrations that are similar to your trademark and business, you really should start. There are several good monitoring services out there, some that will send daily alerts for free. Remember, however, that you can’t commandeer every possible variation of your domain – there are just too many possibilities. Get the domains that you think are most important and monitor the rest.

The message from the Asian company, however, is a scam. We have traced two different types of these messages so far. In the first case, it was a straightforward con for a credit card number. In the second case, it was an actual domain registrar using questionable tactics to generate business. In both cases, we investigated the company – a Google search on some keywords from the email will often return examples of others who have run into the same con – and decided not to respond to their phishing attempt.

If someone registers a domain name similar to yours, look at the domain registration. (There are several excellent lookup tools on the web. I tend to use whois.domaintools.com). If the other person registering the domain appears to be a legitimate business that just happens to have a similar name to yours, don’t worry too much about it. We regularly bump into the the Westfield Group that owns Westfield Shoppingtown Malls (an Australian firm). We also know about domains registered to a car repair shop on a Westfield Road in Indiana. There’s no connection and no evidence of fraud – and they got to the domain first. As long as they keep the domain out of the phishers’ hands, I can live with that. I also don’t worry too much about the domain resellers who buy the domain name then “park” it with some generic ads. (Here is an example.) As long as there’s no evidence of misuse and no obvious confusion with my brand, I’m willing to let most of those sit.

At home, fix your firewall, update your antivirus and patches and practice safe surfing. If google or yahoo (or your existing antivirus program) give you a warning that you are about to go to a sight that might contain malicious code, heed the warning. Do not override it just because you think that you’re going to a "safe" site like the hotel.

At work, shut your computer off every day. (Your IT department probably pushes updates to your computer’s defenses every day but many of those updates can’t take effect until you restart your computer. If you leave your computer on for an extended period, you will be missing those critical updates.) And, of course, practice safe surfing.

If you get one of these pop-up warnings, never allow it to scan your computer. If you think you might have triggered one of these scams, call IT.

Spoofing of the Microsoft Malicious Software Removal Tool (MSRT) is particularly common but all the Microsoft updates have been spoofed in one form or another.

In one recent case, the spoof was triggered by infected ‘friend’ requests on MySpace. Users triggered the trap when they went to check on the profile of the person trying to befriend them. If you are a MySpace or Facebook user, beware of friend requests from people you don’t know and be cautious when surfing other people’s profiles.

If you get a request to update software on your work computer, ignore it unless you also received an email from your IT department explaining the update. If you receive the pop-up on your home computer, go to your Control Panel and look for the Security Center. Once there, initiate the check for updates yourself rather than trusting the pop-up. Never click a pop-up that shows up on your computer unexpectedly.

Luckily, many of these attacks are blocked by our anti-virus software but some will always get through. Be on the lookout for these kinds of scams. If you see a message that looks suspicious, do not open it, even if it appears to come from someone you know. If you’re unsure about the message, call the alleged sender and just ask if he/she really sent it.

If you run a business, make sure that your staff know about these scams, too. Make sure you set a culture of security where it’s safe for the employee to call you and confirm a message’s legitimacy. (If you’re the one writing the messages and you’re getting a lot of calls, check out "How not to look like a phish".)

In this scam, you will get a very friendly call from someone who knows your name (possibly because they called your number late last night just to see whose name came up on the voicemail) and who may even claim to be from your own IT department. After a minute of friendly chatter, he/she will ask for the number on the printer behind you, perhaps saying that "it’s part of our inventory of systems". The scammer is betting that most people today have a printer very close to their desks.

Several weeks later, you will receive an unsolicited replacement toner cartridge in the mail. You don’t remember ordering toner but who keeps track of things like that? And if you didn’t order it, one of your co-workers probably did. So you open the box and tuck the toner away for a rainy day.

Weeks after that, the scammer sends an invoice for five to ten times the market price for the toner cartridge. The scammer is counting on the fact that most finance departments will just pay small invoices and even if they don’t, they’ll forward the invoice to you for approval. You remember receiving the toner and, since most of us assume we are dealing with honest people, you are likely to approve the payment without checking the price. The great thing about this scam is that it’s not illegal to charge too much for a product. Under US law, it’s "buyer beware". If you agree to pay five times what something is worth, that’s between you and the seller.

If you don’t pay, expect a series of followups demanding payment. If you call about the invoice, the scammer will likely offer to play back a tape recording of your employee saying "yes" to a request for toner. The scammer likely did get your employee to say "yes" to something and then cut-and-pasted the sound clip in front of a different question.

If you get one of these scams, first refuse to answer the question. No one should be asking about your systems without cause – even something as seemingly innocuous as your printer models. Second, alert your Receiving folks to watch for toner or other office supplies coming from someone other than your regular supplier. If you can identify the shipment in time, refuse to accept delivery. Third, do not pay the scammer. Do not pay any return or restocking fees either. Under Federal Trade Commission rules, any unordered merchandise can be considered a gift. You didn’t order it. You have no obligation to give them money. (You might, however, want to have your legal counsel send the scammer a cease-and-desist letter. You should probably also double-check your state laws. Ohio gives even stronger protection and permission to consider the unordered package a gift.)