Global computer fraud probe ignited by latest e-mail scam

Exploiting terrorism jitters and Patriot Act phobias, the nation's latest e-mail scam has set off an international computer fraud investigation, federal authorities said yesterday.

The bogus e-mail, which first arrived in computers several days ago, claimed to notify recipients that U.S. banking regulators had suspended the insurance on their bank accounts "due to suspected violations of the Patriot Act."


Homeland Security Director Tom Ridge advised the action, the e-mail said.

It directed people to a government "IDVerify" site where they could provide the necessary personal data, which would be checked with government records.


"This only takes up to a minute and when we have verified your identity, you will be notified of said verification," the message said. "And all suspensions of insurance on your account will be lifted."

The message claimed to be from the Federal Deposit Insurance Corp., the government guarantor of bank deposits, and the Comptroller of the Currency, which regulates the nation's banking system.

Such scams have had a familiar formula in recent years, typically impersonating well-known commercial firms and trying to lure people to reveal bank account numbers, Social Security numbers and other data that can be used to steal their identity and money.

In Web fraud terms, they are called "phishing" scams, because they fish for private, confidential information.

This is the first time the "phishing" scams have taken on the FDIC, agency officials said.

FDIC call centers have been inundated with scam reports since the e-mail first surfaced, officials said. By yesterday afternoon, more than 5,400 callers said they had received the fraudulent message.

"I would say we have never been overwhelmed by e-mail the way we have been in this instance," said spokeswoman Elizabeth Ford. "But in a sense, this is good news because it shows people are recognizing this is a scam and they are sending information to us so we can find the bad guys."

The FBI and FDIC investigators are on the case, Ford said. Evidence indicates the e-mail came from several sites around the globe, including Pakistan, Taiwan and China. Investigators have also determined that a Web site in Russia was used to collect data from anyone who fell for the ploy.


So far, however, there may be fewer victims of this scam than in the past, government officials said. There is more awareness of such activity now because of highly publicized scams that used companies such as Citibank, eBay and Best Buy, they said.

"Some preliminary numbers show that a very, very small percentage of people have fallen for this," Ford said. "Of the 5,401 reports we received, only five people said they submitted information to the bogus Web site. We're hopeful that most people have become too savvy to give out personal information in response to an unsolicited request like this."

But even a handful of victims would provide the scammers with enough information to do some major damage, privacy experts said. They could send out a million messages, receive a dozen responses - including credit card or bank account numbers - and have what they need to steal hundreds of thousands of dollars.

"If they get even a minuscule response, it has been a successful ruse for them," said Beth Givens, director of the Privacy Rights Clearinghouse, an advocacy and education organization based in San Diego.

"A scam like this one is very, very clever. It uses some hot-button issues, such as terrorism and the Patriot Act, to pull people in. It plays on people's fears."

Most "phishing" scams, however, have a similar, recognizable approach that provides some alleged trouble requiring people to give out their personal information on a fake, but realistic-looking, "impostor" Web site, Givens said.


They also contain logical flaws that are dead giveaways something is amiss.

"This bogus FDIC e-mail, for example, starts out 'to whom it may concern,'" she said. "It only takes a moment for you to think that through: Why would it start out in such an impersonal way, then it goes on to claim they have information about your personal account?

"You'd have to know that no governmental agency would ever contact you in such a way if they really wanted to discuss such confidential information."

The Orlando Sentinel is a Tribune Publishing newspaper.